Slashdot Mirror

THANK YOU. My very first thought on seeing this - gee, my credit union probably won't like the .bank domain so much, and neither would my brokerage.

Re: having a special certificate class, there kind of already is - they're called Extended Validation certificates, from Verisign:

http://www.verisign.com/ssl/ssl-information-center /faq/extended-validation-ssl-certificates.html

Supposed to turn the address bar in IE 7 (and upcoming Firefox releases) green. Not that it will matter much, they're still only ~ $2K, easily within reach of even casual phishers.

• Banking authorities CA`s
  
• A Consumer advocacy group CA

A browser mod would be helpful there; I believe both IE and Firefox now have built-in "probably phishing" detectors. In fact, those probably-phishing detectors could be more useful than a domain name, which is clearly trying to cram a hack on top of DNS.

Much wiretapping in the US is actually outsourced to Verisign. Verisign's NetDiscovery center provides a full-service wiretapping service, with hooks into telcos, cellular networks, VoIP providers, cable TV systems, wireless data networks, and ISPs. Verisign's proprietary back door into the SS7 telephone signaling control network makes this not only possible, but allows Verisign to offer wiretapping services at a lower cost.

Verisign is extending their wiretapping network internationally. Italy is already hooked up.

So if Congress or the press wants to look into this matter, the place to go is Verisign's Network Security Office. Also, attending Intelligence Support Systems for Lawful Interception, Cybercrime Investigations and Intelligence Gathering Conference and Expo in May, in Washington, DC. "Now that most nations of the world require lawful interception support of VoIP and other IP-based services, ISS World Spring 2007 is a must attend event." Talks include "Best Practices for Successful Deployments of Word Spotting Technology" and "Content and P2P Monitoring and Filtering". Major topics for this year include inteconnecting multiple intercept systems to allow easier remote access.

Well, it is and it isn't. The cost of filing as a limited liability corporation (LLC) isn't all that bad. Our lawyer (who has handled wills and other family matters) will do it for somewhere between $300 and $500. He actually dissuaded me from setting this up a couple of years ago because, as he points out, there aren't any real advantages for a small retail business. The true cost at this point lies in the price of the EV certificate, which is a real shocker. Verisign, for example wants $1299 for a one-year period. That's a lot of money, and there's really no way to establish how much credence online buyers are going to put into this new validation. It's also a "special introductory offer" with the regular price being $1499.

What's irritating to me is that I've been a sole proprietorship for almost six years now. I can furnish bank and credit references and tax records to that effect. Seems as though there ought to be a way to verify through those records.

I already ante up extra $$$ for a cert from a well recognized authority. But $1299?

Are you trying to tell me that she can't afford the $60/yr to have a real, incorporated business, but she's just chomping at the bit to shell out $1300.00 per year just to be "green"?

Yeah, whatever.

I have a small business, legally registered, which is a sole proprietorship. Even though my business is legal and even though I'm personally legally responsible for the business I cannot get this green bar.

I doubt she'll be hurt. I own 3 small businesses. Most of my friends also own businesses. I don't know anybody who is rushing out to pay for one of these "make yourself green" certificates. Hell, I hear people grousing all the time about how much ordinary, no-human-intervention-required SSL certs cost. In small business, every dollar counts (why do you think Auntie Treestocking isn't even incorporated? Because that costs money), and did you look at how much these EV certs cost?

They cost $1299.00 per year. How much profit do you really think Pippy Longstocking is making from her little business? Look at her site. She does sales through via phone, a shared-SSL ecommerce package, and an eBay store. In other words, she didn't even spring for her own $20 SSL cert. Do you really think she's going to drop $1300 just so she can be "green"? Why not just direct all visitors to her eBay store? You know that they're going to be green.

Seriously, I don't think many small businesses are going to be hurt by this.

Let's cast some light on this. How it will work (including screenshots)

See Appendix F of Verisign Certification Practice (PDF). I think the fuss is about the following statement "Verisign verifies that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated)". Possibly people have mis-read "e.g" as "i.e".

BTW, does anyone else keep reading the name of this technology as "EVIL SSL"? No? Just me then.

Let's cast some light on this. How it will work (including screenshots)

See Appendix F of Verisign Certification Practice (PDF). I think the fuss is about the following statement "Verisign verifies that the Applicant is a legally recognized entity, in existence and validly formed (e.g., incorporated)". Possibly people have mis-read "e.g" as "i.e".

BTW, does anyone else keep reading the name of this technology as "EVIL SSL"? No? Just me then.

http://www.verisign.com/ssl/buy-ssl-certificates/e xtended-validation-pro-ssl-certificates/index.html

Several CAs, including Digicert, are seeking to have the standard revised to include small businesses. I don't believe the CA/Browser Forum has finalized the standard yet, as there were some holdouts last I checked.

"Let me start by stating that the story as written is very much not in keeping with the tenor of the actual conversation I had with the reporter in question. Among other things, the story makes it sound like VeriSign is critical of the Mozilla Foundation for not having announced support for the Extended Validation SSL standard at this time. Quite the opposite, in fact. Several members of the FireFox community have been key contributors to the Extended Validation effort and are active participants in the CA/Browser Forum. I never characterized Mozilla as heel-dragging in any sense of the word, and it was my effort to defend Mozilla's method of operation that led to the most regrettable moment in the article."

Has anyone actually been able to find the specification for "high assurance" certificates? Apparently this is being closely held. The spec comes from something called the "CA Browser Forum", which is invitation-only and doesn't seem to have a web site. A standard was supposed to be issued in August, but apparently agreement wasn't reached until a meeting in September. There are many press releases, but no hard data.

So that's why it's not in Mozilla.

It's actually a good idea. Early in the history of SSL, getting a certificate required presenting appropriate business identification info to the certificate issuer. The problem is that some issuers (GoDaddy comes to mind) started issuing "domain only" SSL certificates; the only verification is that the domain can get email. Then, instead of revoking GoDaddy's root certificate for this, the other cert issuers copied GoDaddy's approach. Now anybody can get a meaningless certificate with a meaningless Relying Party Agreement.

The way it's supposed to work is that the certificate issuer bears financial responsibility for misidentification of the certificate owner. Some certificates from Verisign have a Relying Party Agreement that does provide a financial guarantee to the party relying on the certificate - $100 for a class 1 cert, $5000 for a class 2 cert, and $100,000 for a class 3 cert. Most of the other issuers have relying party agreements which promise nothing and deliver less.

So what's happening is that, soon, you'll be able to tell the difference between the crap certificates and the good ones. Before you buy. The idea is that if you put your credit card into a site that showed a green toolbar in IE, and it wasn't really the company it should have been, you can collect from the certificate issuer. This puts certificate issuers on the hook for phishing losses.

Unfortunately, the rules and the Relying Party Agreements for the new certificates haven't yet appeared, so we can't tell if the rules are tough enough to make this work. Since they're being drafted by the certificate issuers, there will probably be some loophole that lets them off the hook.

http://www.verisign.com/ssl/ssl-information-center /faq/high-assurance-ssl.html

This seems to be composed of two parts:

1. Some higher-level of SSL certificate for which Verisign will somehow verify the legitimacy of the company rather than just their domain, and for which they will presumably charge more $$$.
2. Visual indication in browsers that a site has such a certificate, and displaying who validated the certificate (i.e. Verisign.)

This will have negative ramifications for the disability community, as it will become harder for hobbyists to develop novel assistive devices

For those that have a problem with this, is it the cost or the principle of the matter? If it cost $50 instead of $500, would that change your mind?

Yes - CERT is part of DHS. In fact the press release specifically makes the point that US-CERT is one of the DHS departments.

If you don't think CERT belongs in DHS, just think back to the chaos created by the Blaster worm. A day or two later, the entire Northeast US goes black for days due to a cascading power outage. Coincidence?
http://www.verisign.com/security-intelligence-serv ice/current-intelligence/global-cyber-threats/2003 /66.html

The only surprise here is that the general alert level wasn't already raised - given the events in the Middle East and the threats going back and forth.

Then again, on 9/11, the Emergency Broadcast System (now called EAS) - which has been tested regularly as long as I've been alive - was not used in New York to tell people what to do. In retrospect, it looks like the main purpose of EBS/EAS was to give the FCC a revenue stream to fine stations not keeping their equipment functioning or keeping accurate logs of the tests.

If you rely on government to protect you in the event of an emergency, you will likely be disappointed.

Nothing to see here other than the tin-foil hat convention of those who stopped taking their meds.

my suggestion is to go with geotrust

Unfortunately just last month Verisign announced its intentions to purchase GeoTrust. It might suck for any GeoTrust resellers, as Verisign was never very supportive of their resellers.

Here's the press release.

Take your pick: GeoTrust
Comodo
Thawte
VeriSign

Take your pick: GeoTrust
Comodo
Thawte
VeriSign

Take your pick: GeoTrust
Comodo
Thawte
VeriSign

'Doh! I read here and believed it.

---snip---

VeriSign Naming Services is the largest domain name registry in the world, managing over 50 million digital identities in over 350 languages

--snip----

I don't think it matters though. No matter who got it they would complain because it isn't them. Of course Verisign is known for charging way the heck more for things like SSL certs.

There seems to be lots of confusion in the comments about what role VeriSign has, and its competition with the registrars:

1. VeriSign is the Registry, not a Registrar. VeriSign is the authoritative registry for .com and .net domain names.(VeriSign runs the TLD servers) [Verisign registry role]

2. Registrars (goDaddy, Register.com) take your money and then give the info to VeriSign. They pay about $5 to VeriSign to run the registry.

3. Verisign used to own NSI/Network Solutions, but they no longer do, so they don't have a retail presence. They have a retail presence for security certs, and payment services. You, as an individual, do NOT register a name with VeriSign.

So to repeat VeriSign = Registry GoDaddy = Registrar

Not anymore.

But today's wiretapping system isn't set up that way. The way it actually works is that there's a back door into the routing system for telephony, SS7. The back door is run by private companies, mostly Verisign. Verisign calls this their NetDiscovery Service. Wiretapping is done by issuing commands to switches (phone, cellular, IP) over the SS7 network.

Take a look at what Verisign describes as the subpoena processing flowchart. Note that there are no blocks on that chart for the court system. There's no data transfer back to the court system. The "legal review" step is marked as "optional". There's supposed to be a subpoena to start the process, but there's no external validation that what is monitored matches the subpoena.

That's the real problem. We need to put the courts back in the loop. It's wrong for them to be out of it. Courts have an obligation to monitor compliance with their subpoenas, and to oversee law enforcement. They're being denied the tools to do it.

But today's wiretapping system isn't set up that way. The way it actually works is that there's a back door into the routing system for telephony, SS7. The back door is run by private companies, mostly Verisign. Verisign calls this their NetDiscovery Service. Wiretapping is done by issuing commands to switches (phone, cellular, IP) over the SS7 network.

Take a look at what Verisign describes as the subpoena processing flowchart. Note that there are no blocks on that chart for the court system. There's no data transfer back to the court system. The "legal review" step is marked as "optional". There's supposed to be a subpoena to start the process, but there's no external validation that what is monitored matches the subpoena.

That's the real problem. We need to put the courts back in the loop. It's wrong for them to be out of it. Courts have an obligation to monitor compliance with their subpoenas, and to oversee law enforcement. They're being denied the tools to do it.

Nothing on the Verisign site http://www.verisign.com/products-services/security -services/code-signing/digital-ids-code-signing/in dex.html indicates that ever single piece of software requires a new certificate. So nothing prevents a group of opensource developers from getting together, incorporating, obtaining a cert, and then signing the software of those they trust. For example, Sourceforge could get a cert, and then offer driver-signing services to trusted projects.

Want to go it alone? It's $75 - $500 to incorporate, depending upon the type (http://www.entrepreneur.com/article/0,4621,287986 ,00.html).

Keep in mind that driver-signing doesn't 100% guarantee stability. My ATI card's signed drivers still periodically flake out...

Com TLD is about 75% of the domain names from your source.

So, to further my previous example, knowing a domain is .com cuts the number of records to search by more than half. Can't do that with alpha numeric I bet (maybe close for the letter "S" - but I digress).

Since this works through SS7, and full call-control information is available, it's immune to any in-band tones.

See this old Slashdot article with more links.

Let VeriSign help

All these cards pass the LUHN-10 test and if they try and ding it..will always fail. Use any Expiry, they arne't even running an AVS check on it for any validation.

The main page looks like wang fouey designed it with Frontpage 2000. A bunch of the images are broken. At first I thought it was just FireFox, but then I tried it with Opera and then /cringe IE. All the same, busted look. Makes me wonder if they should be in charge .com and .net if they can't get their homepage working right.

Other planted articles that are startlingly similar:
The actual verisign press release with a cute graph
PC World with a seemingly verbatim copy of the press release
Again from Tech News World
And C|Net's news.com.com even copies the fun and [extreme sarcasm]ever so statistically meaningful[/extreme sarcasm] graph

It is nice to note that VerisSign's Nasdaq abbreviation appears in all of these articles within the first sentence. So I wouldn't be too worried because its not surprising that VeriSign wants us to fear keyloggers.

Um, no. eBay bought Verisign's payment services, which means that's now part of eBay.

Exactly.

eBay didn't buy Verisign's accounting department, they bought Verisign Payment Services.

You really need to think these things through before making such ridiculous claims.

Indeed.

Well, the sample credit card numbers on the VeriSign page seem to work okay. I only tried a few, but they worked. And it only took a few seconds of googling to come up with those.

eBay you say?

I wonder how many bidders there were in the auction...

CLOSING SOON! Payment processing division of an ENORMOUS leading software company.

Current Bid: US $30,000 (Reserve not met)

Buy It Now price: US $370,000,000
Condition: very good condition
Item Location: Mountain View, CA 94043
Ships to: USA only
Shipping costs: ChUS $39.00 - US Postal Service Priority Mail (within United States)

Please check out my other divisions at http://www.verisign.com/verisign-inc/index.html

• Security Services (formerly RSA)
• Naming & Directory Services (formerly Network Solutions)
• Communications Services

And spell checkers actually are a hindrance in some places: take using the wrong word (principle v. principal). A grammar check won't pick up that "It's the principal that counts" is incorrect, either.

That would be the point of a good grammar checker. Of course depending on the context, your sentence could be perfectly correct, which is why writing a checker that can tell the difference is decidedly non-trivial.

I think we should just drop English as the Internet language and adopt Loglan (www.loglan.org). That's what it was invented for.

Right... Let's see. According to this article by Verisign, nearly three quarters of all Internet content is in English. They also claim one-third of the users are English-speaking, but it's hard to tell whether that's limited to first-language English speakers or not. My guess is that there are no more than a few thousand Loglan speakers out there. So, let's abandon the language spoken by hundreds of millions of internet users, and force EVERYONE to learn something new. Great.

Automatic routing of cellular 911 calls was introduced because manual routing worked very badly. California used to route all 911 calls from cell phones to the California Highway Patrol. As cell phones became more common, CHP dispatch was overwhelmed. By 2002, the CHP was getting over 8 million calls a year, most of which didn't involve freeway incidents, which is most of what the CHP handles. Call hold times on 911 were reaching 10 minutes during peak periods. The CHP was running a huge call center, which basically asked where callers were and forwarded their calls to some local 911 dispatch center.

That's the background for cellular 911. It's convenient that the dispatcher gets the location of the caller, but the real benefit is that the call gets sent to the right dispatcher.

If 911 routing isn't automated for VoIP, where should the calls go? Some call center in Bangalore? If the VoIP provider doesn't have some clue where the caller is, that's about all they can do.

There's worse stuff than this going on. The extension of the "Commmunications Assistance to Law Enforcement Act" rules to VoIP is much more of a Big Brother thing. If you aren't aware of how this works, the basic concept is that wiretapping has been built into the phone system, and wiretaps are now delivered to law enforcement over T1 lines. The US wiretapping system is run by Verisign. That's being extended to VoIP.

Verisign has a back door into the control network for the US phone system. Using this, they can divert, block, or intercept calls as desired. When a call is placed, Verisign's database is checked to see if it requires special handling. For telemarketing companies that use this service, Verisign checks their database to see if the destination is on the do-not-call list, and if so, blocks the call. Similarly, for wiretapping requests, the call is forwarded to a wiretapping center to be fed out to some agency over a T1 line, per CALEA standards. It's all done at the central office switch level via the SS7 network; there's no gear on customer premises at all.

Verisign sucks. Working for ISPs back in the day, I was responsible for thousands of domain registrations and maint. Over the years, they have eaten all of my personal domains one by one, and sold them to spam/ad sites. When I call to have things fixed or transfered, I'm treated like an unknowing moron by some slang-speaking Joe-Bob.

Fuck you, Verisign

Verisign, better known for its domain registration business, has a dark side. Verisign operates the nation's wiretapping control center. From its offices in Northern Virginia, not far from CIA headquarters, and in Mountain View, CA, Verisign's staff has a back door into the nation's telephone system. Law enforcement and the intelligence community send their wiretapping requests to Verisign, which then remotely reroutes calls for the selected telephones to Verisign's wiretapping center.

Verisign became the central point for wiretapping by acquiring Illuminet in 2001. Illuminet operated the "signalling system 7", or "SS7" network created decades ago by AT&T to control routing and billing throughout the telephone system. Ordinary phone functions like call forwarding work through SS7. Whomever controls SS7 can wiretap any phone, landline or cellular, within the area they control.

Verisign offers wiretapping as a commercial service, under the NetDiscovery name. As their advertising puts it, "Net Discovery is the premier turnkey service for provisioning, access, delivery, and collection of call information from operators to law enforcement agencies (LEAs)."

Verisign is expanding their NetDiscovery service to cover Internet access and voice-over-IP. Their goal is to provide a single point of contact for all wiretapping requests in the United States. "NetDiscovery makes it easy to fulfill lawful interception mandates and takes the burden and expense of compliance out of a service provider's hands. By outsourcing the service to VeriSign, service providers maintain continuous, hassle-free compliance."

NetDiscovery is the wiretapping solution chosen by Vonage, Cox Cable, First Cellular, Arrival Communications, Cellular Mobile, Rural Cellular, and many others. Wireline, cellular, and VoIP carriers are already on line and being intercepted. In the UK, NetDiscovery is the wiretapping solution for GSM mobiles.

That's how Big Brother really works.

Popular Internet website "Slashdot" has ceased and desisted its run of distressingly unfunny April Fool's news entries. Trolls everywhere have reported repeated bouts of jealousy at the power of CmdrTaco to shit all over Slashdot - a capacity whose unhindered, total form had eluded them.

No, it's not dropping support for country specific TLDs (did i use the right term?). .cx, .us, .de etc., will all work. It disabled support for Internationalized domain names. Internationalized domain names are domain names with characters from non-english languages. http://www.verisign.com/products-services/naming-a nd-directory-services/naming-services/internationa lized-domain-names/index.html. IE doesn't support this too. It's all in TFA.

Almost all the security solutions that I have seen that involve a biometric have been multi factor systems. For example, a smart card would have a security token on it that is submitted when the card is inserted into a reader. You then would have to type in or submit some validating data, like a pin number.

Verisign has an interesting product that looks like it might hold some promise. I'm sure there are others out there that do similar things. The real trick would be to find a multi-factor system that is ubiquitous so it can be used in multiple systems without those systems needing to know anything about each other.

Wasn't that what the Liberty Alliance was supposed to be working on?

The minimum payment security is equal to at least the number of anticipated monthly registrations x number of years (minimum one year and maximum of ten years) x $6 USD registration fee.

This is a much more attractive alternative to Verisign, even over fun names like GoDaddy, and NameBargain.

Having done ISP work back in the day, I have personally submitted registrations on thousands of domains with the venerable Network Solutions. With Verisign and the recent mix, I have lost tons of my own personal domains I have collected over the years -- and registration on these things is quite expensive! Finally there are alternatives, and I think I would trust Google over Microsoft, Verisign, or the US Government. This is my Internet, and I don't want it fucked-up!

Also, I think that Google doing root nameserver fun would be more like a DNS cache for them.

• Complete Lawful Intercept Service

  VeriSign's NetDiscovery service provides telecom network operators, cable operators, and Internet service providers with a streamlined service to help meet requirements for assisting government agencies with lawful interception and subpoena requests for subscriber records. Net Discovery is the premier turnkey service for provisioning, access, delivery, and collection of call information from operators to law enforcement agencies (LEAs).

Verisign does this for telephony by using (or abusing) their control of Signalling System 7., the routing network for telephony. When a wiretap request comes in, they change the SS7 routing data to route calls to/from the phone of interest to their call monitoring center, from which the call is then routed outward again. To the telephone network, this looks like call forwarding. This approach requires no additional hardware at the wireline carrier; it's done through the existing SS7 infrastructure. (Incidentally, this should increase latency, depending on how far you are from Northern Virginia. But they may have remote monitoring centers by now to cut that down.)

Verisign also offers wiretapping services for mobile phones, and cable-based VoIP.

Efforts are underway to integrate NetDiscovery capability into future Cisco routers.

Verisign takes the carrier or ISP completely out of the loop. "Authorized Government agencies" can submit their wiretapping request to Verisign, where they are "reviewed by a paralegal" and then implemented. There's no need for the carrier or ISP to even be aware of the wiretap.

So that's why there's no need for Carnivore any more.

Verisign - your full service wiretapping solution provider.

• Complete Lawful Intercept Service

  VeriSign's NetDiscovery service provides telecom network operators, cable operators, and Internet service providers with a streamlined service to help meet requirements for assisting government agencies with lawful interception and subpoena requests for subscriber records. Net Discovery is the premier turnkey service for provisioning, access, delivery, and collection of call information from operators to law enforcement agencies (LEAs).

Verisign does this for telephony by using (or abusing) their control of Signalling System 7., the routing network for telephony. When a wiretap request comes in, they change the SS7 routing data to route calls to/from the phone of interest to their call monitoring center, from which the call is then routed outward again. To the telephone network, this looks like call forwarding. This approach requires no additional hardware at the wireline carrier; it's done through the existing SS7 infrastructure. (Incidentally, this should increase latency, depending on how far you are from Northern Virginia. But they may have remote monitoring centers by now to cut that down.)

Verisign also offers wiretapping services for mobile phones, and cable-based VoIP.

Efforts are underway to integrate NetDiscovery capability into future Cisco routers.

Verisign takes the carrier or ISP completely out of the loop. "Authorized Government agencies" can submit their wiretapping request to Verisign, where they are "reviewed by a paralegal" and then implemented. There's no need for the carrier or ISP to even be aware of the wiretap.

So that's why there's no need for Carnivore any more.

Verisign - your full service wiretapping solution provider.