Slashdot Mirror

• Complete Lawful Intercept Service

  VeriSign's NetDiscovery service provides telecom network operators, cable operators, and Internet service providers with a streamlined service to help meet requirements for assisting government agencies with lawful interception and subpoena requests for subscriber records. Net Discovery is the premier turnkey service for provisioning, access, delivery, and collection of call information from operators to law enforcement agencies (LEAs).

Verisign does this for telephony by using (or abusing) their control of Signalling System 7., the routing network for telephony. When a wiretap request comes in, they change the SS7 routing data to route calls to/from the phone of interest to their call monitoring center, from which the call is then routed outward again. To the telephone network, this looks like call forwarding. This approach requires no additional hardware at the wireline carrier; it's done through the existing SS7 infrastructure. (Incidentally, this should increase latency, depending on how far you are from Northern Virginia. But they may have remote monitoring centers by now to cut that down.)

Verisign also offers wiretapping services for mobile phones, and cable-based VoIP.

Efforts are underway to integrate NetDiscovery capability into future Cisco routers.

Verisign takes the carrier or ISP completely out of the loop. "Authorized Government agencies" can submit their wiretapping request to Verisign, where they are "reviewed by a paralegal" and then implemented. There's no need for the carrier or ISP to even be aware of the wiretap.

So that's why there's no need for Carnivore any more.

Verisign - your full service wiretapping solution provider.

• Complete Lawful Intercept Service

  VeriSign's NetDiscovery service provides telecom network operators, cable operators, and Internet service providers with a streamlined service to help meet requirements for assisting government agencies with lawful interception and subpoena requests for subscriber records. Net Discovery is the premier turnkey service for provisioning, access, delivery, and collection of call information from operators to law enforcement agencies (LEAs).

Verisign does this for telephony by using (or abusing) their control of Signalling System 7., the routing network for telephony. When a wiretap request comes in, they change the SS7 routing data to route calls to/from the phone of interest to their call monitoring center, from which the call is then routed outward again. To the telephone network, this looks like call forwarding. This approach requires no additional hardware at the wireline carrier; it's done through the existing SS7 infrastructure. (Incidentally, this should increase latency, depending on how far you are from Northern Virginia. But they may have remote monitoring centers by now to cut that down.)

Verisign also offers wiretapping services for mobile phones, and cable-based VoIP.

Efforts are underway to integrate NetDiscovery capability into future Cisco routers.

Verisign takes the carrier or ISP completely out of the loop. "Authorized Government agencies" can submit their wiretapping request to Verisign, where they are "reviewed by a paralegal" and then implemented. There's no need for the carrier or ISP to even be aware of the wiretap.

So that's why there's no need for Carnivore any more.

Verisign - your full service wiretapping solution provider.

VeriSign, Inc, discovered through its routine fraud screening procedures that on 29 and 30 January 2001, it issued two digital certificates to an individual who fraudulently claimed to be a representative of Microsoft Corporation.

Problems like that, and the fact that IE prompts you to accept certificates even for ActiveX controls that do not do anything potentially unsafe which just conditions people to click "Yes" without thinking, make code-signing a dangerous placebo rather than a real solution. Quite a few spyware authors have legitimate Verisign issued certificates BTW.

I don't like Microsoft, and I think Firefox is excellent, but this guy does have a point with the code signing.

Why isn't Firefox's code signed by VeriSign? It may seem frivolus but the average user wont MD5 it until hell freezes over.

http://www.verisign.com/products-services/security -services/code-signing/digital-ids-code-signing/in dex.html
There, its $695 dollars for the premium version with a $50 000 gurantee. The Mozilla foundation can afford that. And it really would re-assure those non-tech users. It may not matter for us geeks, but it can only do good, so we might as well.

Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate.

Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NTY article (I couldnt find the exact figure though).

So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.

Of course, if Verisign had its own way it would reinstate SiteFinder meaning that technically there would be an infinite number of domain names registered.

You mean signed with one of these keys?

Maybe it's because those keys cost money, and Firefox is a free (as in beer) application.

Convenient how Microsoft's "security" makes open source Windows apps look insecure, isn't it?

Even if signing the code would be secure it doesn't help a hell of a lot if the good burgers at Verisign hand out the keys to every pimply faced teenager walking in.

This advisory describes this spectacular goof in detail. I quote:

In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.

Or you can see the Verisign (Feb 2004) release of this.

What VeriSign was originally supposed to do was manage the .com, .net & .org domain extensions. In and of itself, that isn't a monopoly service, all they had to do was make sure registrars didn't double-dip on domain addresses and things like that. It wasn't until VeriSign bought Network Solutions, however, that a conflict of interest came up. *Then* VeriSign became both the manager of the gTLDs and it's own customer.

Sorry, you're a little backwards. Network Solutions operated the Registry for .com and .net (and .org and .edu), in addition to being a registrar (in fact, the only registrar for these TLDs before five years ago) before Verisign bought them in 2000. Over the next three years, the Registry and NSI registrar were separated, and Verisign sold off the Registrar while continuing to operate the Registry themselves.

Here is a small idea - if someone can create a small "blog style" button/badge/whatever they call them. I, and maybe others, could post it on their sites or blogs and have it link to a site explaining the situation.

It might prove more useful in some ways than donating to a legal fund, since wide spread bad publicity is more harmful to tarbox, jabba the lawyer and penguin than a lawsuit - they are well equipped to defend against lawsuits but can't stifle thousands of sites telling the true story of big corp deciding to change the name of book from girl.com that could defend itself to someone they thought they could pick on.

The googlebot (and lately the MS search bot) comes by my sites daily (so do those creepy corporate image/brand monitoring bots) so if someone posts a button, I'll put it up today.

Want a whole bunch (most) registered domain names in the world? You'll need to fill out some forms and wait maybe a week (except edu), but it's worth it. Click for biz, edu, int, info, org, com, net. These files are whoppers for the most part. Perl would not read the com file under redhat 6 its' so big. I use them for my surf engine, iconsurf.com.

For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".

Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.

This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.

I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.

For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".

Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.

This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.

I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.

For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".

Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.

This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.

I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.

For example, see the TrueSite Relying Party Agreement. "The Service is provided on an as-is basis without warranties of any kind".

Even Verisign's Relying Party Agreement, while it does offer some warranties, has a complicated scheme for weaseling out of Verisign's obligation to verify the certificate holder's identity. The relying party agreement refers you to the CPS Section 11, says "Issuing authorities (and VeriSign, to the extent specified in the referenced CPS sections) warrant and promise to ... perform the application validation procedures for the indicated class of certificate as set forth in CPS Section 5, Validation of Certificate Applications." There, Verisign says "The IA shall confirm that ... the information to be listed in the certificate is accurate, except for nonverified subscriber information (NSI)." The linked definition of "nonverified subscriber information" is "Information supplied to a certification authority as part of a certificate application". So Verisign doesn't actually stand behind any of the information in their certificates.

This is much weaker than a signature guarantee by a commercial bank, where the bank guarantees to other parties that the person was properly identified. But it costs more.

I'd like to see banks belonging to Visa International and MasterCard issue digital certificates, and require that their certificates had to be on a page that accepted their credit cards. Certificates from banks would actually be worth something.

Outlook Express 6 has Sign and Encrypt checkboxes. S/MIME, 168 bit. But you need a digital ID from VeriSign ($15/yr) or another service to enable the feature.

Dude, Verizon is not VeriSign.
Cripes, why is it any time one company comes up, someone thinks we're talking about the other? Read, people, READ!

Hey, dumbass, certificates cost money. Lots of money.

Verisign Class 1 Digital ID: $14.95 per year. I'm sure with some shopping around you can find a better deal.

Or there's the "web of trust" model.

Would you really entrust your domain to a company called godaddy.com? I don't think I would. Even if the alternative had a track record of exploiting every opportunity to be evil...

Personally, I recommend register.com. I've never had a bad experience with them.

Well, the problem is a bit more difficult than that. IPSec can be used with VoIP, but it isn't particularly efficient. There are special IPSec for VoIP specifications, so the problem isn't encryption, but the lack of certificates. Public key encryption is always vulnerable to man-in-the-middle attacks, be it SSH or SSL web traffic.

I'm guessing this might hold VoIP back for a little while, but when VoIP will be deployed large-scale, we will for sure see people having personal certificates. Right now, a real non-test certificate from verisign for a company web server costs 895 $ but I could see the prices going down for personal certificates, when markets for those would start to appear.

Or then there's the Finnish model, where you can get an electronic ID just like you can get a regular ID from the government. The electronic ID is the regular plastic ID card with a smart card chip. You get two certificates from the government-operated CA. All this for the measley price of 40 euros. This would be a viable choice for private persons too.

There is also a SIM card version (a WIM card) designed that will come out in the future.

Why should each CA have the same trustworthiness value to every user? Joe could think that Verisign was the best thing since sliced bread, while Maria might want to give them a low score, and instead might want to trust CAcert.org more highly.

Furthermore, why relegate trust just to official "Certificate Authorities"? If i know that my brother will do a good job verifying identities of organizations that he deals with, why can't i choose to trust him for these tasks as well?

Once you start to distribute the responsibility for certification, you are building a web of trust, in which each entity can both certify and be certified, and the middlemen/brokers/leeches we use today as CAs would be forced to actually do identity validation or become irrelevant and useless.

Of course, this all depends on every user knowing what it means to "trust a certificate authority"...

And it depends on web site admins not just wanting the "least hassle" when it comes to getting their SSL identities signed.

Yes, indeed!

I went to add the appropriate entries to a couple of my domains, and started getting errors up the wazoo!

From RFC 1034, on allowable names:

They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less.

For more information, see Verisign's page information regarding using other characters in domain names, which includes the RFCs for their proposed encoding scheme for additional characters.

Stupid Microsoft! Their "Caller ID for Email" specification cannot even be implemented.

I don't know if it is still active, but on their (rather optimistic) PR accouncement from September of last year Verisign lists sitefinder@verisign-grs.com as an address for feedback. Back then, they said they "invite additional comments". I wonder if it still works?

All slashdotters, espeically people that were seriously affected by sitefinder, please complain NOW. Let them know how controversial it is!

Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals.... Any thoughts?

Yes, they would be mutually exclusive. If spammers can generate disposable keys, then you might as well be filtering by the from header. I've been shouting this myself lately. Verisign has a fairly in depth whitepaper on the subject. This seems to be the most obvious answer, and more likely to actually succeed than all the hash cash/taxation schemes I've heard people kicking around.

Verisign once issued a certificate to a fraudster who claimed to be Microsoft, prompting MS to issue an emergency patch for even otherwise-unsupported OSs.

If Verisign won't even bother to verify the identity of their own partner in monopoly, do you really trust them to check anyone else's?

saying that your certificate is expired or not yet valid...except that it is...you need to go here.

• Since domains can have up to 63 chars, and the encoding takes away 5 chars plu 3 chars per umlaut, the longest domain name only consisting of umlauts is 19, right? And registrars will have the tedious task to explain to every customer that the length of their domain name is no longer fixed, right?
• I have a basic understanding of entering a domain name and what happens after it. But will this work with every OS and browser out of the box?
• Since there are two ways of writing those domain names, which layer should do the transcoding?
  • If it is the application layer, how are hyperlinks supposed to work with not-yet-upgraded browsers?
  • If it is the display layer (links are always used in their complicated form unless the end user sees them - I know this is no real network layer but bear with me), should we create hyperlinks to the complicated form?
• So far, I've only heard marketing talk about "how cool this is", but is really ensure that absolutely nothing is broken? Because I've tried out Verisigns extended charset examples and not a single one of the provided links worked on my machine. Can anybody tell me if it worked for them? Thanks!

I'm asking because today, I've tried out the Netsol way of doing umlauts and they don't work at all with my Mac OS X and Safari: None of the listed domains work. The page lists a "plugin" that every web user is supposed to install, but it's Win only (of course...) and it's quite silly to have a domain with umlauts if you have to tell all your customers "before visiting me, please install this plugin"...

Any idea if this new way work in all circumstances where the user has a international keyboard? Thanks!

I'm asking because today, I've tried out the Netsol way of doing umlauts and they don't work at all with my Mac OS X and Safari: None of the listed domains work. The page lists a "plugin" that every web user is supposed to install, but it's Win only (of course...) and it's quite silly to have a domain with umlauts if you have to tell all your customers "before visiting me, please install this plugin"...

Any idea if this new way work in all circumstances where the user has a international keyboard? Thanks!

Verisign also handles wiretapping. If your phone is being wiretapped, Verisign reroutes all your calls (in and out) to a wiretapping center by altering the routing database. From the wiretapping center, the call is then routed to the destination. This allows both interception and, potentially, man-in-the-middle crypto attacks.

Verisign also handles wiretapping. If your phone is being wiretapped, Verisign reroutes all your calls (in and out) to a wiretapping center by altering the routing database. From the wiretapping center, the call is then routed to the destination. This allows both interception and, potentially, man-in-the-middle crypto attacks.

I have my important domains at directnic.com which provides amazing 24/7 trouble-ticket based support. I don't even think the somewhat less tech savvy the, yet ultra cheap godaddy.com would try this.

2003-10-16 20:49:36 Verisign To Sell Network Solutions (articles,news) (rejected)

Not sure why Slashdot doesn't think this is newsworthy, but Pivotal Private Equity is buying Network Solutions from Verisign for $100 million. Pivotal Private Equity is a subsidiary of Pivotal Group, Inc., an investment company based in Phoenix AZ that is primarily focused on real estate (hotels, office buildings, etc.); clearly domain registrations have nothing to do with their business and they are purely interested in making money (not that there's anything wrong with that).

Verisign's press release is here.

I find it odd that no one has been discussing the Sitefinder TOS. Specifically, paragraph 6, which states:
6. Modification by VeriSign.
At any time VeriSign may modify or terminate these terms of use, its websites and the VeriSign Services and may at any time discontinue your use of the VeriSign Services without any notice to you, and without liability to you, any other user or any third party. Please review these Terms of Use from time to time so that you will be aware of any changes. Your continued use of the VeriSign Services constitutes your agreement to all such terms, conditions, and notices.

So I can be found to a "Terms of Use" agreement simply by mistyping a domain name? How is this legal? And are there any situations where a user could be caught in violation of this "agreement"?

here and here

Verisign is pulling out of the Registrar (not Registry!) business

http://www.verisign.com/corporate/news/2003/pr_200 31016.html

I doubt that they could enforce their T&Cs on me, since I'm not based in the US, but I personally dislike the idea that I can be obliged to accept a contract just by making a typing error. Further, I really dislike being told that I'm not able to refuse to accept this contract; if I don't like the T&Cs, I should be able to stop using the service.

...that Verisign is selling off Network Solutions. Sitefinder becomes, then, an abuse of network infrastructure to prop up, based on who's buying the company, a troubled business. Shame on that.

In their press release about their "survey"... they provide a comment from a user about how 404's are a pain.

Agreed, 404's are a pain... but the site finder service did absolutely nothing to prevent them or to help the user when they happened.

Your characterization of that patch is incorrect. It blocks A RRs which contain a specifc IPv4 address. This is not what the BIND patch does, it's far more general.

How it goes about doing what it does, I think, is a minor point. For purposes of blocking sitefinder.verisign.com's IP address in response to a DNS lookup of some other domain, it gets the job done without affecting other lookups. (You can punch in http://sitefinder.verisign.com/ and still go there, if that's what you want to do. It's only a lookup of something like http://dfsdshsdfsdfadfasdfs.fdjsdfajhfsdajhsdfajks dfjka.com/ that will fail, as it should.)

Could it be that Verisign's Site Finder service is giving problems to the Google search engine?

Here's How:
Google indexes a page with a link to a non existant domain that expired last month. SiteFinder redirects the google spider to another, unrelated page. It gets indexed as being related to the initial page. The end result is the google index gets very messed up.

============
-Do Justly, Love Mercy, Walk Humbly with your God!

Could it be that Verisign's Site Finder service is giving problems to the Google search engine?

Here's How:
Google indexes a page with a link to a non existant domain that expired last month. SiteFinder redirects the google spider to another, unrelated page. It gets indexed as being related to the initial page. The end result is the google index gets very messed up.

============
-Do Justly, Love Mercy, Walk Humbly with your God!

On the surface this sounds like a good idea. OTOH it has that lowest-common-denominator factor to it that gives me hives. Call me old fashioned, but I don't buy the idea that everything online should idiot proof. Should we really break stuff to keep the PEBKAC crowd happy?

(Links below if you want to find out more about Site Finder.)

Press release at http://www.verisign.com/corporate/news/2003/pr_200 30923.html
Site Finder Frequently Asked Questions
And Verisign's Site Finder news page

mizzy

On the surface this sounds like a good idea. OTOH it has that lowest-common-denominator factor to it that gives me hives. Call me old fashioned, but I don't buy the idea that everything online should idiot proof. Should we really break stuff to keep the PEBKAC crowd happy?

(Links below if you want to find out more about Site Finder.)

Press release at http://www.verisign.com/corporate/news/2003/pr_200 30923.html
Site Finder Frequently Asked Questions
And Verisign's Site Finder news page

mizzy

On the surface this sounds like a good idea. OTOH it has that lowest-common-denominator factor to it that gives me hives. Call me old fashioned, but I don't buy the idea that everything online should idiot proof. Should we really break stuff to keep the PEBKAC crowd happy?

(Links below if you want to find out more about Site Finder.)

Press release at http://www.verisign.com/corporate/news/2003/pr_200 30923.html
Site Finder Frequently Asked Questions
And Verisign's Site Finder news page

mizzy

I personally prefer this search which comes right back to slashdot, heh :)

http://sitefinder.verisign.com/lpc?url=ahuas8h4w39 8u2t.com&host=microsoft.com

Sol currently has no president. If you would like to lay claim to this solar system, click here.