Slashdot Mirror


VeriSign Looks At Earning Money on Domain Typos

Harald Paulsen writes "In a recent article Computer Business Review uncovers how VeriSign Inc is testing a service that would return a webpage if a user mistypes a URL. Basically all nonexistent domain queries could return an IP address and if the user was trying to access a page with a web browser they could get redirected to a search engine, or worse: a page asking them to buy a domain. This is most certainly breaking the DNS standard and could be compared to cybersquatting (Hey Ford, want to have a banner ad whenever someone mistypes Toyota?). This is interesting in relation to an earlier story about register.com and holding-pages."

12 of 288 comments

  1. Typical Verisign/Network Solutions crap... by LinuxMan · · Score: 5, Interesting

    So not only do they spam us, reserve weird rights to our domain names, and cybersquat, but now they are doing this. It is really too bad there is not some kind of ICANN policy against this type of thing... Then again, ICANN is made up of a bunch of organizations like them anyway, so the whole thing is corrupt.

    Code and Other Laws of Cyberspace

    1. Re:Typical Verisign/Network Solutions crap... by Lehk228 · · Score: 5, Interesting

      Want to know a secret? The only reason ICANN and Verisign have any control is that people agree to use them as the basis for DNS. Anyone who wants to could set up a network of DNS servers with names identical to those that exist on existing DNS servers that point to totally different websites, and there would be nothing illegal about that.

      --
      Snowden and Manning are heroes.
  2. If they wanted to be heroes... by Atario · · Score: 4, Interesting

    ...they'd create a service that sends you to the page you wanted when you mistype the name. Instead, they're out for a fast buck that annoys us. Feh.

    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
  3. Statistics on mistyping of "slashdot " by prakslash · · Score: 5, Interesting

    http://slsahdot.org

  4. Re:You can't cybersquat.... by dhwebb · · Score: 5, Interesting

    The issue is that all unused domains come to a Verisign ad, basically. What about the other registrars that you could register through? This seems like a misuse of power.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
  5. And people trust Verisign? by Edgewize · · Score: 5, Interesting

    "Paxfire's Sullivan said his company's service is set up so that only web traffic returns an IP address. Domain queries for non-web applications such as email or FTP are dropped or return error messages, he said."

    Bullshit. He's lying or clueless, or both. It's not like DNS requests have a flag saying "I'm sending this query for a web page!" My take? They're lying to hide the side-effects of this blatant violation of internet standards from the general public.
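An added illustration of the point about query contents (not part of the comment above, and not Paxfire's or VeriSign's code): it encodes and decodes a DNS query in RFC 1035 wire format to show which fields a server actually receives. The host name and transaction ID are constructed.

```python
import struct

QTYPES = {1: "A", 2: "NS", 15: "MX"}  # subset of RFC 1035 record types

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query for `name` (class IN)."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(part)]) + part.encode("ascii")
                     for part in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(msg: bytes) -> dict:
    """Decode every field of a one-question query; nothing else is on the wire."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    labels, pos = [], 12
    while msg[pos]:                      # length-prefixed labels, 0 terminates
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"id": txid, "opcode": (flags >> 11) & 0xF, "rd": bool(flags & 0x0100),
            "counts": (qd, an, ns, ar), "qname": ".".join(labels),
            "qtype": QTYPES.get(qtype, qtype), "qclass": qclass,
            "unparsed_bytes": len(msg) - (pos + 5)}

def differing_fields(q1: bytes, q2: bytes) -> list:
    """Names of the fields in which two queries differ."""
    p1, p2 = parse_query(q1), parse_query(q2)
    return sorted(k for k in p1 if p1[k] != p2[k])

# Constructed lookups for one mistyped name, as different clients would send them.
WEB = build_query("mistyped-name.example")             # browser resolving the host
FTP = build_query("mistyped-name.example")             # FTP client, same host
MAIL = build_query("mistyped-name.example", qtype=15)  # mail server asking for MX

if __name__ == "__main__":
    print(parse_query(WEB))
    print("web vs ftp :", differing_fields(WEB, FTP))
    print("web vs mail:", differing_fields(WEB, MAIL))
```

The only fields a server could use to guess the application are the record type and the name itself; an address lookup from a browser and one from an FTP client decode to the same fields.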

  6. This is already done by Anonymous Coward · · Score: 5, Interesting

    Tell me how this is different from IE giving you a "Domain not found" page when you mistype a URL, complete with Microsoft search engine, suggested related domains, and an offer to buy the nonexistent domain name?

    I've always hated that, especially because it lets MS log every single incorrect URL typed.

  7. Precedent? by DarkBlackFox · · Score: 5, Interesting

    If precedent is already set as per online advertising through a competitor (think Gator, where it was deemed legal to show pop-ups of a competing company when visiting certain sites, or sites with certain keywords), how would something like this hold up, where it is the user's fault for mis-spelling the intended domain?

    If it's legal to pop up competing websites without consent, then surely it's legal to redirect to a competing website when there is indirect consent (e.g. the user types in the erroneous address).

    Not that it's a desirable thing, just based on past precedent it seems the direction the legal system is heading.

    I just thank my lucky stars I don't get redirected to some obscure/spyware infested search engine when I misspell slashdot- just a simple page informing me I've misspelled it, with a convenient number of how many others are afflicted with the same travesty.

  8. more IPs, less domains... by illumina+us · · Score: 5, Interesting

    With IPv6 on the verge of being implemented, how will this affect domain names? There will be a plethora of IPs but less and less usable domain names to bind to. Unless of course people want to start using stuff like y4h00.com! or 47t4v15t4.com; registering unused domains for commercial purposes is a detriment to the world wide web, and also forces developing groups to use awkward domain names.

    --
    -illumina+us "I put on my robe and wizard hat..."
  9. Microsoft could do this already by Krellan · · Score: 5, Interesting

    From the client side, Microsoft is already collecting every mistyped URL and substituting their own search engine!

    In MSIE, a hostname that is not found will be sent to Microsoft. A page will be auto-generated, containing links to similar hostnames, and the Microsoft MSN search engine.

    Microsoft is already receiving this information. I'm sure that there is a high commercial value in knowing the exact data on which domains are mistyped the most often! I would be surprised if Microsoft doesn't use this information internally, or resell it to the highest bidder.

    Since MSIE is 90% of the installed browser base, I would be very surprised if server-side information on mistyped domains (as Verisign is logging) is very different from client-side information. The client-side information might even be more accurate, due to intermediary DNS servers doing caching of negative results!

    Does anybody know for sure what Microsoft is doing with their large database of mistyped domains?

  10. Who ordered a sub? by yerricde · · Score: 5, Interesting

    From the perspective of a DNS server or client, what's the difference between a subdomain and a domain? Isn't "slashdot.org" a subdomain of "org"?

    These are subdomains: sub 1 sub 2 sub 3

    --
    Will I retire or break 10K?
  11. how to defeat this by wotevah · · Score: 4, Interesting

    I am sure we will find a way to defeat this "improvement". Possible options include (with the caveat that they might find another way to do this):

    • Have the browser (or proxy, for unfriendly browsers) pair a "www.domain.com A" lookup with a "domain.com NS" (expecting the NS query to return NXDOMAIN)
      • If the NS query does not fail and returns something, we can check that the domain nameserver's address is NOT owned by a Verisign or affiliated company (using black lists if we must, since this is not the kind of setup that is easy to change). I am expecting them to use a different set of nameservers for this than the roots (because the roots are critical infrastructure and the others are not, and also because these fake nameservers will be a different type of setup, database, management and all), so it should be fairly easy to catch. This might also cause the temporary domain pages to become unreachable, I am sure no one will miss them. I don't know how we would handle people who use redirects with them though.
      • If the NS record looks suspicious (such as if it has the same TTL as the www record, or some other indicator that suggests it has been returned and cached from the previous www.domain.com query) force a direct query to the root servers to make sure. This might cause unnecessary load on them but hey they are asking for it.
      • Variations of the above such as trying to query the SOA and MX records on the domain and check them against the www record.
    • Do whois on the domain (slow).
    • Do not use Verisign's root servers. The zone files for .com and .net are available. (requires significant resources, but I am sure someone out there, such as larger ISPs, will do this)
    • Use Bayesian filtering on the web pages to make the browser learn of the pages you do not want to see and the ones you do. This can probably work for a lot of other things too. Distribute a pre-taught package that is able to discriminate the Verisign and other annoying content. Even better, have proxy modules for squid and the like that can enable the proxy to participate in the filtering.

    I'm sure there are a lot more possibilities. Oooh let them try and do this.
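The paired-lookup check from comment 11, written out as an added example (not part of the original comment). The `Answer` type, the verdict names and the blocklist range are assumptions made for the illustration, and the sample responses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NOERROR, NXDOMAIN = 0, 3  # DNS RCODE values from RFC 1035

@dataclass
class Answer:
    """Hypothetical stand-in for one resolver response."""
    rcode: int
    ttl: int = 0
    addrs: list = field(default_factory=list)  # A data, or NS host addresses

# Assumed blocklist of networks hosting the redirect service. 192.0.2.0/24 is
# a documentation range (RFC 5737), used here as a placeholder.
REDIRECT_NETS = [ip_network("192.0.2.0/24")]

def classify(a: Answer, ns: Answer, blocklist=REDIRECT_NETS) -> str:
    """Judge the A answer for www.<domain> using the NS answer for <domain>."""
    if a.rcode == NXDOMAIN or not a.addrs:
        return "nonexistent"   # honest negative answer
    # A wildcard A record has no NS data to give, so the NS lookup comes back
    # NXDOMAIN or NOERROR with no records; either way nothing is delegated.
    if ns.rcode == NXDOMAIN or not ns.addrs:
        return "synthesized"
    if any(ip_address(x) in net for x in ns.addrs for net in blocklist):
        return "synthesized"   # delegation points into the redirect service
    if ns.ttl == a.ttl:
        return "recheck"       # possibly one cached reply: query upstream directly
    return "delegated"

# Constructed sample responses: (A for www.<domain>, NS for <domain>).
SAMPLES = {
    "typo, honest registry": (Answer(NXDOMAIN), Answer(NXDOMAIN)),
    "typo, wildcarded A": (Answer(NOERROR, 900, ["192.0.2.10"]), Answer(NXDOMAIN)),
    "typo, wildcard NODATA": (Answer(NOERROR, 900, ["192.0.2.10"]), Answer(NOERROR)),
    "fake nameservers": (Answer(NOERROR, 900, ["198.51.100.7"]),
                         Answer(NOERROR, 86400, ["192.0.2.53"])),
    "matching TTLs": (Answer(NOERROR, 900, ["198.51.100.7"]),
                      Answer(NOERROR, 900, ["203.0.113.53"])),
    "real domain": (Answer(NOERROR, 300, ["198.51.100.7"]),
                    Answer(NOERROR, 172800, ["203.0.113.53"])),
}

def run_samples() -> dict:
    return {name: classify(a, ns) for name, (a, ns) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24} -> {verdict}")
```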