SiteFinder: the Verisign Slides

← Back to Stories (view on slashdot.org)

SiteFinder: the Verisign Slides

Posted by timothy on Wednesday October 29, 2003 @03:54AM from the what-they're-up-to dept.

Steve Loughran writes "It's been pretty quiet in public on the SiteFinder front, but it does not mean that VeriSign are accepting defeat. On October 15, the ICANN Security and Stability committee met to discuss it, as can be seen from the long transcript. The new item from this is a VeriSign review of Site Finder, which is very interesting." Loughran further analyzes the Verisign presentation, below.

Some key points:

English-only responses only merits a 'moderate' response. I am sure the rest of the world thinks their language is only 'moderately' important.
A lot of problems are viewed as minor, fixable with 'user education' or 'application patch'. I wonder if DNS patches were the application VeriSign expected us to patch?
Apparently most spam doesnt forge sender domains; only 3-5%. So checking domain validity doesn't help much as an effective spam filter. A SpamAssassin representative commented that there are so few invalid domains in their corpus is that they get filtered earlier, so this data may be bogus.
An acknowledged troublespot could be automated HTTP programs getting confused by the new responses, but they hadn't heard of that, and using HTTP over port 80 in this way by automated tool is discouraged according to BCP 56 .
User studies liked it, but since the core finding was "there's more functionality than you get with a 404 so it's helpful for me", the study may have been flawed. Site Finder did nothing for 404 pages, only for unknown hosts.
Most of the problems with services such as SMTP relate to misconfigured systems, and these did not show up with the small scale tests VeriSign tried.

After the presentation, the transcript shows some good feedback from the audience -ripping into the end user survey, for example, and trying to understand the relationship with other registrars. It is notable that the only two user groups considered are (a) registrars and (b) end users. The wants and needs of people who implement networked applications or support them are neglected because we are seemingly invisible.

I myself am most offended by the "we shouldn't be automating access over port 80" comment. Hello? VeriSign? What do you think Web Services are?

While Site Finder was up, I tested how SOAP stacks handled misconfigured addresses: the results are published on xml.com. Both SOAP stacks tested choked on the 302 response, giving errors to the clients that are nowhere near user intelligible. So VeriSign are making things harder, despite their apparent obliviousness or denials. I shall be sharing my data with VeriSign, and encourage anyone else to do the same."

23 comments

Min score:

Reason:

Sort:

this is a subject. fp. by Anonymous Coward · 2003-10-29 03:57 · Score: 0

WE can
YOU can
ICANN
Slashdot posting links to PowerPoint docs? by 0x0d0a · 2003-10-29 03:59 · Score: 1

Darn it, *what* am I going to do with a PowerPoint document? Can someone please post a conversion (possibly PDF?)

I wish Slashdot would make a policy against .doc, .ppt, .xls, and finally officially ban NYT links (every other site that requires registration *except* NYT is specifically disallowed).

--
May we never see th
1. Re:Slashdot posting links to PowerPoint docs? by pmsyyz · 2003-10-29 04:02 · Score: 3, Informative
  
  Yeah, they should have exported it to SVG using OpenOffice.org.
  
  Here is the google html cache of it.
  
  --
  Phillip
2. Re:Slashdot posting links to PowerPoint docs? by dreamchaser · 2003-10-29 07:40 · Score: 1
  
  Well if you run Windows, you can download a viewer for free from Microsoft. On *nix, you can use OpenOffice. I don't see what your problem is...
3. Re:Slashdot posting links to PowerPoint docs? by 0x0d0a · 2003-10-29 16:10 · Score: 1
  
  Thank you.
  
  --
  May we never see th
Another good reason by 0x0d0a · 2003-10-29 04:05 · Score: 1

If folks want more reason to eliminate links to Microsoft's document formats other than the obvious reasons, how about this: Slashdot is a place where more people than any other are aware of macro viruses and the nasty disease vector produced by these formats (which are designed for *internal use only*, not distribution -- that's what PDF is for).

I mean, can you imagine the impact if a link to a virus-infected macro Word document was posted on Slashdot's main page. :-( Not good. Slashdot generally doesn't link to executables from oddball sources ("Here's a neat .exe I got from someone on IRC that claims to exhibit the problem my story is about!"), and that should really be extended to formats that can contain executable data.

--
May we never see th
1. Re:Another good reason by pmsyyz · 2003-10-29 04:28 · Score: 1
  
  Freedom will not be published in PDF format.
  
  --
  Phillip
2. Re:Another good reason by steve_l · 2003-10-29 09:06 · Score: 1
  
  Ok. I submitted , I could have cached a PDF or SVG copy somewhere, but not my home server as it would have died. Apache.org maybe.
  
  I use openoffice.org myself, so could handle the formats, and am reasonably immune from the problem.
  
  Next time I submit I will identify PDF and SVG copies of the docs.
  
  The transcript is in plain ascii, and very well transcribed. Its nice to see ICANN holding some meetings in public, along with a SpamAssassin rep joining in with some good comments.
3. Re:Another good reason by 0x0d0a · 2003-10-29 16:13 · Score: 1
  
  Why?
  
  --
  May we never see th
Web Bugs are okay - Verisign.. by Oddly_Drac · 2003-10-29 04:22 · Score: 3, Insightful

"Jim Galvin: that's okay. One is the -- he's going to fix them for me.

Somebody asked, as follow-up question that Verisign did we correctly hear them say that they're not collecting any personal data of course and they said that multiple times that's a clear statement. However can you comment on the presence of the web bug in the SiteFinder webpage?

Scott Hollenbeck: the web bug exists. That was asked at our last session of we have plans to cut back on the information that's being passed from via -- the web bug to the URL. We have one of our development managers, Joel Nylund, if you wanted to say anything more about that.

Joel Nylund: other than we're passing the whole URL we plan to (inaudible).

Scott Hollenbeck: he said what I said. it's going to be changed to pass back only the minimal information.

Steve Crocker: is there an opt-out mechanism?

Ben Turner: the way we do the web bug is compliant with the standards that exist. It is a typical implementation for this type of bug.

Steve Crocker: I'm speechless. "

He's not the only one. For one thing there are privacy implications _outside_ the US.

--
Oddly Draconis
Too cynical to live, too stubborn to die.
PDF of PowerPoint presentation by Anonymous Coward · 2003-10-29 05:00 · Score: 2, Informative

PDF available here.

(posting anonymous - just say no to karma whoring)
Oh, I *LOVE* this one... by Anonymous Coward · 2003-10-29 05:29 · Score: 0

Issue: Mistyped domain name in multiple command-line applications (ftp, telnet, etc.)
Behaviour Before SiteFinder: "host not found" error message.
Behaviour After SiteFinder: Different error message (TCP reset or ICMP port unreachable) or timeout depending on the application and the user interface
Judgment of Change: A change in expected behaviour.
Suggested Remedy if Applicable: User education

User education? What the hell type of user education are they expecting here? "Well Johnny, before when you got that TCP error you knew that what happened was that the service wasn't available on that host. Now you're going to have to check to make sure you really are accessing the correct host before making that assumption."

Verisign, there's plenty of offence intended in this next statement, so I sure hope you understand it: Fuck you.
1. Re:Oh, I *LOVE* this one... by steve_l · 2003-10-29 08:54 · Score: 1
  
  yeah, it upset me no end too.
  
  Maybe verisign are planning on doing the education. I can image 30 second TV ads where a third tier movie star explains that 'sometimes, "connection refused" means "unknown host". But I cannot image verisign paying for it.
SiteFinder PPT by bbtom · 2003-10-29 05:31 · Score: 1

in a human readable (Google HTML translation) here

--
catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
Putting too much trust into them? by nologin · 2003-10-29 06:28 · Score: 2, Informative

I am sure that a lot of people will like Verisign's comments about handling traffic other than http.
Instead of returning a host not found, we will return another type of error (TCP reset for example) to the client application.
I know that some computer users know nothing about DNS, IP addresses, etc. But, who is there to say for sure that something will send a TCP reset? What if someone were to change it to now accept mail (using SMTP as an example)?
While it most likely won't happen, I can't trust these folks further than they can throw the person responsible for false renewal notices. I think the Verisign marketing departement takes the cake by coming up with the most destructive ideas to boost their bottom line.
1. Re:Putting too much trust into them? by steve_l · 2003-10-29 09:09 · Score: 2, Insightful
  
  That is a good point. They have already changed HTTP behaviour. If you write some hot new HTTP successor app, how long before they decide to answer failed lookups with their marketing front end, rather than valid data.
  
  What if they started to reply to senders with suggestions for valid email addresses, maybe with adverts for ink cartridges at the bottom.
  
  What if they cached all to and from addresses to add them to their list of 'consenting' users.
  
  Verisigns perspective was if it is technically feasible, they are prepared to do it.
2. Re:Putting too much trust into them? by krist0 · 2003-10-29 10:24 · Score: 1
  
  it just goes to show how moronic they are, i mean, its pretty simple, if the host cannot be found, then the program should be told, not something like a tcp reset. where they not parroting on about caring about standards or something....
  
  verisign blow. All this extra work for people just cause they want to make the sleazy buck, bastards.
  
  --
  all you are, is all you are, i'm so sorry for you.
Verisign's view on potential issues: by CowboyMeal · 2003-10-29 08:24 · Score: 1

From the article:

Issues more likely to occur with at least moderate impact & how addressed:

English-only web page
can be addressed by service operator

End-user error reporting
software update required

Spam filtering
filter update required

Automated HTTP tools
software update required

Resolvers with non-DNS fallback
software update required

Using DNS to check domain availability for registration purposes
software update required

Email delivery
most issues can be addressed by service operator

In other words, "Not our problem."

--
Your credit card information wants to be free.
1. Re:Verisign's view on potential issues: by steve_l · 2003-10-29 09:00 · Score: 2, Interesting
  
  Yes, it would be funny if it wasnt true. In exchange for the search revenue they are prepared to break everything.
  
  Only one person in the transcript (read it, if you havent), asked 'what about the app developers -dont you have an implicit contract not to return wildcards', and Verisign replied "we only care about the standards", meaning no.
  
  So the people who write the apps that make DNS lookups dont get consulted, dont get listened to, just get given extra work.
  
  Yet if hadnt been for the app developers, the DNS business would be nothing. They should recognise that we dont need to use DNS, and if they try hard we can use alternate directory mechanisms: DOI, google, UDDI, IM directories even napster usernames are alternatives.
'Appropriate Action...' by TALlama · 2003-10-29 11:54 · Score: 1

Future applications: applications could check for a wildcard A record, detect synthesized data in a response and take appropriate action...

Anyone know of any good (preferably Open-Source) burn-down-Verisign's-headquarters software? I'm interested in embedding it in all my future applications.

--
- The Amazina Llama
1. Re:'Appropriate Action...' by Shakrai · 2003-10-29 16:03 · Score: 1
  
  Anyone know of any good (preferably Open-Source) burn-down-Verisign's-headquarters software? I'm interested in embedding it in all my future applications.
  What happens when you write one and they decide to change the fundamental behavior of the Internet without telling anyone? BAM your program doesn't work anymore!
  See, they still win!
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
DDoS sitefinder.verisign.com by yerricde · 2003-10-29 17:04 · Score: 1

Anyone know of any good (preferably Open-Source) burn-down-Verisign's-headquarters software?

Use a scriptable HTTP client, such as Wget or Curl, to bombard http://sitefinder.verisign.com:80/ with valid requests. I wrote a short C program (no, I haven't had time to sit down with the llama book to learn Perl, and I needed a test case for my safe string library anyway) that does just this.

--
Will I retire or break 10K?
Verisign's totally objective surveys by oatleyd · 2003-11-03 06:05 · Score: 1

Another point to take away from the transcript is that Verisign was unwilling to show anybody the text of the surveys they paid to have conducted. The Eschalot claims to have "copies" of the surveys (http://www.theeschalot.com/verisign-survey-text.h tml), and I have to guess that isn't too far from right.
It only stands to reason that if you want to claim everybody loves your new service, and if everybody doesn't, you ought to have to show some legitimate reason for claiming they do.
'course, being a monopoly and all, well, I imagine they couldn't really care less...