SiteFinder: the Verisign Slides

Steve Loughran writes "It's been pretty quiet in public on the SiteFinder front, but it does not mean that VeriSign are accepting defeat. On October 15, the ICANN Security and Stability committee met to discuss it, as can be seen from the long transcript. The new item from this is a VeriSign review of Site Finder, which is very interesting." Loughran further analyzes the Verisign presentation, below.

Some key points:

1. English-only responses only merits a 'moderate' response. I am sure the rest of the world thinks their language is only 'moderately' important.
2. A lot of problems are viewed as minor, fixable with 'user education' or 'application patch'. I wonder if DNS patches were the application VeriSign expected us to patch?
3. Apparently most spam doesnt forge sender domains; only 3-5%. So checking domain validity doesn't help much as an effective spam filter. A SpamAssassin representative commented that there are so few invalid domains in their corpus is that they get filtered earlier, so this data may be bogus.
4. An acknowledged troublespot could be automated HTTP programs getting confused by the new responses, but they hadn't heard of that, and using HTTP over port 80 in this way by automated tool is discouraged according to BCP 56 .
5. User studies liked it, but since the core finding was "there's more functionality than you get with a 404 so it's helpful for me", the study may have been flawed. Site Finder did nothing for 404 pages, only for unknown hosts.
6. Most of the problems with services such as SMTP relate to misconfigured systems, and these did not show up with the small scale tests VeriSign tried.

After the presentation, the transcript shows some good feedback from the audience -ripping into the end user survey, for example, and trying to understand the relationship with other registrars. It is notable that the only two user groups considered are (a) registrars and (b) end users. The wants and needs of people who implement networked applications or support them are neglected because we are seemingly invisible.

I myself am most offended by the "we shouldn't be automating access over port 80" comment. Hello? VeriSign? What do you think Web Services are?

While Site Finder was up, I tested how SOAP stacks handled misconfigured addresses: the results are published on xml.com. Both SOAP stacks tested choked on the 302 response, giving errors to the clients that are nowhere near user intelligible. So VeriSign are making things harder, despite their apparent obliviousness or denials. I shall be sharing my data with VeriSign, and encourage anyone else to do the same."

Re:Slashdot posting links to PowerPoint docs?

[pmsyyz]

Yeah, they should have exported it to SVG using OpenOffice.org.

Here is the google html cache of it.

PDF of PowerPoint presentation

PDF available here.

(posting anonymous - just say no to karma whoring)

Putting too much trust into them?

[nologin]

I am sure that a lot of people will like Verisign's comments about handling traffic other than http.

Instead of returning a host not found, we will return another type of error (TCP reset for example) to the client application.

I know that some computer users know nothing about DNS, IP addresses, etc. But, who is there to say for sure that something will send a TCP reset? What if someone were to change it to now accept mail (using SMTP as an example)?

While it most likely won't happen, I can't trust these folks further than they can throw the person responsible for false renewal notices. I think the Verisign marketing departement takes the cake by coming up with the most destructive ideas to boost their bottom line.