Slashdot Mirror


SiteFinder: the Verisign Slides

Steve Loughran writes "It's been pretty quiet in public on the SiteFinder front, but it does not mean that VeriSign are accepting defeat. On October 15, the ICANN Security and Stability committee met to discuss it, as can be seen from the long transcript. The new item from this is a VeriSign review of Site Finder, which is very interesting." Loughran further analyzes the Verisign presentation, below.

Some key points:

  1. English-only responses only merits a 'moderate' response. I am sure the rest of the world thinks their language is only 'moderately' important.
  2. A lot of problems are viewed as minor, fixable with 'user education' or 'application patch'. I wonder if DNS patches were the application VeriSign expected us to patch?
  3. Apparently most spam doesn't forge sender domains; only 3-5%. So checking domain validity doesn't help much as an effective spam filter. A SpamAssassin representative commented that the reason there are so few invalid domains in their corpus is that they get filtered earlier, so this data may be bogus.
  4. An acknowledged trouble spot could be automated HTTP programs getting confused by the new responses, but they hadn't heard of that, and using HTTP over port 80 in this way by automated tools is discouraged according to BCP 56.
  5. User studies liked it, but since the core finding was "there's more functionality than you get with a 404 so it's helpful for me", the study may have been flawed. Site Finder did nothing for 404 pages, only for unknown hosts.
  6. Most of the problems with services such as SMTP relate to misconfigured systems, and these did not show up with the small scale tests VeriSign tried.
After the presentation, the transcript shows some good feedback from the audience - ripping into the end user survey, for example, and trying to understand the relationship with other registrars. It is notable that the only two user groups considered are (a) registrars and (b) end users. The wants and needs of people who implement networked applications or support them are neglected because we are seemingly invisible.

I myself am most offended by the "we shouldn't be automating access over port 80" comment. Hello? VeriSign? What do you think Web Services are?

While Site Finder was up, I tested how SOAP stacks handled misconfigured addresses: the results are published on xml.com. Both SOAP stacks tested choked on the 302 response, giving errors to the clients that are nowhere near user intelligible. So VeriSign are making things harder, despite their apparent obliviousness or denials. I shall be sharing my data with VeriSign, and encourage anyone else to do the same."
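The submission's two technical complaints share one root cause: a registry-level wildcard turns NXDOMAIN into a real A record, so an NXDOMAIN-based spam check (point 3) and an HTTP or SOAP client expecting a connection failure both get a misleading "success". The usual defensive check is to resolve a random, unregistered sibling name under the same TLD and treat any answer equal to that wildcard address as "does not resolve". The code below is an added example written for this page; it is not Loughran's test harness, VeriSign's code, or SpamAssassin's. The resolver answers, the zone contents, the function names and the wildcard address (an RFC 5737 documentation address standing in, since the page gives no sinkhole IP) are all constructed assumptions; `system_lookup` shows how the same check would be wired to the real resolver.

```python
import random
import socket
import string
from typing import Callable, Dict, Optional

Lookup = Callable[[str], Optional[str]]

# Constructed placeholder for a registry wildcard address (RFC 5737 documentation range).
WILDCARD_IP = "192.0.2.1"

# Constructed sample zone: names that "really" exist and their addresses.
SAMPLE_ZONE: Dict[str, str] = {
    "example.com": "192.0.2.10",
    "mail.example.org": "192.0.2.20",
}


def fake_lookup(name: str) -> Optional[str]:
    """Constructed resolver mimicking a wildcarded .com/.net: registered names
    answer normally, any other .com/.net name answers with the wildcard address,
    and everything else gets an honest NXDOMAIN (None)."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    if name.endswith((".com", ".net")):
        return WILDCARD_IP
    return None


def system_lookup(name: str) -> Optional[str]:
    """Real-resolver variant of the same interface (not used by the offline test)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_label(length: int = 20) -> str:
    """A label long and random enough that it is effectively never registered."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def wildcard_address(tld: str, lookup: Lookup, probes: int = 2) -> Optional[str]:
    """Probe the TLD with random names. If every probe resolves to the same
    address, that address is the TLD's wildcard; None means no wildcard."""
    answers = {lookup(f"{random_label()}.{tld}") for _ in range(probes)}
    if len(answers) == 1:
        return answers.pop()  # either the wildcard IP or None (real NXDOMAIN)
    return None


def domain_resolves(domain: str, lookup: Lookup = fake_lookup) -> bool:
    """Wildcard-aware existence check: an answer equal to the TLD's wildcard
    address is treated as 'does not exist', which is what an NXDOMAIN-based
    spam filter or an HTTP client actually wanted to know."""
    addr = lookup(domain)
    if addr is None:
        return False
    tld = domain.rsplit(".", 1)[-1]
    return addr != wildcard_address(tld, lookup)


if __name__ == "__main__":
    for name in ("example.com", "nosuchdomain-zzz.com", "nosuchdomain-zzz.org"):
        print(name, "->", domain_resolves(name))
```

Against the constructed resolver, `nosuchdomain-zzz.com` returns the wildcard address yet is reported as not resolving, while `nosuchdomain-zzz.org` (no wildcard) fails the plain lookup. Swapping `lookup=system_lookup` runs the same logic against the live resolver; the probe should be repeated per TLD rather than per query in production, since each probe is an extra DNS round trip.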

2 of 23 comments

  1. Web Bugs are okay - Verisign.. by Oddly_Drac · Score: 3, Insightful
    "Jim Galvin: that's okay. One is the -- he's going to fix them for me.

    Somebody asked, as follow-up question that Verisign did we correctly hear them say that they're not collecting any personal data of course and they said that multiple times that's a clear statement. However can you comment on the presence of the web bug in the SiteFinder webpage?

    Scott Hollenbeck: the web bug exists. That was asked at our last session of we have plans to cut back on the information that's being passed from via -- the web bug to the URL. We have one of our development managers, Joel Nylund, if you wanted to say anything more about that.

    Joel Nylund: other than we're passing the whole URL we plan to (inaudible).

    Scott Hollenbeck: he said what I said. it's going to be changed to pass back only the minimal information.

    Steve Crocker: is there an opt-out mechanism?

    Ben Turner: the way we do the web bug is compliant with the standards that exist. It is a typical implementation for this type of bug.

    Steve Crocker: I'm speechless."


    He's not the only one. For one thing there are privacy implications _outside_ the US.

    --
    Oddly Draconis
    Too cynical to live, too stubborn to die.
  2. Re:Putting too much trust into them? by steve_l · Score: 2, Insightful

    That is a good point. They have already changed HTTP behaviour. If you write some hot new HTTP successor app, how long before they decide to answer failed lookups with their marketing front end, rather than valid data?

    What if they started to reply to senders with suggestions for valid email addresses, maybe with adverts for ink cartridges at the bottom?

    What if they cached all to and from addresses to add them to their list of 'consenting' users?

    VeriSign's perspective was that if it is technically feasible, they are prepared to do it.