Slashdot Mirror
Verisign Considers Restarting Sitefinder
Rosco P. Coltrane writes "The Washington Post reports that VeriSign is considering reviving its infamous search engine. 'Site Finder was not controversial with users' says VeriSign's Tom Galvin, and VeriSign 'assured ICANN that it would give 60 to 90 days' warning to resolve any remaining technological problems.' Such as leaving the DNS service alone for example?"
Those who forget history are doomed to repeat it...
Visceral Psyche Films
And firebird^H^H^H^Hfox does it for google ... it could be argued that's even worse than Microsoft, since there you get shot off on an I'm Feeling Lucky, while microsoft gives you a list of close matches and lets you choose one. I've had too many times when I mistyped a URL, got shot off to another page entirely, and then had to go back and do a "google URL" to find what I was looking for.
;)
Also, M$'s way sends you back to a Microsoft page - which is expected, since MS has a search service (along with one copy of every single other web application). But Mozilla choose Google fairly arbitrarily - why not use Yahoo? Or Wikipedia? And anyone who argues "it's the #1 search option" gets a free copy of IE, the #1 browser, from your good friends at Monopolysoft
On the other hand, what Verisign does, affects the operation of any application that relies on DNS to connect anywhere.
True, but that is a browser thing. It doesn't break well-written applications that don't use MSIE (isn't that redundant?), and doesn't affect Linux/Mac users at all. This, on the other hand breaks applications through no fault of the original developers, forces ads down ppls throats with no means of changing it, and exploits a publicly trusted position.
#define DRM chmod 000
But DNS is used for more than web look ups. If DNS returns spurious results for gethostbyname(), a typo in a SSH command, or nntp request will be seriously bjorked.
I've no problem with Firefox (or IE) sending me to a search engine when I try to connect to a typo-ed web page: this is a reasonable policy to set at the application level
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
That's what we get by having corporations managing the Internet infraestructure instead of a public service. Some people talk about censorship, but if the corporations actually have the nerve to do something like this, whow long does it take until censorship sets in?
There will be another backlash although obviously to a lesser extent. The biggest backlash will come from admins who will once again blacklist the corresponding Site Finder IP.
The fun will start when Verisign starts not liking large ISPs blocking their users from accessing Site Finder and initiate a cat-and-mouse game of having Site Finder resolve to a ton of different changing IPs that the admins will have to keep up with.
Last time they were accepting emails to non-existant domains too. If everyone makes sure they have lots of web pages with long lists of email addresses in nonexistant domains then the spammers will spend a significant fraction of their bandwidth DOSing verisign instead of hassling the rest of us.
In your idea, remember to get the script to follow all the paid-for links. The advertisers will have to pay for the hit, and will soon realise they're getting bad value for money. And you can still identiy site-finder DNS entries easily, so you could just mis-spell random real web sites and see if they point to site-finder.
In soviet russia stale jokes recycle you!
How would choosing an alternate root server fix brokenness in the .com and .net tld's?
They still point to Verisign's gTLD-server.net's nameservers for the .com and .net domains, so using these alternate roots won't solve this problem.
Of course, you could set up your own alternate .com or .net TLD. Good luck in getting the full and updated list of all registered .com and .net domains and their nameservers :)
Getting a search engine is fine, if that's within my control. That's a good *browser* feature. And with a good browser, you can configure such a feature to go where you want it to, or just to give an error message (my personal preference). The problem with Verisign's approach is that there is nothing to tell the browser that there was no DNS record, so you no longer have the choice.
Nice idea, but the domain system only really works if we all agree on a single set of authoritative root servers. Otherwise you are effectively introducing another level into the DNS - go to 'www.mydomain.com2' is not very useful if you also have to append instructions on how to change your DNS servers. I can just imagine the voiceover at the end of the radio ads - very fast, and in the style of 'terms and conditions apply'.
As has been pointed out time and time again on NANOG and other operational mailing lists, DNS hijacking is still DNS hijacking, regardless of how noble the intent is.
From an operations standpoint, the impacts of Sitefinder are unfortunatly minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.
While I and many other people involved in operations agree that Sitefinder is a horrible idea ethically, nobody is helping their case with histronics and ad hominem attacks on Verisign's business practices, regardless of how true they are. All that does is gives Verisign more fuel for their "technocratic elite" arguments in press releases.
If you really want to fight this, tone down some of the passion and write to ICANN with legitimate concerns about the service and its effects. Crying foul about slimy business practices with no supporting evidence and a lot of sound and fury is a good way to make people who might be swayed agree with Verisign's claims of being attacked unjustly.
And as understand it some anti-spam programs does a lookup on the senders hostname to see if it's a valid hostname. If the lookup returns an error (not found) they send the mail directly to the trash.
But with this service you will always get a hit. Which in turn renders this anti-spam program ineffective.
Of course you could use other anti-spam tool, but this stops a lot of spam with fake hostnames.
Also, this community has lots of weight in the recommendation og technical solutions.
"Yes boss, we could use Verisign, but I spent some hours last night finding alternative solutions that are both better and cheaper. Here they are."
How many companies are looking to work with SCO these days?
Can't we do something, I mean, something to legally make them pay for it?
Verisign has a long story of abuse with DNS, and we should be able to do something more than bitch about it or make technical workarounds (ie, patches to dns) about it.
Perhaps a petition to ICANN with enough signatures to make them revoke Verisign's contract?
As others have pointed out, that's not the same thing at all: what Verisign want to do is to usurp the basic look-up-a-name service.
In fact, I'd expect Microsoft &co to *strongly* object to this, since what it will mean is that dns lookups will eseentially never fail, so you'll never see the search page from IE &c. Essentially Verisign are going to start providing the service that MS now does for IE users, and google now does for Mozilla!
60 to 90 days to patch every network utility out there to work around the DNS breakage. ROFL.
Oh, wait, that's NOT funny.
Please correct me if I got my facts wrong.
Yes, it would. But, that forces Verisign to build a lot of infrastructure, which they don't have in place right now. Right now, they're just using the gtld-servers, which can handle a lot of load, and the wildcard isn't adding any load to that. If they give the system NS records and point them somewhere else (likely the only way to get around delegation-only), then they have to build up a set of SiteFinder DNS servers to handle that query load, which will be an infrastructure and operational expense they weren't planning on. They had to build the webserver cluster, sure, but the cluster they had was clearly not up to the task (kept crashing), and now they'll have to add a nameserver cluster...all this for questionable revenue and a lot of bad blood in the community. The more expensive we make this, the less likely it is to happen.
I'm also secretly hoping that Paul Vixie & co will figure out a way to filter that step, once it comes to it.
By the way, this sort of arms race of action-filter is exactly what ICANN is terrified of. The last thing they want to see is an all-out war over the DNS...it causes instability. This is why it's at least somewhat likely that ICANN will stop Verisign. I can't guarantee that they will act, but they *really* don't want to see an arms race occur.
Sure, they could still trash .com, but who would care?
Would using alternative root servert also allow domains with just one part? E.g. slashdot instead of slashdot.org?
.org or .net TLDs), they are confusing (is the site for this norwegian company .no or .com?), most sites will want to have .com anyway, as it is sort of the de facto standard one, etc. So why don't we just dispose of the TLD, and the hostname, and call the website slashdot instead of slashdot.org?
I find the TLDs a bit silly, since the general purpose ones lost much of their meaning (commercial websites have
Please correct me if I got my facts wrong.
``While I and many other people involved in operations agree that Sitefinder is a horrible idea ethically, nobody is helping their case with histronics and ad hominem attacks on Verisign's business practices, regardless of how true they are.''
I do not oppose to Sitefinder alone, but to VeriSign as a whole. I think it's a Bad Thing to have a corporation in such a dominant position. I don't trust corporations. Sitefinder just proves me right. I don't just want Sitefinder to go away, I want VeriSign to go away. Down with corporate control! The Internet to the People!
Please correct me if I got my facts wrong.
...that they would learn from past mistakes. But no, of course not.
They have.
What they've learned is that outrage, like everything else, is a limited quantity.
You and I can't spend afford eight hours a day, five days a week to watch and warn against Verisign.
We have other things to worry about: Belkin using routers to spam, New York's Livingston County Social Services Commission letting confidential data get posted on the web, Johm Ashcroft eviscerating the Bill of Rights.
But Verisign can trigger our outrage the first time around, back down in the face of our massed complaints, and then, like a spider in its hole, wait patiently until the time is ripe to strike again.
Just like the Department of Justice and the proposed "Patriot II" law; they withdrew it after furious opposition, wait a while, and then got key provisions passed after everyone had relaxed.
Verisign is banking that each time around, they'll be a few less people able or willing to work up any outrage, until only a small minority objects -- a small minority that can be derided with a dismissive comment about "tin foil hats".
This is why we need organizations like the EFF and EPIC (and the ACLU): so the we have someone in out corner who, like a Verisign employee, is paid five days a week to watch for and counter these outrages.
Opinions on the Twiddler2 hand-held keyboard?
I know you were trolling, but anyways...
Actually, it makes sense to me that 84% of _users_ would not find it controversial, because typically, users wouldn't know or care about the implications that this will have behind the scenes. Now if Verisign was to quote the percentage of developers, administrators, and people who actually know what a bad thing this is, you'd have a more realistic figure.
I *heart* corporate thinking.
The Slashdot Paradox: "100% Overrated"
The Internet is a connected suite of protocols that work off of a similar top layer of technology, permitting multiple types of information transfer. Granted, the WWW, being the kick-ass application it is, is a very large part of this. However, what people ALWAYS fail to realize is that Electronic Mail, FTP, SSH, Telnet, Internet Gaming, X-Windows, ICQ, AIM, and every other Internet program under the sun utilizes DNS to try to get where it's going. When Verisign turns on its crappy service, what happens is that every OTHER program that relies on host names will be SCREWED UP. Why? Because instead of an error message that says you are trying to access a host that doesn't exist, you'll get a message that is much more similar to the fact that the host is unavailable! That means when you send an email message to dumbshit@verisiggn.com by mistake, instead of getting a response back immediately that you typed in a bad address, your message will sit in a queue for 3 days, and then you'll get an error message saying that your recipient couldn't be reached. This will cause you to contact your system administrator, and waste hours of his time, and time at other remote administrators because no one will catch the typo until after they've exhausted all the possible reasons your mail systems cannot talk to each other. System Admins RELY on error messages that make sense. When those are absent, answering user questions of 'It doesn't work - fix it' is VERY VERY DIFFICULT. This message is just for those of you who appear to not have a clue just how much frustration this causes, and who think that this makes even a modicum of sense to do.
Still, he added, it would be tough for VeriSign to win the public relations war because its opponents are highly regarded technologists.
Come again? Since when are "highly regarded technologists" given a second thought by the average user? Their thinking is...
"Let's see... www dot... oh, I hate these computers... where's the g? hootmaail.como... there! Wait, that's not my mail. This is... uh... oh yeah, silly me. I spelled it wrong. Yes, that's the one I want... I'll that... wait... online dry cleaning... I need THAT."
And that is the END of the thought process. They don't think about whether or not it's a helpful service unless a surveyor puts a gun to their head and makes them commit one way or the other. They certainly don't think about asking the "highly regarded technologists".
I know this is troll bait, but I will bite.
.com/.biz domains, they have been given a monopoly. No other company can do this since they don't control the athoritative root for those domains.
Capitalism works on the premise of competition. Because they are the sole athoritative root for all
Beyond that it fundementally changes the way the internet works to the benifit of a single company. This is very anticompetitive.
If I were a shareholder, I would tell them to drop all of its plans for site finder since eventually it will lead to a loss of all of its domain registration revenues.
Shameless self promotion : The Misadvetures of the in
It is analogous to saying that if I put a detour sign in the middle of the freeway to direct traffic to my shopping mall, that I am obeying the traffic sign protocols.
The comment about "ninety-nine percent of the traffic is pure HTTP" is a shorthand way to sum up why it is not possible to communicate with Verisign's executives, and why they must be stopped and soon.
Because it wouldn't matter if one hundred percent of the traffic on the internet were HTTP, it still is not a reason to break DNS in order to insert advertising. The "service" they claim to be providing should be provided by the browsers, giving everyone a chance to implement their own solution to the problem of mistyped domain names. Then many possible solutions to this issue can be innovated. By breaking DNS to lie about the existence of domain names, they actually prevent anybody else from providing any solution. This is the exact opposite of innovation. And they are smart people at Verisign, they clearly and obviously know all this, and yet they are lying to every one about it. And that, in a nutshell is what makes me more furious about this than any other Internet legal issue has in a long long time, maybe ever, or at least since Network Solutions took the .com database
offline and made it their own private property.
There was a story I heard once, about a company (Novell ?) which implemented their own file transfer protocol over the network. They did not use exponential backoff on retransmit, which made their protocol look much faster than TCP/IP. It would in fact hog all the bandwidth, bumping out all the more polite and well behaved protocols. This was great for them, but in fact as the network approached saturation, the system would fail catastrophically, for reasons obvious to Internet protocol designers.
At some meta-level, this is what is happening to the Internet itself now. Verisign is itself like the bad protocol, which does not play well with others. It is taking advantage of an opportunity which gives it a short term advantage, while degrading the entire network protocol infrastructure.
From an operations standpoint, the impacts of Sitefinder are unfortunatly minimal now. Most of the major operational issues brought up when it was first released have been solved by either Verisign or by various application developers (ISC and other DNS developers) and are no longer an issue.
/dev/urandom to a file for a while."
Except for things like this:
Option 1 -
MailServer: "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, so I'm gonna go ahead and reject that spam."
Option 2 -
MailServer "OK, you sent me mail from this domain, let's reverse look it up to see if it actually exists... nslookup domain... OK, it exists, let's look it up by IP to make sure it actually is the domain you're from... nslookup IP... ok, I'm going to go ahead and reject this, and either stop sending spam, or configure your reverse zones".
Option 3 -
MailServer: "OK, you sent this, I'm going to check and see if you're valid... nslookup domain... nslookup IP... fantastic! Welcome to my humble abode, and don't worry about that mail, it's been taken care of".
Or, with SiteFinder, Option 4 -
MailServer: "I hate my life. Are you a valid domain? Yes? No? I don't care, I'm barely here. My existance is meaningless, my spirit is broken. I think I'm going to cat
~Will
sig?
I say no. That the core is dumb is one of the reasons the internet is available to everyone. That the core is dumb is one of the reasons it is so reslient. That the core is dumb is the reason we can assign stewardship - not ownership - to Verisign, and yank it away from them when they misstep.
Keep the core dumb. No innovation is necessary or wanted.
Edith Keeler Must Die
Sitefinder is like discovering your receptionist has decided to redirect all wrong phone numbers to her cousin's "dial-a-psychic" service, and the janitor's been putting ads for his brother's body shop on everyone's desk.
Verisign doesn't own the "product" they're selling, they're just operating it for ICANN. This is no more a legitimate business than, oh, the original Napster was.
I don't trust corporations. Sitefinder just proves me right. I don't just want Sitefinder to go away, I want VeriSign to go away. Down with corporate control! The Internet to the People!
I don't know if you've been inside one, but it turns out corporations are made up of people. And it's a crazy thing, but so are governments. Everywhere you look, it's people, people, people. And as far as I can tell, none of 'em are perfect.
The problem isn't corporations as such; it's ICANN giving control of the big TLDs without sufficient oversight. Outsourcing the operation makes sense, but allowing Verisign to do whatever they please doesn't. ICANN should be making sure that none of their vendors are doing stuff that harms the internet, outrages the people who make it go, or inconveniences the zillions of people who rely on it.
Whether it's a coroporation or a government department doing the work, you still need oversight, and that seems lacking here.
A DDOSer who wanted to annoy Sitefinder could do random downloads from their site, and unless they've improved on the original Sitefinder, those downloads are 17KB of singing dancing Javascript instead of ~1KB of simple clean html text. If this has a big enough impact on Sitefinder's bandwidth cost, it will encourage them to provide simple clean html instead of their current potentially-dangerous dreck.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If it's going to do this, it should pop up a dialog the first time, explaining what it's doing, and give you the chance to turn it off right then and there.
"Remember, these are the guys that think a "dot porn" and a "dot kids" TLD will actually fix anything."
.kids or .students or some form of TLD that is managed would work well, especially if it were handled right. Right now, school districts are forced to try to filter the whole Internet to prevent pornographic materials (and I'm not talking art, I'm talking Tawnee Stone, god bless her soul:) from being easily accessible. If a heavily restricted .kids or .elem or the like domain were created, schools could trust the content of the domain. It'd be similar to the .museum domain. An organizational body could punish or retract domains based on abuses, and the body could work to establish actual guidelines for acceptibility. Granted, it'd be just as political as anything else bodies do, but at least there'd be a chance for it to work right.
I disagree with you to a point on the lack of merit to this idea. I think that a
The trouble with trying to make porn domains is that states could enact laws that prohibit ISPs from allowing traffic to sites that are so easily identified, which would be censorship. It would also be difficult to get pornographers to make use of the domain anyway, since a lot of content mirrored isn't exactly staying within copyright guidelines, and I would imagine that someone engaging in copyright violations wouldn't want to make themselves stand out that clearly.
Do not look into laser with remaining eye.