Verisign redirection and Internet Explorer

SteveDallas · 09-25-2003, 02:33 PM

I just had a thought. (Scary. Maybe I'm going to succumb to the temptation and start a blog.

)

Most of you reading this probably have heard about Verisign redirecting non-existent domain names. If not, you can read up.

My thought was,

How is this different from Internet Explorer taking you to the MSN search page when you can't reach whatever web page you were trying for?

How is it NOT different?

Cam · 09-25-2003, 02:50 PM

Becuase it's not your browser doing the redirecting it's another company. Yeah it's ridiculous that Microsoft puts that in it's browers but at least you have a choice to use a different brower. Now it makes no difference what browers I use I automaticly go to Verisign's site. Of course that's only half the problem with this, it also creates other havoc in the Internet, but I don't understand that enough to talk about it.

SteveDallas · 09-25-2003, 03:10 PM

Yeah, but really. That's fine for you and me and a lot of the other folks here. But let's face it, for an overwhelming number of people on the Internet, telling them to install a new browser would be akin to asking me to replace the radiator on my car. Technically you're right, but for all practical purposes they have a captive audience that's very large.

Cam · 09-25-2003, 03:30 PM

So in reality all Verisign is doing is taking away the numerous hits Microsoft gets on it's search page every day from mistyped URL's. So that's actually a good thing IMHO. Except for the other issues it causes, which are not good things.

xoxoxoBruce · 09-25-2003, 04:08 PM

If you mistype your URL request in Google, you'll still get there.

Undertoad · 09-25-2003, 04:34 PM

The problem with it is that it breaks the BIND protocol, which is more "infrastructure" than HTTP (which MS breaks). HTTP is only the web, BIND is the whole friggin' net and they do not get to break it on a whim in order to gain a business advantage.

Torrere · 09-25-2003, 05:19 PM

Well, Microsoft's IE error redirection has always pissed me off, too.

Especially when I type in "foo.org" and it sends me to the MSN search engine, asking me if I want to go to "www.foo.org".

juju · 09-25-2003, 11:19 PM

I can't seem to get this to happen. When I mistype a url in Mozilla I get a 404 error. What exactly must I do to get this effect?

Undertoad · 09-26-2003, 06:34 AM

You won't yet; Verisign has been blocked from doing it by the organization that oversees such things, but the concern is that this organization is just a mouthpiece for people like Verisign and will let up anyway.

hot_pastrami · 09-26-2003, 12:04 PM

Some peoples' concerns are security related. For instance, say a user tries to use a username and password to log into a fictional bank's website, but they mistype the URL (or maybe the URL is created improperly by a CGI or somethiing):

https://www.fictonalbank.com?user=someuser&password=trustno1

...this non-existent domain would take them to Verisign's redirect page on their webserver, and consequently their server logs would contain the username and password to access that bank account, as well as a domain name that is easily correctable for a human. These logs aren't so hard to get to on some servers.

A similar problem is if you mistype someone's domain in their e-mail address... the e-mail will go to Verisign. Some people don't like that. Even if Verisgn sends a "Mail could not be delivered" notice, are they deleting the e-mails? Saving the return addresses for SPAM lists? Who knows?

These are only two examples, there are others. Personally, I think it's Bad Idea for them to break the way the Internet is supposed to work. It's important for web browsers, e-mail apps, ftp software, and custom apps to know when they have not reached a real domain, so they can take corrective action. Verisign's change makes that job much harder, and in some cases impossible.

SteveDallas · 09-26-2003, 12:33 PM

The security concerns are real. Don't get me wrong, we ought to all give Verisign the smackdown on this. (And by the way, it's possible that this is not even a violation of the contract under which they operate the root servers. Just because nobody imagined the put it in the contract that they can't do it.) But it just occured to me that to the average end user, there's not a lot of difference between the Verisign results and the Microsoft results when you type something in wrong. (I'll leave any comments to the effect that comparing a practice to something Microsoft does is hardly a ringing endorsement as an exercise for the class.)

It will be interesting to see how long the ISC delegation workarounds take to filter around.

Tobiasly · 09-28-2003, 08:54 AM

Quote:

Originally posted by juju
I can't seem to get this to happen. When I mistype a url in Mozilla I get a 404 error. What exactly must I do to get this effect?

You have to type a non-existent second-level domain -- the part right before the ".com".

If you're getting a 404 error, you're typing a non-existent page on a valid domain, which isn't the same thing.

Try this:
http://www.asdfinsavlinasdv.com/

And it hasn't been blocked yet, UT, at least not for me. I know BIND is planning on releasing a patch to block it, but AFAIK it hasn't yet.

Tobiasly · 10-03-2003, 01:50 PM

Update: ICANN has issued Verisign an ultimatum: discontinue SiteFinder, or be sued.

09-25-2003, 02:33 PM	#1
SteveDallas Your Bartender Join Date: Jan 2002 Location: Philly Burbs, PA Posts: 7,651	Verisign redirection and Internet Explorer I just had a thought. (Scary. Maybe I'm going to succumb to the temptation and start a blog. ) Most of you reading this probably have heard about Verisign redirecting non-existent domain names. If not, you can read up. My thought was, How is this different from Internet Explorer taking you to the MSN search page when you can't reach whatever web page you were trying for? How is it NOT different?

09-25-2003, 02:50 PM	#2
Cam dripping with ignorance Join Date: Oct 2002 Location: Grand Forks ND Posts: 642	Becuase it's not your browser doing the redirecting it's another company. Yeah it's ridiculous that Microsoft puts that in it's browers but at least you have a choice to use a different brower. Now it makes no difference what browers I use I automaticly go to Verisign's site. Of course that's only half the problem with this, it also creates other havoc in the Internet, but I don't understand that enough to talk about it. __________________ After the seventh beer I generally try and stay away from the keyboard, I apologize for what happens when I fail.

09-25-2003, 03:30 PM	#4
Cam dripping with ignorance Join Date: Oct 2002 Location: Grand Forks ND Posts: 642	So in reality all Verisign is doing is taking away the numerous hits Microsoft gets on it's search page every day from mistyped URL's. So that's actually a good thing IMHO. Except for the other issues it causes, which are not good things. __________________ After the seventh beer I generally try and stay away from the keyboard, I apologize for what happens when I fail.

09-25-2003, 04:08 PM	#5
xoxoxoBruce The future is unwritten Join Date: Oct 2002 Posts: 71,105	If you mistype your URL request in Google, you'll still get there. __________________ The descent of man ~ Nixon, Friedman, Reagan, Trump.

09-26-2003, 12:04 PM	#10
hot_pastrami I am meaty Join Date: Dec 2001 Location: Salt Lake City, UT Posts: 1,119	Some peoples' concerns are security related. For instance, say a user tries to use a username and password to log into a fictional bank's website, but they mistype the URL (or maybe the URL is created improperly by a CGI or somethiing): https://www.fictonalbank.com?user=someuser&password=trustno1 ...this non-existent domain would take them to Verisign's redirect page on their webserver, and consequently their server logs would contain the username and password to access that bank account, as well as a domain name that is easily correctable for a human. These logs aren't so hard to get to on some servers. A similar problem is if you mistype someone's domain in their e-mail address... the e-mail will go to Verisign. Some people don't like that. Even if Verisgn sends a "Mail could not be delivered" notice, are they deleting the e-mails? Saving the return addresses for SPAM lists? Who knows? These are only two examples, there are others. Personally, I think it's Bad Idea for them to break the way the Internet is supposed to work. It's important for web browsers, e-mail apps, ftp software, and custom apps to know when they have not reached a real domain, so they can take corrective action. Verisign's change makes that job much harder, and in some cases impossible. __________________ Hot Pastrami!

09-25-2003, 03:10 PM	#3
SteveDallas Your Bartender Join Date: Jan 2002 Location: Philly Burbs, PA Posts: 7,651	Yeah, but really. That's fine for you and me and a lot of the other folks here. But let's face it, for an overwhelming number of people on the Internet, telling them to install a new browser would be akin to asking me to replace the radiator on my car. Technically you're right, but for all practical purposes they have a captive audience that's very large.

09-25-2003, 04:34 PM	#6
Undertoad Radical Centrist Join Date: Jan 2001 Location: Cottage of Prussia Posts: 31,423	The problem with it is that it breaks the BIND protocol, which is more "infrastructure" than HTTP (which MS breaks). HTTP is only the web, BIND is the whole friggin' net and they do not get to break it on a whim in order to gain a business advantage.

09-25-2003, 05:19 PM	#7
Torrere a real smartass Join Date: Dec 2001 Location: Kirkland, WA Posts: 1,121	Well, Microsoft's IE error redirection has always pissed me off, too. Especially when I type in "foo.org" and it sends me to the MSN search engine, asking me if I want to go to "www.foo.org".

09-25-2003, 11:19 PM	#8
juju no one of consequence Join Date: Jun 2001 Location: Arkansas Posts: 2,839	I can't seem to get this to happen. When I mistype a url in Mozilla I get a 404 error. What exactly must I do to get this effect?

09-26-2003, 06:34 AM	#9
Undertoad Radical Centrist Join Date: Jan 2001 Location: Cottage of Prussia Posts: 31,423	You won't yet; Verisign has been blocked from doing it by the organization that oversees such things, but the concern is that this organization is just a mouthpiece for people like Verisign and will let up anyway.

09-26-2003, 12:33 PM	#11
SteveDallas Your Bartender Join Date: Jan 2002 Location: Philly Burbs, PA Posts: 7,651	The security concerns are real. Don't get me wrong, we ought to all give Verisign the smackdown on this. (And by the way, it's possible that this is not even a violation of the contract under which they operate the root servers. Just because nobody imagined the put it in the contract that they can't do it.) But it just occured to me that to the average end user, there's not a lot of difference between the Verisign results and the Microsoft results when you type something in wrong. (I'll leave any comments to the effect that comparing a practice to something Microsoft does is hardly a ringing endorsement as an exercise for the class.) It will be interesting to see how long the ISC delegation workarounds take to filter around.

10-03-2003, 01:50 PM	#13
Tobiasly hot Join Date: Mar 2002 Location: Jeffersonville, IN (near Louisville) Posts: 892	Update: ICANN has issued Verisign an ultimatum: discontinue SiteFinder, or be sued.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)