VeriSign Sued Over SiteFinder Service

dmehus writes "It was only a matter of time, the pundits said, and they were right. Popular Enterprises, LLC., an Orlando, Florida based cybersquatting so-called 'search services' company, has filed a lawsuit in Orlando federal court against VeriSign, Inc. over VeriSign's controversial SiteFinder 'service.' While PopularEnterprises has had a dodgy history of buying up thousands of expired domain names and redirecting them to its Netster.com commercial "search services" site, the lawsuit is most likely a good thing, as it provides one more avenue to pursue in getting VeriSign to terminate SiteFinder. According to the lawsuit, the company contends alleges antitrust violations, unfair competition and violations of the Deceptive and Unfair Trade Practices Act. It asks the court to order VeriSign to put a halt to the service. VeriSign spokesperson Brian O'Shaughnessy said the company has not yet seen the lawsuit and that it doesn't comment on pending litigation."

Arrrrrr!

[by Anonymous Coward]

VeriSign be a bunch of land-lubbin' butt pirates, mateys!

Re:Arrrrrr!

[by Anonymous Coward]

Aye, I do believe you be correct, me bucko.

Talk like a pirate day [talklikeapirate.com]

Nice tactic.

[NightSpots (682462)]

Anti-trust was one of the very few tactics I didn't hear discussed as possible ways to stop Verisign.

Arguing that they get for free what other companies must pay for is probably one of the easier arguments for win, since it proves itself nearly by definition.

I applaud the jackass who pays to abuse typos. At least they've finally proven their worth.

I dunno about that.

[TheSHAD0W (258774)]

They get it for free, but they also lose it any time someone wants to take it away, for any specific domain. I personally don't like it, but I don't know if this particular avenue of attack will succeed.

Re:Nice tactic.

[*no comment* (239368)]

Don't forget the petition!!! Go sign it.

http://www.petitiononline.com/icanndns/ [petitiononline.com]

comparison

[Jucius Maximus (229128)]

The only thing I can say here is that Verisign seems to be in competiton with SCO for numerous titles:

- most hated company on the internet
- most stupid business moves
- most obvious 'shoot self in foot' maneuvre

I expect that slashdot would implode if SCO sued Verisign for this maneuvre. Do you cheer because one of them will lose? Or groan because one will win?

Pert Peeve

[QuantumSpritz (703080)]

Cybersquatting, though one of the great minor evils of the web, is damned hard to stop. I can't think of any way to regulate/legislate it without messing up the domain registration and transfer process for everyone else - though it would be nice to be able to buy domains BACK from these companies - I would imagine quie a few choice domains are in their hands. Nice to see a lawsuit taking on Verisign over this - even if it is a cybersquatter. I wonder if there's an intelligent way to reserve domain names for individuals and organizations which already have use for the name - maybe a form of 'prior branding' only better implemented...

Re:Pert Peeve

[Malcontent (40834)]

"though one of the great minor evils of the web"

A great minor evil. That's a new one on me.

The pool

[r_glen (679664)]

OK guys, who had 3-5 days??

"Unfair advantage"?

[tessaiga (697968)]

According to the lawsuit, Mountain View, California-based VeriSign has been using its position as the keeper of the master list of all Web addresses ending in ".com" and ".net," also called domain names, to unfair advantage.

So Popular Enterprises' complaint is not that VeriSign is cybersquatting, but that they're doing it more effectively without letting others have a slice of the pie?

I guess people will figure that the end justifies the means, but the argument still seems a little distasteful.

Re:"Unfair advantage"?

[Caled (26214)]

Verisign has just acquired more domain names than there are atoms in the universe. If Mountain View wanted them they'd have to pay more money than exists, whereas it only cost versign a line in their DNS records.

This is clearly abuse of monopoly.

Re:"Unfair advantage"?

[tessaiga (697968)]

Verisign has just acquired more domain names than there are atoms in the universe. If Mountain View wanted them they'd have to pay more money than exists, whereas it only cost versign a line in their DNS records.

Exactly. Most Slashdotters (myself included) are objecting to the fact that Verisign has essentially hijacked all unused domains. However, Mountain View's objection is that doing the same would cost them money, while it's free for Verisign. The action itself doesn't bother them; it's the uneven costs of doing so that has them annoyed.

Or, put another way, Mountain View would be perfectly satisfied if the result of the lawsuit was that Verisign allowed other cybersquatters to grab mistyped domains for free also, creating a huge happy cybersquatting family. Somehow I don't think the rest of us would be quite as delighted though.

Re:"Unfair advantage"?

[digital bath (650895)]

You know, I wouldn't really have THAT much of a problem if verisign at least served up the page with a 404 status error in the header. However, their sitefinder gives out the normal "200: ok" status on bad domains, which seems to me like a serious problem - I can see this breaking existing apps.

Re:"Unfair advantage"?

[berny@work (57298)]

This actually causes LARGE problems for people operating over VPN connections.

What normally happens is this:

People do a request for a site, e.g. intranet.internal.foo.org.

The external DNS servers fail in that they don't come back with an answer, and then the client continues through its list of DNS servers until it gets to the internal servers where it gets an answer.

What's happening now is that they ARE getting a good answer from the external servers, and the client is trying to connect to the 64.x.x.x address of Sitesearch. Now in most organisations the client isn't able to connect to that box (because its firewalled or whatever else), so it isn't a problem for VeriSign, however, it is a problem for the organisation, as the clients who are trying to work are getting given IP addresses for internal servers that are incorrect.

I have had to change dial up settings on a few clients and change others over to using static IPs at the moment until a better solution comes around. Or even better till VeriSign stop doing this.

Berny

Most ISPs have blocked it

[Amsterdam Vallon (639622)]

*Confirmed*: Adelphia has blocked VeriSign's new "service."

Please reply to this and list names of fellow anti-VeriSign ISPs if your ISP has blocked this new "feature" as well.

Thanks! I will enjoy analyzing this data.

Re:Most ISPs have blocked it

[shostiru (708862)]

We (mid-sized midwestern ISP) had our main nameservers (tinydns and djbdns) patched by 2AM the night this mess started, using the patches we found here. By a few hours later, I'd kludged the BIND source myself on a couple of other machines to return NXDOMAIN for anything in all three of the /24 netblocks in AS30060 (it worked fine, at least until the ISC patch was released). AFAIK our customers never even noticed the wildcarding.

If you work in an ISP or other network infrastructure company, you know first-hand the degree of astonishment and rage that Verisign's move elicited; the fallout (spam filtration, security, network monitoring, etc.) goes far beyond HTTP. I don't think any of us slept much that night ... it only took a few hours to restore normal DNS behaviour, the remaining ten or so I spent in shock with my jaw scraping the floor.

I've dealt with Verisign before (try getting decent documentation on the cybercash application library!) and knew they were greedy and stupid, but I wasn't counting on raw, unfettered eeeeeevil.

Re:Most ISPs have blocked it

[Enigma Deadsouls (700792)]

the remaining ten or so I spent in shock with my jaw scraping the floor.

Thats part of Verisigns new "Shock and Jaw" Campaign.

Re:Most ISPs have blocked it

[jms (11418)]

Speakeasy appears to have blocked the "feature".

and the IEFT now has an Internet-Draft

[shostiru (708862)]

which I just found, draft-main-typo-wcard-02 [fysh.org]. Worth a look, as is the IETF mailing list archive [ietf.org]. They're definitely aware of the problem. I particularly like following paragraph from the Internet-Draft:

An error response that only works correctly in one situation would be as bad as an SMTP server that ignored its input and always produced a fixed sequence of responses: it would work in the one situation it was designed to expect, but cause chaos whenever presented with any other situation.

sounds like the Snubby Mail Rejector, hmm?

Is it possible Verisign's move will be irrelevant?

[JayBlalock (635935)]

I was just thinking about this. At this point, pretty much the entire Internet has mobilized to counter their redirection trick. ISPs are getting filters installed, virus software is getting rewritten, ICANN will likely jump into the fray any time now.

At the rate things are going, in a couple weeks, no one will be able to get to their search engine site at all, whether they want to or not.

Someone probably deserves recompensation for the hassle, but it's looking like the Internet has proven resilient to even this "high level" attack.

Re:Is it possible Verisign's move will be irreleva

[John Paul Jones (151355)]

Someone probably deserves recompensation for the hassle, but it's looking like the Internet has proven resilient to even this "high level" attack.

At what cost? Routers are working harder, code has been introduced into core servers that has no technical reason to exist, and an IP address, or possibly a sizeable range of IP addresses are now blacklisted worldwide. Those IPs won't be usable for anything anymore, or at least until we see widespread adoption of IPv6. *cough*

What the Internet doesn't need is to become even less of an end-to-end transport, less reliable. And we did it to ourselves.

Re:Is it possible Verisign's move will be irreleva

[JayBlalock (635935)]

Oh, I'm not arguing that it doesn't suck and that Verisign didn't do a very, very naughty thing.

But at the same time, if you take a step back, the rapid mobillization of the response to this is VERY impressive, and the rate at which the Internet is reconfiguring itself to get rid of the trouble is quite amazing.

Remember, three days ago, people were moaning about how this would be a disaster, DNS would be broken, spam filters would be rendered impotent, etc etc.

I'm just saying that, objectively, if you look at this sort of like a body repelling a bacterial attack, the rate at which it's been countered is quite amazing, and shows how well the Internet is fundamentally put together.

don't u love these spokespeople

[hansoloaf (668609)]

VeriSign spokesperson Brian O'Shaughnessy said the company has not yet seen the lawsuit and that it doesn't comment on pending litigation."

They should just build an ASIMO robot in the mold of a spokesperson. There would be only 2 lines of code for the robot to speak out everytime they are contacted on a story: "The company has not seen the lawsuit." "No comment" Then we can skip the obligatory spokesperson quote in articles in the future as its' pretty much all they say nowdays.

another annoying 'feature' of sitefinder

[ApheX (6133)]

My browsers - Firebird and IE both keep history for a few days. It used to be that when i accidentally typed something in and the domain could not be found that it wouldn't be in my history since it wouldn't resolve. Now - thanks to URL resolving my history is gradually starting to fill full of crap. So when im in a hurry and select something out of my history i sometimes end up getting a sitefinder page instead of what I was looking for. ARRRGH.

Verisign Sucks. They always have and always will.

Hello, Pot? This is kettle!

[dacarr (562277)]

This is a classic example of hypocrisy, but maybe this'll pay off.

Don't badmouth Netster too bad

[Tyler Eaves (344284)]

Yes, it's semi-sleazy, but they don't cybersquat.

Timeline:

1997 or so: I registered tylereaves.com, mainly for use in e-mail

2000: I let the domain lapse, not really using it, and tired of paying $40 a year or so for it (Hey, registering was expensive in '97!)

200?: Netster becomes the owner of tylereaves.com

2003: I nicely ask for it back.
2003: I get my domain back. They didn't even charge me the trasnfer fees.

Someone at Network Solutions responded to me.

[xenoweeno (246136)]

I sent an email to various VeriSign addresses about their abuse. Somehow one of them got routed to a Network Solutions drone.

The drone informed me in a form letter that VeriSign's practices were "well within the guidelines" established by the document Domain Name System Wildcards in Top-Level Domain Zones [verisign.com].

After deconstructing this, we are left with: VeriSign is within the guidelines of the document VeriSign wrote on the matter.

Uhm...

Re:Someone at Network Solutions responded to me.

[Bronster (13157)]

Wow, that document was published 10 days ago. That's best practices for you.

Notice that they only address HTTP and SMTP in the guidelines. I guess there really aren't any other protocols worth speaking of.

(https maybe? Hmm - I wonder what happens there)

Technical defense against hijacked domains

[ODBOL (197239)]

This is a good time to look at Bob Frankston's dotDNS proposal [circleid.com] for a layer of reliable but meaningless domain names. dotDNS lookups can be made self-verifiable using public-key signatures, but without the costly chain of trust required by DNSSEC methods. The validity of a dotDNS binding can be verified easily by the querier, without relying at all on the server that provided the putative binding.

dotDNS does not solve the whole problem, since any layer that translates from humanly meaningful names to dotDNS names is still vulnerable to hijacking. But the reliable and verifiable name bindings in dotDNS will make it *much* easier to switch name-resolution services when we are dissatisfied with their policies.

dotDNS is a cheap and immediately deployable positive step toward fixing the DNS mess, requiring no approval by any central agency. It's time for a visionary sponsor to step forward and just do it.

I'm not surprised...

[Pan T. Hose (707794)]

Their new ad campaign with naked women [verisign.com] went too far in my opinion. They were basically asking to be sued. Didn't they think about the children [ala.org]?

Electronic Communication Privacy Act

[by Anonymous Coward]

The Electronic Communication Privacy Act (ECPA) [usiia.org] provides that "any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication; . . .shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).

wherein, "intercept" means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device;

The ECPA also provides that "In a civil action under this section, appropriate relief includes--(1) such preliminary and other equitable or declaratory relief as may be appropriate;(2) damages under subsection (c); and (3) a reasonable attorney's fee and other litigation costs reasonably incurred.

Damages.--The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.

Seems like a good case can be that emails to mistyped addresses are being intercepted by Verisign. Certainly, the emails where not intended to be sent to Verisign, and they appear to be collecting some information from the email (the from address).

When will people learn?

[dmiller (581)]

The enemy of your enemy is not necessarily your friend. Domain and typosquatters are the near bottom of the barrel, just a rung above spammers. Just because they are attacking another bottom-feeder does not make them heros.

Verisign delusional

[SnowWolf2003 (692561)]

In this article on on CNET [com.com] O'Shaughnessy said "the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback."

So they are attributing a slashdotting, and a lot of media interest to people being positive about the service. I haven't seen one article, comment or anything that was even remotely positive. What are these guys on?

He also claims they are fully compliant with every RFC. I don't see how this is possible, unless they have found some loophole.

I'd have less of a problem

[KalvinB (205500)]

If putting in

www.icarusindi.com

would list

www.icarusindie.com

as a suggested site. But it doesn't. It lists a number of domains that are off quite a few letters more than 1.

If it were at least making an intelligent attempt at getting the user where they wanted to go it could be argued that it is at least useful. Microsoft's search that comes up when you get a DNS error on some domain names is excellent about getting you where you actually wanted to go.

Verisign either gives a half assed attempt at correcting the user or deliberatly ignores domains that aren't registered through them. Despite the fact they get money regardless of who you register through.

Now we just need a credible plaintiff. Preferably a class action suit to maximize damages.

Ben

Right...

[by Anonymous Coward]

So if we're really lucky, just as the guilty verdict is being read, with the upper level management of both companies present...that asteroid that everyone said was going to destroy civilization twelve years from now, will crash in down on the courthouse, ionizing not only the leadership of both companies, but several ragged hordes of killer attack lawyers as well.

Then when the press questions the astronomers on how their orbital calculations could have been so wrong, the astronomers (being the clever guys they are) will say, "but are calculations were right!" and then erupt in maniacal laughter.

I for one welcome our new...[looks up at the sky]...never mind, I didn't start to say anything. Nope, nothing at all.

Null space needs to remain null

[mabu (178417)]

First off, the idea that Verisign can appropriate unregistered domains represents a huge conflict of interest with its management of the TLDs. Nobody should be able to reassign IPs for non-registered domains. This undermines the whole system, which has facilities to address this situation.

The fact that ICANN didn't block this move is further evidence than this organization is totally useless and political.

Along the same vein, I disagree with MS's misleading implementation of the IP-not-found error page to redirect users to their proprietary search engine.

The Internet community should rally against any entity that seeks to appropriate undefined address space for their own gain.

If Verisign is allowed to do this, what we're likely to see is each major ISP and browser manufacturer follow suit and hijack undefined space to promote their own systems.

Imagine if you dialed a wrong number on the telephone and you got an advertisement for the phone company. What if local broadcasters bombarded all the unused frequency spectrum with their own promotions.

This has less to do with Verisign than it does to protect the sanctity of null space.

It makes me wonder if someone has a patent on silence yet?

Re:Null space needs to remain null

[kfg (145172)]

"It makes me wonder if someone has a patent on silence yet?"

No, there's too much prior art, but John Cage has a copyright on 4'33" of it.

KFG

sitefinder can't find verisignsucks.com

[consumer (9588)]

Has anyone else noticed this? It returns a sitefinder page immediately for blahblahsucks.com, but nada for verisignsucks.com.

Dear VeriSign, Thanks for the spam.

[AntiOrganic (650691)]

I truly thank VeriSign's lovely spam service.

Someone a few months ago mentioned to me that Sendmail has a feature where, upon receiving mail, it will check the domain of the sender. If the domain does not exist, it has a forged From: header and is obviously spam.

Thanks to Verisign's efforts to piss me off, every DNS query on a nonexistant .com domain or .net domain is returning an SOA record and none of these messages are being blocked.

Since this "service" has been implemented, I've gone from 7-8 spams a day to 30-35.

Thanks a lot, assholes.

Journalists should not write tech stories

[flakac (307921)]

From the article:

Typically, Internet users are shown a generic "404 -- cannot be found" page when a Web address does not exist.

Sooooo, if the web server can't be found, who's sending the HTTP 404 response (which incidentally means that a file on a server doesn't exist...)?

maybe it's time to give DNS back to the public?

[thomas_klopf (672359)]

When Verisign was given the authority to manage DNS for these TLDs, they were given this responsibility with the public trust.. The public trusted them NOT to do things exactly like this. You should do DNS, and that's it - nothing more, nothing less. In return, Verisign was given a source of income. I think that if Verisign continues in this way, it may be time to take back this thing entrusted to them. This has become yet another disaster in "privatization", and we should maybe consider moving this service back to the "public" sector (as much as it can be...).

Lies in Verisign's terms of use

[XNormal (8617)]

2. NATURE OF THE VERISIGN SERVICES.
You may have accessed the VeriSign Service(s) by initiating a query to our DNS resolution service for a nonexistent domain name. We are unable to resolve such queries through the DNS resolution service.

They are, and they do. They resolve such queries to 64.94.110.11.

You need to reject their terms of use!

[royles (461766)]

I have simply sent them an email and more importantly a 'letter' that informs Verisign that I do not accept their terms of service and that I am seeking their advice on how to stop making use of their software, considering I do not meet their terms of service.

I have informed them that if they cannot stop providing me with this service, (for which I do not accept their terms, and by which I cannot be bound) then they will have to contact me to negotiate a new set of terms to which I do agree.

I would imagine that if every user that is upset by this new 'service' was to do the same then Verisign would have to do 'something' about it.

how to complain about Verisign to ICANN

[chongo (113839)]

In addition to signing the:

online petition [petitiononline.com]

you can file a complaint about Verisign to ICANN by using their:

Registrar Problem Report Form [internic.net]

This isn't cybersquatting.

[oneiros27 (46144)]

There were two main types of cybersquatting, as I saw it --

• buying up random names, and hoping someone would buy it from you (aka. domain speculation)
• buying up specific company names, and charging them obnoxious amounts if they want it (which would end up in court, etc)

In this case, Verisign didn't pay for anything-- they're claiming everything that hasn't been bought. Not only that, but if someone had a domain, but didn't have a host in the domain, they're claiming that as theirs, too.

[Not that I'm surprised...the first sign that things like this were going to happen was when IE started replacing webserver error messages with their own if they decided your error message wasn't big enough, and replacing 'server not found' with links to their search engine]

So well, your 40 acres comparison falls through as it's more the equivalent of someone saying 'all this is mine until someone else buys it' and then, after you buy your plot, they still claim the area that you haven't built on yet, even though you have the deed to it.

Re:I've never understood

[marphod (41394)]

How is it different from the pioneers getting 40 acres and a mule?

First, a history lesson. '40 Acres and a Mule' wasn't a pioneer issue. What it is true that during the western rushes, various federal lands were put up for auction or claim by pioneers. The lands were not, however, specified to be 40 acres, but varied in size based on the territory and the specific land grant. For that matter, according to one of my HS Social Studies teachers (a dozen years ago), there were still federal lands for claim in parts of Alaska. That teacher was known to embellish the truth, so I won't put any varacity statement with that.

'40 acres and a mule' were reparations for slaves in the south. They were instituted by a Northern (Union) general, during the aftermath of the civil war, and were later reveresed by an presidential executive order.

So, in short, your parellel falls a little short. If the ICANN were to pass a ruling granting johnny-come-latelies names from vast corporate pools, that would be comprable.

So, what's wrong with cybersquatting: Well, with the federal land grants, if you occupied and developed the federal lands for a specified period of time, they became yours. You could sell or otherwise use them as you wished. Here, cybersqquatters either are taking a developed item (debatably property) and using its good will and value for an interest contrary to the orginal owners. Which would be a violation of the land grants, so thats one point where your analogy fails.

The other type of cybersquatter (who speculates on names or misspellings) is also abusing the good will of the originator, but may be a valid comparison. It is, however, annoying, to get redirected away from what you wanted because of a typo, and from the other side, a squatter who is taking an otherwise useful resource and making it near-useless is neither providing a valid service or generating good will.

Re:Homesteading

[jms (11418)]

Homesteading required that the homesteader develop and improve the property in order to receive title. You had to actually live on the land, and farm it, and build a house with a door and window, and after you had proved the land, you would receive title.

Cybersquatters do no such thing. There's a difference between registering coffee.com to build a coffee site and registering www.coffee.com to resell it later. Cybersquatters are more akin to ticket scalpers than to homesteaders.

Owning a domain you don't use

[Animats (122034)]

Owning a domain that wasn't in DNS used to be called a "lame delegation". At one time, about a decade ago, it was considered reasonable to garbage-collect domains that were lame delegations, but that was back before the Internet went commercial. Now you can have all the lame delegations you want.

But why? There's no real market in domain names any more. Verisign tried to make one. GreatDomains used to have thousands of listings, and you'd see things like "Asked: $25,000. Bid: $20." Now Verisign only has "premium domains" on GreatDomains, ones like "record.com". There are only 66 domains for sale, and few sales.

Re:what the fuck?

[IHateUniqueNicks (577298)]

Where have you been? Have you noticed the fact that it's important to be able to tell when a site doesn't exist? That this crap means typos can cripple most e-mail servers? That it invalidates a good section of the RFCs the Internet itself was based on???

Wake up. If you want to find a site, you use Google. If you want to go to a non-existant one, you should damn well be told there's nothing there.

Re:Give them a break, they just want more hit

[by Anonymous Coward]

Awh come on now, we can do better than that! Use the built-in distro-standard apache benchmark tool! ab -n1000 -c100 sitefinder.verisign.com/ That will send out 100 requests at once, 10 times. Might want to increase that number.... Anyway, its a good way to test your bandwidth...