VeriSign Accused of Privacy Violation
New redirection policy draws concerns, accusation of vulnerability.
Paul Roberts, IDG News Service
Privacy advocates are warning that recent changes to the .com and .net database of domain names by VeriSign could violate the privacy of millions of Internet users, inadvertently sending confidential e-mail content and Web surfing data to VeriSign's systems.
The concerns come after VeriSign introduced a new service on Monday. When users request a nonexistent URL, the company automatically redirects them to a VeriSign site, sitefinder.verisign.com, which offers a choice of alternative Web addresses.
Almost immediately, the service provoked angry responses from Internet users who say VeriSign is abusing its stewardship of the .com and .net domains to boost company profits.
The new service has also prompted a lawsuit. Filed by Popular Enterprises of Orlando, operator of the Site Finder competitor Netster.com, the suit charges VeriSign with antitrust violations for using its control of the .com and .net domains to squeeze out competitors.
Now one company is warning that the service may be turning over a wealth of potentially useful information and sensitive personal data to VeriSign.
New Procedure
In particular, e-mail messages sent to addresses at nonexistent Internet domains will be delivered to VeriSign's Site Finder servers instead, according to Lance Cottrell, president and founder of Anonymizer, a provider of anonymous Web surfing and online privacy protection products.
In the past, those messages would not have left the systems of the user's ISP before being marked as undeliverable and returned to the user. VeriSign could potentially harvest these messages and their contents, Cottrell says.
Internet users should also be concerned about VeriSign collecting information about surfing patterns from requests for domains, he says. Such information would give VeriSign a wealth of free market research, Cottrell adds.
Such accusations are "fiction," according to Brian O'Shaughnessy, a VeriSign spokesperson.
"We do not log, and do not have any plans to log, any data sent to Site Finder," he says.
The new service is a valuable tool that will improve the Internet experience of the users behind more than 20 million mistyped domain requests each day, O'Shaughnessy says.
"We, like many technology companies, are looking at the best way of using technology to make the user's experience online a fulfilling one," he says.
Unforeseen Conflicts
But the new practice raises other questions and problems as well, according to Cottrell.
Some spam filters that use Domain Name System (DNS) requests to verify whether a return address on spam is valid are affected by the new VeriSign service, he says. Instead of being rejected by the .com and .net DNS servers, such requests now go to Site Finder, he says.
Also, Site Finder does not filter incorrect domains for attack code, Cottrell says. This leaves the site vulnerable to cross-site scripting attacks, which could hijack the Site Finder site and the VeriSign name for attacks on other users, Cottrell says.
"It's a concentration of information that was previously very dispersed and that makes (Site Finder) a high value target for hackers," he says.
VeriSign acknowledges the Site Finder service affects some spam filters. However, the company is having a "robust conversation" with those companies to find ways around the problem, O'Shaughnessy says.
Also, VeriSign could not immediately comment on accusations that Site Finder is vulnerable to cross-site scripting attacks.
Alternative Actions
O'Shaughnessy says VeriSign tested its new service thoroughly, but that the Internet's complex nature makes it difficult to predict all possible issues.
As for accusations that VeriSign's launch of Site Finder abuses its role as a manager of the Internet infrastructure, O'Shaughnessy says the company is acting in the best interest of Internet users.
"The facts are that millions of people are using the service now and getting to what they need quicker," O'Shaughnessy says.
The managers of other top-level domains, including the .biz domain, are considering similar services, he says. Besides, companies can modify their DNS servers to ignore the Site Finder service, he adds.
That's what Anonymizer has done on the DNS server it operates, Cottrell says.
Requests returned from the .com and .net root servers with the Site Finder address are re-translated into "Domain does not exist" messages for the user, he adds.
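The re-translation Cottrell describes, which also restores the "does not exist" answer that the spam filters mentioned earlier depend on, sketched as an added example that is not from the article or from Anonymizer's resolver: it parses a DNS response and turns one whose A records all point at the wildcard host into "Domain does not exist". The address 192.0.2.10 is a constructed placeholder, since the article does not give Site Finder's address, and all function names are hypothetical.

```python
import socket
import struct

# Constructed placeholder (RFC 5737 documentation range); the article does
# not give the real Site Finder address.
WILDCARD_ADDRS = {"192.0.2.10"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length

def parse_a_answers(msg):
    """Return (end_of_question_offset, [IPv4 strings from A answers])."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    q_end, addrs = off, []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return q_end, addrs

def rewrite_wildcard(msg, wildcard=WILDCARD_ADDRS):
    """Turn a response whose A answers are all wildcard addresses into NXDOMAIN."""
    q_end, addrs = parse_a_answers(msg)
    if not addrs or not set(addrs) <= set(wildcard):
        return msg                     # genuine answer: pass through untouched
    ident, flags, qd = struct.unpack("!HHH", msg[:6])
    flags = (flags & 0xFFF0) | 3       # RCODE 3 = name does not exist
    return struct.pack("!HHHHHH", ident, flags, qd, 0, 0, 0) + msg[12:q_end]

def build_response(name, ip):
    """Constructed sample: a one-answer A response for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    head = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 900, 4) + socket.inet_aton(ip)
    return head + answer
```

A resolver applying this also hides any real site hosted at a listed address, so the list should hold only the registry's wildcard host.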