At the Front Lines of Protecting the Internet
VeriSign is in many ways synonymous with managing the Web, thanks to its handling of key DNS root servers and of name resolution for .com, .net, and other domains. In recent years, it's had both strong ups and strong downs.
On the up side, VeriSign has aggressively pushed PKI, SSL/TLS, EV, and digital certificates, making these authenticated security approaches commonplace. And VeriSign has spent millions of dollars building out and protecting the Internet's massive DNS infrastructure, even though its contract with the DNS's governing body required that VeriSign spend just a fraction of that amount. Although VeriSign's extra investment was a business decision meant to keep its lead as DNS infrastructure manager, the result for Internet users is still a better DNS infrastructure than was required.
On the downside, in the 2005-2007 period, the company angered many users by adding new services to the Internet, such as domain waitlisting, and by raising registration fees. It garnered significant ill will when its Network Solutions domain registration unit (later sold) began redirecting misspelled URLs to ads, causing an uproar among users. When VeriSign met resistance over such actions from ICANN, the global steward of Web domains, it sued the organization. Although that suit was resolved after VeriSign agreed to new ICANN procedures, users and elected officials remained nervous about VeriSign's potential actions. In 2007, the company ran afoul of federal regulators, resulting in its CFO's resignation and a restatement of earnings.
During this same period of ups and downs, VeriSign entered several new lines of business, such as Wi-Fi roaming services, RFID contract resolution (to translate an RFID tag's electronic number to a product's common name), and one-time-use security credentials. More recently, VeriSign has been part of a consortium promoting the OpenID federated certificate standard.
Today, VeriSign is refocused on its Internet roots, after having dropped some of its new ventures, to focus on DNS management. The company processes about 48 billion name resolution requests per day across 60 different locations, peaking at 700,000 queries a second. It is a major provider of PKI technologies and services, including digital certificate products, managed security services, and IT consulting services.
InfoWorld interviewed CTO Ken Silva on the company's current and past challenges. Silva manages VeriSign's technical operations, which handle much of the world's DNS traffic and cryptographically protect millions of Web sites. Before joining VeriSign, Silva spent 10 years with the National Security Agency (NSA). Roger asked about VeriSign's current status and future plans. Here are some excerpts from that interview:
Q: In the first part of this decade, the global DNS infrastructure came under a few big denial-of-service attacks that caused service disruptions, but in the last few years, we haven't seen any significant service outages. How well have we done in making DNS resistant to DoS attacks?
A: VeriSign services have never completely been taken out from a DoS attack because of our distributed nature. We do get DDoS [distributed DoS] attacks, and they are getting bigger, and bigger, and bigger, but they haven't affected us that greatly. In February 2006, we launched our Project Titan initiative, in response to our growing legitimate services and to handle DDoS attacks in the multiple tens of gigabytes. Our goal was to fortify the infrastructure to over 10 times the predicted infrastructure needed. Project Titan will increase bandwidth 10,000 times the 2000 levels by 2010. It's already at 1,000 times the size today [as compared to the 2000 levels], and will be another 10 times today's level in the next two years. It will be able to handle 4 trillion queries a day.
Q: Why are DNSSec and any of the other "advanced" DNS security proposals slow to gain more widespread acceptance?
A: These are complicated technologies, and you have to get the entire world to agree on the standard, on what makes up the standard, and to do it at the same time. That alone makes it difficult.
Q: Users have a tendency to ignore or bypass digital certificate errors, undermining the whole system of trust. What can be done to improve the user's security experience in light of that fact? What are browser vendors missing?
A: VeriSign has been working closely with browser vendors to improve the user experience, but there isn't enough real estate in the browser to do it perfectly. But many vendors, especially Microsoft, are doing innovative things like Extended Validation (EV) certificates. When a user browses to an EV-protected Web site, an EV-enabled browser [such as Microsoft Internet Explorer 7, Mozilla Firefox 2, and Opera 9.5] will turn the address bar green, identifying the site as trusted using the strongest assurance we can offer today. Users can trust EV certificates. It is proven that sites that use EV certificates have much lower abandonment rates than sites without EV. For example, Overstock.com found users were abandoning their shopping cart at the point at which they were supposed to put in their credit card information ... at the moment they really needed to trust the vendor. Overstock.com started using EV certificates and saw a 16,000 times return on investment.