
Web community puts price on head of super highwayman VeriSign

Domain transfer madness at Hoopla.com


Domain registrar VeriSign has infuriated the Web community by wrongly transferring a New York writer's domain to an unchecked person in Germany.

The transfer of Hoopla.com was the result of a faked fax request but even though VeriSign has admitted its error, it has refused to sort out the situation, prompting real owner Leslie Harpold to hire a Florida lawyer in pursuit of the domain.

At the same time, hundreds of Internet users are working on a "Google bomb" to embarrass the company. A Google bomb works by putting up hundreds of links to a particular URL and naming it after the search term that people type into the Google search engine. In this case, the link is to Harpold's tale of events and the search name is VeriSign.

Hopes are not high, though, that either action will prompt VeriSign to do the decent thing and return ownership to Harpold, especially considering the company's track record. The trouble lies in VeriSign's antiquated mechanism for changing domain name information.

The company, which owns Network Solutions, was the original Internet registrar, building and maintaining the first domain lists. However, following enforced competition in the domain name market, the company has faced many accusations that it is using unfair methods to protect its ailing monopoly from cheaper competitors.

The seriousness of the situation - which has seen hundreds of domains wrongly transferred to others in the last two years - is such that Internet overseeing body ICANN even put registrar transfers on the agenda at its last meeting. Its recommendations are currently in a white paper which critics argue still do not tackle the main problem of verification.

The facts in this case are that VeriSign received a forged fax from a Sarah at a fake address in Berlin, stating that Leslie Harpold had given permission for the domain Hoopla.com to be transferred to her. The domain was not itself due for renewal until June this year. The company made the transfer, and Harpold was frozen out of the domain. Upon complaining, she was told that she would have to personally contact the new owner to agree terms, despite the fact that VeriSign never checked the transfer was correct.

Under ICANN rules, VeriSign is not actually obliged to double-check with the original owner that a transfer is agreed to, and it assumes authorisation is correct if the fax it receives contains the same email address as the contact address it has for that domain. This situation, inevitably, has led to hundreds of falsely transferred domains. The company's efforts to prevent this happening by asking for extra authorisation have also met with criticism.

The problem lies with the company's insistence on using printed and faxed forms, rather than Web-based password-protected entry to registrant details that many other registrars use. VeriSign does offer more secure options but at a premium and even this has been seen to fail, with hijackers grabbing domains with even so-called top-level security (Internet.com is a case in point).

The company has been reluctant to move from its form method as it not only makes transfer to other registrars a more time-consuming and complicated affair, but also leaves it in ultimate power over the domain details. And there is no shortage of complaints that VeriSign continually refuses simple requests to change over to a new registrar or even that the forms have vanished between leaving the registrant and arriving at VeriSign. VeriSign does, however, offer a $199 premium service that will see domains re-registered within two days. There are no known complaints from those who have used this service instead of the cheaper $15 option.

But while the financial benefits of not creating a new, more secure system for domain details and transfers are clear, VeriSign is skating on thin ice. Despite a close relationship with those in power at ICANN, large sections of the Internet business and, increasingly, the Internet community are at odds with its approach.

This was further heightened recently when the company sent emails to customers of competing registrars warning them they needed to renew their domain before it was released to the public and apparently offering to save them $20 - months before the domain was actually due for renewal.

It is clearly a flawed system when a single fax can see the transfer of a domain that someone has worked on for years to a complete stranger without verification. If VeriSign doesn't mend the error of its ways, it could soon see itself as a minor player in what was once its playground. ®
