Verisign's SiteFinder finds privacy hullabaloo

Making Overtures


Privacy advocates have joined the chorus of critics of Verisign's "SiteFinder," which on Monday began directing mistyped dot-com and dot-net e-mail and Web addresses to a pay-for-play search site operated by the company, writes SecurityFocus' Deborah Ratcliff.

On Wednesday, Boston-based Internet security and privacy consultant Richard Smith found buried in the SiteFinder page a so-called "Web bug," an invisible image file served up by Overture.com, a Pasadena, Calif.-based advertising company that brands itself as a search engine. The bug delivers a cookie that doesn't expire for five years.

This certainly means the culling of some information, said Smith. "They're getting a sense of what domain names are mistyped, and perhaps this can be used by a domain name sales company. In addition, Overture is a pay for click search engine, with questionable affiliates."

The question on everyone's mind is, what are Verisign and Overture doing with information gathered through SiteFinder? Will the companies be able to tell that the person looking for a medical marijuana site on Monday is the same person looking for a cancer support group the week before?

"We don't know if this site is harvesting personal information, but we believe it's at risk," said Lance Cottrell, president of Anonymizer.com in Pasadena, which Thursday updated its privacy software to circumvent SiteFinder.

On Wednesday, discussion boards filled up with hundreds of messages reflecting users' concerns over the potential for privacy violations by Verisign.

Some privacy advocates are particularly concerned that the company could merge databases from its other ventures with information logged by SiteFinder, creating rich ore for data mining. The company holds digital certificates for two million individual certificate holders, and has access to those customers' personally identifiable information. By mapping certificates to domain names to IP addresses, a record of mistyped domain names could be tied to some users' identities -- if someone wanted to go to all that trouble, said Seth Finkelstein, a civil libertarian software engineer who runs a popular anticensorware site.

"They're [Verisign] getting to know your IP address; and you may very well have a customer relationship with them through certificates which allows them to know you in great detail," adds Cottrell.

E-Mail Woes

SiteFinder's privacy policy says VeriSign only collects data "in aggregate form and solely for the purposes of operating and improving the performance of our Site Finder." It notes that Overture collects information "in order to serve content to our site, improve the services offered on our site, or measure advertising effectiveness of paid search results."

A Verisign spokesman did not return repeated calls about the privacy concerns, but the company issued a written statement saying the purpose of SiteFinder is to ensure people get to their Web sites even if they mistype the address. The statement also said that Verisign is working with the technical community to solve a different problem that is wreaking havoc on some anti-spam efforts: SiteFinder immediately made nonexistent domain names indistinguishable from genuine hosts in the domain name system, breaking some anti-spam solutions that block e-mail from bogus domains, said Dan Camper, a software developer at Borrowed Time, Inc., in Austin.
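The breakage described above can be shown with a small offline model. This is an added example, not code from the article or from any anti-spam product; the zone data, the catch-all address and the function names are constructed for illustration, and only A-record lookups are modelled.

```python
import secrets

# Constructed zone data (documentation address ranges), not real DNS records.
REGISTERED = {"example.com": "192.0.2.10", "mail-sender.com": "192.0.2.25"}
WILDCARD_ADDR = "198.51.100.1"  # placeholder for the registry's catch-all host


def make_resolver(wildcard):
    """Model the .com zone with or without a registry-level wildcard."""
    def resolve(name):
        if name in REGISTERED:
            return REGISTERED[name]
        # None models an NXDOMAIN answer; the wildcard replaces it with an address.
        return WILDCARD_ADDR if wildcard else None
    return resolve


def naive_sender_ok(resolve, domain):
    """Pre-wildcard check: accept mail only if the sender's domain resolves."""
    return resolve(domain) is not None


def wildcard_addrs(resolve, tld, probes=3):
    """Look up random, almost certainly unregistered labels under the TLD.
    Any address that comes back can only be a wildcard answer."""
    found = set()
    for _ in range(probes):
        addr = resolve(f"{secrets.token_hex(16)}.{tld}")
        if addr is not None:
            found.add(addr)
    return found


def wildcard_aware_sender_ok(resolve, domain):
    """Treat an answer that matches the TLD's wildcard address as nonexistent."""
    addr = resolve(domain)
    if addr is None:
        return False
    tld = domain.rsplit(".", 1)[-1]
    return addr not in wildcard_addrs(resolve, tld)


if __name__ == "__main__":
    before, after = make_resolver(False), make_resolver(True)
    for label, r in (("before wildcard", before), ("after wildcard", after)):
        print(label, "naive:", naive_sender_ok(r, "no-such-sender.com"),
              "aware:", wildcard_aware_sender_ok(r, "no-such-sender.com"))
```

With the wildcard in place the naive check accepts mail from a domain that was never registered, while the probing check restores the earlier behaviour without rejecting registered senders.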

From a privacy perspective, people are also concerned about what happens to all the mis-routed e-mails that are sent to Verisign when users type in bad addresses. This week the SiteFinder site was rejecting those e-mails, but only after receiving the "to" and "from" addresses.

"If Verisign's running an SMTP server or POP server, they can start grabbing people's e-mail addresses and passwords if they want to. It's not good that they're directing more than just the Web browser traffic here," said Smith. "I doubt that Verisign would do this, but Verisign did go ahead and change the Internet routing system, without first thinking of the unforeseen consequences of doing this."

The commercial exploitation of mistyped Web addresses also rubs critics the wrong way. When people mistakenly type in a URL and end up at Site Finder, Overture's paying advertisers will be listed as the top alternative choices for what the Web surfer may have meant to look for with the mistaken URL.

Moreover, Overture's been implicated in numerous spam complaints, according to Chris Brandon, president of Internet investigations firm Brandon Internet Services, in North Carolina. "Overture has a long history of being in collusion with gangs of spammers," said Brandon. "I get complaints about them all the time from my 330 backbone ISP members about spam trying to direct them to Overture's search engines," he says.

Overture says it does advertise its own services, but it does not spam. The company says the only advertisements it sells are in the form of top picks on Web search engines, which is a common practice among search sites such as Yahoo, which is expected to complete an acquisition of Overture in mid-October. Moreover, Overture said that all of its affiliate members are hand-screened by an editorial board for legality and compliance to its strict rules of netiquette.

In fact, it's the commercialization of the DNS service that has many people up in arms. DNS, the very backbone of the Internet, they say, should not be tainted with advertising and privacy concerns, and VeriSign should not be taking advantage of its role as the official domain name registrar for .com and .net addresses. "It raises grave questions," Smith says.

Copyright © 2003,
