Verisign's SiteFinder finds privacy hullabaloo

Making Overtures

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Privacy advocates have joined the chorus of critics of Verisign's "SiteFinder," which on Monday began directing mistyped dot-com and dot-net e-mail and Web addresses to a pay-for-play search site operated by the company, writes SecurityFocus' Deborah Ratcliff.

On Wednesday, Boston-based Internet security and privacy consultant Richard Smith found buried in the SiteFinder page a so-called "Web bug," an invisible image file served up by Overture.com, a Pasadena, Calif.-based advertising company that brands itself as a search engine. The bug delivers a cookie that doesn't expire for five years.

This certainly means the culling of some information, said Smith. "They're getting a sense of what domain names are mistyped, and perhaps this can be used by a domain name sales company. In addition, Overture is a pay for click search engine, with questionable affiliates."

The question on everyone's mind is, what are Verisign and Overture doing with information gathered through SiteFinder? Will the companies be able to tell that the person looking for a medical marijuana site on Monday is the same person looking for a cancer support group the week before?

"We don't know if this site is harvesting personal information, but we believe it's at risk," said Lance Cottrell, president of Anonymizer.com in Pasadena, which Thursday updated its privacy software to circumvent SiteFinder.

On Wednesday, discussion boards filled up with hundreds of messages reflecting user's concerns over the potential for privacy violations by Verisign.

Some privacy advocate are particularly concerned that the company could merge databases from its other ventures with information logged by SiteFinder, creating rich ore for data mining. The company holds digital certificates for two million individual certificate holders, and has access to those customers' personally identifiable information. By mapping certificates to domain names to IP address, a record of mistyped domain names could be tied to some users' identities -- if someone wanted to go to all that trouble, said Seth Finkelstein, who a civil libertarian software engineer who runs a popular anticensorware site.

"They're [Verisign] getting to know your IP address; and you may very well have a customer relationship with them through certificates which allows them to know you in great detail," adds Cottrell.

E-Mail Woes

SiteFinder's privacy policy says VeriSign only collects data "in aggregate form and solely for the purposes of operating and improving the performance of our Site Finder." It notes that Overture collects information "in order to serve content to our site, improve the services offered on our site, or measure advertising effectiveness of paid search results."

A Verisign's spokesman did not return repeated calls about the privacy concerns, but the company issued a written statement saying the purpose of SiteFinder is to ensure people get to their Web sites even if they mistype the address. The statement also said that Verisign is working with the technical community to solve a different problem that is wreaking havoc on some anti-spam efforts: SiteFinder immediately made nonexistent domain names indistinguishable from genuine hosts in the domain name system, breaking some anti-spam solutions that block e-mail from bogus domains, said Dan Camper, a software developer at Borrowed Time, Inc., in Austin.

From a privacy perspective, people are also concerned about what happens to all the mis-routed e-mails that are sent to Verisign when users type in bad addresses. This week the SiteFinder site was rejecting those e-mails, but only after receiving the "to" and "from" addresses.

"If Verisign's running an SMTP server or POP server, they can start grabbing people's e-mail addresses and passwords if they want to. It's not good that they're directing more than just the Web browser traffic here," said Smith. "I doubt that Verisign would do this, but Verisign did go ahead and change the Internet routing system, without first thinking of the unforeseen consequences of doing this."

The commercial exploitation of mistyped Web addresses also rubs critics the wrong way. When people mistakenly type in a URL and end up at Site Finder, Overture's paying advertisers will be listed as the top alternative choices for what the Web surfer may have meant to look for with the mistaken URL.

Moreover, Overture's been implicated in numerous spam complaints, according to Chris Brandon, president of an Internet investigations firm Brandon Internet Services, in North Carolina. "Overture has a long history of being in collusion with gangs of spammers," said Brandon. "I get complaints about them all the time from my 330 backbone ISP members about spam trying to direct them to Overture's search engines," he says.

Overture says it does advertise its own services, but it does not spam. The company says the only advertisements it sells are in the form of top picks on Web search engines, which is a common practice among search sites such as Yahoo, which is expected to complete an acquisition of Overture in mid-October. Moreover, Overture said that all of its affiliate members are hand-screened by an editorial board for legality and compliance to its strict rules of netiquette.

In fact, it's the commercialization of the DNS service that has many people up in arms. DNS, the very backbone of the Internet, they say, should not be tainted with advertising and privacy concerns, and VeriSign should not be taking advantage of its role as the official domain name registrar for .com and .net addresses. "It raises grave questions," Smith says.

Copyright © 2003,

Related stories

All your Web typos are belong to us
Verisign DNS change broke my HP printer (letters)
BIND developer blocks Verisign Net grab move

Choosing a cloud hosting partner with confidence

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Big Content outs piracy hotbeds: São Paulo, Beijing ... TORONTO?
MPAA calls Canadians a bunch of bootlegging movie thieves
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
Hungary's internet tax cannot be allowed to set a precedent, says EC
More protests planned against giga-tariff for Tuesday evening
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Verizon bankrolls tech news site, bans tech's biggest stories
No agenda here. Just don't ever mention Net neutrality or spying, ok?
prev story


Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.