Verisign's SiteFinder finds privacy hullabaloo

Making Overtures


Privacy advocates have joined the chorus of critics of Verisign's "SiteFinder," which on Monday began directing mistyped dot-com and dot-net e-mail and Web addresses to a pay-for-play search site operated by the company, writes SecurityFocus' Deborah Ratcliff.

On Wednesday, Boston-based Internet security and privacy consultant Richard Smith found buried in the SiteFinder page a so-called "Web bug," an invisible image file served up by Overture.com, a Pasadena, Calif.-based advertising company that brands itself as a search engine. The bug delivers a cookie that doesn't expire for five years.

This certainly means the culling of some information, said Smith. "They're getting a sense of what domain names are mistyped, and perhaps this can be used by a domain name sales company. In addition, Overture is a pay for click search engine, with questionable affiliates."

The question on everyone's mind is, what are Verisign and Overture doing with information gathered through SiteFinder? Will the companies be able to tell that the person looking for a medical marijuana site on Monday is the same person looking for a cancer support group the week before?

"We don't know if this site is harvesting personal information, but we believe it's at risk," said Lance Cottrell, president of Anonymizer.com in Pasadena, which Thursday updated its privacy software to circumvent SiteFinder.

On Wednesday, discussion boards filled up with hundreds of messages reflecting users' concerns over the potential for privacy violations by Verisign.

Some privacy advocates are particularly concerned that the company could merge databases from its other ventures with information logged by SiteFinder, creating rich ore for data mining. The company holds digital certificates for two million individual certificate holders, and has access to those customers' personally identifiable information. By mapping certificates to domain names to IP addresses, a record of mistyped domain names could be tied to some users' identities -- if someone wanted to go to all that trouble, said Seth Finkelstein, a civil libertarian software engineer who runs a popular anticensorware site.

"They're [Verisign] getting to know your IP address; and you may very well have a customer relationship with them through certificates which allows them to know you in great detail," adds Cottrell.

E-Mail Woes

SiteFinder's privacy policy says VeriSign only collects data "in aggregate form and solely for the purposes of operating and improving the performance of our Site Finder." It notes that Overture collects information "in order to serve content to our site, improve the services offered on our site, or measure advertising effectiveness of paid search results."

A Verisign spokesman did not return repeated calls about the privacy concerns, but the company issued a written statement saying the purpose of SiteFinder is to ensure people get to their Web sites even if they mistype the address. The statement also said that Verisign is working with the technical community to solve a different problem that is wreaking havoc on some anti-spam efforts. SiteFinder immediately made nonexistent domain names indistinguishable from genuine hosts in the domain name system, breaking anti-spam solutions that block e-mail from bogus domains, said Dan Camper, a software developer at Borrowed Time, Inc., in Austin.
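The anti-spam breakage works like this: a filter that treats "the sender's domain resolves" as proof that the domain exists is fooled once the TLD synthesizes an answer for every name. The following is an added example (not code from the article, Verisign or any anti-spam product) of the adaptation such filters needed: probe random labels to learn the wildcard sink address, then treat any answer equal to the sink as a nonexistent domain. The resolver functions and the 192.0.2.x addresses are constructed stand-ins, not real DNS data.

```python
import random
import string
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed zone data (TEST-NET-1 addresses, not real hosts).
SINK = "192.0.2.1"          # address a wildcard TLD would answer for everything
REGISTERED: Dict[str, str] = {"example.com": "192.0.2.10", "mail.example.net": "192.0.2.20"}

def wildcard_resolver(name: str) -> Optional[str]:
    """Simulates .com/.net after a wildcard record: unknown names still get an answer."""
    if name in REGISTERED:
        return REGISTERED[name]
    return SINK if name.endswith((".com", ".net")) else None

def honest_resolver(name: str) -> Optional[str]:
    """Simulates a TLD that returns NXDOMAIN for unregistered names."""
    return REGISTERED.get(name)

def detect_wildcard(resolve: Resolver, tld: str, probes: int = 3) -> Optional[str]:
    """Look up several random labels that are almost certainly unregistered.
    If every one resolves to the same address, the TLD is synthesizing answers
    and that address is the sink; otherwise return None (no wildcard found)."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
        addr = resolve(f"{label}.{tld}")
        if addr is None:
            return None          # a genuine NXDOMAIN: no wildcard on this TLD
        seen.add(addr)
    return seen.pop() if len(seen) == 1 else None

def naive_domain_exists(resolve: Resolver, domain: str) -> bool:
    """The pre-SiteFinder check: any answer at all means the domain exists."""
    return resolve(domain) is not None

def domain_exists(resolve: Resolver, domain: str) -> bool:
    """Wildcard-aware check: an answer equal to the sink counts as nonexistent."""
    addr = resolve(domain)
    if addr is None:
        return False
    sink = detect_wildcard(resolve, domain.rsplit(".", 1)[-1])
    return addr != sink

def sender_domain_is_bogus(resolve: Resolver, sender: str) -> bool:
    """Anti-spam rule: reject mail whose sender domain does not really exist."""
    return not domain_exists(resolve, sender.rsplit("@", 1)[-1].lower())
```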

From a privacy perspective, people are also concerned about what happens to all the mis-routed e-mails that are sent to Verisign when users type in bad addresses. This week the SiteFinder site was rejecting those e-mails, but only after receiving the "to" and "from" addresses.

"If Verisign's running an SMTP server or POP server, they can start grabbing people's e-mail addresses and passwords if they want to. It's not good that they're directing more than just the Web browser traffic here," said Smith. "I doubt that Verisign would do this, but Verisign did go ahead and change the Internet routing system, without first thinking of the unforeseen consequences of doing this."

The commercial exploitation of mistyped Web addresses also rubs critics the wrong way. When people mistakenly type in a URL and end up at SiteFinder, Overture's paying advertisers will be listed as the top alternative choices for what the Web surfer may have meant to look for with the mistaken URL.

Moreover, Overture has been implicated in numerous spam complaints, according to Chris Brandon, president of Brandon Internet Services, an Internet investigations firm in North Carolina. "Overture has a long history of being in collusion with gangs of spammers," said Brandon. "I get complaints about them all the time from my 330 backbone ISP members about spam trying to direct them to Overture's search engines."

Overture says it does advertise its own services, but it does not spam. The company says the only advertisements it sells are in the form of top picks on Web search engines, which is a common practice among search sites such as Yahoo, which is expected to complete an acquisition of Overture in mid-October. Moreover, Overture said that all of its affiliate members are hand-screened by an editorial board for legality and compliance to its strict rules of netiquette.

In fact, it is the commercialization of the DNS service that has many people up in arms. DNS, the very backbone of the Internet, they say, should not be tainted with advertising and privacy concerns, and Verisign should not be taking advantage of its role as the official registry for .com and .net addresses. "It raises grave questions," Smith says.

Copyright © 2003,
