IP issues with .com/.net change?

• Previous message (by thread): IP issues with .com/.net change?
• Next message (by thread): IP issues with .com/.net change?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 17 Sep 2003, Jack Bates wrote:

> Not sure about IP, but there are privacy issues. Verisign has
> intentionally redirected all email that was mistyped on the recipient to
> their server. Instead of immediately rejecting and terminating the
> connection, they allow the send to issue 3 commands, which would
> typically give them the sender and rcpt information where previously the
>   information would not leave the originating mail server. How could
> this be construed as anything but address harvesting and a breach of
> privacy?
>
> In addition, at no point has Verisign obtained permission to steal
> information in this way. They are eavesdropping! Every time I've
> checked, port 80 was down on the destination IP, but 25 was running full
> speed. It makes me wonder if their real intent wasn't to collect that
> information to begin with.

Regardless of Verisign's intent, there are definite privacy concerns here.
Verisign is now able to obtain all URL information from a browsing session
in which the domain name is mistyped (and the domain doesn't exist.) This
is of secondary concern to the NANOG list, which has been preoccupied with
the numerous technical and political problems this change poses, but is
nonetheless very serious.

Whereas ISP-provided search pages, such as AOL's, or local browser search
pages, such as IE's will be presented under identical circumstances (the
user mistypes a domain name), they don't have the same privacy problems
associated with them. As Microsoft's features are client-side, no user
information is leaked without the user's knowledge. And as the user is
already entrusting AOL, as her ISP, with her privacy, the problem is moot
there as well. Prior to this change, users never had to consider that
Verisign might be obtaining and recording their URL requests.

The email problem has been discussed here a bit more than the URL
requesting issue, and is troublesome in a number of other ways. The
potential for spam, the lack of clear reporting of a typo failure, and the
potential for privacy violations via the harvesting of email addresses,
and email address sender/recipient correlation are of concern.

Anonymizer has modified our name servers to correctly report unregistered
domains as such. Users of our anonymous web browsing proxy service are
protected from the web privacy problems created by Verisign's change;
users of our SSH tunneling service are protected from both the web and
email privacy problems.

We hope that Verisign will reconsider their actions. In the mean time,
we'll be doing everything we can to mitigate the risks to our users.


--Len.

• Previous message (by thread): IP issues with .com/.net change?
• Next message (by thread): IP issues with .com/.net change?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]