Verisign: the Ultimate in Typo-Squatting

September 16, 2003 2:48 PM

One reason Microsoft Internet Explorer annoys me is the typo feature. When you mistype a domain, rather than give you back an error-message, it redirects you to MSN's search site. I don't like this for two reasons: firstly it adds significantly to the time it takes to just correct the typo and load the right page. Secondly, it makes an annoying assumption at which search engine I might want to use. (Hint: it's not MSN)

This is one reason I try not to use MSIE. Mozilla throws up an error message when it can't find a domain, and makes it very easy for me to choose Google as my default search-engine.

Verisign, it seems, have the trump-card. By putting a wildcard DNS on '.net' and '.com', they are redirecting every single domain typo to their own search page. I can't even begin to describe how much this whole idea annoys me.

It's disreputable. I've always considered typo-squatting--the practise of registering domains that are similar to popular sites so as to get hits from typos--to be a pretty underhand tactic: something you'd expect from the second-hand car salesman school of marketing. Now Verisign are planning to typo-squat probably half the Internet.

It's technically reprehensible. It's breaking the DNS. In one fell swoop it removes the technical distinction between an unregistered domain and a registered domain. It's part of this stupid assumption that the whole Internet is just the World Wide Web with a few unimportant bits bolted on the side. So obviously it's OK to break a fundamental feature of the DNS just so that one company can exploit a few more web users.

It's vulnerable to cross-site scripting

It's an abuse of monopoly. If a web browser of an operating system plays this sort of trick, you can stop using it as I avoid MSIE. You can't avoid the DNS,1 and you can't just choose to go with some provider of the .com domain who isn't a scum-sucking bottom-feeder.2

The body that should slap Verisign down won't, of course. Verisign should be the caretaker of .com, they shouldn't own the whole namespace. Verisign are abusing the fact that they've been put in charge of a significant public resource, with too few checks on what they are permitted to do with it.

I'm just going to blackhole

Update: This Bind8 patch allegedly fixes the issue (I haven't tested it), checking for the IP address that the wildcard resolves to.

This Linux ld_preload patch (again allegedly) intercepts calls like gethostbyname() and substitutes a 'domain not found' response for the IP address of the Verisign server.

Update: Overheard: "Verisign: We put the * in .com"

1 Yes, I'm aware of the existence of alternative TLD registries. Wake me when they are relevant to the real world.
2 There are alternative registrars, but Verisign still are own all your base.

Previously: Basic Mathematics

Next: Apple Expo: New 15" Powerbook