Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Does VeriSign's SiteFinder service violate the ECPA?
From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Tue, 23 Sep 2003 09:22:51 -0700

From: N407ER [mailto:n407er () myrealbox com] 
Sent: Tuesday, September 23, 2003 10:43 AM

By this logic, all webservers which unintentionally accept traffic 
without somehow verifying that a typo did not take place violate the 
ECPA. Thats ridiculous. Do you really want a precedent where, if someone 
accidentally POSTs bank information to your site instead of the URL 
they meant to type, you are somehow liable?

IANAL, but the law recognizes degrees of liability.  It's far less likely
that someone mistypes a URL and ends up with another valid FQDN, than ends
up with garbage that sends them to SiteFinder.  By choosing to make it so
easy for data to be misdirected to SF, Verisign has arguably taken on
greater liability.

On a more practical note, by potentially exposing many, many users to data
misdirection, Verislime opens itself to class-action lawsuits.

Verisign executives appear to enjoy dancing on the edge of a precipice.  The
CA business is essentially an unregulated financial service; if e-commerce
continues to grow, that won't last.  The DNS business is an unnatural
monopoly.  Verisign has screwed up royally in both (the bogus Microsoft
certificates and the sex.com transfer).  Sooner or later someone with the
right resources will get sufficiently pissed to see them ground under the
government's thumb.  Whether that happens through regulation or the courts
is the only real question.

And while there may well be unfortunate long-term effects, it'll be hard not
to feel a degree of glee in the moment.

Michael Wojcik
Principal Software Systems Developer, Micro Focus

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]