FRAMINGHAM (09/25/2003) - My hope and hopeful expectation is that by the time this column gets published common sense or the voice of authority will have won out over greed, and VeriSign will have stopped hijacking .com and .net. Even if my hopes are fulfilled, this episode has been an important lesson on the requirement to not trust the well being of the Internet to people who so easily put their greed in front of all other considerations.
I'll give a bit of background for those of you who have been too busy following the California recall-election debacle to pay attention to what's going on with the Internet. On Sept. 15, VeriSign - the operator of the .com and .net domain name registries - changed the data in its database so that whenever anyone looks up a domain name that did not exist, the IP address of a VeriSign server was returned instead of the server responding that the domain did not exist. VeriSign explained what it was doing in a white paper.
To someone using a Web browser, the result of the changes VeriSign made might not be all that obvious. If you mistype a URL, you get a VeriSign Web page that lets you search for the site you were trying to reach. This is about the same thing that users of some browsers were already getting when they mistyped a URL, the difference being that the Web page is now a VeriSign one rather than one selected by the browser company.
But the Internet is more than just the Web. There are thousands of applications that also use the Internet with more or less user interaction. Now all of these applications will get redirected to the VeriSign server when there is a problem with the domain name. VeriSign only tried to deal with Web and e-mail traffic, and it dealt with e-mail in a way that broke a number of systems that try to eliminate spam. All other applications now mysteriously will fail with no notice to the users.
VeriSign's change set off a firestorm in Internet techie circles. There were more than 500 messages to the nanog list on the topic in less than a week - almost all of which expressed strong views against VeriSign's actions.
Later in the week, the Internet Engineering Task Force's Internet Architecture Board and the Internet Corporation for Assigned Names and Numbers (the folk who are supposed to be overseeing the domain name system) weighed in with their views, also negative. Software updates already are being distributed to counteract VeriSign's changes.
One can reasonably ask how a change that affected so much of the Internet could be installed without any sort of advance discussion. VeriSign did it because it could - it controls the databases. Apparently the question of whether the company should do it never entered the minds of its officials. VeriSign felt it knew what was best for VeriSign - it has said that it hopes to make money redirecting the typos. What was best for the Internet was apparently irrelevant.
But one big lesson that must be learned from this episode is that organizations or people in positions of responsibility in the Internet infrastructure must be worthy of our trust. We now have a case study of what happens when this is not the case.
Disclaimer: Arrogance is not a stranger at Harvard but, even at Harvard, VeriSign would stand out. That said, the above is my own arrogant(?) view.
Bradner is a consultant with Harvard University's Information Systems. He can be reached at email@example.com.