Message-ID: <75C025AE395F374B81F6416B1D4BDEFB0146C0E7@mtv-corpmail.microfocus.com>
Date: Tue, 23 Sep 2003 09:22:51 -0700
From: Michael Wojcik <Michael.Wojcik@...rofocus.com>
To: BugTraq <bugtraq@...urityfocus.com>
Cc: N407ER <n407er@...ealbox.com>, rms@...puterbytesman.com
Subject: RE: Does VeriSign's SiteFinder service violate the ECPA?
> From: N407ER [mailto:n407er@...ealbox.com]
> Sent: Tuesday, September 23, 2003 10:43 AM
>
> By this logic, all webservers which unintentionally accept traffic
> without somehow verifying that a typo did not take place violate the
> ECPA. That's ridiculous. Do you really want a precedent where, if someone
> accidentally POSTs bank information to your site instead of the URL
> they meant to type, you are somehow liable?

IANAL, but the law recognizes degrees of liability. It's far less likely
that someone mistypes a URL and ends up with another valid FQDN, than ends
up with garbage that sends them to SiteFinder. By choosing to make it so
easy for data to be misdirected to SF, Verisign has arguably taken on
greater liability.

On a more practical note, by potentially exposing many, many users to data
misdirection, Verislime opens itself to class-action lawsuits.

Verisign executives appear to enjoy dancing on the edge of a precipice. The
CA business is essentially an unregulated financial service; if e-commerce
continues to grow, that won't last. The DNS business is an unnatural
monopoly. Verisign has screwed up royally in both (the bogus Microsoft
certificates and the sex.com transfer). Sooner or later someone with the
right resources will get sufficiently pissed to see them ground under the
government's thumb. Whether that happens through regulation or the courts
is the only real question.

And while there may well be unfortunate long-term effects, it'll be hard not
to feel a degree of glee in the moment.
--
Michael Wojcik
Principal Software Systems Developer, Micro Focus