Bugtraq mailing list archives
RE: Does VeriSign's SiteFinder service violate the ECPA?
From: Justin Hahn <jeh () profitlogic com>
Date: Thu, 25 Sep 2003 10:47:02 -0400
The point I think Mr. Smith is trying to make is that Verisign seems to *want* to intercept this private information and use it to their own commercial advantage. Respectable sysadmins do not wish to receive form data intended for other sites.
As an aside, I find it very curious that people characterize HTTP traffic done in the clear (i.e. unencrypted) on the public internet as private data. If I shout my Social Security Number out loud in public, I am surely to blame for any losses I might incur from this act. HTTP traffic on the net is nominally analogous.

Now, if they were using some sort of wildcard SSL cert (technically, this is doable. Most browsers support a wildcard CN cert, but curiously Verisign is one of the CAs that DOESN'T issue them.) then it'd be a different story. Something to consider is if I've got a website foobar.com and it's a secure site, what happens if I accidentally direct traffic to foobarrr.com, which is actually SiteFinder+SSL. Hopefully the browser will alert the user that they are connecting to a different site with a different cert. However, it's quite likely that won't happen. (and if it does, I'm betting it's one of the popups that most users disable.)

I'd be careful making legal arguments, but I suspect that if Verisign is doing anything with this data they are justifying it as being "Public" and that if people are foolish enough to transmit "Private" data in a "Public" medium they can't be held liable. (But of course, that's for the courts to decide, and I wouldn't shed a tear if a judge disagreed with that interpretation.)

--jeh