Non-Existent Domain Hijacking Not Just Annoying, But A Security Threat
from the please-stop dept
Back in 2003, there was a huge mess over VeriSign's plan to create "SiteFinder," which effectively hijacked "page not found" messages online and inserted advertising instead. This also broke a bunch of online services that relied on accurate page not found messages. Eventually, VeriSign backed down, but over the last couple of years, ISPs have been starting to do the same thing on their own at a slightly different level in the process. However, some security researchers have demonstrated just how dangerous this can be, by using Earthlink's set up to show how it can be used by phishers to make pages look like they're really on someone else's domain. This particular hole has been patched, but it does demonstrate some of the unintended problems of hijacking a widely accepted standard behavior on the internet for the ISP's own purposes. The ISPs (including Earthlink in this case) always claim that they put up these ad pages as a "customer service" or to "improve their experience," but that's simply untrue. Such pages don't help matters. If a page can't be found, the user should be told that the page can't be found. They can do a search on a search engine themselves to find the proper page.