by Mike Masnick
Mon, Apr 21st 2008 9:01pm
Back in 2003, there was a huge mess over VeriSign's plan to create "SiteFinder," which effectively hijacked "page not found" messages online and inserted advertising instead. This also broke a bunch of online services that relied on accurate page not found messages. Eventually, VeriSign backed down, but over the last couple of years, ISPs have been starting to do the same thing on their own at a slightly different level in the process. However, some security researchers have demonstrated just how dangerous this can be, by using Earthlink's setup to show how it can be used by phishers to make pages look like they're really on someone else's domain. This particular hole has been patched, but it does demonstrate some of the unintended problems of hijacking a widely accepted standard behavior on the internet for the ISP's own purposes. The ISPs (including Earthlink in this case) always claim that they put up these ad pages as a "customer service" or to "improve their experience," but that's simply untrue. Such pages don't help matters. If a page can't be found, the user should be told that the page can't be found. Users can then search for the proper page themselves on a search engine.