Bugtraq mailing list archives
Does VeriSign's SiteFinder service violate the ECPA?
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sat, 20 Sep 2003 12:55:30 -0400
Hi, Here's a question for the lawyers. In certain situations, does the VeriSign SiteFinder service violate the Electronic Communications Privacy Act (AKA, ECPA)? Here's the actual text of the ECPA: http://www4.law.cornell.edu/uscode/18/pIch119.html With my packet sniffer, I noticed that the VeriSign SiteFinder Web server happily accepts POST form data which is intended for another Web server. This situation will occur if the domain name is misspelled in the action URL of a form. Without SiteFinder in the picture, the HTTP POST operation is never done since the DNS lookup fails. Here's an example POST HTTP request which was misdirected by VeriSign: POST /cgi-bin/mail.pl HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Accept-Language: en-us,ru;q=0.5 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) Host: www.atypodomainthatismisdirectedbyverisign.com Content-Length: 240 Connection: Keep-Alive Cache-Control: no-cache toaddr=rms () computerbytesman com&fromaddr=dbrown () lawyers com&message=Rich ard%2C%0D%0A%0D%0ACan+you+give+me+a+call+right+away+on+my+cellphone%3F++ I+have+some+news+about+your+pending+lawsuit.%0D%0A%0D%0AThanks%2C%0D%0AD avid+Browm%2C+Esq.%0D%0A And here's the misleading response from the SiteFinder server: HTTP/1.1 302 Found Date: Sat, 20 Sep 2003 16:29:41 GMT Server: Apache Location: http://sitefinder.verisign.com/lpc?url=www.atypodomainthatismisdirectedb yverisign.comPOST%20/cgi-bin/mail.pl&host=www.atypodomainthatismisdirect edbyverisign.com Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 Richard M. Smith http://www.ComputerBytesMan.com
Current thread:
- Does VeriSign's SiteFinder service violate the ECPA? Richard M. Smith (Sep 22)
- Re: Does VeriSign's SiteFinder service violate the ECPA? N407ER (Sep 23)
- Re: Does VeriSign's SiteFinder service violate the ECPA? David Nichols (Sep 25)
- Re: Does VeriSign's SiteFinder service violate the ECPA? Bob Johnson (Sep 26)
- Re: Does VeriSign's SiteFinder service violate the ECPA? David Nichols (Sep 25)
- <Possible follow-ups>
- RE: Does VeriSign's SiteFinder service violate the ECPA? Kaplan Michael N NPRI (Sep 23)
- RE: Does VeriSign's SiteFinder service violate the ECPA? Michael Wojcik (Sep 23)
- RE: Does VeriSign's SiteFinder service violate the ECPA? Christopher Wagner (Sep 24)
- RE: Does VeriSign's SiteFinder service violate the ECPA? Justin Hahn (Sep 25)
- RE: Does VeriSign's SiteFinder service violate the ECPA? Frank Nospam (Sep 25)
- RE: Does VeriSign's SiteFinder service violate the ECPA? Andrea Rimicci (Sep 25)
- Re: Does VeriSign's SiteFinder service violate the ECPA? N407ER (Sep 23)