Registrar Connections
September 2007
In this issue:
Don’t Get Hacked: What everyone should know about AJAX Security
Special series article by Karthik Shyamsunder, Principal Engineer at VeriSign
Part 3 of 3 - The Part 2 article in our August issue discussed Cross-Site Scripting, Cross-Site Request Forgery and Improper Authentication.
Denial of Service
Hackers achieve Denial of Service (DoS) and Distributed Denial of Service (DDoS) by consuming scarce or limited resources. A common misconception is that these are primarily network-level attacks, but vulnerabilities in the application itself can also be used to cause denial of service. In AJAX applications, the hacker can attack the client by injecting malicious code or script; classic cases include tying up the client CPU with an infinite loop or exploiting a bug in the browser. A hacker can also cause denial of service by attacking the server, by invoking exposed web services uncontrollably or by calling them out of order in an attempt to crash the web application. In the case of mashups, the hacker attacks the server’s server, which is sometimes referred to as “Smashing the Mashup”.
Since most of this DoS is caused by code injection, cross-site scripting bugs need to be removed. Validating user input effectively and practicing output encoding are also essential. It is also vital to rate-limit client requests to both your B2C and your B2B services; this can be handled at the network or application level. Work on preventing automation with CAPTCHA schemes, where the user has to enter a word or phrase shown in a distorted image. Above all, have good monitoring, real-time analysis and alert systems in place to identify the situation when it occurs.
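As an added example (not code from the article), the two server-side countermeasures above, rate-limiting client requests and rejecting out-of-order calls to an exposed service, in one small Python guard; the client ids, operation names and limits are constructed for the demonstration:

```python
"""Application-level guard for AJAX-exposed web services (added example).

Rate-limits each client with a sliding window and refuses calls made out
of order.  Client ids, operation names and limits are constructed.
"""
from collections import deque
import time

# Hypothetical order a client must follow when driving the service through
# asynchronous calls; anything else is rejected rather than handed to code
# that assumes an earlier step already ran.
ALLOWED_TRANSITIONS = {
    None: {"start_session"},
    "start_session": {"add_item"},
    "add_item": {"add_item", "checkout"},
    "checkout": {"start_session"},
}


class ServiceGuard:
    """Per-client sliding-window rate limiter plus per-client call ordering."""

    def __init__(self, max_calls, window_seconds, clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock          # injectable so the demo is deterministic
        self._calls = {}            # client_id -> deque of attempt timestamps
        self._state = {}            # client_id -> last accepted operation

    def _within_rate(self, client_id, now):
        # Discard timestamps older than the window, then count what is left.
        q = self._calls.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)               # every attempt, valid or not, uses a slot
        return True

    def check(self, client_id, operation):
        """Return (accepted, reason); the caller logs and alerts on rejections."""
        now = self.clock()
        if not self._within_rate(client_id, now):
            return False, "rate limit exceeded"
        last = self._state.get(client_id)
        if operation not in ALLOWED_TRANSITIONS.get(last, set()):
            # State does not advance, so a client cannot skip ahead by retrying.
            return False, f"operation {operation!r} not valid after {last!r}"
        self._state[client_id] = operation
        return True, "ok"


def demo():
    """Drive one constructed client through a mix of good and bad calls."""
    t = [0.0]
    guard = ServiceGuard(max_calls=3, window_seconds=10, clock=lambda: t[0])
    results = [
        guard.check("client-A", "checkout"),       # out of order: rejected
        guard.check("client-A", "start_session"),  # accepted
        guard.check("client-A", "add_item"),       # accepted
        guard.check("client-A", "add_item"),       # 4th call in 10 s: rate limited
    ]
    t[0] = 10.0                                    # window has elapsed
    results.append(guard.check("client-A", "add_item"))  # accepted again
    return results
```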
Code Complexity Issues
With Web 2.0 AJAX applications, developers have to master even more technologies. AJAX applications are event-driven and so tend to get complicated, as the client browser regularly makes asynchronous calls, which may lead to concurrency issues. If these asynchronous interactions are not well understood, the risk of introducing vulnerabilities increases.
The countermeasure is simply Education! Education! Education! Also, ensure that enough time is built into the schedule for developers to ramp up. Finally, implement a security review process.
In short, AJAX has become a popular technology for building Web applications, but it is still beset by security issues. AJAX by itself does not substantially change the fundamentals of Web application security, but it makes traditional threats and attacks much, much worse by increasing the attack surface. Hence, it is critical that web application developers understand these security issues and take appropriate countermeasures. Ignoring them can lead to big disasters for the corporate world.
Usability Tips: Consumers Look for Trustworthy Sites
Contributed by the VeriSign User Experience Design Team
This section will provide tips on how to better convert sales, increase
shopping cart sizes, attract attention to promotions and make your site
look more secure.
A recent study conducted by a third party commissioned
by VeriSign shows online shoppers are more likely to convert to customers
when the Web site displays cues that indicate a commitment to their
safety. Initial impressions are important factors in how shoppers
interpret security, award trust and spend money. Customers feel
more secure entering personal and payment information on sites that
communicate trustworthiness.
Follow these tips to make your Web site trustworthy
and drive revenue:
1) VISUAL TRUST – Make sure your site has a solid, balanced layout: A visually unbalanced site with perceptible gaps in its layout shouts “warning!” to shoppers. Poor visual design indicates to shoppers that a site was put together hastily, by a hacker, or by an illegitimate individual posing as a company. Check that your site design is consistent and professional to convey professionalism and visual trust.
2) POLICY TRUST – Call out and link to your company policies and features: A new shopper will parse your site to gain an understanding of what ‘life after the purchase’ will be like. If your company has a privacy policy, put a link to it in the footer, and highlight important features at conversion points, that is, anywhere your shopper needs to enter personal or payment information. If your company offers customer support through telephone or online chat, call it out. Remember, if your shopper does not see your policies and features, they don’t exist.
3) SECURITY TRUST – Show a trust mark on your site: Online
shoppers want to know that their personal and payment information will
not be intercepted. If your company uses a service that protects
customers or offers some guarantee, ensure your visitors know it by
displaying the appropriate seal. Showing a trust mark like the
VeriSign Seal can help convert visitors into paying customers.
Online shopping is a great convenience for
many consumers but ‘trustworthiness’ ranks high when they decide to
conduct e-shopping. Make sure your Web site demonstrates security and
safety by doing all you can to reassure your customers of their online
“well-being” in order to retain their business and keep them coming
back.
Supporting You and Your Customer’s Web Audiences on Mobile Clients
A special article by Karthik Shyamsunder, Principal Engineer at VeriSign
The mobile phone market is experiencing tremendous growth worldwide. There are approximately 2 billion connected cell phones, and hundreds of thousands of new mobile devices are being provisioned every day. The interesting fact is that two out of three phones are web capable, but only a fraction of these are being used for Web browsing. There are several challenges when it comes to delivering content to small devices compared to standard laptops and desktops. First, cell phones have smaller screens. Second, there is limited bandwidth. Third, there is the lack of a full keyboard. Fourth, cell phones have limited system resources in such areas as display color, computing power, memory, and storage. Finally, the browsers built into these mobile devices have limited capabilities with respect to engines such as JavaScript, VBScript, plug-ins, and many other taken-for-granted areas.
Examining the current Internet marketplace carefully, one thing worth noting is that most established companies, organizations and agencies already have an Internet presence. However, most of these web pages are designed for desktop-only browsing: they are optimized for desktop or laptop browsers, not for mobile devices.
One might wonder what can be done to best support
mobile devices. The answer is fairly straightforward and that
is to broaden the accessibility of your established brand by making
the existing web presence “Mobile Friendly”. In other words, the
goal is to make delivery to mobile devices be seamless, reliable, cost-effective,
and useful. This idea is called “One
Web”* - i.e. use one Web identity to deliver content
to any device, used by anyone, anywhere. This is the recommended
approach from the W3C, which sets recommendations for Web applications.
The idea is not to reinvent your brand or even
split your brand into components, but rather to extend the reach of
your existing brand. In other words, focus on the changes necessary
to ensure a seamless experience to your customers. Don’t put a
“brand selection” burden on your customers by telling them that if they
are using a desktop, they should go to one domain but if they are using
a cell phone, they have to navigate to a different URL. Use server side
technology to present your well marketed brand in an optimal format
for the device being used.
The “One Web” vision can be achieved by using an existing Internet brand to deliver content to all devices. When connecting to a web site, most devices send a device signature to the web server in an HTTP header called “user-agent”. A server application can capture this header and use it to send content to the particular device in the most effective way. More information on the best practices can be found at http://www.w3.org/2006/Talks/1106-sb-OneWeb-Mobile2/.
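An added example, not code from the article or from the W3C, of the server-side selection described above: the user-agent header picks a mobile or desktop rendering of the same URL. The device tokens and template names are constructed, and because the header is client-supplied it only ever affects presentation, never authorization:

```python
"""Choosing a mobile or desktop rendering from the User-Agent header.

Added example of the header-driven approach the article describes: one
URL, one brand, content shaped per device.  Device tokens and template
names are constructed; the header is untrusted client input and is used
for presentation only.
"""

# Lower-case substrings identifying mobile browsers of the period. Constructed
# for the demo; a real deployment would use a maintained device database.
MOBILE_TOKENS = ("mobile", "iphone", "android", "windows ce", "blackberry",
                 "symbian", "midp", "wap")
MAX_UA_LENGTH = 512          # cap the work done on an oversized header

TEMPLATES = {"mobile": "product_mobile.xhtml", "desktop": "product.html"}


def classify_user_agent(user_agent):
    """Return 'mobile' or 'desktop'. Missing, empty or unrecognised agents
    fall back to the full desktop page, so no device is ever locked out."""
    if not user_agent:
        return "desktop"
    ua = user_agent[:MAX_UA_LENGTH].lower()
    return "mobile" if any(tok in ua for tok in MOBILE_TOKENS) else "desktop"


def negotiate(request_headers):
    """Pick the variant for one request and return what the handler needs.

    `request_headers` is a dict of request header names to values (header
    names are matched case-insensitively).  The returned Vary header tells
    caches that this URL's response depends on User-Agent, so a phone is
    never served a cached desktop page or vice versa.
    """
    ua = next((v for k, v in request_headers.items()
               if k.lower() == "user-agent"), None)
    variant = classify_user_agent(ua)
    return {
        "variant": variant,
        "template": TEMPLATES[variant],
        "response_headers": {"Vary": "User-Agent"},
    }
```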
______________________________________
* Copyright © 2005-2006 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
Tell Us What You Want and Enter to Win a $50 Gift Check
Registrar Connections is a newsletter for the
benefit of registrars. VeriSign strives to make our topics relevant,
valuable and interesting to our readers—so tell us what you think!
All completed surveys will be entered into a drawing on October 31,
2007 and two winners will be selected to each win a $50 gift check from
Amazon.com.
Click to access our subscriber survey (or copy and paste the link into your Web browser) and get a chance to voice your opinion on what you want to read or learn about:
http://www.surveymonkey.com/s.aspx?sm=_2b9Q8CPm8iLQyYXHpf0PBXw_3d_3d
Help us make this newsletter a strong tool that will inspire you to improve your business, retain customers, gain new ones and do your job better!
Webinar Schedule
Our first three webinars have been very well received, with a growing number of attendees. Our next session, “Don’t Get Hacked!”, is scheduled for October 18 at 1:00 p.m. EDT (UTC/GMT -04:00, New York). Reserve your space at your earliest convenience. Join this webinar and learn about security threats “ripped from the headlines” as well as step-by-step directions to help avoid letting these issues threaten your business. Registrars and their customers are facing threats to their physical, network, application and browser security. After attending this session, attendees will have a stronger understanding of the nature of these threats, and they will be able to identify common potential threats and reduce vulnerabilities.
The presenter, Karthik Shyamsunder, has 15
years of experience in the software industry and is currently a Principal
Engineer within the VeriSign Naming Engineering division, leading the
effort on VeriSign’s Engineering wide Architecture board. He also serves
as an adjunct faculty at The Johns Hopkins University, Computer Science
School and has received numerous awards including Johns Hopkins University’s
2000 Teaching Excellence award and the Margaret Aldrich Award for Mathematics.
VeriSign Naming Services Staff Spotlight: James Gould
“Engineering is very exciting work. The elements to produce art are the same elements as producing software. It involves the same creative passion and intensity that an artist draws from when he translates his mind’s vision into a masterpiece on canvas. But engineering brings in math too and I like math just as much as I like art.”
Jim Gould, Principal Engineer, VeriSign, Inc.
This month marks Jim Gould’s seven-year anniversary
with VeriSign and they have been very exciting years. Jim is a
Principal Engineer with VeriSign and he has proven himself a true professional
who is highly respected within the company, as well as among his peers
in the technology industry.
A vital member of VeriSign’s Naming Services
business unit, Jim has contributed his talents directly to key initiatives
including Lead Architect for the Naming Registry Services which include
the .com/.net Registry, NameStore, and NAME Registry; and Lead Engineer
on the Extensible Provisioning Protocol (EPP) software development kit
(SDK).
The technology industry has also benefited
from Jim’s expertise as he has actively participated as a speaker at
the annual JavaOne conference since 2005 and has been one of our senior
executive presenters at several VeriSign Engineering Symposiums.
He also chairs the architecture board of Naming Services that is comprised
of 20 engineers who confer on determining best practices, architecture
reviews, and brainstorming solutions to current challenges.
Jim graduated cum laude from the University of Maryland and went to night
school to complete his MBA. But he’s not a computer geek in the least!
He dispels any tendency towards the couch-potato malady by having fun
and spending a lot of time with his wife (who by the way is also a software
engineer) and their four lovely children, cheering for the University
of Maryland Terrapins or keeping his 6’2” frame in shape by running
in 10-mile races.
It’s a happy picture indeed! Jim loves
his wonderful family, enjoys his work and appreciates VeriSign. On VeriSign,
he recalls when he interviewed back in 2000 with Ari Balogh, currently
VeriSign’s Chief Technology Officer. Ari told him, “sure you’re smart
but VeriSign has a lot of very, very smart people. It will be challenging
but rewarding.” And Jim agrees wholeheartedly. Working at
VeriSign has been highly rewarding primarily because of the people.
Plus, getting the opportunity to work on the Registry side of the business
makes it exciting because the domain name business is such a critical
piece of the Internet. We’re convinced – engineering is very exciting
work!
Correction: RSS Feed Link
In last month’s issue, we published an incorrect link to subscribe to the Registrar Advisories RSS Feed. We apologize for the inconvenience. The correct link is http://feeds.feedburner.com/VeriSignRegistrarAdvisories.
Customer Service: Frequently Asked Questions
This section includes some recent questions handled by the Customer Service group. To view past Q&As, please check past issues of Registrar Connections.
Question: Why am I getting a response code of 1001 when
initiating a transfer? I used to get a response of 1000.
Answer: As of August 25, 2007, some response codes have changed. Please
review the details for complete information regarding these
changes.
Question: What time zone is displayed in the NameStore Manager
Registrar tool?
Answer: After August 25, 2007, the NameStore Manager Registrar
tool started to display the time in Coordinated Universal Time (UTC)
format, and no longer displays time in US EDT for the .com and .net
top-level domain names. Time was already being displayed in UTC for
the EPP Gateway Channel.
Question: I received "parameter value policy error" when I tried to register an IDN domain name. Why?
Answer: A CREATE domain registration request that involves the following code points, which lie beyond Unicode 3.2, will be disallowed. If an IDN registrar attempts to register a domain name that uses any of the following code points, the registrar will receive “parameter value policy error" with error code 2306:
0750-077F
07C0-08FF
1380-139F
18B0-1DFF
2B00-2E7F
2FE0-2FEF
31C0-31EF
4DC0-4DFF
A4D0-ABFF
D7B0-D7FF
FE10-FE1F
10000-102FF
10350-103FF
10450-1CFFF
1D200-1D3FF
1D800-1FFFF
2A6E0-2F7FF
2FA20-DFFFF
E0080-EFFFF
This change was effective August 25, 2007. Get more details.
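An added example (not VeriSign registry or SDK code) of a registrar-side pre-check for this answer: it tests a label's code points against the ranges listed above and reports the 2306 result the registry would return, so the error is caught before the CREATE is sent. The label values in the demo are constructed:

```python
"""Registrar-side pre-check of an IDN label against the code point ranges
the registry rejects (code points beyond Unicode 3.2, per the FAQ answer).

Added example, not VeriSign registry or SDK code.  The ranges are the ones
listed in the answer; the label values in demo() are constructed.
"""

# Inclusive ranges exactly as listed in the answer (hex code points).
DISALLOWED_RANGES = (
    (0x0750, 0x077F), (0x07C0, 0x08FF), (0x1380, 0x139F), (0x18B0, 0x1DFF),
    (0x2B00, 0x2E7F), (0x2FE0, 0x2FEF), (0x31C0, 0x31EF), (0x4DC0, 0x4DFF),
    (0xA4D0, 0xABFF), (0xD7B0, 0xD7FF), (0xFE10, 0xFE1F),
    (0x10000, 0x102FF), (0x10350, 0x103FF), (0x10450, 0x1CFFF),
    (0x1D200, 0x1D3FF), (0x1D800, 0x1FFFF), (0x2A6E0, 0x2F7FF),
    (0x2FA20, 0xDFFFF), (0xE0080, 0xEFFFF),
)

EPP_PARAM_VALUE_POLICY_ERROR = 2306   # result code named in the answer


def disallowed_code_points(label):
    """Return (index, code point) pairs in `label` that fall in a disallowed
    range; an empty list means the label passes this particular check."""
    hits = []
    for i, ch in enumerate(label):        # str iterates by code point, so
        cp = ord(ch)                      # supplementary-plane chars are whole
        if any(lo <= cp <= hi for lo, hi in DISALLOWED_RANGES):
            hits.append((i, cp))
    return hits


def precheck_create(label):
    """Mirror the registry's answer before sending the CREATE.

    Returns (2306, message) when the label would be refused, or
    (None, message) when no listed code point is present; the registry's
    other policy checks still apply in that case.
    """
    hits = disallowed_code_points(label)
    if hits:
        listed = ", ".join(f"U+{cp:04X} at {i}" for i, cp in hits)
        return EPP_PARAM_VALUE_POLICY_ERROR, f"Parameter value policy error: {listed}"
    return None, "no disallowed code points"


def demo():
    """Constructed labels: ASCII, Latin-1 and supplementary-plane cases."""
    return {label: precheck_create(label)[0] for label in (
        "example",            # plain ASCII: passes
        "b\u00fccher",        # U+00FC: passes, below every listed range
        "\u0750abc",          # U+0750: first listed range, refused
        "a\U0001D300",        # U+1D300: inside 1D200-1D3FF, refused
        "\U0001D100",         # U+1D100: between two listed ranges, passes
    )}
```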
Special Report on Technology
from eMarketer: Online Video – Making Content Pay
Online video has reached mass-market status
in the US media landscape. Television networks, film studios, independent
content owners, Web portals, social media sites, technology providers,
online stores, brand marketers and consumers are shaping this Internet
video revolution. They are forging new paradigms in how digital content
is created, distributed, consumed and monetized.
The business models and delivery platforms
for online video are in flux, creating a mixture of uncertainty and
opportunity among media professionals.
Some fear that the widespread availability
of video content on the Internet threatens the traditional TV and film
industries. Others see the potential to increase revenues through a
variety of business models, including ad-supported streaming, pay-to-own
downloads, subscription services and online rentals.
By 2011, 86.6% of the US Internet population will view online video, up from 62.8% in 2006. This translates to 183 million viewers in 2011, up from 114 million in 2006. eMarketer also expects that spending on online video advertising will increase dramatically in the United States, reaching $4.3 billion in 2011, up from $410 million in 2006.
To read the full report, please contact Jennifer
Moore at 212.763.6046 or send an email to jmoore@emarketer.com.
In the News
This section contains a selection of articles
pertaining to the Domain Name Industry compiled by Information, Inc.
"E-Recruitment Comes of Age, Survey Says"
HR Magazine (08/07) Vol. 52, No. 8, P. 34; Minton-Eversole, Theresa
Companies are streamlining their recruitment operations by adopting
e-recruiting tools, though the most effective companies are those using
more sophisticated e-recruiting tools, according to the 2007 E-Recruiting
Survey conducted by the Society for Human Resource Management (SHRM).
The survey polled roughly 600 SHRM members; some member companies possessed
.jobs domain names, while others did not. All those surveyed asserted
that employee referrals produce the most talented job candidates and
the best return on money spent. Membership directories, industry-specific
forums, and social networking sites were cited as the most frequently
used tools for connecting to passive job candidates. According to the
poll, the largest obstacles to online recruiting are limited department
resources, trouble finding diverse and high-quality candidates, and
difficulty handling the quantity of resumes. Overall, companies possessing
.jobs domain names fared better with e-recruiting than companies without
.jobs domain names, and were substantially more likely to utilize best
practices such as tracking the average number of clicks needed to reach
their Web sites' career section. However, having a .jobs domain name
is not the only route to e-recruiting efficiency, says Shawn Fegley
of SHRM. Employing a combination of recruitment techniques will enhance
recruitment effectiveness, explains Fegley.
http://www.shrm.org/hrnews_published/archives/CMS_022031.asp#P-8_0
"What's in a Specialized Domain Name? More Clicks, Sandia Says"
Internet Retailer (08/28/07)
Specialized domain names allow e-commerce firm Sandia Marketing
to differentiate itself from the competition, according to Pat Riley,
the company's Webmaster. Sandia sells sports bottles and other merchandise
to businesses, churches, schools, and sports teams, with those organizations'
logos imprinted on the merchandise. Sandia uses a pay-per-click advertising
model that accounts for nearly all of the company's business through
Web sites at domain names such as SportsBottleWorld.com, GolfPromoProducts.com,
RealEstatePromoProducts.com, and DrinkWareCentral.com. All told, Sandia
uses seven Web sites hosted by search provider PicoSearch. Some of the
seven sites have upwards of 1,200 SKUs, Riley says, explaining that
SportsBottleWorld.com, which is about to surpass 150 SKUs, is the second-most
profitable of the sites. The most productive site features a 1-68 ratio
of sales to visitors, and the average purchase is $800. Riley is a big
believer in the value of PicoSearch's search-related technology, pointing
out that its search functions can be tailored to eliminate sections
and parts of a Web page, including unimportant phrases, so that the
search focuses only on the pertinent areas of the product pages.
http://www.internetretailer.com/printArticle.asp?id=23549
"'Tune In' as Dot TV Names Surge With the Popularity of Online Video"
Business Wire (08/20/07)
GoDaddy.com says registrations for the .tv TLD in 2007 have increased
65 percent over last year. "People associate 'TV' with their entertainment
experience from television," says GoDaddy's Warren Adelman. "That's
why .tv names are especially good for video and multimedia sites. 'TV'
is one of the most recognized two-letter symbols in the world, so it's
memorable and marketable." GoDaddy says the rise in registrations
coincides with the increasing use of online video on the Web. A new
report from the Pew Internet and American Life Project says nearly one
in five adults online watch or download video on a typical day, and
more than half of online video viewers share links to the videos they
find with others. GoDaddy notes that beyond television stations and
media companies, .tv names are also becoming more popular with individuals
who already have a .com Web site but want a separate site where they
store their favorite videos. The company also says small business owners
are using .tv sites for product demonstration videos and taped customer
testimonials.
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070820005085&newsLang=en
"Freedom Key to Web Evolution, Says Guru"
Financial Times (08/31/07) P. 11; Edgecliffe-Johnson, Andrew
Vint Cerf, Google's vice president and chief internet evangelist,
says any threat to open access to the Internet would be "a hazard
to innovation," and that the Internet's ability to handle a continually
expanding number of users and amount of content on the network is less
important than security, stability, reliability, and privacy. "The
most important thing is to make sure we have a secure and stable network,"
Cerf says. "There are ways to attack the system which we need to
defend against." As for "net neutrality," Cerf hopes that the Internet will remain open and that broadband providers will not discriminate between content providers or move to block applications that use large amounts of bandwidth. "If we ever move into a regime
where the providers of basic Internet services have control over what
users or entrepreneurs can put on the network then I see a potential
hazard to innovation," Cerf says. Cerf urges regulators around
the world to recognize the importance of an open network with general
neutrality, and that if the Internet is ever controlled by "monopoly
broadband providers" the investments in data centers and other
infrastructure necessary to expand its reach could not be accomplished.
Cerf also believes that more consumers will be willing to pay for online
content as broadband expands. "I do think that as time goes on,
the consumer will understand the value of the content and be willing
to pay," Cerf says. Vint Cerf is a co-winner, with Bob Kahn, of
the 2004 ACM A.M. Turing Award. For more information, click on http://awards.acm.org/citation.cfm?id=8047952&srt=alpha&alpha=C&aw=140&ao=AMTURING
http://www.ft.com/cms/s/0/27421114-575a-11dc-9a3a-0000779fd2ac.html
"China Sale Spurs Domain Name Boom"
CBC News (CAN) (08/30/07)
According to VeriSign's quarterly Internet domain names brief,
reducing the cost of the Chinese ".cn" top-level domain resulted
in a fivefold surge of Web sites using the domain extension. Registration
for the .cn domain was 14 cents Cdn, leading to 402 percent growth compared
to last year. The report also said that China had a little under 6 million
registered domains by mid-2007. VeriSign noted that country TLDs such
as Germany's ".de" and Canada's ".ca" experienced
36 percent growth this year, totaling roughly 51.5 million registered
sites. China reached high ranks on the list of TLDs, followed by the
Russian ".ru" and South Korean ".kr." The ".com"
domain topped the list of leading TLDs, with ".net" and the
United Kingdom's ".uk" in vying positions. There are 267 domain
suffixes internationally, all approved and overseen by the Internet
Corporation for Assigned Names and Numbers (ICANN). ICANN's latest approval,
".asia," is expected for release in October.
http://www.cbc.ca/money/story/2007/08/30/tech-domain-china.html?ref=rss
© Copyright 2007 Information, Inc.