Editing Verisign (section)

== Controversies ==

=== 2001: Code signing certificate mistake ===

In January 2001, Verisign mistakenly issued two Class 3 [[code signing]] certificates to an individual claiming to be an employee of [[Microsoft]].<ref>{{cite web|url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-017|title=Microsoft Security Bulletin MS01-017 - Critical: Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard|publisher=[[Microsoft]]|date=March 22, 2001|access-date=April 29, 2021}}</ref> The mistake was not discovered and the certificates were not revoked until two weeks later during a routine audit. Because Verisign code-signing certificates do not specify a Certificate Revocation List Distribution Point, there was no way for them to be automatically detected as having been revoked, placing Microsoft's customers at risk.{{citation needed|date=June 2012}} Microsoft had to later release a special security patch in order to revoke the certificates and mark them as being fraudulent.<ref>{{cite web|url=http://www.microsoft.com/en-us/download/details.aspx?id=11288|title=Windows Security Update: Verisign Digital Certificates Spoofing Hazard|publisher=[[Microsoft]]|date=March 28, 2001|access-date=June 30, 2012}}</ref>

=== 2002: Domain transfer lawsuit ===

In 2002, Verisign was sued for [[domain slamming]] – transferring domains from other registrars to themselves by making the registrants believe they were merely renewing their domain name. Although they were found not to have broken the law, they were barred from suggesting that a domain was about to expire or claim that a transfer was actually a renewal.<ref>[https://www.theregister.co.uk/2003/09/25/verisign_slammed_for_domain_renewal TheRegister.co.uk] {{Webarchive|url=https://web.archive.org/web/20170810091852/https://www.theregister.co.uk/2003/09/25/verisign_slammed_for_domain_renewal |date=August 10, 2017 }}: VeriSign slammed for domain renewal scam</ref>

=== 2003: Site Finder legal case ===

In September 2003, Verisign introduced a service called [[Site Finder]], which redirected Web browsers to a search service when users attempted to go to non-existent {{mono|[[.com]]}} or {{mono|[[.net]]}} domain names. [[ICANN]] asserted that Verisign had overstepped the terms of its contract with the [[United States Department of Commerce|U.S. Department of Commerce]], which in essence grants Verisign the right to operate the [[Domain name system|DNS]] for {{mono|.com}} and {{mono|.net}}, and Verisign shut down the service. Subsequently, Verisign filed a lawsuit against ICANN in February 2004, seeking to gain clarity over what services it could offer in the context of its contract with ICANN. The claim was moved from federal to California state court in August 2004.<ref>{{cite web |url=http://icann.org/general/litigation-verisign.htm |title=Litigation Documents |access-date=August 21, 2007 |publisher=ICANN.org |date=March 26, 2007 |archive-url=https://web.archive.org/web/20070712200727/http://www.icann.org/general/litigation-verisign.htm |archive-date=July 12, 2007 |url-status=live |df=mdy-all }}</ref> In late 2005, Verisign and ICANN announced a proposed settlement which defined a process for the introduction of new registry services in the {{mono|.com}} registry. The documents concerning these settlements are available at ICANN.org.<ref>{{cite web|url=http://www.icann.org/tlds/agreements/verisign/settlement-agreements.htm|title=ICANN|website=www.icann.org|access-date=February 3, 2006|archive-url=https://web.archive.org/web/20060207154104/http://www.icann.org/tlds/agreements/verisign/settlement-agreements.htm|archive-date=February 7, 2006|url-status=live|df=mdy-all}}</ref> The ICANN comments mailing list archive<ref>{{cite web|url=http://forum.icann.org/lists/settlement-comments/|title=ICANN Email Archives: [settlement-comments]|website=forum.icann.org|access-date=February 3, 2006|archive-url=https://web.archive.org/web/20060218070510/http://forum.icann.org/lists/settlement-comments/|archive-date=February 18, 2006|url-status=live|df=mdy-all}}</ref> documents some of the criticisms that have been raised regarding the settlement.

=== 2003: Gives up {{mono|.org}} domain ===

In keeping with ICANN's charter to introduce competition to the domain name marketplace, Verisign agreed to give up its operation of {{mono|[[.org]]}} top-level domain in 2003 in exchange for a continuation of its contract to operate {{mono|.com}}, which, at the time had more than 34 million registered addresses.

=== 2005: Retains {{mono|.net}} domain ===

In mid-2005, the existing contract for the operation of {{mono|[[.net]]}} expired and five companies, including Verisign, bid for management of it. Verisign enlisted numerous IT and telecom heavyweights including Microsoft, IBM, Sun Microsystems, MCI, and others, to assert that Verisign had a perfect record operating {{mono|.net}}. They proposed Verisign continue to manage the {{mono|.net}} DNS due to its critical importance as the domain underlying numerous "backbone" network services. Verisign was also aided by the fact that several of the other bidders were based outside the United States, which raised concerns in national security circles. On June 8, 2005, ICANN announced that Verisign had been approved to operate {{mono|.net}} until 2011. More information on the {{mono|.net}} bidding process is available at [[ICANN]].<ref>{{cite web|url=http://icann.org/tlds/dotnet-reassignment/dotnet-general.htm|title=ICANN - Archives - General Information Regarding Designation of the Subsequent .net registry Operator|website=icann.org|access-date=December 4, 2004|archive-url=https://web.archive.org/web/20041204105517/http://icann.org/tlds/dotnet-reassignment/dotnet-general.htm|archive-date=December 4, 2004|url-status=live|df=mdy-all}}</ref> On July 1, 2011, ICANN announced that VeriSign's approval to operate .net was extended another six years, until 2017.<ref>{{Cite web|title = ICANN|url = https://www.icann.org/resources/unthemed-pages/net-2012-02-25-en|website = www.icann.org|access-date = 2015-10-01|archive-url = https://web.archive.org/web/20151003005044/https://www.icann.org/resources/unthemed-pages/net-2012-02-25-en|archive-date = October 3, 2015|url-status = live|df = mdy-all}}</ref>

=== 2010: Data breach and disclosure controversy ===

In February 2012, Verisign revealed that their network security had been repeatedly breached in 2010. Verisign stated that the breach did not impact the [[Domain Name System]] (DNS) that they maintain, but would not provide details about the loss of data. Verisign was widely criticized for not disclosing the breach earlier and apparently attempting to hide the news in an October 2011 SEC filing.<ref name="pcworld1">{{cite web |last=Bradley |first=Tony |url=http://www.pcworld.com/article/249242/verisign_hacked_what_we_dont_know_might_hurt_us.html |title=VeriSign Hacked: What We Don't Know Might Hurt Us |publisher=PCWorld |date=2012-02-02 |access-date=July 13, 2013 |archive-url=https://web.archive.org/web/20130611054417/http://www.pcworld.com/article/249242/verisign_hacked_what_we_dont_know_might_hurt_us.html |archive-date=June 11, 2013 |url-status=live |df=mdy-all }}</ref><ref>{{cite web |last=Albanesius |first=Chloe |url=https://www.pcmag.com/article2/0,2817,2399773,00.asp |title=VeriSign Hacked Multiple Times in 2010 &#124; News & Opinion |publisher=PCMag.com |date=February 2, 2012 |access-date=July 13, 2013 |archive-url=https://web.archive.org/web/20130116083322/http://www.pcmag.com/article2/0,2817,2399773,00.asp |archive-date=January 16, 2013 |url-status=live |df=mdy-all }}</ref>

Because of the lack of details provided by Verisign, it was not clear whether the breach impacted the certificate signing business, acquired by Symantec in late 2010. Some, such as Oliver Lavery, the Director of Security and Research for nCircle, doubted whether sites using Verisign SSL certificates could be trusted.<ref name="pcworld1"/>

=== 2010: Web site domain seizures ===

On November 29, 2010, the [[U.S. Immigration and Customs Enforcement]] (U.S. ICE) issued seizure orders against 82 web sites with {{mono|.com}} Internet addresses that were reported to be involved in the illegal sale and distribution of counterfeit goods.<ref>{{cite web
 |url          = http://www.ice.gov/news/releases/1011/101129washington.htm
 |title        = 82 Websites removed by DNS removal
 |access-date   = November 12, 2010
 |archive-url  = https://web.archive.org/web/20101202160119/http://www.ice.gov/news/releases/1011/101129washington.htm
 |archive-date = December 2, 2010
 |url-status     = dead
 |df           = mdy-all
}}</ref> As registry operator for {{mono|.com}}, Verisign performed the required takedowns of the 82 sites under order from law enforcement.<ref>{{cite web |url=http://domainincite.com/icann-had-no-role-in-seizing-torrent-domains/ |title=Verisign implicated in DNS annulment |access-date=November 12, 2010 |archive-url=https://web.archive.org/web/20101201183309/http://domainincite.com/icann-had-no-role-in-seizing-torrent-domains/ |archive-date=December 1, 2010 |url-status=live |df=mdy-all }}</ref> ''InformationWeek'' reported that "Verisign will say only that it received sealed court orders directing certain actions to be taken with respect to specific domain names".<ref>{{cite web
 |url          = http://www.informationweek.com/news/showArticle.jhtml?articleID=228500229
 |title        = Verisign acknowledges DNS removals
 |access-date   = November 12, 2010
 |archive-url  = https://web.archive.org/web/20101206223747/http://www.informationweek.com/news/showArticle.jhtml?articleID=228500229
 |archive-date = December 6, 2010
 |url-status     = live
 |df           = mdy-all
}}</ref> The removal of the 82 websites was cited as an impetus for the launch of "the Dot-P2P Project"<ref>{{cite web
|url=http://dot-p2p.org
|title=Peer-to-peer response to Verisign's DNS removals
|access-date=November 12, 2010
|archive-url=https://web.archive.org/web/20180328104132/http://dot-p2p.org/
|archive-date=March 28, 2018
|url-status=live
}}</ref> in order to create a decentralized DNS service without centralized registry operators. Following the disappearance of [[WikiLeaks]] during the following week<ref>{{cite news|url=https://www.theguardian.com/media/2010/dec/07/wikileaks-under-attack-definitive-timeline|title=WikiLeaks under attack: the definitive timeline|first=Charles|last=Arthur|date=January 8, 2010|newspaper=the Guardian|access-date=December 18, 2016|archive-url=https://web.archive.org/web/20170117220540/https://www.theguardian.com/media/2010/dec/07/wikileaks-under-attack-definitive-timeline|archive-date=January 17, 2017|url-status=live|df=mdy-all}}</ref> and its forced move to wikileaks.ch, a Swiss domain, the [[Electronic Frontier Foundation]] warned of the dangers of having key pieces of Internet infrastructure such as DNS name translation under corporate control.<ref>{{cite web |url=https://www.eff.org/deeplinks/2010/12/amazon-and-wikileaks-first-amendment-only-strong |title=EFF warns of Internet chokepoints |access-date=November 12, 2010 |archive-url=https://web.archive.org/web/20101205043433/https://www.eff.org/deeplinks/2010/12/amazon-and-wikileaks-first-amendment-only-strong |archive-date=December 5, 2010 |url-status=live }}</ref>

=== 2012: Web site domain seizure ===
In March 2012, the U.S. government declared that it has the right to seize domains ending in {{mono|.com}}, {{mono|.net}}, {{mono|.cc}}, {{mono|.tv}}, {{mono|.name}}, and {{mono|.org}} if the companies administering the domains are based in the U.S. The U.S. government can seize the domains ending in {{mono|.com}}, {{mono|.net}}, {{mono|.cc}}, {{mono|.tv}}, and {{mono|.name}} by serving a court-order on Verisign, which manages those domains. The {{mono|.org}} domain is managed by the [[Virginia]]-based non-profit [[Public Interest Registry]]. In March 2012, Verisign shut down the sports-betting site Bodog.com after receiving a court order, even though the domain name was registered to a Canadian company.<ref>{{cite magazine |last1=Kravets |first1=David |title=Uncle Sam: If It Ends in .Com, It's .Seizable |url=https://www.wired.com/2012/03/feds-seize-foreign-sites/ |access-date=24 June 2021 |magazine=Wired |date=6 March 2012}}</ref>