At the front lines of protecting the Internet

Info World – VeriSign is in many ways synonymous with managing the Web, thanks to its handling of key DNS root servers and of name resolution for .com, .net, and other domains. In recent years, it's had both strong ups and strong downs.

On the up side, VeriSign has aggressively pushed PKI, SSL/TLS, EV, and digital certificates, making these authenticated security approaches commonplace. And VeriSign has spent millions of dollars building out and protecting the Internet's massive DNS infrastructure, even though its contract with the DNS's governing body required that VeriSign spend just a fraction of that amount. Although VeriSign's extra investment was a business decision meant to keep its lead as DNS infrastructure manager, the result for Internet users is still a better DNS infrastructure than was required.

On the downside, in the 2005-2007 period, the company angered many users by adding new services to the Internet, such as domain waitlisting, and by raising registration fees. It garnered significant ill will when its Network Solutions domain registration unit (later sold) began redirecting misspelled URLs to ads, causing an uproar among users. When VeriSign met resistance over such actions from ICANN, the global steward of Web domains, it sued the organization. Although that suit was resolved after VeriSign agreed to new ICANN procedures, users and elected officials remained nervous about VeriSign's potential actions. In 2007, the company ran afoul of federal regulators, resulting in its CFO's resignation and a restatement of earnings.

During this same period of ups and downs, VeriSign entered several new lines of business, such as Wi-Fi roaming services, RFID contract resolution (to translate an RFID tag's electronic number to a product's common name), and one-time-use security credentials. More recently, VeriSign has been part of a consortium promoting the OpenID federated certificate standard.

Today, VeriSign is refocused on its Internet roots, after having dropped some of its new ventures, to focus on DNS management. The company processes about 48 billion name resolution requests per day across 60 different locations, peaking at 700,000 queries a second. It is a major provider of PKI technologies and services, including digital certificate products, managed security services, and IT consulting services.

InfoWorld interviewed CTO Ken Silva on the company's current and past challenges. Silva manages VeriSign's technical operations, which handle much of the world's DNS traffic and cryptographically protect millions of Web sites. Before joining VeriSign, Silva spent 10 years with the National Security Agency (NSA). Roger asked about VeriSign's current status and future plans. Here are some excerpts from that interview:

Q: In the first part of this decade, the global DNS infrastructure came under a few big denial-of-service attacks that caused service disruptions, but in the last few years, we haven't seen any significant service outages. How well have we done in making DNS resistant to DoS attacks?

A: VeriSign services have never completely been taken out from a DoS attack because of our distributed nature. We do get DDoS [distributed DoS] attacks, and they are getting bigger, and bigger, and bigger, but they haven't affected us that greatly. In February 2006, we launched our Project Titan initiative, in response to our growing legitimate services and to handle DDoS attacks in the multiple tens of gigabytes. Our goal was to fortify the infrastructure to over 10 times the predicted infrastructure needed. Project Titan will increase bandwidth 10,000 times the 2000 levels by 2010. It's already at 1,000 times the size today [as compared to the 2000 levels], and will be another 10 times today's level in the next two years. It will be able to handle 4 trillion queries a day.

Q: Why are DNSSec and any of the other "advanced" DNS security proposals slow to gain more widespread acceptance?

A: These are complicated technologies, and you have to agree to get the entire world to agree on the standard, what makes up the standard, and do it at the same time. That alone makes it difficult.

Q: Users have a tendency to ignore or bypass digital certificate errors, undermining the whole system of trust. What can be done to improve the user's security experience in light of that fact? What are browser vendors missing?

A: VeriSign has been working closely with browser vendors to improve the user experiences, but there isn't enough real estate in the browser to do it perfectly. But many vendors, especially Microsoft, are doing innovative things like Extended Validation (EV) certificates. When a user browses to an EV-protected Web site, an EV-enabled browser [such as Microsoft Internet Explorer 7, Mozilla Firefox 2, and Opera 9.5] will turn the address bar green, identifying that the site as trusted using the strongest assurance we can offer today. Users can trust EV certificates. It is proven that sites that use EV certificates have much lower abandonment rates than sites without EV. For example, Overstock.com found users were abandoning their shopping cart at the point at which they were supposed to put in their credit card information ... at the moment they really needed to trust the vendor. Overstock.com start using EV certificates and saw a 16,000 times return on investment.

Q: Critics say that Extended Validation is really asking consumers to pay more for the trust assurance that they were originally promised in normal Class 3 Web site certificates. How do you respond?

A: EV gives the certification authority vendor more time to do the proper validation. With EV, we do a complete background investigation, including a financial check, articles of incorporation, and verifying their identity.

Q: But that's included with the normal Class 3 certs. What's different?

A: We ensure the subject is who they say they are and that they own the domain.

Q: Again, VeriSign does this with Class 3 certificates, so what's different?

A: VeriSign has always done a high-quality assurance job, but more time to conduct the background investigation means improved security for everyone. Plus, prior to EV, each CA [certification authority] could determine what processes were performed to provide assurance. A user could not be assured about whether a CA vendor did the same high-quality checks without reading the assurance statements. EV defines what assurance processes must be accomplished prior to the issuance of an EV certificate. An EV certificate means consistent, standard assurances across CA vendors.

Q: How will Web services, SaaS (software as a service), and cloud computing affect VeriSign and DNS over the next 10 years?

A: Any new Web functions, like Web 2.0, will impact us. Today, it's normal for a single Web site page to generate 20 DNS queries. [Our challenge is] not only scaling, but making sure that services are always reliable, especially with services such as TV and telephony coming over the Internet. With some new services, we have created a game-changer. Our VeriSign Identity Protection Services generate a single token or one-time password on any device the customer or vendor desires (such as a cell phone or credit card). It can be used across multiple sites and vendors. You can use that one token to do a lot more in your life than you previously could using older technologies.

In the future, you might be able to say something similar to the LifeLock CEO on TV [who promotes his identity protection service by reading out his Social Security number] and say, "My real password is ..." and not minimize your security. The authentication, identity, and protection will be in the cloud. Ask yourself: Would we use bank cards as much as we do today if they only worked at your bank? No, banks created the ATM network to allow users to shop and spend nationwide and globally. We've essentially done the same thing in the online world. We allow one token or password to be used in multiple places. It's like an ATM network for the online world. Visit our new Personal Identity Portal to see the beta. It's very cool.

Q: A few years ago, VeriSign dropped Network Solutions to pick up the RFID contract resolution work. It was predicted that the RFID resolution traffic would be orders of magnitude bigger than DNS. How has that project scaled over the last few years? Is it bigger than DNS yet?

A: No, RFID is still fairly new and hasn't surpassed DNS traffic levels yet. We've seen a recent uptick in the garment industry. They use it to track inventories and to help keep inventories low. We expect the RFID work to grow, but we want to focus on our core services of DNS, SSL certificates, and identity and authentication services.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies