Hi, Here's a question for the lawyers. In certain situations, does the VeriSign SiteFinder service violate the Electronic Communications Privacy Act (AKA, ECPA)? Here's the actual text of the ECPA: http://www4.law.cornell.edu/uscode/18/pIch119.html With my packet sniffer, I noticed that the VeriSign SiteFinder Web server happily accepts POST form data which is intended for another Web server. This situation will occur if the domain name is misspelled in the action URL of a form. Without SiteFinder in the picture, the HTTP POST operation is never done since the DNS lookup fails. Here's an example POST HTTP request which was misdirected by VeriSign: POST /cgi-bin/mail.pl HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* Accept-Language: en-us,ru;q=0.5 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) Host: www.atypodomainthatismisdirectedbyverisign.com Content-Length: 240 Connection: Keep-Alive Cache-Control: no-cache toaddr=rms@computerbytesman.com&fromaddr=dbrown@lawyers.com&message=Rich ard%2C%0D%0A%0D%0ACan+you+give+me+a+call+right+away+on+my+cellphone%3F++ I+have+some+news+about+your+pending+lawsuit.%0D%0A%0D%0AThanks%2C%0D%0AD avid+Browm%2C+Esq.%0D%0A And here's the misleading response from the SiteFinder server: HTTP/1.1 302 Found Date: Sat, 20 Sep 2003 16:29:41 GMT Server: Apache Location: http://sitefinder.verisign.com/lpc?url=www.atypodomainthatismisdirectedb yverisign.comPOST%20/cgi-bin/mail.pl&host=www.atypodomainthatismisdirect edbyverisign.com Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 Richard M. Smith http://www.ComputerBytesMan.com
