> The point I think Mr. Smith is trying to make is that Verisign seems > to *want* to intercept this private information and use it to their > own commercial advantage. Respectable sysadmins do not wish to receive > form data intended for other sites. As an aside, I find it very curious that people characterize HTTP traffic done in the clear (i.e. unencrypted) on the public internet as private data. If I shout my Social Security Number out loud in public, I am surely to blame for any losses I might incur from this act. HTTP traffic on the net is nominally analogous. Now, if they were using some sort of wildcard SSL cert (technically, this is doable. Most browsers support a wildcard CN cert, but curiously Verisign is one of the CAs that DOESN'T issue them.) then it'd be a different story. Something to consider is if I've got a website foobar.com and it's a secure site, what happens if I accidentally direct traffic to foobarrr.com, which is actually SiteFinder+SSL. Hopefully the browser will alert the user that they are connecting to a different site with a different cert. However, it's quite likely that won't happen. (and if it does, I'm betting it's one of the popups that most users disable.) I'd be careful making legal arguments, but I suspect that if Verisign is doing anything with this data they are justifying it as being "Public" and that if people are foolish enough to transmit "Private" data in a "Public" medium they can't be held liable. (But of course, that's for the courts to decide, and I wouldn't shed a tear if a judge disagreed with that interpretation.) --jeh
