Wednesday, February 5, 2003

Two (More) Reasons to Hate Verisign

At Fight.Boredom...we hate Verisign.

It's a barely rational hatred. It's a visceral thing. It swells in our bile ducts and screeches between our gritted teeth. We are full of hate for that company. Every email we get from them elicits curses...every call to their tech support prompts feigns toward alcoholism.

And what is the source of this hatred? Verisign's incompetence? Their persistence? Their insulting marketing? No.

It's the fact that we really have no choice but to work with them.

Which brings me to this issue's case in point: two reasons we hate Verisign (and we have full confidence that this could become an ever-expanding topic for discussion among similar internet communications firms and clients).

Reason 1: Verisign Domain Name Renewal Reminders

Take a look at this renewal reminder sent to Cloudjammer Studio by Verisign. In early January, we received this reminder alerting us to renew our domain name January 29, in fact. We shouldn't be time to renew yet, should it?

Well it isn't. Look at the small print. The domain expires in December 2003. A year from now. I get annoyed when Newsweek sends me renewal notices two months before my expiration...but a year! That is simply dishonest.

To Verisign's credit, they don't simply take your money and restart the subscription clock. They credit the payment to the period after the genuine expiration date. They just want their money now.

Verisign owns Network Solutions, the premiere site for domain name registration. Network Solutions is very agreeable site – it's easy to use, easy to find a domain name and buy it. It's even easy to manage your domain name and, of course renew it. Indeed, the Verisign/Network Solutions domain name renewal process is very simple and easy to use. It's just that their renewal marketing is so...insulting.

And irony of ironies? When I recently renewed a site on Network Solutions the Verisign security certificate failed.

Reason 2: Verisign Secure Certificates

If you aren't already familiar with Verisign's bevy of services, I challenge you to visit their website and figure it out. If you are familiar with Verisign, I challenge you to explain Verisign's services to the uninitiated. I exaggerate (a little) to make a point: Verisign and it's products are hopelessly cryptic. We have come to believe that this is the nature of their success.

Exemplary is Verisign's security certificate, arguably the most trusted security certification online (which still isn't saying that much). E-commerce and sensitive information sites often certify themselves to protect data in transit. You can tell when you hit a page or site thus secured: a key icon often appears somewhere on your browser frame, the web address is prefixed https instead of http, or an alert tells you when you are leaving such an area. Data submitted in such a protected area is safer and better guarded then data at-large. So what's the problem?

The problem is setting up one of these certificates. Here's the rough and dirty:

You approach your hosting provider or Verisign to buy a certificate. You have to prove your own legitimacy using an awkward approval system – Dunn and Bradstreet or something similar – and then generate a CSR (a certificate request) specific to your server format (Unix, Linux, NT, etc.). You then acquire your certificate, usually a file, but sometimes not, and, using the previously generated CSR, install it on your site. If any mistake is made along the way, you need to start over.

And pay again.

And don't lose the CSR, certificate, or the mysterious public/private key. You'll have to start over and pay again.

And don't use any variation of your company of site name. You'll have to start over and pay again.

And don't get an idiot in your hosting companies SSL (Secure Server) department to install it wrong. You'll have to start over and pay again.

And that is the source of the hatred in this case. If you do anything wrong you'll have to start over and pay again. And neither the hosting companies's or Verisign's technical support seem to really know what is going on. They each have their own way of doing things and they each want you to buy through their company...if you purchase through the wrong company? You'll have to start over and pay again.

Half a dozen times in the last year we have spent days on the phone with hosts and Verisign trying to work this out. There is no consistent approach that we have been able to discern. There is no consistency of advice. Mistakes have been made. We have complained. Certificates have been lost (or never sent). And in the end? You guessed it. We had to start over and pay again.

So what's the point of this rant? It's really a call for change. But Verisign is a big company that has been inept in these regards for a long time. Unfortunately, I doubt any change should be expected.

Maybe we should take the advice of one of Cloudjammer's clients. Exasperated with Verisign, they told us we should develop a painless (or at the least, a less painful) alternative to Verisign certification. In the mean time, we'll pray for relief...perhaps from the Sherman Anti-trust act or a decent competitor.

Hating Verisign is like hating the phone company. What other choice do you have? fb

No comments: