BizJournals Portfolio

Error 404. You've Been Hacked.


DNS expert Paul Vixie, president of the nonprofit Internet Systems Consortium, says the problem Kaminsky found isn't with the core internet protocols, which he could fix, but is instead a "problem exacerbated by inappropriate monetization of certain DNS features."

Vixie compared this ISP behavior to VeriSign's Site Finder project, which the company unilaterally launched in September 2003 and shut down a month later.

In that case, VeriSign, which controls the sale of .com and .net domains through a contract with the U.S. government, began directing users who mistyped domain names to its own servers, where it presented paid search results.

The move outraged the technical community and eventually led to an ICANN commission report condemning the practice, and to an unsuccessful VeriSign lawsuit against ICANN.

"Sitefinder showed that [Non-Existent] domain re-mapping is bad for the community," Vixie said. "This would be an example of why it is bad."

While Barefruit fixed the immediate JavaScript hole, the underlying problem -- that large ISPs are ignoring a core internet practice to make money and pretending to be sites that don't exist -- means every site on the net remains vulnerable in ways its owners have no control over, according to Kaminsky.

Kaminsky said he'd talked this week to many internet companies who were pissed, though not at him.

"I can't secure the web as long as ISPs are injecting other content into web pages," he said.

The hole shows the risks of allowing ISPs to violate Net Neutrality principles that seek to keep the internet a series of dumb pipes, according to Kaminsky.

"There's no contractual obligation for ISPs not to change content and inject ads," Kaminsky notes.

For its part, Earthlink says the Barefruit ad pages are useful to users.

"We offer DNS error functionality for our customers through Barefruit to enhance our users' experience, and we work closely with Barefruit to provide a safe and convenient way for them to find the destination they're looking for online," Earthlink spokesman Chris Marshall said via e-mail. "We believe that the service provides a positive experience for our Internet users."

Barefruit echoes the sentiment.

"Barefruit endeavors to ensure online security while providing an improved internet user interface by replacing unhelpful and confusing error messages with alternatives relevant to what the user was seeking," Barefruit's Dave Roberts said via e-mail.

For Vixie, however, the issue is simple.

"I really feel if someone goes to a website that does not exist, they ought to see an error message," Vixie said.

Earthlink customers who do not wish to use the service can instead use different Earthlink DNS servers. Anyone can also use OpenDNS, a start-up that also provides ad pages on domains that don't resolve, but does so without pretending to be the other site.
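As an added illustration (not part of the article, nor code from any company named in it), here is a defender-side check for the NXDOMAIN remapping Vixie and Kaminsky describe: it resolves random nonexistent names under unrelated parent domains and flags a resolver that answers all of them with one address. The parent domains example.com/.net/.org and the verdict thresholds are assumptions of this example.

```python
"""Detect a resolver that rewrites NXDOMAIN into a catch-all address (added example)."""
import secrets
import socket
from collections import Counter

# Assumption: parent domains without wildcard records; substitute your own.
PARENT_DOMAINS = ("example.com", "example.net", "example.org")


def random_probe_names(parents=PARENT_DOMAINS, count=2):
    """Random labels defeat caching and will not exist under any sane zone."""
    return [f"nx-{secrets.token_hex(6)}.{parent}"
            for parent in parents for _ in range(count)]


def classify(results):
    """Map {hostname: address-or-None} to ("rewriting" | "clean" | "inconclusive", reason).

    A legitimate wildcard covers one domain only, so a verdict of "rewriting"
    requires the same address across at least two unrelated parent domains.
    """
    addresses = [addr for addr in results.values() if addr]
    if not addresses:
        return "clean", "every probe failed to resolve, as nonexistent names should"
    parents_hit = {name.split(".", 1)[1] for name, addr in results.items() if addr}
    address, hits = Counter(addresses).most_common(1)[0]
    if len(parents_hit) >= 2 and hits == len(addresses):
        return "rewriting", (f"all {hits} probes across {len(parents_hit)} "
                             f"unrelated domains resolved to {address}")
    if len(parents_hit) == 1:
        return "inconclusive", "only one parent answered; may be a legitimate wildcard"
    return "inconclusive", "probes resolved but to differing addresses"


def resolve_all(names):
    """Query the system resolver; None records NXDOMAIN or any other lookup failure."""
    results = {}
    for name in names:
        try:
            results[name] = socket.gethostbyname(name)
        except socket.gaierror:
            results[name] = None
    return results


if __name__ == "__main__":
    verdict, reason = classify(resolve_all(random_probe_names()))
    print(verdict, "-", reason)
```

A "rewriting" verdict tells you only that something on the path rewrites failures; switching to a resolver that returns honest NXDOMAIN answers, as the article suggests, should turn it back to "clean".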

The news of a massive security hole created by compromising net neutrality for profit comes just two days after the Federal Communications Commission held a hand-wringing public forum at Stanford University over whether it should punish Comcast for its violation of standard internet practices. The broadband provider was caught sending fake packets to its users in order to reduce the bandwidth consumed by peer-to-peer applications.

Kaminsky is demoing the hole publicly on Saturday at the Toorcon security conference in Seattle.

Kaminsky, a well-respected security expert, is perhaps best known for cleverly proving that a spyware rootkit Sony included on music CDs infected computers in more than half a million computer networks in 2005.


Ryan Singel writes for Wired's Epicenter blog.