[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?
Bear
bear at sonic.net
Thu Oct 9 17:01:34 EDT 2014
Here is an amusing/infuriating example of an otherwise pretty good
ISP getting security exactly wrong:

https://forums.sonic.net/viewtopic.php?f=10&t=1866

Sonic implemented and deployed DNSSEC - and put it on their shiny
new servers along with an 'RBZ service' that censors supposed malware
and phishing sites. And while they told their customers about
DNSSEC, they didn't mention the 'RBZ service.'

They didn't get prior informed consent from their customers. In fact
they didn't inform their customers, beyond quietly putting up a few
mentions on webpages their customers normally have no reason to look
at.

They didn't provide a click-through link enabling customers to get the
content anyway.

And they diverted traffic to a page that does not mention who is doing
the diversion, how, or why, or how to opt out.

And they aren't providing DNSSEC in any form that doesn't have this
'service' (coughATTACKcough) imposed.

Black hats immediately found a way to get sites they dislike onto
the list of supposed malware and phishing sites.

Among the blocked sites:

  Local democratic party campaigners (first post).

  Financial services and markets - at a crucial time. (page 4).

  Software development sites (apparently some devs use the same
  utility network libraries used by malware devs, so the
  unknown-because-todays-compilation executables have code
  in common with known malware and aren't on the whitelist...)

I had occasionally been annoyed by the 'mousetrap page' on software
dev sites, but never annoyed enough to finally eliminate all other
suspects and track it down -- too much trouble, right?

But after personally taking a hit on the 'financial services' thing,
I tracked this down to sonic.net -- I'd been assuming that it was
some overeager plugin that had defaulted to 'ON' and I just hadn't
figured out which one and how to turn it OFF. But it kept happening
even with all plugins uninstalled.

It turned out to be the very same attack that I had switched to
DNSSEC specifically to avoid. And it was performed by the very
same ISP that I'd been relying on to protect me from it.

I have rarely been so angry.

As I understand the law, "common carriers" are protected from
prosecution when crimes are committed using their services because
they aren't in the business of determining what traffic moves via
those services.

But Sonic.net, by failing to conform to the standards of care for
filtering services (no prior consent, no clickthrough link, no
identification of blocking agency, no basic notification, no
provision of DNSSEC service without the blockage) appears to me
to have no claim to common carrier status for DNSSEC. They DID
make the decision, based on content, what traffic they would
carry on DNSSEC. As a result, didn't they become liable for
damages from crimes committed by the abuse of that service?
Bear