[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?

Bear bear at sonic.net
Thu Oct 9 17:01:34 EDT 2014

Here is an amusing/infuriating example of an otherwise pretty good 
ISP getting security exactly wrong:


Sonic implemented and deployed DNSSEC - and put it on their shiny 
new servers along with an 'RBZ service' that censors supposed malware
and phishing sites.  And while they told their customers about 
DNSSEC, they didn't mention the 'RBZ service.'

They didn't get prior informed consent from their customers.  In fact
they didn't inform their customers, beyond quietly putting up a few 
mentions on webpages their customers normally have no reason to look at.

They didn't provide a click-through link enabling customers to get the 
content anyway.

And they diverted traffic to a page that does not mention who is doing
the diversion, how, or why, or how to opt out. 

And they aren't providing DNSSEC in any form that doesn't have this 
'service' (coughATTACKcough) imposed. 

Black hats immediately found a way to get sites they dislike onto 
the list of supposed malware and phishing sites. 

Among the blocked sites: 
  Local Democratic Party campaigners (first post). 

  Financial services and markets - at a crucial time. (page 4). 

  Software development sites (apparently some devs use the same 
     utility network libraries used by malware devs, so the 
     unknown-because-todays-compilation executables have code 
     in common with known malware and aren't on the whitelist...)

I had occasionally been annoyed by the 'mousetrap page' on software
dev sites, but never annoyed enough to finally eliminate all other 
suspects and track it down -- too much trouble, right?  

But after personally taking a hit on the 'financial services' thing, 
I tracked this down to sonic.net -- I'd been assuming that it was 
some overeager plugin that had defaulted to 'ON' and I just hadn't
figured out which one and how to turn it OFF.  But it kept happening
even with all plugins uninstalled. 

It turned out to be the very same attack that I had switched to 
DNSSEC specifically to avoid.  And it was performed by the very 
same ISP that I'd been relying on to protect me from it. 

I have rarely been so angry.

As I understand the law, "common carriers" are protected from 
prosecution when crimes are committed using their services because 
they aren't in the business of determining what traffic moves via
those services.  

But Sonic.net, by failing to conform to the standards of care for
filtering services (no prior consent, no clickthrough link, no 
identification of blocking agency, no basic notification, no 
provision of DNSSEC service without the blockage)  appears to me 
to have no claim to common carrier status for DNSSEC.  They DID 
make the decision, based on content, what traffic they would 
carry on DNSSEC.  As a result, didn't they become liable for 
damages from crimes committed by the abuse of that service?
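An added example, not part of the post above and not Sonic.net's or any resolver vendor's code: the check a customer in this situation can run to tell a DNSSEC-validated answer from a resolver-side rewrite. A resolver cannot produce valid signatures for data it forged, so for a name in a signed zone a rewritten answer comes back with the AD (Authenticated Data) bit cleared, as SERVFAIL, or, on resolvers that decline to rewrite queries carrying the DO bit, as an answer that differs from the one returned to a plain DO=0 query. The script below builds a query with an EDNS0 OPT record carrying the DO bit, parses the response header and answer section, and classifies the result; `build_response`, the sample addresses (from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and the name `example.com` are constructed test data, and `query_resolver` is the only part that touches the network.

```python
"""Distinguish DNSSEC-validated resolver answers from rewritten ones.

Stdlib only.  Responses used in __main__ are constructed locally; only
query_resolver() sends real traffic.
"""
import socket
import struct

QTYPE_A, CLASS_IN, TYPE_OPT = 1, 1, 41
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, do=True):
    """A/IN query with RD set and one EDNS0 OPT record (DO bit optional)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # arcount=1: the OPT RR
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    # OPT RR: root name, type 41, "class" = UDP payload size,
    # "ttl" = ext-rcode(8) | version(8) | DO(1) | Z(15), rdlength 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n


def parse_response(msg):
    """Header flags, RCODE and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "a": addrs}


def classify(resp):
    """Interpret a response to a DO=1 query for a name in a signed zone."""
    r = parse_response(resp)
    if r["rcode"] == 2:
        return "bogus"              # validation failed: forged or broken data
    if r["rcode"] != 0:
        return RCODE_NAMES.get(r["rcode"], "rcode%d" % r["rcode"])
    return "validated" if r["ad"] else "unvalidated"


def rewrite_suspected(resp_do0, resp_do1):
    """True if the DO=0 and DO=1 answers for the same name disagree."""
    return set(parse_response(resp_do0)["a"]) != set(parse_response(resp_do1)["a"])


def build_response(query, addrs, ad=True, rcode=0):
    """Constructed response echoing the query's question (test data only)."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = 0x8180 | (0x0020 if ad else 0) | rcode     # QR, RD, RA [, AD]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
                   + bytes(int(x) for x in a.split(".")) for a in addrs)
    return header + query[12:qend] + rrs


def query_resolver(resolver, name, do=True, timeout=3.0):
    """Send one UDP query to a real resolver and return the raw reply."""
    q = build_query(name, do=do)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        return s.recv(4096)


if __name__ == "__main__":
    q = build_query("example.com")
    honest = build_response(q, ["192.0.2.10"], ad=True)        # validated answer
    trap = build_response(q, ["198.51.100.5"], ad=False)       # filter page, AD cleared
    print("honest:", classify(honest), "trap:", classify(trap),
          "rewrite:", rewrite_suspected(honest, trap))
```

To use it against a live resolver, send the same name once with `do=False` and once with `do=True` via `query_resolver`, then run `classify` on the DO=1 reply and `rewrite_suspected` on the pair; a signed name that comes back NOERROR without AD, or with two different address sets, is exactly the symptom the post describes.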

