[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?

John Ioannidis ji at tla.org
Fri Oct 10 11:06:08 EDT 2014


On Thu, Oct 9, 2014 at 5:01 PM, Bear <bear at sonic.net> wrote:
> Here is an amusing/infuriating example of an otherwise pretty good
> ISP getting security exactly wrong:
>
> https://forums.sonic.net/viewtopic.php?f=10&t=1866
>
> Sonic implemented and deployed DNSSEC - and put it on their shiny
> new servers along with an 'RBZ service' that censors supposed malware
> and phishing sites.  And while they told their customers about
> DNSSEC, they didn't mention the 'RBZ service.'
>
> They didn't get prior informed consent from their customers.  In fact
> they didn't inform their customers, beyond quietly putting up a few
> mentions on webpages their customers normally have no reason to look
> at.
>
> They didn't provide a click-through link enabling customers to get the
> content anyway.
>
> And they diverted traffic to a page that does not mention who is doing
> the diversion, how, or why, or how to opt out.
>
> And they aren't providing DNSSEC in any form that doesn't have this
> 'service' (coughATTACKcough) imposed.
>
> Black hats immediately found a way to get sites they dislike onto
> the list of supposed malware and phishing sites.
>
> Among the blocked sites:
>   Local democratic party campaigners (first post).
>
>   Financial services and markets - at a crucial time. (page 4).
>
>   Software development sites (apparently some devs use the same
>      utility network libraries used by malware devs, so the
>      unknown-because-today's-compilation executables have code
>      in common with known malware and aren't on the whitelist...)
>
> I had occasionally been annoyed by the 'mousetrap page' on software
> dev sites, but never annoyed enough to finally eliminate all other
> suspects and track it down -- too much trouble, right?
>
> But after personally taking a hit on the 'financial services' thing,
> I tracked this down to sonic.net -- I'd been assuming that it was
> some overeager plugin that had defaulted to 'ON' and I just hadn't
> figured out which one and how to turn it OFF.  But it kept happening
> even with all plugins uninstalled.
>
> It turned out to be the very same attack that I had switched to
> DNSSEC specifically to avoid.  And it was performed by the very
> same ISP that I'd been relying on to protect me from it.
>
> I have rarely been so angry.
>
> As I understand the law, "common carriers" are protected from
> prosecution when crimes are committed using their services because
> they aren't in the business of determining what traffic moves via
> those services.
>

ISPs are most certainly not "common carriers" in the USA, and they
don't want to be, so that they can do preferential treatment of
traffic.


> But Sonic.net, by failing to conform to the standards of care for
> filtering services (no prior consent, no clickthrough link, no
> identification of blocking agency, no basic notification, no
> provision of DNSSEC service without the blockage)  appears to me
> to have no claim to common carrier status for DNSSEC.  They DID
> make the decision, based on content, what traffic they would
> carry on DNSSEC.  As a result, didn't they become liable for
> damages from crimes committed by the abuse of that service?
>
>
> Bear

IANAL, but it would be interesting to see if this violates the CFAA,
and whether they can be sued under that.

/ji

