[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?
ji at tla.org
Fri Oct 10 11:06:08 EDT 2014
On Thu, Oct 9, 2014 at 5:01 PM, Bear <bear at sonic.net> wrote:
> Here is an amusing/infuriating example of an otherwise pretty good
> ISP getting security exactly wrong:
> Sonic implemented and deployed DNSSEC - and put it on their shiny
> new servers along with an 'RBZ service' that censors supposed malware
> and phishing sites. And while they told their customers about
> DNSSEC, they didn't mention the 'RBZ service.'
> They didn't get prior informed consent from their customers. In fact
> they didn't inform their customers, beyond quietly putting up a few
> mentions on webpages their customers normally have no reason to look
> They didn't provide a click-through link enabling customers to get the
> content anyway.
> And they diverted traffic to a page that does not mention who is doing
> the diversion, how, or why, or how to opt out.
> And they aren't providing DNSSEC in any form that doesn't have this
> 'service' (coughATTACKcough) imposed.
> Black hats immediately found a way to get sites they dislike onto
> the list of supposed malware and phishing sites.
> Among the blocked sites:
> Local democratic party campaigners (first post).
> Financial services and markets - at a crucial time. (page 4).
> Software development sites (apparently some devs use the same
> utility network libraries used by malware devs, so the
> unknown-because-todays-compilation executables have code
> in common with known malware and aren't on the whitelist...)
> I had occasionally been annoyed by the 'mousetrap page' on software
> dev sites, but never annoyed enough to finally eliminate all other
> suspects and track it down -- too much trouble, right?
> But after personally taking a hit on the 'financial services' thing,
> I tracked this down to sonic.net -- I'd been assuming that it was
> some overeager plugin that had defaulted to 'ON' and I just hadn't
> figured out which one and how to turn it OFF. But it kept happening
> even with all plugins uninstalled.
> It turned out to be the very same attack that I had switched to
> DNSSEC specifically to avoid. And it was performed by the very
> same ISP that I'd been relying on to protect me from it.
> I have rarely been so angry.
> As I understand the law, "common carriers" are protected from
> prosecution when crimes are committed using their services because
> they aren't in the business of determining what traffic moves via
> those services.
ISPs are most certainly not "common carriers" in the USA, and they
don't want to be, so that they can do preferential treatment of
> But Sonic.net, by failing to conform to the standards of care for
> filtering services (no prior consent, no clickthrough link, no
> identification of blocking agency, no basic notification, no
> provision of DNSSEC service without the blockage) appears to me
> to have no claim to common carrier status for DNSSEC. They DID
> make the decision, based on content, what traffic they would
> carry on DNSSEC. As a result, didn't they become liable for
> damages from crimes committed by the abuse of that service?
IANAL, but it would be interesting to see if this violates the CFAA,
and whether they can be sued under that.