[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?

David Conrad drc at virtualized.org
Fri Oct 10 13:51:19 EDT 2014


On Oct 9, 2014, at 2:01 PM, Bear <bear at sonic.net> wrote:
> Sonic implemented and deployed DNSSEC - and put it on their shiny 
> new servers along with an 'RBZ service' that censors supposed malware
> and phishing sites.  And while they told their customers about 
> DNSSEC, they didn't mention the 'RBZ service.'
> They didn't get prior informed consent from their customers.  In fact
> they didn't inform their customers, beyond quietly putting up a few 
> mentions on webpages their customers normally have no reason to look 
> at. 

I'm not clear what this has to do with DNSSEC, other than it was implemented at the same time as Sonic's 'RBZ' service (by which I suspect you mean RPZ, which is BIND's "Response Policy Zone" -- a technology ISC implemented that facilitates the rewriting of responses according to (recursive operator's) policy).

> It turned out to be the very same attack that I had switched to 
> DNSSEC specifically to avoid.  And it was performed by the very 
> same ISP that I'd been relying on to protect me from it. 

If you are using your ISP's resolver, you are explicitly granting them a vast amount of trust: they (or whoever might influence them) can collect vast amounts of meta data and can have essentially complete control over any connection you might try to make. 

I sometimes get the impression that people don't fully understand the level of trust we're talking about here. If you need a refresher, see http://www.slideshare.net/dakami/dmk-bo2-k8, starting at slide 45.

It really isn't that hard to run your own DNSSEC-validating resolver. BIND or Unbound (http://unbound.net) aren't that hard to set up.

> But Sonic.net ... have no claim to common carrier status for DNSSEC.  

I don't believe ISPs in general have common carrier status (at least yet, see discussions about net neutrality).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141010/c9db0c25/attachment.sig>

More information about the cryptography mailing list