[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?
David Conrad
drc at virtualized.org
Fri Oct 10 13:51:19 EDT 2014
Hi,
On Oct 9, 2014, at 2:01 PM, Bear <bear at sonic.net> wrote:
> Sonic implemented and deployed DNSSEC - and put it on their shiny
> new servers along with an 'RBZ service' that censors supposed malware
> and phishing sites. And while they told their customers about
> DNSSEC, they didn't mention the 'RBZ service.'
>
> They didn't get prior informed consent from their customers. In fact
> they didn't inform their customers, beyond quietly putting up a few
> mentions on webpages their customers normally have no reason to look
> at.
I'm not clear what this has to do with DNSSEC, other than it was implemented at the same time as Sonic's 'RBZ' service (by which I suspect you mean RPZ, which is BIND's "Response Policy Zone" -- a technology ISC implemented that facilitates the rewriting of responses according to (recursive operator's) policy).
> It turned out to be the very same attack that I had switched to
> DNSSEC specifically to avoid. And it was performed by the very
> same ISP that I'd been relying on to protect me from it.
If you are using your ISP's resolver, you are explicitly granting them a vast amount of trust: they (or whoever might influence them) can collect vast amounts of metadata and can have essentially complete control over any connection you might try to make.
I sometimes get the impression that people don't fully understand the level of trust we're talking about here. If you need a refresher, see http://www.slideshare.net/dakami/dmk-bo2-k8, starting at slide 45.
It really isn't that hard to run your own DNSSEC-validating resolver. BIND or Unbound (http://unbound.net) aren't that hard to set up.
> But Sonic.net ... have no claim to common carrier status for DNSSEC.
I don't believe ISPs in general have common carrier status (at least yet, see discussions about net neutrality).
Regards,
-drc
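A minimal Unbound configuration for the locally validating resolver suggested above, added here as an example and not part of the original message or of the Unbound project's documentation; the file paths are assumptions and vary by distribution:

```conf
# Added example (not from the original message): a minimal unbound.conf
# that recurses from the root and validates DNSSEC locally, so no ISP
# resolver sits between the client and the authoritative servers.
# Paths are assumptions; adjust for your distribution.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # Root trust anchor kept current via RFC 5011 rollover; seed it once
    # with "unbound-anchor -a /var/lib/unbound/root.key" before first start.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"
    # Fail closed on stripped or bogus signatures instead of passing the
    # answer through: a rewritten record in a signed zone then yields
    # SERVFAIL rather than the forged data.
    harden-dnssec-stripped: yes
    val-permissive-mode: no

# Deliberately absent: a forward-zone pointing "." at the ISP's resolver,
# which would hand query visibility and response policy back to that
# operator.
# Verify after start:  dig @127.0.0.1 +dnssec example.com A
# and check for the "ad" flag in the response header.
```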