[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?
drc at virtualized.org
Fri Oct 10 13:51:19 EDT 2014
On Oct 9, 2014, at 2:01 PM, Bear <bear at sonic.net> wrote:
> Sonic implemented and deployed DNSSEC - and put it on their shiny
> new servers along with an 'RBZ service' that censors supposed malware
> and phishing sites. And while they told their customers about
> DNSSEC, they didn't mention the 'RBZ service.'
> They didn't get prior informed consent from their customers. In fact
> they didn't inform their customers, beyond quietly putting up a few
> mentions on webpages their customers normally have no reason to look
I'm not clear what this has to do with DNSSEC, other than it was implemented at the same time as Sonic's 'RBZ' service (by which I suspect you mean RPZ, which is BIND's "Response Policy Zone" -- a technology ISC implemented that facilitates the rewriting of responses according to (recursive operator's) policy).
> It turned out to be the very same attack that I had switched to
> DNSSEC specifically to avoid. And it was performed by the very
> same ISP that I'd been relying on to protect me from it.
If you are using your ISP's resolver, you are explicitly granting them a vast amount of trust: they (or whoever might influence them) can collect vast amounts of meta data and can have essentially complete control over any connection you might try to make.
I sometimes get the impression that people don't fully understand the level of trust we're talking about here. If you need a refresher, see http://www.slideshare.net/dakami/dmk-bo2-k8, starting at slide 45.
It really isn't that hard to run your own DNSSEC-validating resolver. BIND or Unbound (http://unbound.net) aren't that hard to set up.
> But Sonic.net ... have no claim to common carrier status for DNSSEC.
I don't believe ISPs in general have common carrier status (at least yet, see discussions about net neutrality).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the cryptography