NNSquad - Network Neutrality Squad
[ NNSquad ] Re: [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
The fact is that the Protect IP Act doesn't really get into the details of DNSSEC which is obscure to even most technically minded folks much less lawyers. It is not surprising that the bill didn't discuss how redirections of DNSSEC are to be handled. Given that DNSSEC hasn't been widely deployed yet and the Protect IP Act only affects sites found to be illegal by the courts, there is time to fix this issue we come to the conclusion that a secure redirect mechanism needs to be implemented. If we need secure redirection, the DNSSEC standard needs to accommodate 3rd party redirection for trusted authorities e.g., US Government. The redirected DNSSEC responses would have to be signed by a valid government certificate and hackers would not be able to perform the same type of redirection. And because the government isn't forging the site owner's certificates, there is no effort to conceal a third party presence which rules out wiretapping. George [ In other words, provide what amounts to a back-door for governments to use to subvert DNSSEC. This certainly would be in line with other professed sensibilities of our government, which has made it clear that it wants to be able to decrypt any communications on demand. The hypocrisy of this mindset is immense. We're out in the world making noises about giving people in other countries tools to bypass censorship, surveillance, and other Internet controls imposed by leaders who we consider to be enemies. But at the same time, we're proposing the same sort of control and suveillance capabilities here, not only on ostensible national security grounds, but to supposedly help protect the profit centers of Disney, et al. from a claimed vast finanical threat that in reality can't even be *realistically* quantified. And remember, any time we build such government access and control mechanisms into our infrastructure, they become available not just to government today, but to future governments as well, whether we like them or not. Of course, whatever "moral authority" we ever had to make pronouncements about how other governments shouldn't tamper with the Internet goes right out the window when our own government is hell-bent on the same sort of tampering. We will say that our motives are pure. Surprise, "our enemies" feel the same way and will make the same proclamations. It's lose-lose all the way around. -- Lauren Weinstein NNSquad Moderator ] -----Original Message----- From: nnsquad-bounces+george_ou=lanarchitect.net@nnsquad.org [mailto:nnsquad-bounces+george_ou=lanarchitect.net@nnsquad.org] On Behalf Of George Ou Sent: Tuesday, July 19, 2011 12:10 AM To: 'Richard Bennett'; nnsquad@nnsquad.org; 'Vint Cerf' Subject: [ NNSquad ] Re: [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS" [ The government has repeatedly and largely unapologetically blocked innocent sites (and foreign sites arguably not under U.S. jurisdiction) in the course of implementing court-approved blocks. This means that any error conditions related to this situation must be viewed in terms of their impact on innocent and potentially innocent sites as well as on legally targeted sites. Even "guilty" sites (as per government claims) -- and especially innocent sites -- deserve to have their users properly notified of government actions. Various artificially induced error conditions are not an acceptable substitute for court-ordered blocking-related notifications to users. Also, given the fact that "unauthorized" wiretaps are an unfortunate fact of life in this country, they also are of interest in any associated analysis. -- Lauren Weinstein NNSquad Moderator ] Vint Cerf: > "George's argument seems flawed to me. Suppose you have a site that is NOT > illegal but a government wants to suppress it or even re-direct to a > counterfeit site." As Richard pointed out, this is irrelevant to the discussion since the Protect IP Act only authorizes filtering of sites that are primarily dedicated to selling counterfeit goods. Vint Cerf: > "Without DNSSEC, such re-direction is possible without > detection. With DNSSEC one of two things might happen: > 1. the site looks invalid because the DNSSEC check fails in which case > counterfeiting the site doesn't work. that's the good case I suppose except > that the government "wins" since it suppresses access to the site for those > relying on DNSSEC" If a web browser queries a newly visited website (one deemed illegal by the courts) for both DNS and DNSSEC, the DNS reply will be redirected to a takedown notification. There would be no DNSSEC response as the redirector (in this case the ISP) wouldn't have the ability to cryptographically sign DNSSEC responses. In this scenario, the use of DNS filtering required by the Protect IP Act would deny service to the entire website secured by DNSSEC or not. It does not affect legal websites not deemed illegal by the courts which means DNS filtering poses no risk to legally valid uses of DNSSEC. If a web browser queries a site whose known security profile is DNSSEC-only, then the redirection of DNS would fail in addition to the lack of a valid DNSSEC response. Even if the mandated redirection failed, a key objective of the law is still fulfilled which is to impede the counterfeit website. Again in this scenario, there is no risk to legal websites. Vint Cerf: > 2. the government produces a false but signed entry that passes the DNSSEC > check (wouldn't that mean that it had falsified a certificate containing the > public key of that domain name?) in which case the government succeeds in > re-directing even a DNSSEC-checking user." What you are talking about here would be a wire tap and the Protect IP Act would not authorize wire tapping. Therefore this is not a valid concern with regard to the Protect IP Act. Vint Cerf: > Of course, if you ignore DNSSEC and accept whatever comes back as the IP > address, you will be fooled (or denied access to the real site). This would be a flagrantly negligent implementation of DNSSEC. A DNSSEC implementation is only secure if it enforces the authentication checks. This has nothing to do with the DNS filtering aspect of the Protect IP Act. George Ou -----Original Message----- From: Richard Bennett [mailto:richard@bennett.com] Sent: Monday, July 18, 2011 1:33 PM To: nnsquad@nnsquad.org; Vint Cerf; George Ou Subject: Re: [ NNSquad ] [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS" Unlike the government action in Vint's hypothetical, PROTECT IP is not about censorship of unpopular opinions. Rather, the goal of PROTECT IP is to block access to sites that sell unlicensed movies, so faking out the user who would otherwise purchase from an unauthorized seller is not in the cards. So George's point stands that PROTECT-IP accomplishes the goal and does not "break" DNSSEC. RB On 7/18/2011 10:44 AM, Lauren Weinstein wrote: > Forwarded with Vint's permission. > > --Lauren-- > > > ----- Forwarded message from Vint Cerf<vint@google.com> ----- > > > On Sun, Jul 17, 2011 at 11:59 PM, Lauren Weinstein<lauren@vortex.com>wrote: > >> Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS" >> >> http://j.mp/qHnkDB (ISC) >> >> "Nevertheless the raw uncomfortable truth of the matter is that any >> form of mandated "DNS blocking'' whose goal is to make certain domain >> names unreachable will be indistinguishable from the result of a >> Secure DNS failure - and a failure is a failure is a failure." >> >> - - - >> >> It should be noted that the MPAA's response on these issues is the >> assertion that most >> users are too stupid to understand how to change their DNS (presumably even >> after >> being given step by step instructions) and that not permitting content >> owners to >> manipulate the DNS to protect their profit centers would amount to allowing >> the >> Internet to "decay into a lawless Wild West." >> >> --Lauren-- >> Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren >> Co-Founder: People For Internet Responsibility: http://www.pfir.org >> Founder: >> - Network Neutrality Squad: http://www.nnsquad.org >> - Global Coalition for Transparent Internet Performance: >> http://www.gctip.org >> - PRIVACY Forum: http://www.vortex.com >> Member: ACM Committee on Computers and Public Policy >> Blog: http://lauren.vortex.com >> Google+: http://vortex.com/g+lauren >> Twitter: https://twitter.com/laurenweinstein >> Tel: +1 (818) 225-2800 / Skype: vortex.com >> >> >> > ----- End forwarded message ----- -- Richard Bennett