[ NNSquad ] Re: [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"

["George Ou" <george_ou@lanarchitect.net>]

The fact is that the Protect IP Act doesn't really get into the details of
DNSSEC which is obscure to even most technically minded folks much less
lawyers.  It is not surprising that the bill didn't discuss how redirections
of DNSSEC are to be handled.  Given that DNSSEC hasn't been widely deployed
yet and the Protect IP Act only affects sites found to be illegal by the
courts, there is time to fix this issue we come to the conclusion that 
a secure redirect mechanism needs to be implemented.

If we need secure redirection, the DNSSEC standard needs to accommodate 3rd
party redirection for trusted authorities e.g., US Government.  The
redirected DNSSEC responses would have to be signed by a valid government
certificate and hackers would not be able to perform the same type of
redirection.  And because the government isn't forging the site owner's
certificates, there is no effort to conceal a third party presence which
rules out wiretapping.

George

   [ In other words, provide what amounts to a back-door for
     governments to use to subvert DNSSEC.  This certainly would be in
     line with other professed sensibilities of our government, which
     has made it clear that it wants to be able to decrypt any
     communications on demand.  The hypocrisy of this mindset is
     immense.  We're out in the world making noises about giving
     people in other countries tools to bypass censorship,
     surveillance, and other Internet controls imposed by leaders who
     we consider to be enemies.  

     But at the same time, we're proposing the same sort of control
     and suveillance capabilities here, not only on ostensible
     national security grounds, but to supposedly help protect the
     profit centers of Disney, et al. from a claimed vast finanical
     threat that in reality can't even be *realistically* quantified.
     And remember, any time we build such government access and
     control mechanisms into our infrastructure, they become available
     not just to government today, but to future governments as well,
     whether we like them or not.

     Of course, whatever "moral authority" we ever had to make
     pronouncements about how other governments shouldn't tamper with
     the Internet goes right out the window when our own government is
     hell-bent on the same sort of tampering.  We will say that our
     motives are pure.  Surprise, "our enemies" feel the same way and
     will make the same proclamations.

     It's lose-lose all the way around.

        -- Lauren Weinstein
           NNSquad Moderator ]


-----Original Message-----
From: nnsquad-bounces+george_ou=lanarchitect.net@nnsquad.org
[mailto:nnsquad-bounces+george_ou=lanarchitect.net@nnsquad.org] On Behalf Of
George Ou
Sent: Tuesday, July 19, 2011 12:10 AM
To: 'Richard Bennett'; nnsquad@nnsquad.org; 'Vint Cerf'
Subject: [ NNSquad ] Re: [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by
Paul Vixie - "COICA and Secure DNS"


  [ The government has repeatedly and largely unapologetically blocked
    innocent sites (and foreign sites arguably not under U.S.
    jurisdiction) in the course of implementing court-approved blocks.
    This means that any error conditions related to this situation
    must be viewed in terms of their impact on innocent and
    potentially innocent sites as well as on legally targeted sites.
    Even "guilty" sites (as per government claims) -- and especially
    innocent sites -- deserve to have their users properly notified
    of government actions.  Various artificially induced error conditions
    are not an acceptable substitute for court-ordered blocking-related
    notifications to users.  Also, given the fact that "unauthorized"
    wiretaps are an unfortunate fact of life in this country, they also
    are of interest in any associated analysis.

       -- Lauren Weinstein
          NNSquad Moderator ]


Vint Cerf:
> "George's argument seems flawed to me. Suppose you have a site that is NOT
> illegal but a government wants to suppress it or even re-direct to a
> counterfeit site."

As Richard pointed out, this is irrelevant to the discussion since the
Protect IP Act only authorizes filtering of sites that are primarily
dedicated to selling counterfeit goods.

Vint Cerf:
> "Without DNSSEC, such re-direction is possible without
> detection. With DNSSEC one of two things might happen:

> 1. the site looks invalid because the DNSSEC check fails in which case
> counterfeiting the site doesn't work. that's the good case I suppose
except
> that the government "wins" since it suppresses access to the site for
those
> relying on DNSSEC"


If a web browser queries a newly visited website (one deemed illegal by the
courts) for both DNS and DNSSEC, the DNS reply will be redirected to a
takedown notification.  There would be no DNSSEC response as the redirector
(in this case the ISP) wouldn't have the ability to cryptographically sign
DNSSEC responses.  In this scenario, the use of DNS filtering required by
the Protect IP Act would deny service to the entire website secured by
DNSSEC or not.  It does not affect legal websites not deemed illegal by the
courts which means DNS filtering poses no risk to legally valid uses of
DNSSEC.

If a web browser queries a site whose known security profile is DNSSEC-only,
then the redirection of DNS would fail in addition to the lack of a valid
DNSSEC response.  Even if the mandated redirection failed, a key objective
of the law is still fulfilled which is to impede the counterfeit website.
Again in this scenario, there is no risk to legal websites.


Vint Cerf:
> 2. the government produces a false but signed entry that passes the DNSSEC
> check (wouldn't that mean that it had falsified a certificate containing
the
> public key of that domain name?) in which case the government succeeds in
> re-directing even a DNSSEC-checking user."

What you are talking about here would be a wire tap and the Protect IP Act
would not authorize wire tapping.  Therefore this is not a valid concern
with regard to the Protect IP Act.


Vint Cerf:
> Of course, if you ignore DNSSEC and accept whatever comes back as the IP
> address, you will be fooled (or denied access to the real site).

This would be a flagrantly negligent implementation of DNSSEC.  A DNSSEC
implementation is only secure if it enforces the authentication checks.
This has nothing to do with the DNS filtering aspect of the Protect IP Act.



George Ou

-----Original Message-----
From: Richard Bennett [mailto:richard@bennett.com] 
Sent: Monday, July 18, 2011 1:33 PM
To: nnsquad@nnsquad.org; Vint Cerf; George Ou
Subject: Re: [ NNSquad ] [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by
Paul Vixie - "COICA and Secure DNS"

Unlike the government action in Vint's hypothetical, PROTECT IP is not 
about censorship of unpopular opinions. Rather, the goal of PROTECT IP 
is to block access to sites that sell unlicensed movies, so faking out 
the user who would otherwise purchase from an unauthorized seller is not 
in the cards.

So George's point stands that PROTECT-IP accomplishes the goal and does 
not "break" DNSSEC.

RB

On 7/18/2011 10:44 AM, Lauren Weinstein wrote:
> Forwarded with Vint's permission.
>
> --Lauren--
>
>
> ----- Forwarded message from Vint Cerf<vint@google.com>  -----
>
>
> On Sun, Jul 17, 2011 at 11:59 PM, Lauren
Weinstein<lauren@vortex.com>wrote:
>
>> Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
>>
>> http://j.mp/qHnkDB  (ISC)
>>
>>     "Nevertheless the raw uncomfortable truth of the matter is that any
>>      form of mandated "DNS blocking'' whose goal is to make certain
domain
>>      names unreachable will be indistinguishable from the result of a
>>      Secure DNS failure - and a failure is a failure is a failure."
>>
>>   - - -
>>
>> It should be noted that the MPAA's response on these issues is the
>> assertion that most
>> users are too stupid to understand how to change their DNS (presumably
even
>> after
>> being given step by step instructions) and that not permitting content
>> owners to
>> manipulate the DNS to protect their profit centers would amount to
allowing
>> the
>> Internet to "decay into a lawless Wild West."
>>
>> --Lauren--
>> Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
>> Co-Founder: People For Internet Responsibility: http://www.pfir.org
>> Founder:
>>   - Network Neutrality Squad: http://www.nnsquad.org
>>   - Global Coalition for Transparent Internet Performance:
>> http://www.gctip.org
>>   - PRIVACY Forum: http://www.vortex.com
>> Member: ACM Committee on Computers and Public Policy
>> Blog: http://lauren.vortex.com
>> Google+: http://vortex.com/g+lauren
>> Twitter: https://twitter.com/laurenweinstein
>> Tel: +1 (818) 225-2800 / Skype: vortex.com
>>
>>
>>
> ----- End forwarded message -----

-- 
Richard Bennett