Internet-security researchers are saying Senate antipiracy legislation that would dramatically increase the government's legal power to disrupt and shutter websites dedicated to infringing activity "raises serious technical and security concerns."
In a white paper published this month, the researchers take shots at a measure in the Protect IP Act allowing the Justice Department to obtain court orders requiring American internet service providers to stop rendering the DNS for an infringing website under the .com, .org and .net domains.
"Mandated DNS filtering would be minimally effective and would present technical challenges that could frustrate important security initiatives. Additionally, it would promote development of techniques and software that circumvent use of the DNS. These actions would threaten the Domain Name System's ability to provide universal naming, a primary source of the internet's value as a single, unified, global communications network," according to Steve Crocker of Shinkuro, David Dagon of Georgia Tech, Dan Kaminsky of DKH, Danny McPherson of Verisign and Paul Vixie of Internet Systems Consortium.
The paper is titled* Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the Protect IP Bill*.
The Protect IP Act (.pdf) is stalled on the Senate floor for political, not technical reasons. Sen. Ron Wyden (D-Oregon) placed a hold on the measure, saying last week the bill "represents a threat to our economic future and to our international objectives." The measure, however, was hailed by the content industry.
The researchers said that requiring that "nameservers return different results than others for certain domains" would place the United States on the same censorship path as China and "some Middle Eastern countries."
They said that it would also undermine Domain Name System Security Extensions, or DNSSEC, a security protocol to "demand verification" from the domain name system.
The Protect IP Act, they wrote, "would not only require DNS responses that cannot deliver such proof, but it would enshrine and institutionalize the very network manipulation DNSSEC must fight in order to prevent cyberattacks and other miscreant behavior on the global internet."
The legislation also grants content owners and the government the right to seek court orders instructing online ad services and credit card companies from partnering with infringing sites.
The government is already manipulating internet domains by invoking an asset-forfeiture law to seize generic top-level domains of infringing websites under a program called "Operation in Our Sites." Since last year, the Department of Homeland Security has targeted 128 sites. Some of the seized sites direct to a government-backed message that the site was seized.
But others do not, which underscores a point the researchers make in their paper. An add-on for the Firefox browser redirects traffic from some of the seized domains to other domains outside the United States' reach.
Mozilla, the maker of the Firefox browser, declined to accede to a DHS request to remove the add-on. Mozilla said it did not comply, because the request raised the question of when should "intermediaries accede to government requests that have a censorship effect and which may threaten the open internet."
Illustration: richard winchell/Flickr
See Also:
- Black Hat: DNS Flaw Much Worse Than Previously Reported
- Details of DNS Flaw Leaked; Exploit Expected by End of Today
- Geez, Google Wants to Take Over DNS, Too
- Kaminsky on How He Discovered DNS Flaw and More
- DNS Provider Mistakenly Caught in WikiLeaks Saga
- Internal Twitter Credentials Used in DNS Hack, Redirect
- Experts Accuse Bush Administration of Foot-Dragging on DNS
- ISPs' Error Page Ads Let Hackers Hijack Entire Web
