4 David Sohn DNS and Cybersecurity

Uploaded by gwCSPRI on 03.05.2012

>> David Sohn: I think that Leslie and Paul covered a lot of ground,
but let me try to offer a picture of why my organization, the Center for Democracy
and Technology, opposed DNS filtering really from the start of its inclusion
into the legislation, which dates back to a bill that Paul mentioned, which was quite a year ago
and then PIPA and SOPA this year.
I should say, so, I understand the appeal, what Paul is saying goal wise.
Certainly, there is plenty of illegal stuff on the internet, including,
but not limited to, infringements.
And it's an appealing idea that maybe we could find a way to make that difficult to access,
either block access or at least make it hard enough to access that it signals
to users that the content is legitimate.
But as appealing as that goal might be, when you actually start looking at the consequences
of trying to use the internet's addressing system, the DNS system, to do that,
it turns out there are a number of problems.
Ultimately, when we looked at it, we decided it was both largely ineffective in terms
of having much prospect of a lasting impact to reduce infringement, and then carried risks
of collateral damage in a number of areas.
One of which is cyber security, and I'll try to focus mostly on that here, but I'll touch also
on what a couple of other areas are where we saw potential problems.
So quickly, the issue of why it's ineffective, I think,
has been largely covered by both Leslie and Paul.
There are lots of ways to circumvent it.
When you're using DNS, the bad content, the bad guy who has put up this website full
of infringing stuff, doesn't actually get disconnected from the internet.
He's still there.
It's still accessible.
It's just one particular way of finding him is being interfered with.
And, of course, on the internet, there are lots of ways for users to find him.
And Paul actually took you through a couple of the circumvention techniques that are possible.
I think that the most likely result if DNS filtering is used against websites
that are actually popular and have a big following, which it's certainly true of some
of these piracy sites, is that the evasion techniques will quickly go viral.
The users who don't know how to do it initially will quickly be instructed in how to do it,
or they'll be provided with tools and browser plug-ins that make it easy.
They'll be given something that says, hey, click here if you want
to make sure you never lose access to your favorite sites again.
And, you know, will users actually do that?
I think a good point of reference is the different peer-to-peer networks.
Napster got shut down.
Other subsequent peer-to-peer networks were shut down.
Did the user bases of those networks say, oh, gosh,
well now that I realize it's illegal, I guess I'll just stop using it?
No, they tended to transition to the other peer-to-peer networks.
So they actually took the step of downloading the alternative peer-to-peer client and started
to use that, and I think that's kind of comparable to what we're talking about right here.
Yeah, you have to download some kind of browser plug-in or something to keep access
to your sites, but I think there's pretty good evidence
that an awful lot of people would still do that.
And so I think, in the long-term, you don't end up with much of a lasting reduction in piracy.
Well let's talk about why using DNS can actually be harmful,
and I'll start off on cyber security grounds.
So as Paul said, for a long time, the legislation had the idea of redirection.
In other words, DNS would be used, not to just block a user from getting to the site
but to actually redirect them to a department of justice warning site that would say,
the site you've tried to reach has been declared by a court
to be distributing unlawful material or something to that effect.
That is just in flat conflict with DNSSEC.
That kind of redirection can't happen in a DNSSEC world.
It took a while to get that recognition across, but we did eventually, in the debate,
get to a place where I think proponents of the legislation recognized
that redirection was no longer going to be possible.
So the fallback answer, as Paul said, well let's try other kinds of answers where the ISP,
instead of redirecting the user somewhere, simply tries to make the request not resolve
so that no IP address comes back, there's basically just no answer.
It turns out that that kind of solution poses cyber security problems
as well for a couple of reasons.
Focusing first on DNSSEC, DNSSEC actually has a secure way of telling a user that there is no
such domain, so that's just kind of NXDOMAIN idea.
So if we move to a world where DNSSEC is implemented and users are using it,
they will be using a new generation of secure browsers and applications that will rely
on DNSSEC for end-to-end authentication and will be expecting signed responses.
They'll be expecting the cryptographic signatures that signal that, in fact,
there has not been any security intrusion here.
When they don't get that, they're not going to just accept the answer.
They'll go looking to another DNS server to try to get a secure answer.
So what this means at the end of the day is that it's very hard, because for ISPs to not respond,
the DNSSEC standard simply does not give them a way to issue a non-response,
a refusal to respond, in a way that is cryptographically signed as DNSSEC expects.
So the browsers that the users are using once you have end-to-end DNSSEC simply aren't going
to be able to take refusal to respond as an answer.
That will look to the browser, because it's not signed, that will look to the browser
like there's been some kind of hack or, at least,
will look identical to if there had been a hacker.
So what all this means, I think, when you step back,
is that trying to use the Domain Name System to force ISPs to do non-responses ends
up really undermining the potential of DNSSEC because the point of DNSSEC is,
it's a technology that will be a platform for the next generation of secure applications.
And those applications will look to DNSSEC and its signatures
to determine when there is a security risk.
And when they see unsigned, unsecure answers, the whole point is
that they're not supposed to accept those answers.
Those answers indicate that there may be a security breach,
and so they'll try to route around them.
That's where you want to get with DNSSEC.
And the problem is, if you start introducing ambiguity into the system so that now
because of government-mandated DNS filtering,
a non-secure response can either mean there's a security problem,
or it could mean that there's been a court order.
Well the secure applications don't know how to deal with that.
If they build their systems so that they route around insecure responses,
which you'd want to do to defeat hackers,
all those same responses will also defeat the filtering and query whether makers of browsers
and other applications can really be in the business of building these secure applications
that are going to be routing around court ordered blocking.
I think their legal departments will have a serious problem building in a feature
that they are told is going to not just defeat the hacker
but will also defeat the government ordered blocking of illegal sites.
So I think you create a strong disincentive to actually create browsers and applications
that use the DNSSEC capability end to end because they can no longer rely
on the signals that DNSSEC gives.
I think a second way that you run into problems with DNSSEC is just a question
of what this would mean for DNSSEC deployment.
ISPs and other entities in the domain name ecosystem are not required to deploy DNSSEC.
It's certainly just hoped that ISPs will choose to do so.
Comcast recently was the first big US ISP to announce that it's rolling out DNSSEC.
But think about what mandated DNS filtering by ISPs means for the ISP.
It means that in some cases, they're not going to be able to answer their user's query.
If they're not going to be able to answer the query, certainly the ISP's preference is going
to be to provide a good explanation for why.
They would like to be able to tell the user, well, we're not able to answer your query
because there's been a court order in this case, and the site you're trying
to reach is not a legitimate site.
That's what makes for a good user experience.
If they can't do that because of DNSSEC...once they deploy DNSSEC,
they can no longer give an explanation to the user.
At that point, all they can do is not answer.
Well that's a pretty cruddy user experience.
The user's getting error messages or hangs, and so it looks to the user like something's broken.
From the ISP's perspective, that means service calls, saying, hey,
how come my system isn't working properly.
It seems to me, it creates a strong incentive for ISPs, if they're going to have
to do DNS filtering to reserve themselves the capability to do it in a way
that preserves a good user experience, which would be to direct the users
to some webpage that gives them an explanation.
Of course, they can't do that if they do DNSSEC, so you put the ISPs
in a position where they have to choose.
You can implement DNSSEC and keep your good user experience...excuse me.
You can implement DNSSEC and improve security, or you can delay your DNSSEC implementation
and retain for a while longer your ability to preserve a good user experience
when you're ordered to do domain name filtering.
So it's an incentive to drag our feet on DNSSEC deployment, and DNSSEC has been
in development since the late 90s.
This is a multi, multi-year process as probably many of you know.
It's got some good momentum now, and there is a real concern that you start mandating things
that are inconsistent with DNSSEC and you're going to stall that momentum.
So those are security issues.
Let me touch on a couple other issues
that my organization was concerned about with DNS filtering.
One is the impact internationally.
The United States State Department has been the world's leading voice in favor
of a single global open internet that looks the same no matter what country you access it from.
We urge other countries not to have blacklists, not to block websites.
If the US goes and embraces a technique like DNS filtering,
it's essentially embracing the principle that it is appropriate for governments to try
to exercise technical control over what websites are available,
what foreign websites are available in your country.
And, indeed, if DNS filtering were to become an accepted norm for how you deal
with bad behavior, I think we can expect other countries to follow the example
and to expand the kind of blocking they do, and this really paves a way
for a much more balkanized internet.
I think you can expect that when other countries follow the example and use DNS blocking,
it wouldn't necessarily just be for copyright infringement; the precedent will be set
that when there are foreign websites that violate a country's domestic laws,
it's appropriate for the country to create a blacklist of sites
and stop its citizens from going there.
This is exactly what our state department is telling other countries not to do.
And I think in the end a lot of the sites that would be targeted
by other countries would probably end up being American sites.
Our first amendment allows for a much more freewheeling form
for speech than many other countries do.
Many other countries get frustrated with the stuff that appears on American sites
and is protected under our first amendment.
I think you can expect that other countries would be doing more blocking of US sites.
And, of course, as the mechanisms for this kind of site blocking become more common
and accepted, I think in many countries you would have a risk
of suppression of political speech as well.
So we think there's a very dangerous international precedent that will get set.
A third area where we have concerns is just the risk of impact on lawful speech accidentally.
Domain name filtering is actually a pretty blunt instrument.
If you look at existing law under the Digital Millennium Copyright Act,
it encourages companies to have a notice and takedown regime
where they remove infringing material when they're notified about it.
But under that regime, what the ISPs are notified about, what the content hosts,
I should say, are notified about and what they take down are specific URLs, in other words,
specific pieces of infringing content.
So it's a video on YouTube that is infringing,
it's not all of YouTube, it's not YouTube's domain name.
So domain name filtering really is a much blunter instrument than that.
It's not going at specific pieces of infringing content.
It's going at entire websites.
And it turns out that in many cases, domain names can be shared between multiple users.
And if you start trying to interfere with the resolution of that domain name,
it can affect all the users, not just the ones who are engaged
in piracy or other unlawful activity.
In addition, and I think Leslie hinted at this, domain names aren't just
for the worldwide website, although that's one thing that they commonly refer to,
they also cover things like email servers.
So when you interfere with a domain name resolution, you can interfere not just
with the public-facing website but with other things like email servers
that may not be public-facing, but which may well carry a great deal of lawful speech
in addition to whatever unlawful stuff may be on the website.
So there's a variety of ways that DNS filtering can end up accidentally impairing lawful speech
as well as unlawful, and it isn't really a surgical tool.
The last reason why that's the case is something Paul alluded to,
which is the due process question, which I think is probably beyond the scope here,
but I'll just say briefly, one of the things we're concerned about in the legislation is
that it envisioned a process where foreign websites get accused in US courts.
It's entirely predictable that many foreign websites won't be familiar
with the US legal system, won't have lawyers here, won't really be interested
or maybe have the money to hire lawyers here, and therefore won't show up.
So you're probably talking as a practical matter about a one-sided process rather
than an adversarial process where the prosecution or the plaintiff, whoever it is,
under whatever system we've set up, makes the case that the site's a bad site.
The site doesn't really show up to defend itself, and as a result,
the entire site is interfered with through domain name blocking.
And I think there's a real risk of sites...of mistakes being made
when you don't have adversarial process, and indeed, we've seen that several times already
in Operation In Our Sites, which is what ICE has been doing so far to do domain name seizures
as opposed to filtering, but they've already made some mistakes
as in the case of...there was a site called moo.com,
which turns out that is shared between many many registrants.
It's not necessarily obvious in a lot of these cases that a domain name may be shared.
There's no directory of subdomains.
There's no, you know, obvious place to look, but they ended up having impact on lots
of registered users, not just the particular subdomain user.
In that case, it was involved in child pornography.
So anyway, stepping back, what all of this says to us is, there's a lot of value
in having a reliable internet addressing system that tells the truth and is secure
against hacking and just kind of works for the purpose for which it was designed.
And when you try to inject DNS filtering into that mix to make it try
to prevent illegal content, the cost and benefits just don't pencil out.
There's a variety of reasons why it can cause problems.
The end...the effectiveness is limited at best.
So we would say from a policy perspective, if you do a cost-benefit there,
it's not an avenue worth pursuing.
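The DNSSEC point made above (that a validating client cannot tell a court-ordered non-response from a forged one, and will move on to another resolver) can be shown with a small model. This is an added example, not code from the talk or from any of the organizations named; it models validator states only and does not verify real RRSIG records, and all resolver labels and replies are constructed.

```python
# Added example: a simplified model of how a DNSSEC-validating client
# classifies replies (RFC 4035-style secure / insecure / bogus states).
# It does not verify real signatures; `signed` stands in for "carries a
# valid RRSIG chain". All replies below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class Reply:
    """One resolver reply, reduced to the facts a validator cares about."""
    source: str   # constructed label, e.g. "authoritative", "isp_filter"
    rcode: str    # "NOERROR", "NXDOMAIN", or "NONE" (query left unanswered)
    signed: bool  # answer, or NSEC/NSEC3 denial of existence, carries RRSIGs


def validate(reply: Reply, zone_signed: bool) -> str:
    """Validator outcome for a reply about a name in a zone.

    zone_signed: the chain of trust (DS records) reaches this zone.
    In a signed zone every positive answer *and* every denial of existence
    must be signed; anything else is bogus, exactly like a spoofed reply.
    An unanswered query is treated as a missing (unsigned) reply.
    """
    if not zone_signed:
        return INSECURE  # nothing to validate against
    return SECURE if reply.signed else BOGUS


def first_usable(replies: List[Reply], zone_signed: bool) -> Optional[Reply]:
    """A client that refuses bogus replies and tries the next resolver;
    returns the reply it finally acts on, or None if every reply was bogus."""
    for reply in replies:
        if validate(reply, zone_signed) != BOGUS:
            return reply
    return None


# Constructed scenarios for a name in a DNSSEC-signed zone.
AUTHORITATIVE_NXDOMAIN = Reply("authoritative", "NXDOMAIN", signed=True)
SPOOFED_NXDOMAIN = Reply("attacker", "NXDOMAIN", signed=False)
ISP_FILTERED = Reply("isp_filter", "NONE", signed=False)
GENUINE_ANSWER = Reply("authoritative", "NOERROR", signed=True)

if __name__ == "__main__":
    for r in (AUTHORITATIVE_NXDOMAIN, SPOOFED_NXDOMAIN, ISP_FILTERED):
        print(f"{r.source:14} {r.rcode:9} -> {validate(r, zone_signed=True)}")
    chosen = first_usable([ISP_FILTERED, GENUINE_ANSWER], zone_signed=True)
    print("client ends up using:", chosen.source if chosen else "nothing")
```

The signed NXDOMAIN is the "secure way of telling a user there is no such domain"; the filtered non-response and the forged reply both come out bogus, so a validating client has no basis to treat them differently.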