Pro-SOPA Comcast uses SOPA-incompatible DNSSEC

DNSSEC stops simple hijack of web traffic, but is incompatible with SOPA-required redirects

If you've been following the debate over the Stop Online Piracy Act (SOPA) adored by music companies, broadcasters and hardly anyone else, you'll have noticed bipartisan coalitions in Congress are among the least strange bedfellows – not to mention other odd conditions or changes – on both sides of the bill.

[ Free download: Patents and the lessons learned from Web 2.0 ]

It's pretty interesting to follow the money trails between companies hoping to make more money if SOPA passes, in fact, and the politicians supporting it.

A group described as the "fathers of the Internet" opposeed SOPA in a letter to Congress, which is good because if they appear to testify, they may be able to explain how both SOPA and the Internet work to supporters in Congress who appear not to understand either one.

Even enthusiastic supporters such as GoDaddy have reversed themselves on SOPA (though apparently more through lip service designed to mollify customers, not a chance of stance significant enough to do anything to counteract all the work they did in support of the bill).

Though the reversal made GoDaddy a refugee from bedfellowship with itself, social-networking news site Reddit appears ready to abandon the web itself, at least for 12 hours, and encourage other major sites to do the same in what Reddit users call an illustration of what the web will be like after SOPA surpresses their favorite content.

All those things may be confusing, inconsistent or self-defeating, but at least they obey the laws of physics.

Not so Comcast's iron-backed support for the restrictions in SOPA despite admissions that incompatibilities with technology to which Comcast has already committed would make Comcast unable to comply with the requirements of SOPA or the equally restrictive PIPA bill, should either pass.

Comcast announced yesterday it is the first major ISP to complete a DNS Security rollout across its entire network.

Comcast also announced, as pointed out by TechDirt, that it is shutting down the Domain Helper service it launched in 2009 to help users who misspell or mistype URLs. Rather than returning a 404 error, Comcast's Domain Helper suggests alternatives and redirect users to them.

DNS "response modification tactics" such as suggesting alternative sites or automatically redirecting users to a corrected URL is "technically incompatible with DNSSEC and/or create conditions that can be indistinguishable from malicious modifications of DNS traffic (including DNS cache poisoning attacks)," according to Comcast's announcement.

Securing DNS network even against effort to secure the Internet

DNSSEC is an IETF security specification designed to eliminate a gaping flaw in the security of the DNS system on which the Internet depends. It allows website owners to certify the physical addresses of their servers and require authentication from any source trying to change the targets to which DNS directs http requests. That makes it more difficult for hackers to replace information in the DNS network so that every attempt to contact would be directed to sites that would download malware or steal users' login credentials instead.

Requests to DNS servers are unencrypted and largely unfiltered, making it easy for hackers to plant erroneous information that could circulate quickly through large chunks of the DNS network.

Even legitimate redirects such as those from DNS Helper should be rejected by DNSSEC-enabled servers as hack attempts if they lack the certificates and authentication data that should be available only from the domain-name owners.

Tell me again how SOPA makes web sites disappear?

Having the DNS network itself reject fake redirects and other hacks would go a long way toward thwarting the increasing number of DNS-poisonings and other spoofs in phishing emails, scams circulating on social-network sites and web ads directing users to malicious sites rather than to the sites where they wanted to go.

SOPA and PIPA, however, rely on web redirects as a primary enforcement mechanism.

Under SOPA, if the Dept. of Justice endorses the complaint of a copyright owner and decides to take down a "pirate" site, it doesn't send G-men to batter down the door of some provincial data center.

It removes the web sites' entries in the DNS directory, orders the ISP to remove it, or simply requires the ISP to redirect user requests to an innocuous site announcing the "pirate" site had been removed.

According to Comcast's own announcement, DNSSEC is incompatible with that kind of trial-free deletion of an offending web site.

If the owners of the pirate site aren't even notified, they can't provide the passwords needed to make legitimate DNSSEC changes, so the DoJ's own changes should be rejected by any DNSSEC-supporting ISPs or DNS network segments.

Which leaves Comcast – as TechDirt said – in the position of enthusiastically endorsing both a technology designed to make the Internet less vulnerable to hackers and a set of censorship rules the enforcement of which is directly contradictory to and incompatible with the new networked security.

How awkward.

Amidst a forest of railroad spikes, SOPA requires piledriver to tap in a thumbtack

That doesn't mean SOPA/PIPA can't be amended to require different approaches to enforcement, at least for the relatively small percentage of the 'net currently protected by DNSSEC

It does mean that the people who came up with the harsh, rigid, civil-right-violating rules in the bill don't really know how the Internet they're trying to restrict actually works, what efforts others are making to stop fraud, identity theft and other crimes or how SOPA procedures will conflict with technology or policies designed to stop problems far more important ethically, economically and technically than anything addressed in SOPA.

As has become typical of SOPA supporters, however, Comcast has decided it doesn't care that its SOPA support will conflict with its DNSSEC.

In the same way, SOPA's sponsors don't seem to care that the problem they're trying to squash is so small compared to bank robbery, cyberespionage, international cyberattacks, identity theft that it looks like a thumb tack amongst railroad spikes.

Thumb tacks and pirates are both colorful, so it might not be hard for SOPA enforcers to find their targets, but they're going to look ridiculous trying to pound it in using those giant sledgehammers, especially if they have to pick their way among all the Internet's actual security problems in order to do it.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon