In this diary, Kos noted that PROTECT IP/SOPA could destroy the social web. That's true, but it's actually even worse: the blocking mechanism used would make it impossible to close a big security hole. And to add insult to injury, it wouldn't even be that hard to get around.
How is this true? See below the fold.
Leaving aside the general issue of freedom of speech (which shouldn't be left aside, but I want to focus on the technical issues here), PROTECT IP and SOPA would prevent a long-standing security hole from ever being closed, and it wouldn't even work.
For a primer: every Internet host has both a name (such as www.dailykos.com) and a numerical address (such as 184.108.40.206). There is no telephone directory-style central database of all names and addresses. Instead, there is a hierarchy of names (the "domain name system", or DNS). So for example, there is a "name server" that has a database of everything at the top level of .com (for example, dailykos.com). If you want to find the address of "www.dailykos.com", you first request the address of the name server for dailykos.com from .com. That returns you the address of dailykos.com's name server, and you then ask it for the address of www.dailykos.com.
(There's another little problem there: how do you find the address of the very top level server? In this case, there are some fixed names and addresses to let you start the chain of recursion. Otherwise you could never get started.)
There's a problem here: how do you know that the response you got from, say, .com's name server really came from that server? You send a message to, say, a.root-servers.net (which is one of the top level servers), but somebody down the line could intercept that request and send you back a reply saying that something else is really the server for dailykos.com. That something else could return an incorrect answer for dailykos.com, which then serves a fake dailykos.com site that looks like the real thing but actually captures your password, say. The opportunities for mischief with this kind of spoofing should be obvious.
So there's a new protocol, "DNSSEC" (DNS Secure), that solves this problem by having every answer be authenticated. I don't know exactly the mechanism, but I suspect that what happens is that when you request a lookup, you receive an encrypted reply. The encryption is likely public key, so that anybody can (in this case) decrypt the response, but only the valid sender can encrypt it. When you request the address of a nameserver, you're presumably given the public key of that second nameserver. As long as the root nameservers and their keys can be trusted, you have an unbreakable chain of trust. That, and the delegated name servers themselves aren't compromised...
So here's the problem with PROTECT IP. One of the mandates is that DNS records for violating web sites be blocked. Maybe that doesn't sound so hard, but here's where the distributed nature of DNS is a problem. The top level domain servers only go down as far as e. g. dailykos.com. However, the violating web site could be named something like my.warez.fr. The server for warez.fr (and, for that matter, warez.fr) might not be in the US, and therefore not subject to the court's jurisdiction. (I'm not trying to pick on anyone with that made-up domain name, which would be a French one; just pointing out that the name server might not be subject to the jurisdiction of the US.) So the only way to enforce this kind of order would be to intercept requests for that domain and return a spoofed response — exactly what DNSSEC is intended to block.
The benefit of DNSSEC is that you can be sure that an address really does match up with the hostname it purports to be, so someone can't spoof you by intercepting host name lookups. Think about the kind of mischief that could ensue if I could make mail for Barack Obama be forwarded silently and undetectably to Newt Gingrich, and I could fake replies. That is what DNSSEC prevents. Giving up this protection so that copyright holders can more easily go after accused violators is not acceptable.
But wait, there's more! Remember that I said that there are ways around it? So how would you like to give up the possibility of deploying DNSSEC...to not even "protect" anything? There are plenty of ways of getting around DNS redirection:
- Alternate nameservers — it's possible to configure your computer to use alternate nameservers outside of the US, beyond the reach of any US court order. This means that you have to trust these alternate nameservers, which could be dangerous. But your ISP could block the DNS port, so...
- VPN, or virtual private network — this is a way to allow secure communication on unsecured networks. Many companies use this to allow their employees to access their secure internal networks from insecure public networks. It looks like you're connected directly to the secure network. If the other end of the VPN connection is outside of the country, then again, it isn't subject to any US court order. And again, you're throwing yourself on the mercy of the overseas VPN server. I doubt Congress would try to ban the use of VPN, if for no other reason than a lot of executives at big companies find it extremely convenient to be able to connect to their business from the road or from home.
- TOR, or The Onion Router — much the same kind of deal, except distributed.
- Hard-coded addresses — rather than putting my.warez.fr into your browser's URL bar, you might put 220.127.116.11, or whatever the address of the interesting site is. Or, you might put it in your hosts file (/etc/hosts in Linux and UNIX). You'll have to update it when it changes, but if you're that insistent on getting your fill of warez, you'll happily do so.
- Other creative people can come up with more ideas...
It turns out that Rep. Zoe Lofgren also doesn't like the idea of DNS hijacking, and asked Sandia National Labs for its assessment. Sandia has a long history with the Internet and its predecessor, the ARPAnet. Anyway, Rep. Lofgren asked a number of questions that were very on point, and Sandia responded. You can see the response here. One gets the feeling that the good scientists at Sandia were most pleased to give her a most thorough and helpful response ("One staff member characterized the proposed DNS filtering mandate as a 'whack-a-mole' approah that would only encourage users and offending websites to resort to low cost workarounds").
In summary, PROTECT IP and SOPA would not only likely result in the destruction or at least grave damage to the Internet as a means for peer to peer communication (as opposed to top down spoon feeding of so-called entertainment), it would threaten the future of the Internet for secure commerce and communication of all sorts, and it wouldn't even work. Please contact your senators and representatives today to ask them to withhold their support for this atrocious piece of legislation.
5:48 PM PT: DavidSegal's diary provides a convenient way for you to help out. Sen. Ron Wyden has put a hold on the Senate version of the bill and is mounting a real filibuster. You can have your name read on the Senate floor in opposition to this bill.
6:28 PM PT: First time on the reclist! Thanks!