
In this diary, Kos noted that PROTECT IP/SOPA could destroy the social web.  That's true, but it's actually even worse: the blocking mechanism used would make it impossible to close a big security hole.  And to add insult to injury, it wouldn't even be that hard to get around.

How is this true?  See below the fold.

Leaving aside the general issue of freedom of speech (which shouldn't be left aside, but I want to focus on the technical issues here), PROTECT IP and SOPA would prevent a long-standing security hole from ever being closed, and it wouldn't even work.

For a primer: every Internet host has both a name (such as www.dailykos.com) and a numerical address (such as 173.231.134.22). There is no telephone directory-style central database of all names and addresses. Instead, there is a hierarchy of names (the "domain name system", or DNS). So for example, there is a "name server" that has a database of everything at the top level of .com (for example, dailykos.com). If you want to find the address of "www.dailykos.com", you first request the address of the name server for dailykos.com from .com. That returns you the address of dailykos.com's name server, and you then ask it for the address of www.dailykos.com.

(There's another little problem there: how do you find the address of the very top level server? In this case, there are some fixed names and addresses to let you start the chain of recursion. Otherwise you could never get started.)

There's a problem here: how do you know that the response you got from, say, .com's name server really came from that server? You send a message to, say, a.root-servers.net (which is one of the top level servers), but somebody down the line could intercept that request and send you back a reply saying that something else is really the server for dailykos.com. That something else could return an incorrect answer for dailykos.com, which then serves a fake dailykos.com site that looks like the real thing but actually captures your password, say. The opportunities for mischief with this kind of spoofing should be obvious.

So there's a new protocol, "DNSSEC" (DNS Secure), that solves this problem by having every answer be authenticated. I don't know exactly the mechanism, but I suspect that what happens is that when you request a lookup, you receive an encrypted reply. The encryption is likely public key, so that anybody can (in this case) decrypt the response, but only the valid sender can encrypt it. When you request the address of a nameserver, you're presumably given the public key of that second nameserver. As long as the root nameservers and their keys can be trusted, you have an unbreakable chain of trust. That, and the delegated name servers themselves aren't compromised...

So here's the problem with PROTECT IP. One of the mandates is that DNS records for violating web sites be blocked. Maybe that doesn't sound so hard, but here's where the distributed nature of DNS is a problem. The top level domain servers only go down as far as, e.g., dailykos.com. However, the violating web site could be named something like my.warez.fr. The server for warez.fr (and, for that matter, the server for .fr itself) might not be in the US, and therefore not subject to the court's jurisdiction. (I'm not trying to pick on anyone with that made-up domain name, which would be a French one; just pointing out that the name server might not be subject to the jurisdiction of the US.) So the only way to enforce this kind of order would be to intercept requests for that domain and return a spoofed response — exactly what DNSSEC is intended to block.

The benefit of DNSSEC is that you can be sure that an address really does match up with the hostname it purports to be, so someone can't spoof you by intercepting host name lookups. Think about the kind of mischief that could ensue if I could make mail for Barack Obama be forwarded silently and undetectably to Newt Gingrich, and I could fake replies. That is what DNSSEC prevents. Giving up this protection so that copyright holders can more easily go after accused violators is not acceptable.
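To make the chain-of-trust argument concrete, here is a small in-memory model of the resolution walk described above (root, then .com, then dailykos.com) with a DNSSEC-style check at each step. This is an added illustration, not code from the diary or from any real resolver. It mirrors the real structure: DNSSEC signs answers rather than encrypting them, each zone publishes its public key, and the parent publishes a hash of the child's key (the DS record idea), so one hard-wired root key vouches for the whole chain. Everything else is constructed for the example: the zone layout, the toy RSA keys (tiny, stdlib-only, not secure), the simplification that an NS value is simply the name of the server to ask next, the addresses (the page's 173.231.134.22 and its "whatever the address is" 69.69.69.69), and the 10.0.0.1 sinkhole address used by the filter. The filter stands in for the interception a blocking order would require; it has no zone keys, so its rewritten answer can only get through a resolver that has turned validation off.

```python
"""Iterative DNS resolution with a DNSSEC-style chain of trust, modelled in memory.

Constructed example: zones, keys and addresses are made up for illustration,
and the RSA keys use tiny well-known primes, so they are toys, not real keys.
"""
import hashlib

E = 65537  # public exponent shared by every toy key


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    """Textbook RSA signature over the SHA-256 of `data` (toy, not secure)."""
    n, d = priv
    return pow(_digest(data) % n, d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data) % n


def key_digest(pub) -> str:
    """What a parent publishes about a child's key: the DS record idea."""
    return hashlib.sha256(repr(pub).encode()).hexdigest()


def canonical(qname: str, rrset: dict) -> bytes:
    """Deterministic bytes that the signature covers (name plus record set)."""
    return f"{qname}|{sorted(rrset.items())}".encode()


class Zone:
    """One authoritative zone: knows its children's records and signs answers."""

    def __init__(self, name, primes, records):
        p, q = primes
        n, phi = p * q, (p - 1) * (q - 1)
        self.name, self.pub = name, (n, E)
        self._priv = (n, pow(E, -1, phi))
        self.records = records  # owner name -> {rrtype: value}

    def answer(self, qname):
        rrset = self.records[qname]
        return {"rrset": rrset, "key": self.pub,
                "sig": sign(self._priv, canonical(qname, rrset))}


def build_zones():
    # Leaves first, because each parent publishes a digest of its child's key.
    dailykos = Zone("dailykos.com", (179424673, 9999991),
                    {"www.dailykos.com": {"A": "173.231.134.22"}})
    warez = Zone("warez.fr", (99991, 10007), {"my.warez.fr": {"A": "69.69.69.69"}})
    com = Zone("com", (15485863, 999983),
               {"dailykos.com": {"NS": "dailykos.com", "DS": key_digest(dailykos.pub)}})
    fr = Zone("fr", (1000003, 100003),
              {"warez.fr": {"NS": "warez.fr", "DS": key_digest(warez.pub)}})
    root = Zone(".", (104729, 1299709),
                {"com": {"NS": "com", "DS": key_digest(com.pub)},
                 "fr": {"NS": "fr", "DS": key_digest(fr.pub)}})
    return {z.name: z for z in (root, com, fr, dailykos, warez)}


ZONES = build_zones()
TRUST_ANCHOR = key_digest(ZONES["."].pub)  # the one key configured by hand, like root hints


class Bogus(Exception):
    """A signed answer failed validation (DNSSEC's 'bogus' outcome)."""


def resolve(qname, network, validate=True):
    """Walk root -> TLD -> zone, one delegation per step, checking each answer.

    `network` maps a server name to a callable that answers queries there:
    the honest zones, or an interceptor sitting between resolver and zones."""
    labels = qname.split(".")
    # e.g. "www.dailykos.com" -> ["com", "dailykos.com", "www.dailykos.com"]
    queries = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    server, expected_digest = ".", TRUST_ANCHOR
    for name in queries:
        resp = network[server](name)
        if validate:
            if key_digest(resp["key"]) != expected_digest:
                raise Bogus(f"{server}: key is not the one its parent vouched for")
            if not verify(resp["key"], canonical(name, resp["rrset"]), resp["sig"]):
                raise Bogus(f"{server}: signature on {name} does not verify")
        rrset = resp["rrset"]
        if "A" in rrset:
            return rrset["A"]
        server, expected_digest = rrset["NS"], rrset["DS"]  # follow the delegation
    raise KeyError(qname)


def filtered_network(network, blocklist, sinkhole="10.0.0.1"):
    """On-path filter of the kind a blocking order would need: it rewrites the
    A answer for listed names. Having no zone keys, it cannot re-sign them."""
    def wrap(server):
        def ask(name):
            resp = network[server](name)
            if name in blocklist and "A" in resp["rrset"]:
                resp = dict(resp, rrset={"A": sinkhole})  # signature is now stale
            return resp
        return ask
    return {server: wrap(server) for server in network}


if __name__ == "__main__":
    honest = {name: zone.answer for name, zone in ZONES.items()}
    print(resolve("www.dailykos.com", honest))               # 173.231.134.22
    blocked = filtered_network(honest, {"my.warez.fr"})
    print(resolve("my.warez.fr", blocked, validate=False))   # 10.0.0.1 (filter "works")
    try:
        resolve("my.warez.fr", blocked)
    except Bogus as err:
        print("validating resolver rejected the rewritten answer:", err)
```

Run it and the two outcomes line up with the argument in the text: with validation on, the rewritten answer for my.warez.fr is thrown out as bogus because the filter cannot produce a signature under warez.fr's key, while www.dailykos.com still resolves through the untouched path; with validation off, the sinkhole address is accepted silently. A mandated filter therefore only functions on resolvers that never validate, which is the protection the diary says would have to be given up.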

But wait, there's more!  Remember that I said that there are ways around it?  So how would you like to give up the possibility of deploying DNSSEC...to not even "protect" anything? There are plenty of ways of getting around DNS redirection:

  • Alternate nameservers — it's possible to configure your computer to use alternate nameservers outside of the US, beyond the reach of any US court order. This means that you have to trust these alternate nameservers, which could be dangerous. But your ISP could block the DNS port, so...
  • VPN, or virtual private network — this is a way to allow secure communication on unsecured networks. Many companies use this to allow their employees to access their secure internal networks from insecure public networks. It looks like you're connected directly to the secure network. If the other end of the VPN connection is outside of the country, then again, it isn't subject to any US court order. And again, you're throwing yourself on the mercy of the overseas VPN server.  I doubt Congress would try to ban the use of VPN, if for no other reason than a lot of executives at big companies find it extremely convenient to be able to connect to their business from the road or from home.
  • TOR, or The Onion Router — much the same kind of deal, except distributed.
  • Hard-coded addresses — rather than putting my.warez.fr into your browser's URL bar, you might put 69.69.69.69, or whatever the address of the interesting site is. Or, you might put it in your hosts file (/etc/hosts in Linux and UNIX).  You'll have to update it when it changes, but if you're that insistent on getting your fill of warez, you'll happily do so.
  • Other creative people can come up with more ideas...

It turns out that Rep. Zoe Lofgren also doesn't like the idea of DNS hijacking, and asked Sandia National Labs for its assessment. Sandia has a long history with the Internet and its predecessor, the ARPAnet. Anyway, Rep. Lofgren asked a number of questions that were very on point, and Sandia responded.  You can see the response here. One gets the feeling that the good scientists at Sandia were most pleased to give her a most thorough and helpful response ("One staff member characterized the proposed DNS filtering mandate as a 'whack-a-mole' approach that would only encourage users and offending websites to resort to low cost workarounds").

In summary, PROTECT IP and SOPA would not only likely result in the destruction or at least grave damage to the Internet as a means for peer to peer communication (as opposed to top down spoon feeding of so-called entertainment), it would threaten the future of the Internet for secure commerce and communication of all sorts, and it wouldn't even work.  Please contact your senators and representatives today to ask them to withhold their support for this atrocious piece of legislation.

5:48 PM PT: DavidSegal's diary provides a convenient way for you to help out.  Sen. Ron Wyden has put a hold on the Senate version of the bill and is mounting a real filibuster.  You can have your name read on the Senate floor in opposition to this bill.

6:28 PM PT: First time on the reclist!  Thanks!
