SOPA undermines security while not solving any problems

A new piece of American legislation, SOPA (Stop Online Piracy Act), has been getting a lot of attention over the last few weeks. The purpose of the bill is to put a dent in online piracy by allowing the US government to dictate that ISPs block access to sites hosting copyrighted materials.

The US Congress seems to have a huge misunderstanding of how the internet works and looks more and more as if it is simply following the wishes of the entertainment industry.

It’s not that I don’t believe in copyright or that copyright holders don’t have the need to enforce their rights (Sophos included), but doing so at the expense of free speech is going too far.

Let’s start with the fact that it wouldn’t work.

Asking service providers to maintain a list of blocked DNS names and to prevent their customers from gaining access would be a gargantuan effort.

People seeking to illegally obtain copyrighted materials would simply point their DNS resolvers at publicly available services in other jurisdictions.

OK, so we tell ISPs they must also block the IP addresses of offending websites. Pirates will simply use services like Tor, BitTorrent or offshore VPN services that again will subvert the US government controls.

Having the ability to take away anyone’s speech without a court order will have a chilling effect on the internet. Only innocent people will pay the price; thieves will simply outmaneuver the controls.

What does this have to do with security? Well, monkeying with DNS and intentionally making it dysfunctional will hamper real efforts at providing a safer online experience.

As pointed out in a paper by Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson and Paul Vixie, it would have serious security ramifications:

  • Filtering DNS will drive people seeking copyrighted content to configure their computers to use non-US DNS servers, likely on advice of the pirates. These servers could be used to perform all sorts of man-in-the-middle and phishing attacks, greatly increasing the threat surface.
  • ISPs will lose critical insight into botnet activity and other network security issues. Many service providers are able to analyze DNS traffic to determine which customers may be infected, or which systems may be participating in denial of service attacks.
  • Having DNS resolve to incorrect addresses will break DNSSEC and will hamper its adoption. This law would have people be redirected to a page warning them of the dangers of piracy. If DNSSEC is in use, they would get nothing and not know why the page isn’t coming up. DNSSEC is considered by many to be an important tool for preventing man-in-the-middle attacks and a key part of the US government’s strategy for a more secure internet.
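
To make the second point concrete, here is an added example (not taken from the paper or from the original post) of the kind of resolver-log analysis an ISP can run, and of what it loses when a customer points at a resolver elsewhere. The log format, addresses, customer list and thresholds are all assumptions constructed for illustration; a high share of NXDOMAIN answers is one common indicator of malware cycling through generated domain names.

```python
from collections import defaultdict

# Constructed sample of an ISP resolver query log (assumed format):
# epoch client_ip qname qtype rcode
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A NOERROR
1700000002 10.0.0.7 kq3vx9ptz.example.net A NXDOMAIN
1700000003 10.0.0.7 xw81mmq0a.example.net A NXDOMAIN
1700000004 10.0.0.7 p0zzt4rcb.example.net A NXDOMAIN
1700000005 10.0.0.7 mail.example.org A NOERROR
1700000006 10.0.0.5 mail.example.org MX NOERROR
1700000007 10.0.0.5 cdn.example.com A NOERROR
1700000008 10.0.0.7 r7hh2lq9d.example.net A NXDOMAIN
"""

# Constructed list of addresses the ISP has assigned to customers.
# 10.0.0.9 has switched to an outside resolver, so it never appears in the log.
CUSTOMERS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}

def per_client_stats(log_text):
    """Return {client_ip: [total_queries, nxdomain_count]}."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at their meaning
        _, client, _, _, rcode = fields
        stats[client][0] += 1
        if rcode == "NXDOMAIN":
            stats[client][1] += 1
    return dict(stats)

def suspect_clients(log_text, min_queries=4, nx_ratio=0.5):
    """Clients with enough queries and a high NXDOMAIN share (assumed thresholds)."""
    return sorted(
        client for client, (total, nx) in per_client_stats(log_text).items()
        if total >= min_queries and nx / total >= nx_ratio
    )

def unseen_customers(log_text, customers):
    """Customers who never queried the ISP resolver: no DNS visibility at all."""
    return sorted(set(customers) - set(per_client_stats(log_text)))

if __name__ == "__main__":
    print("possibly infected:", suspect_clients(SAMPLE_LOG))
    print("no visibility:", unseen_customers(SAMPLE_LOG, CUSTOMERS))
```

The customer on the outside resolver could be just as infected as 10.0.0.7, but nothing in the ISP's data would show it.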

I won’t even go into the danger of collateral damage when you take entire DNS entries offline, nor the ability for people to abuse the rules to intentionally create a denial of service condition for websites they don’t like.

SOPA is not going to end piracy, and to be fair our energy would be a lot better spent on stopping the deluge of scams and malware victimizing millions of Americans rather than helping to protect a few multi-billion dollar media companies.