How SOPA will destroy Internet security

Last week's SOPA hearings were punctuated by facepalming moments in which learned members of the House Judiciary Committee dismissed the distinguished engineers who say the bill weakens Internet security. They said things like, "I'm no nerd, but I just don't believe it."

Well, you don't have to be a "nerd" to understand a) what DNSSEC is; b) why we desperately need it (or something like it) before the Internet collapses along with the creaking public key infrastructure; and c) how the insanity in SOPA will tank that effort. Stewart Baker at the Volokh Conspiracy lays it out in small, easy-to-understand words.

Unfortunately, the things a browser does to bypass a criminal site will also defeat SOPA’s scheme for blocking pirate sites. SOPA envisions the AG telling ISPs to block the address of So the browsers get no information about from the ISP’s DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address. Eventually, it will find a server in, say, Canada. Free from the Attorney General’s jurisdiction, the server will provide a signed address for, and the browser will take its user to the authenticated site.

That’s what the browser should do if it’s dealing with a hijacked DNS server. But browser code can’t tell the Attorney General from a hijacker, so it will end up treating them both the same. And from the AG’s point of view, the browser’s efforts to find an authoritative DNS server will look like a deliberate effort to evade his blocking order.

The latest version of SOPA will feed that view. It allows the AG to sue “any entity that knowingly and willfully provides …a product … designed by such entity or by another in concert with such entity for the circumvention or bypassing of” the AG’s blocking orders.

SOPA-Rope-a-dope (via Interesting People)


  1. How come none of the anti-SOPA congressmen called them on it? Why didn’t they just say “Well, honorable gentleman from Texas, how about you explain to us exactly why you think the security problems won’t apply? Don’t worry about getting too technical, I’ve got this engineer from Cisco here to fact check you.”

    1. I think their attitude is “I don’t know but I don’t care, I’ve been paid to make sure this passes so stop talking.” They sure acted like that was the party line.

    1. They are not idiots. They are just so skilled in getting elected (= their campaigns funded), that they suck at everything else. The German word for this is “Fachidiot” (plural: “Fachidioten”)

  2. As a Slashdot headline read this week, it just isn’t fucking funny any more that our national lawmakers are technology ignoramuses. It is time they start getting called on it and voted against if they are tech idiots.

    1. The problem is the US doesn’t get to pick and choose like that. The UK is the same. You have to pick the lesser of two evils. In a perfect world voters would have the ability to individually select an expert for each issue. Imagine a world where public support meant the experts behind the internet got 95% of the decision making power on this issue! I’ll ignore the realistic conclusion of that line of thinking, which is Oprah Winfrey and the cast of America’s Got Talent controlling every aspect of our lives…

      1. It’s nothing like as bad as that in the UK: we have multiple political parties (at least 3 major ones), and when one of them fucks up badly, the others have to adjust their policies to try to hoover up a share of the disillusioned voters.  None of them can expect to sit back complacently and get those votes without at least giving the appearance of addressing the issues.

        Also, independent candidates don’t need a multi-millions campaign fund to get elected.  They just need to front up a 500 quid deposit and a thousand signatures, and they often get elected on their own merits when the public get sick of party politics.

        In Scotland it’s even better: the parties with seats in the parliament are the SNP, Labour, Liberal Democrats, Conservative and Green (and one independent).  It’s still mostly a 2-horse race but the horses are different than in the UK parliament, so we get to keep the bastards on their toes.

        1. We have two parties, both desperate to be as broadly accepted as possible resulting in two identical leaders with big smiles and dark hair that only differ on major ideological issues (same as US). The third party plays the role of forward thinking and progressive in a desperate attempt to gain the vote of the currently non-voting youth. As soon as they get near power they abandon all their ideals just so they can join in with the big boys. The Green party is like the BNP, in that it has one issue to push and has no place controlling all of government. The SNP lives off of the “we hate the English” vote and honestly is worse than the BNP. It wants power for itself at the expense of its country. And yes I am vastly oversimplifying but I’m afraid I cannot accept that we are better off than the US.

          1. The SNP lives off of the “we hate the English” vote and honestly is worse than the BNP.

            Yeah, they’re worse than the openly fascist BNP. Except for, you know, being progressive and supporting things like racial equality and gay marriage.

  3. I know that Upton Sinclair has been quoted on this before, but it bears repeating: it is difficult to get a man to understand something, when his salary depends upon his not understanding it.

  4. Hours of logical and factual arguments against SOPA going up against that maid from Family Guy who just says “No….no… You sign bill”. It’s so terrifying it goes beyond parody. You could throw together a comedy sketch with simple logical statements like “the Earth is a sphere” or “water is important” being met with the session clerk saying “5 for, 22 against” over and over.

  5. Have you considered that it may be very deliberate?  Maybe they don’t like all the information we can get and share.   Corporations want total control of what we know.  For example, they don’t like our product reviews. 

  6. People are actually surprised Government and Big Business want to destroy the Internet?  Really? 

    The mainstream wants everything back the way it was:  asses on couches and consumers living up to their responsibility: being a gullet that doesn’t talk, swallows advertising and shits cash.

  7. Yeah, okay, except that what’s described here isn’t remotely how browsers or DNSSEC actually behave.  First, browsers don’t just cast about to random DNS servers all over the world til they find a response; they’ll only check the 2-3 servers configured manually or through DHCP, and if the first server they check responds with “that website doesn’t exist”, it won’t check any others.

    Secondly, as the article alludes to, no current browsers or OSes independently verify DNSSEC signatures themselves.  At most they simply trust their configured DNS servers when those servers say a response is authenticated.  There are browser plugins which do more, but as of right now, DNSSEC is only a consideration between DNS servers, and client consideration is purely theoretical.

  8. It may not be how it works now, but then DNSSEC hasn’t been widely implemented yet. It is how it should work. “Trusting the ISP’s DNS” is what we have now, and it isn’t good enough; and even if we are relatively sure the ISP is using DNSSEC, the only way to be confident is to confirm the authenticity of DNS data. 

    For DNSSEC to continue working, you’d have to set it up so the MPAA (through its agent, the Attorney General) can, when it feels like it, assert ownership of any domain name and replace the previous owner’s DNSSEC certificate with one of its own. Then (after a bit of latency) the DNS will be blocked (or redirected) for clients. 

    Property rights to a domain name and due process are, of course, inconsequential principles when pitted against the right of MPAA members to make money and to block sites it suspects of interfering.

    To make this work with non-US domain names and servers, you’d have to block access to non-US root servers, and probably block IP routing to the servers the MPAA thinks might be costing it sales. China does this all the time, and we all know how effective that is, to say nothing of how hypocritical it would be for us to criticize China’s Great Firewall, while helping the MPAA to build a Great Firewall around the US for its own use. 

    If the US allows the MPAA to build a Great Firewall around US territory, the MPAA will push to do the same with other markets (Australia, Japan, Europe, Russia, etc.). 

    Once the mechanism is in place for the MPAA to control a Great Firewall around the US, it will be just a matter of time before DHS, or, or some pro-Family group, or whoever,  to decide it should be able to use the same mechanism to block something it doesn’t like.  Imagine! A new business: the MPAA can sell blocking services on the Great US Firewall. This can replace its current and archaic business model, which will prove untenable in a few years even with SOPA. 

    I’m not saying MPAA doesn’t have a grievance, I’m just saying that SOPA is a sledge hammer being used to go after a speck of dust on a piece of very fine crystal glass. 
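
An added example, not part of the original post or its comments: a simplified Python model of the stub-resolver behaviour the comments above describe (only the configured servers are asked, NXDOMAIN is a final answer, and the AD flag is trusted rather than verified). The server addresses and header bytes are constructed sample data, and `make_header`, `parse_header` and `stub_lookup` are hypothetical names.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def make_header(flags, answers=0):
    """Build a constructed 12-byte DNS header (sample data, not a capture)."""
    return struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)

def parse_header(msg):
    """Decode the fixed DNS header: QR, AD (RFC 4035) and RCODE."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "qr": bool(flags & 0x8000),
        "ad": bool(flags & 0x0020),  # upstream resolver claims DNSSEC validation
        "rcode": RCODES.get(flags & 0x000F, "OTHER"),
        "answers": answers,
    }

def stub_lookup(configured, responses):
    """Ask only the configured resolvers, in order; None models a timeout."""
    for server in configured:
        raw = responses.get(server)
        if raw is None:
            continue                      # silence: try next configured server
        hdr = parse_header(raw)
        if not hdr["qr"] or hdr["rcode"] in ("SERVFAIL", "REFUSED"):
            continue                      # server-side failure: try next one
        # NOERROR and NXDOMAIN are final; no other server is consulted.
        return {"server": server, "rcode": hdr["rcode"],
                "ad_claimed": hdr["ad"], "answers": hdr["answers"]}
    return {"server": None, "rcode": "TIMEOUT", "ad_claimed": False, "answers": 0}

# Constructed scenario: two resolvers from DHCP plus one the stub never learns of.
CONFIGURED = ["192.0.2.1", "192.0.2.2"]
SIGNED_ANSWER = make_header(0x81A0, answers=1)   # QR|RD|RA|AD, NOERROR
NXDOMAIN = make_header(0x8183)                   # QR|RD|RA, RCODE 3

def scenarios():
    return {
        "first_says_nxdomain": stub_lookup(
            CONFIGURED, {"192.0.2.1": NXDOMAIN, "192.0.2.2": SIGNED_ANSWER}),
        "first_silent": stub_lookup(CONFIGURED, {"192.0.2.2": SIGNED_ANSWER}),
        "all_configured_silent": stub_lookup(
            CONFIGURED, {"198.51.100.53": SIGNED_ANSWER}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In this model the `ad_claimed` field only reports what the upstream resolver asserted; nothing on the client checks a signature.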
