Registrar Killing Zoho Over A Few Phishing Claims Demonstrates The Ridiculousness Of Having Registrars Police The Internet
from the this-is-not-good dept
For years, we’ve pointed out the dangers of the attempts to move the “policing” function up the internet stack (or down the internet stack, depending on your perspective) from the end-user internet services deeper to infrastructure players. We just recently warned about the mess that will be created by focusing on infrastructure players. Indeed, for years, we’ve worried about targeting domain registrars with takedown notices. There are a variety of reasons for this: first off, registrars are not at all prepared to be in the content moderation business. They just run a database. But, more importantly, their only tool to deal with these things is incredibly blunt: to effectively turn off an entire site by not allowing the URL to resolve.
And yet, there’s increasing pressure for registrars to police the internet. This is mostly because of people (starting with the legacy copyright players, but others as well) over-hyping the fact that if some content/services are taken down, it just pops back up somewhere else. So, those who focus on censorship try to look further and further along the stack to see where they can block even more.
A story this week shows just how damaging this can be. Zoho is a very popular online service provider of tools for businesses. We’ve used Zoho a bunch at times, as they offer a really nice and fairly comprehensive suite of business apps at prices that are much more affordable than many of the larger players (while often being just as good, if not better). But earlier this week Zoho disappeared from the internet for a lot of users, after its registrar, Tierranet, pulled the plug on their service, claiming it had received too many complaints of phishing attempts via Zoho. Zoho points out in response that (1) it had received a grand total of three reports from Tierranet of attempted phishing, and it had promptly removed the first two accounts and was in the process of investigating the third when all this went down, and (2) it received no warning that Tierranet was about to pull the plug on them and was given no way to reach out to the company in this emergency situation (leading the company to take to Twitter to try to get attention).
But, because Tierranet decided it needed to “police the internet” with its ridiculously blunt tool of completely removing an entire service from the internet — despite its millions of users who rely on it for critical business services — Zoho was put in the unenviable position of trying to explain why its entire suite of services completely disappeared. Apparently, (according to Zoho’s explanation) Tierranet will automatically cut off websites after receiving three complaints — which is astounding. It’s even more astounding that a service the size of Zoho only received three such complaints. In a detailed post mortem / apology, the company says it’s going to become its own registrar to avoid having anything like this happen again.
> You have my assurance that nothing like this will ever happen again. We will not let our fate be determined by the automated algorithms of others. We will be a domain registrar ourselves.
But, really, every internet service out there shouldn’t have to be their own registrar to avoid having someone take down their whole site for no good reason. We need to rethink this idea that someone must be policing every interaction online and that if anything bad gets through, liability and blame should flow through to everyone in the stack. It’s not only a recipe for mass censorship, but for one that takes down important services by good actors.
Comments on “Registrar Killing Zoho Over A Few Phishing Claims Demonstrates The Ridiculousness Of Having Registrars Police The Internet”
Mass Censorship and Mass Surveillance go hand in hand. The movie studios would love to see vast sections of the internet taken down until nothing was left but a few walled gardens. They hate us for our freedoms!
It will end with bots automatically flagging every post and letting the repercussions fall as they may.
Given how hard it is to prove a 512(f) DMCA violation, you’d think someone might weaponize this against the movie studios — and see how much they like it then!
One doesn’t have to become their own registrar to mitigate this kind of situation. You simply diversify the dns services you use for name resolution. This also partially shields you from DDoS attacks that take down dns servers. With very long TTL values in your zones your domain name(s) will continue to resolve even if some of your dns servers stop resolving your names.
However, being your own registrar is the only way to prevent a registrar from locking down your names and poisoning or deleting the upstream pointers. Unfortunately it’s also very expensive to become your own registrar. Until we design the next iteration of the net and remove the single points of failure/responsibility from the system this will always be a problem.
In the meantime, speak with your wallet. Don’t use registrars or other services that allow this kind of crap to happen.
Re: Re: Re:
Namecoin is a proposal for readable site names. An onion-routing system like Tor can reduce the need for long-term IP addresses.
Re: Re: Re: Re:
The main question is not long or short term use, but rather unique names and addresses, and reliable mapping from name to address.
Also, a long term address assignment allows name resolution to be bypassed if necessary to bypass name resolution filtering.
Re: Re: Re:2 Re:
Namecoin makes it hard to block specific names. If one chose to point it at .onion addresses only (is that possible?) it would not need to resolve to anything blockable like an IP address.
(Tor still runs over IP, and IP addresses can be blocked; but one cannot easily see the real IP, and these are “short-term” dependencies because failed/blocked connections will automatically reroute to different IPs.)
Re: Re: Re:
GNU Alternative Domain System (GADS) is an option; it uses personal nicknames and 6 degrees of separation domain names.
Re: Re: Re: Re:
I see two problems with it:
…Which doesn’t help when someone goes after your registrar, as in this story.
That would only help users who already have it cached (or whose upstream server does), if it helps at all. It’s designed for when servers disappear, not when upstream servers are actively (and validly) replying NXDOMAIN for you.
Even if you are your own registrar, nothing prevents someone acting in bad faith from forging pointers to take you down — that’s one of the main weaknesses of the DNS system.
Every domain registrar so far is subservient to another. Zoho is under com., meaning Verisign can be targeted; for several hundred thousand dollars they could put themselves in ., the root zone, which still leaves them under IANA/ICANN. These are all US corporations.
They could instead put themselves outside of the regular DNS, e.g. by using a Tor Onion Service, but then would they really be a "registrar"?
While I don’t think hosting providers or content platforms should be treated as utilities or public squares, I think there’s an argument to make that domain name registrars should be. If there were a regulation requiring registrars to provide service to everyone and never take down a domain without a court order, I think that would be defensible.
Sounds like it is time to file a few phishing complaints against Tierranet.
Interesting–they are actually their own registrar:
Domain Name: TIERRA.NET
Registrar: TIERRANET INC. DBA DOMAINDISCOVER
Re: Re: Re:
Not enforcing their own removal policy can cause them to lose big time in a lawsuit, as Cox recently found out.
While I have some sympathy for Zoho, it appears to be a typical story where abuse handling and infrastructure security are treated as costs to be avoided by startups who are more concerned about playing on the company ping pong tables in between “disrupting” business. As someone who spends a lot of time combating phishing attacks I can tell you it is incredibly frustrating trying to get anyone to respond to a complaint. I regard registrars as the nuclear option but when you can’t get a response and thousands of victims are being created every hour sometimes that button needs to be pressed. I suspect the phishing complaints were first placed with, and ignored by, Zoho. Having a registrar handle it is an imperfect solution but I would welcome a reasonable alternative that doesn’t result in criminals being immune hiding behind a provider that doesn’t respond.
And I’d be open to a solution that doesn’t punish a few million other people in order to maybe slow down the criminals for a few hours. But to each their own.
Of course, seems like the easy solution would be for you and your anti-phishing comrades to publish a usable blacklist of phishing domains a la adblockers. No need to worry about (lack of) responses from hosting companies if the attacks are blocked at the receiving end.
Sue the registrar
I wonder if it would lead anywhere suing the registrar. One could complain about losses of revenue or more generally not being able to conduct business.
Zoho and Legitimate Services
I guess I was most surprised to see that someone was using them for legitimate services. Normally when I see them it is where they are promoting some sort of dodgy advertising or co-branding campaign in which they would like me to take part.
So far I have declined their “pink” invitations.
Same thing happened to JotForm a while back (2012)
Except JotForm was taken down by the federal government. It was amazingly stupid and heavy-handed and the non-profit where I work was effectively unable to take donations while it was down. Like Zoho, JotForm also serves a very useful function, making webforms super simple, so of course some idiots will use it for phishing. We still use it for several webforms including our donation form. At the time JotForm was literally forced to register a .net domain to get back up and running and now their .com and .net pages are essentially mirrored in case anyone gets another dumb idea.
But why stop so far down the stack?
Denial of Service vulnerability
> Apparently, (according to Zoho’s explanation) Tierranet will automatically cut off websites after receiving three complaints
Well. There’s a 0-day DoS vulnerability right there.
Sometimes you only get what you pay for
Registrars turn off thousands of phishing domains every day, and you never hear about it, because they don’t make very many mistakes, and the Internet would be much more unpleasant if they didn’t. No question, turning off zoho.com was a mistake, but I have to ask, what was Zoho thinking?
There are a thousand registrars (and tens of thousands of resellers) and their services vary greatly. Tierranet’s market is individuals and small businesses with low value names. They charge $12/yr for a .com. How much personal attention do you think you’ve bought for that price?
If your domain is valuable, registrars like Markmonitor and CSC will provide much more secure service at a much higher price, and won’t casually turn you off. If you don’t treat your domain like it’s valuable, why should anyone else treat it that way?
By the way, I expect that Zoho has other reasons for becoming their own registrar, like selling domains to their customers. If you just want to protect one high-value name, a name at Markmonitor is a lot cheaper than running an entire registry.