Former DHS Assistant Secretary Stewart Baker On SOPA 2.0: Still A Disaster For Cybersecurity

from the no-surprise-there dept

One of the most credible critics of SOPA -- and one whose concerns certainly got the interest of Congress during the November Judiciary Committee hearings -- is Stewart Baker, the former Homeland Security Assistant Secretary and former NSA General Counsel, who argued that it would be a disaster for online security. So now that Lamar Smith has updated the bill to supposedly take into account the concerns of experts like Baker, how does he feel about the bill? Apparently, he still thinks it's a total disaster for online security:
Unfortunately, the new version would still do great damage to Internet security, mainly by putting obstacles in the way of DNSSEC, a protocol designed to limit certain kinds of Internet crime.
Baker lays out, in plain English, the problem here:
Today, it's not uncommon for crooks to take over Internet connections in hotels, coffee shops and airports -- and then to direct users to fake websites. Users sent to a fake banking site are prompted to enter account and password data, which is used to loot the account. DNSSEC prevents such attacks by giving each website a signed credential that must be shown to the browser by the domain name system server before the connection can be completed.

That's a great idea, but crooks will predictably try to override it. Their best bet is to claim that the website doesn't have a signed credential -- a claim that will be plausible at least during the transition to DNSSEC. What should a browser do if a website says it doesn't have a signed credential yet? The site might be telling the truth, or it might be a fake site backed by a DNS server that's been tampered with. To find out, the browser needs to ask a second DNS server, and if that server doesn't give an answer, a third and a fourth server until it gets an answer. That's the only way to keep criminals from blocking the real DNS credentials and offering their own.

Unfortunately, the things a browser does to bypass a criminal site will also defeat SOPA's scheme for blocking pirate sites. SOPA envisions the AG telling ISPs to block the address of So the browsers get no information about from the ISP's DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address. Eventually, it will find a server in, say, Canada. Free from the Attorney General's jurisdiction, the server will provide a signed address for, and the browser will take its user to the authenticated site.

That's what the browser should do if it's dealing with a hijacked DNS server. But browser code can't tell the Attorney General from a hijacker, so it will end up treating them both the same. And from the AG's point of view, the browser's efforts to find an authoritative DNS server will look like a deliberate effort to evade his blocking order.
This is a pretty big problem, because SOPA has that nasty anti-circumvention clause in it. And just the very act of fraud detection is a form of circumvention, which will violate SOPA. Think about that for a second. Basically a browser that does the most secure and reasonable thing in the face of a possible man-in-the-middle attack... is now liable for breaking the anti-circumvention clause. This is pretty scary.
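The fallback behaviour Baker describes, as a small simulation added here (not code from Baker, Techdirt or any browser). It shows why a client cannot tell a blocked answer from a hijacked one. HMAC stands in for DNSSEC's public-key signatures, and the server functions, key, name and addresses are all constructed for illustration.

```python
import hashlib
import hmac

# Assumption: HMAC with a shared key stands in for DNSSEC's public-key
# signatures so the sketch runs on the standard library alone.
ZONE_KEY = b"constructed-demo-key"
REAL_ADDR = "198.51.100.7"    # constructed (documentation range)
FAKE_ADDR = "203.0.113.66"    # constructed (documentation range)

def sign(name, addr):
    msg = f"{name}|{addr}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()

def verified(name, answer):
    """True only when the answer carries a credential that checks out."""
    if not answer or not answer.get("sig"):
        return False
    return hmac.compare_digest(answer["sig"], sign(name, answer["addr"]))

# Three hypothetical servers, matching the cases in the quoted passage.
def hijacked(name):   # tampered server: fake address, "no credential yet"
    return {"addr": FAKE_ADDR, "sig": None}

def blocked(name):    # server under a blocking order: silence
    return None

def honest(name):     # untampered server: signed answer
    return {"addr": REAL_ADDR, "sig": sign(name, REAL_ADDR)}

def resolve(name, servers):
    """Ask each server in turn and accept the first verified answer.

    Returns (address or None, list of (label, outcome))."""
    log = []
    for label, server in servers:
        answer = server(name)
        if verified(name, answer):
            log.append((label, "accepted"))
            return answer["addr"], log
        # Unsigned answer and silence land here alike: the client only
        # knows it has nothing it can trust from this server.
        log.append((label, "unverified"))
    return None, log

if __name__ == "__main__":
    for first in (hijacked, blocked):
        print(resolve("example.com", [("first", first), ("second", honest)]))
```

Both runs produce the same address and the same log, which is the point of the passage: from the client's side the two situations are indistinguishable.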
It's hard to escape the conclusion that this provision is aimed squarely at the browser companies. Browsers implementing DNSSEC will have to circumvent and bypass criminal blocking, and in the process, they will also circumvent and bypass SOPA orders. The new bill allows the AG to sue the browsers if he decides he cares more about enforcing his blocking orders than about the security risks faced by Internet users. Indeed, the opaque language about "another in concert with such entity" makes perfect sense in the context of browser extensions. It allows the AG to sue not just browsers but also add-ons with this feature.
The end result, of course, is that companies will avoid implementing DNSSEC -- an important standard that's been under careful development for over a decade:
Now imagine you are Microsoft, or Google, or Apple, or Mozilla. The DNSSEC guys come to you and ask you to implement DNSSEC. It won't increase your revenue, they admit, but it will make the Internet much safer for your users. You want to be a good internet citizen, so you think maybe you should devote some precious code-writing resources to the cause. But first you ask your lawyers whether they foresee any problems.

"Well, yes," they'd have to say. "If you add code to the browser that implements DNSSEC, you'll have to add code that circumvents criminal hijackings of the DNS system. And that code can be declared illegal by the Attorney General pretty much whenever he likes. You can litigate about it, of course, but if you lose, the AG can shut down all shipments of your browser until it's been revised to the satisfaction of his staff and their advisers in Hollywood."

Faced with that advice, would you implement DNSSEC?

Neither would I.
Yeah. Basically, sixteen years of hard work to build a system that will prevent man-in-the-middle attacks and keep the internet much safer... washed completely down the drain because Hollywood still can't understand basic economics of how to make money online. And folks in Congress actually think this is a good idea?

Filed Under: copyright, cybersecurity, online security, sopa, stewart baker

Reader Comments

  1. Anonymous Coward, 15 Dec 2011 @ 11:03am

    Once the American people wake up to find the Internet censored I think that even though there are a lot of "mindless consumers" still many of the younger folk growing up are or have been around Computers for at the very least a decade.
    Hopefully there will be a call to a lot more than just a tent and walking around with a poster. I am really angry and disgusted.
    SOPA/PIPA is a direct assault on this whole Country. If only I had a little more money as I would love to put a website up called boycott hollywood or something like that.
    And I am also ready to go to Washington and March on that Cancer along with millions. I do not think in the end they are really going to get away with this untouched.
