Registrar Killing Zoho Over A Few Phishing Claims Demonstrates The Ridiculousness Of Having Registrars Police The Internet

from the this-is-not-good dept

For years, we've pointed out the dangers of the attempts to move the "policing" function up the internet stack (or down the internet stack, depending on your perspective) from the end-user internet services deeper to infrastructure players. We just recently warned about the mess that will be created by focusing on infrastructure players. Indeed, for years, we've worried about targeting domain registrars with takedown notices. There are a variety of reasons for this: first off, registrars are not at all prepared to be in the content moderation business. They just run a database. But, more importantly, their only tool to deal with these things is incredibly blunt: to effectively turn off an entire site by not allowing the URL to resolve.

And yet, there's increasing pressure for registrars to police the internet. This is mostly because of people (starting with the legacy copyright players, but others as well) over-hyping the fact that if some content/services are taken down, it just pops back up somewhere else. So, those who focus on censorship try to look further and further along the stack to see where they can block even more.

A story this week shows just how damaging this can be. Zoho is a very popular online service provider of tools for businesses. We've used Zoho a bunch at times, as they offer a really nice and fairly comprehensive suite of business apps at prices that are much more affordable than many of the larger players (while often being just as good, if not better). But earlier this week Zoho disappeared from the internet for a lot of users, after its registrar, Tierranet pulled the plug on their service, claiming it had received too many complaints of phishing attempts via Zoho. Zoho points out in response that (1) it had received a grand total of three reports from Tierranet of attempting phishing, and it had promptly removed the first two accounts and was in the process of investigating the third when all this went down, and (2) it received no warning that Tierranet was about to pull the plug on them and was given no way to reach out to the company in this emergency situation (leading the company to take to Twitter to try to get attention).

But, because Tierranet decided it needed to "police the internet" with its ridiculously blunt tool of completely removing an entire service from the internet -- despite its millions of users who rely on it for critical business services -- Zoho was put in the unenviable position of trying to explain why its entire suite of services completely disappeared. Apparently, (according to Zoho's explanation) Tierranet will automatically cut off websites after receiving three complaints -- which is astounding. It's even more astounding that a service the size of Zoho only received three such complaints. In a detailed post mortem / apology, the company says it's going to become its own registrar to avoid having anything like this happen again.

You have my assurance that nothing like this will ever happen again. We will not let our fate be determined by the automated algorithms of others. We will be a domain registrar ourselves.

But, really, every internet service out there shouldn't have to be their own registrar to avoid having someone take down their whole site for no good reason. We need to rethink this idea that someone must be policing every interaction online and that if anything bad gets through, liability and blame should flow through to everyone in the stack. It's not only a recipe for mass censorship, but for one that takes down important services by good actors.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Gary (profile), 28 Sep 2018 @ 12:07pm

    Mass

    Mass Censorship and Mass Surveillance go hand in hand. The movie studios would love to see vast sections of the internet taken down until nothing was left but a few walled gardens. They hate us for our freedoms!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Sep 2018 @ 12:41pm

      Re: Mass

      It will end with bots automatically flagging every post and letting the repercussions fall as they may.

      reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 28 Sep 2018 @ 4:22pm

      Re: Mass

      Given how hard it is to prove a 512(f) DMCA violation, you'd think someone might weaponize this against the movie studios -- and see how much they like it then!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Sep 2018 @ 12:55pm

    One doesn't have to become their own registrar to mitigate this kind of situation. You simply diversify the dns services you use for name resolution. This also partially shields you from DDoS attacks that take down dns servers. With very long TTL values in your zones your domain name(s) will continue to resolve even if some of your dns servers stop resolving your names.

    However, being your own registrar is the only way to prevent a registrar from locking down your names and poisoning or deleting the upstream pointers. Unfortunately it's also very expensive to become your own registrar. Until we design the next iteration of the net and remove the single points of failure/responsibility from the system this will always be a problem.

    In the meantime, speak with your wallet. Don't use registrars or other services that allow this kind of crap to happen.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Sep 2018 @ 1:32pm

      Re:

      >Until we design the next iteration of the net and remove the single points of failure/responsibility from the system this will always be a problem.

      How do you propose to do that for:
      1)IP or equivalent network level addresses.
      2)Readable site names

      where uniqueness of address and name have to be guaranteed.

      ICANN like structures are the way to achieve this.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Sep 2018 @ 1:48pm

        Re: Re:

        Namecoin is a proposal for readable site names. An onion-routing system like Tor can reduce the need for long-term IP addresses.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 Sep 2018 @ 2:39pm

          Re: Re: Re:

          The main question is not long or short term use, but rather unique names and addresses, and reliable mapping from name to address.

          Also, a long term address assignment allows names resolution to be bypasses if necessary to bypass name resolution filtering.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 28 Sep 2018 @ 3:05pm

            Re: Re: Re: Re:

            Namecoin makes it hard to block specific names. If one chose to point it at .onion addresses only (is that possible?) it would not need to resolve to anything blockable like an IP address.

            (Tor still runs over IP, and IP addresses can be blocked; but one cannot easily see the real IP, and these are "short-term" dependencies because failed/blocked connections will automatically reroute to different IPs.)

            reply to this | link to this | view in chronology ]

      • identicon
        tom sparks, 28 Sep 2018 @ 3:52pm

        Re: Re:

        [NU Alternative Domain System (GADS)](https://gnunet.org/schanzen2012thesis) is an option it use personal nicknames and 6 degrees of separation domain names

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 Sep 2018 @ 2:25am

          Re: Re: Re:

          I see two problems with it:

          • Last time I looked, it was ultra complicated to integrate into your app and it was still in 0.x after years of development.
          • It requires intervention from the user. Requiring intervention for technical things is bad for widespread adoption, as can be seen with PGP.

          reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Sep 2018 @ 2:33pm

      Re:

      You simply diversify the dns services you use for name resolution.

      ...Which doesn't help when someone goes after your registrar, as in this story.

      With very long TTL values in your zones your domain name(s) will continue to resolve even if some of your dns servers stop resolving your names.

      That would only help users who already have it cached (or whose upstream server does), if it helps at all. It's designed for when servers disappear, not when upstream servers are actively (and validly) replying NXDOMAIN for you.

      reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 28 Sep 2018 @ 4:24pm

      Re:

      Even if you are your own registrar, nothing prevents someone acting in bad faith from forging pointers to take you down -- that's one of the main weaknesses of the DNS system.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 28 Sep 2018 @ 12:58pm

    Good luck

    We will not let our fate be determined by the automated algorithms of others. We will be a domain registrar ourselves.

    Every domain registrar so far is subservient to another. Zoho is under com., meaning Verisign can be targeted; for several hundred thousand dollars they could put themselves in ., the root zone, which still leaves them under IANA/ICANN. These are all US corporations.

    They could instead put themselves outside of the regular DNS, e.g. by using a Tor Orion Service, but then would they really be a "registrar"?

    reply to this | link to this | view in chronology ]

  • icon
    Thad (profile), 28 Sep 2018 @ 2:29pm

    While I don't think hosting providers or content platforms should be treated as utilities or public squares, I think there's an argument to make that domain name registrars should be. If there were a regulation requiring registrars to provide service to everyone and never take down a domain without a court order, I think that would be defensible.

    reply to this | link to this | view in chronology ]

  • icon
    tom (profile), 28 Sep 2018 @ 2:33pm

    Sounds like it is time to file a few phishing complaints against Tierranet.

    reply to this | link to this | view in chronology ]

  • icon
    Primo Geek (profile), 28 Sep 2018 @ 6:44pm

    While I have some sympathy to Zoho, it appears to be a typical story where abuse handling and infrastructure security are treated as costs to be avoided by startups who are more concerned about playing on the company ping pong tables in between "disrupting" business. As someone who spends a lot of time combating phishing attacks I can tell you it is incredibly frustrating trying to get anyone to respond to a complaint. I regard registrars as the nuclear option but when you can't get a response and thousands of victims are being created every hour sometimes that button needs to be pressed. I suspect the phishing complaints were first placed with, and ignored by, Zoho. Having a registrar handle it is an imperfect solution but I would welcome a reasonable alternative that doesn't result in criminals being immune hiding behind a provider that doesn't respond

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Sep 2018 @ 11:18am

      Re:

      And I'd be open to a solution that doesn't punish a few million other people in order to *maybe* slow down the criminals for a few hours. But to each their own.

      Of course, seems like the easy solution would be for you and your anti-phishing comrades to publish a usable blacklist of phishing domains a la adblockers. No need to worry about (lack of) responses from hosting companies if the attacks are blocked at the receiving end.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Sep 2018 @ 1:56am

    Sue the registrar

    I wonder if it would lead anywhere suing the registrar. One could complain about losses of revenue or more generally not being able to conduct business.

    reply to this | link to this | view in chronology ]

  • icon
    Tanner Andrews (profile), 29 Sep 2018 @ 10:53am

    Zoho and Legitimate Services

    I guess I was mos surprised to see that someone was using them for legitimate servcies. Normally when I see them it is where they are promoting some sort of dodgy advertising or co-branding campaign in which they would like me to take part.

    So far I have declined their "pink" invitations.

    reply to this | link to this | view in chronology ]

  • identicon
    Not.You, 29 Sep 2018 @ 11:48am

    Same thing happened to JotForm a while back (2012)

    Except JotForm was taken down by the federal government. It was amazingly stupid and heavy-handed and the non-profit where I work was effectively unable to take donations while it was down. Like Zoho, JotForm also serves a very useful function, making webforms super simple,so of course some idiots will use it for phishing. We still use it for several webforms including our donation form. At the time JotForm was literally forced to register a .net domain to get back up and running and now their .com and .net pages are essentially mirrored in case anyone gets another dumb idea.

    reply to this | link to this | view in chronology ]

  • identicon
    Ed, 29 Sep 2018 @ 3:10pm

    Brilliant idea

    But why stop so far down the stack?
    Ban .mp4
    Then .avi
    Then...
    No piracy!

    reply to this | link to this | view in chronology ]

  • identicon
    √Čibhear, 1 Oct 2018 @ 2:42am

    Denial of Service vulnerability

    > Apparently, (according to Zoho's explanation) Tierranet will automatically cut off websites after receiving three complaints

    Well. There's a 0-day DoS vulnerability right there.

    reply to this | link to this | view in chronology ]

  • icon
    spamvictim (profile), 1 Oct 2018 @ 10:57am

    Sometimes you only get what you pay for

    Registrars turn off thousands of phishing domains every day, and you never hear about it, because they don't make very many mistakes, and the Internet would be much more unpleasant if they didn't. No question, turning off zoho.com was a mistake, but I have to ask, what was Zoho thinking?

    There are a thousand registrars (and tens of thousands of resellers) and their services vary greatly. Tierranet's market is individuals and small businesses with low value names. They charge $12/yr for a .com. How much personal attention do you think you've bought for that price?

    If your domain is valuable, registrars like Markmonitor and CSC will provide much more secure service at a much higher price, and won't casually turn you off. If you don't treat your domain like it's valuable, why should anyone else treat it that way?

    By the way, I expect that Zoho has other reasons for becoming their own registrar, like selling domains to their customers. If you just want to protect one high-value name, a name at Markmonitor is a lot cheaper than running an entire registry.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Close
Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.