from the taking-down-security-certs-is-bad dept
A little over a year ago, Matt Holt, who created the Caddy Server that helps make it easier to protect websites with HTTPS encryption, posted a hypothetical blog post, from the year 2022, in which he worried that enterprising and persistent copyright lawyers would have continued moving up the stack with their DMCA notices, and started to use the process to get HTTPS security certificates removed.
A lawyer need only be successful in convincing one of those four “choke points” by threatening legal action in order to suffocate the site. (There are others, like ISPs, which operate more generally, and we skip them for brevity.) These entities totally control the site’s availability, which is one crucial dimension of secure systems. Here they are again:
- Site owner. He or she can voluntarily remove the site/content.
- Web host. They can destroy the site owner’s account or files.
- Domain registrar. They can cancel or transfer ownership of the domain name.
- DNS provider. They can make the site inaccessible via hostname.
Now that it’s 2022, a site needs HTTPS in order to be trusted by browsers. At very least, this means they show an indicator above the page. Maybe it even means the browser shows a warning before navigating to the site. Either way, HTTPS is critical to a site’s availability and integrity.
DMCA lawyers are clever, and they realize this emerging trend. They contact a site’s CA and demand the site be disconnected for violating the law (despite lack of a court case). The CA, operating without policy for such requests and afraid of legal ramifications, revokes the site’s certificate.
Within hours, browsers begin to refuse connecting to the site on port 443 and warning flags fly instead, scaring users away. Browsers don’t revert to port 80 anymore because HTTPS is expected and using HTTP is effectively a downgrade attack. Visitors aren’t sure what to do, and the site goes offline around the globe.
We’ve raised some questions in the past about this process of copyright holders moving up the stack — and not just targeting the content hosts, but companies further upstream, including ad providers, domain registers and registrars, and the like. There are serious issues with each of these, but going after security certificates seems especially pernicious.
But Matt was a bit off in his predicted timing on this. After his article ran, we learned of at least a few examples of copyright holders going after security certificate providers. Take for example this copyright notice that was sent to Squarespace (the host), Tucows (the domain register), and Let’s Encrypt (the security certificate provider).
And now TorrentFreak notes that Comodo has revoked Sci-Hub’s HTTPS certificate.
“In response to a court order against Sci-Hub, Comodo CA has revoked four certificates for the site,” Jonathan Skinner, Director, Global Channel Programs at Comodo CA informed TorrentFreak.
“By policy Comodo CA obeys court orders and the law to the full extent of its ability.”
Comodo refused to confirm any additional details, including whether these revocations were anything to do with the current ACS injunction. However, Susan R. Morrissey, Director of Communications at ACS, told TorrentFreak that the revocations were indeed part of ACS’ legal action against Sci-Hub.
“[T]he action is related to our continuing efforts to protect ACS’ intellectual property,” Morrissey confirmed.
We’ve obviously covered a lot about the Sci-hub story over the years, and the weird quixotic focus by some to take down a site focused on (of all things) better sharing academic knowledge (especially to academics in the developing world). It’s already sickening enough the level to which some copyright holders have gone to effectively shut down a library, but going after the security certificate is beyond the pale.
The DMCA allows for approaching a variety of different intermediaries, from network communications, to hosts, to caching, to “information location tools” (i.e. search engines), but I have a very difficult time seeing how any of that applies to security certificate providers (or, for that matter, to domain registers).
Even more bizarre is that going after the security certificate doesn’t stop any actual infringement — it just makes users a lot less safe. And yet, it’s coming from the very same copyright holders who keep trying to tell people they shouldn’t pirate content because it exposes them to malware and viruses and dangerous computers and the like. But removing security certificates would make that a much more serious problem. And yet, here we have a case where ACS went after a security certificate, a judge okayed it, and Comodo played along. That’s dangerous for the way the internet works and is kept secure. If they want to go after the hosts, go after the hosts. Destroying the ability to protect users by encrypting the traffic is just evil.