This document tries to explain, on a non-technical level, how SOPA will not only fail to do what it is intended to do but will also break DNSSEC at the same time. Forward this to anybody you know to convince them to express their support for the resistance to SOPA.

Is SOPA worth the sacrifice of a secure internet?

On October 26th 2011, the “Stop Online Piracy Act” (SOPA) was introduced to the
U.S. Congress with the intent to curb the proliferation of copyright infringement and the
piracy of intellectual property. The goals of SOPA are clear and understood. The means by
which the proposed bill will try to achieve these goals are, however, not without a
far-reaching negative impact on the stability and the security of the internet. This document
intends to clarify the repercussions of SOPA and how the bill contradicts earlier U.S.
commitment to internet security and the protection of online U.S. assets.

When an individual is looking for information, purchasing goods or doing business on
the internet, she uses a computing device that, either through a web browser or another
application, allows her to interact with assets on the internet. Today she can use a phone, a
tablet, a laptop, a PC or a fridge for this purpose. The assets she interacts with can be
anywhere in the world. While her user experience is smooth and everything seems to go back
and forth automatically, there is a lot of technology involved. Technology that is not relevant
to the end user. Technology that is ubiquitous and trivial, until it breaks. The main
technology enabling people to send mails, buy presents, write blogs, etc. is the Domain
Name System (DNS). Where all assets on the internet are known by their ‘Internet Protocol
addresses’, the DNS translates these weird numbers to human-readable addresses.
www.facebook.com, www.whitehouse.gov and www.google.com are all examples of such
DNS names. They are easy to remember, easy to use and easy to share. The DNS is, and will
remain, what makes the internet user-friendly for most of its users and thus a crucial
part of our online life.

Internet users are, on a daily basis, targeted by online criminals who abuse several
weaknesses in the DNS. Online criminals impersonate social networks, banks and legitimate
online businesses. The weaknesses allow viruses to be installed on the devices used by our
citizens, and they facilitate identity theft and the abuse of credit cards. As online crime has
soared over the past years, impacting citizens and businesses alike, several counter-measures
have been evaluated, and most of them have been proven to fall short in re-establishing
trust in the internet. The only solution, built on the DNS, that maintains the flexibility of
today’s internet while adding the required robustness is DNSSEC: Domain Name System
Security Extensions. DNSSEC is so much of a necessity for a secure internet that it has been
supported and promoted by the highest levels of the U.S. government since the Clinton
administration. George W. Bush included securing the DNS among national cybersecurity
priorities, and when DNSSEC roll-out started in 2010, the Obama administration called it “a
major milestone for internet security”. This all underlines the importance of the DNS as a
technology supporting the internet and the crucial part it plays in enabling and securing
online business.

DNSSEC guarantees the authenticity of a DNS name. When a user requests the DNS
name associated with an ‘Internet Protocol’ address from a DNS server using DNSSEC, she
can trust the response, as the cryptographic signature associated with the DNS name cannot
be forged or changed. This blocks any attempt by online criminals to impersonate online
assets, secures the internet from the ground up and re-establishes trust in running
businesses online.

SOPA, at its core, contains a provision to filter traffic between the internet user and a
website hosting pirated content using the DNS. This would empower the Department of
Justice, with a court order, to require operators of DNS servers to redirect traffic for a
specific website to a specific textual notice developed by the Attorney General, thus
rendering the pirated content unavailable.

The first problem with using this counter-measure to protect intellectual property is
that it will not prevent internet users who want to access pirated content from doing so.
There are 10 million DNS servers on the internet, a minority of those operated by U.S.
organizations, that those users can connect to instead of the DNS servers that have filtering
implemented. Moreover, they can connect to the servers hosting the pirated content using
their ‘Internet Protocol’ addresses, thus completely circumventing the DNS (and rendering
the filtering useless). SOPA’s DNS filtering provision will (and can) not prevent internet
users who are looking for pirated content from accessing it.

The second, and more serious, problem is that SOPA will undermine the trust
between consumers who use online services and businesses who offer their services online.
Online trust has been eroding over the past decade, as no technology was able to prevent
criminals from stealing identities or other personal information, or from impersonating
popular or high-profile websites. Just like in the real world, where consumers tend to do
business with those entities that they can trust, the online world needs a system that can
guarantee that a specific website is the website that the consumer intends to do business
with. We, as humans, tend to avoid buying bread from those bakeries that are suspected of
messing with the ingredients in their products. We take our business to other butchers once
we get a hunch that ours is selling us second-grade meat. We buy from those that we trust,
and the economy soars when trust is honored.

DNSSEC, as it is in the process of being rolled out, is supported by the U.S.
government and is the only solution to guarantee online users that they are dealing with the
online entity they intended to deal with. It works very much like an online identity store,
maintained by its owner, listing all the names of online resources that are allowed to
represent its brand name. When a DNSSEC-enabled application requests such a resource,
the answer is basically signed by the owner’s CEO, giving the user the guarantee that it’s OK
to conduct business. As more and more applications start supporting DNSSEC, any attempt
to redirect a user to a resource she didn’t intend to access will no longer happen without
notice, thus preventing online criminals from using the simplest tool available without being
detected.

The DNS filtering provision in SOPA relies on the same technique that online
criminals use to steal from our citizens. If we allow this provision to become law, we not
only give those criminals a waiver to keep doing damage to our citizens and businesses, but
we also call a stop to a joint effort to secure the internet. We have been going forward with
great strides. The U.S. government, (inter)national corporations and internet users have
joined hands, allowing DNSSEC to gain traction and get up to speed. We cannot allow a
provision that doesn’t have the capacity to prevent what it’s intended to prevent to
undermine online trust, render the internet insecure forever and wipe away an
unprecedented effort - made possible by citizens, the government and corporations - in one
go.