by jdong 1273 days ago
>(This isn't a particularly idle concern. Amazingly Microsoft once got a court to let it take operational control of the domain no-ip.org — that is, to actually hijack the domain — a dynamic DNS service used by countless people — simply because one user was apparently using it for malware-related purposes.)

What a dishonest take. Microsoft wasn't granted this court order because there was one bad no-ip user; Microsoft was granted the court order because there was a bad no-ip user that no-ip wouldn't take action against.

Oh, and it wasn't one bad user. It was 22000 different hostnames.

5 comments

Author here.

If the action sought in the court case, and the outcome, were "the domain was taken down", that would be one thing. Domains get suspended by court cases all the time; that's not the issue.

What makes the no-ip.org case extraordinary is that Microsoft a) persuaded the court that the domain was being used for malware, and then b) persuaded the court that because of this, rather than doing something normal like compelling its operator to take down the afflicted subdomains, or failing that compelling a third party to suspend the domain, that they should be allowed to take over DNS service for the domain.

Microsoft is not the law and they have no special legal status. If a domain is being used for cybercrime it's one thing, it doesn't mean any random party should get to walk into court, complain about it, and then offer to "solve" the issue by randomly appointing itself DNS provider. Microsoft essentially hijacked and MitM'd the domain via court order, again demonstrating that the registries/registrars will always be a risk here.

The result I might add was a massive outage for a massive number of innocent no-ip.org users.

I think the fundamental issue here is that the court actually granted Microsoft's ridiculous request. The only valid ruling here was for the court to order the suspension of the domain.

Seeing that Microsoft are an unrelated third-party, what was the judge's reasoning for granting them specifically ownership of the defendant's property? Wouldn't it have made more sense to assign ownership to a government organization instead?

Did Microsoft reimburse the domain owner the value of the domain or did they just steal it without payment?

It all got reversed eventually after massive negative press coverage. I don't think Microsoft took "ownership" of the domain, but simply got the court to make them the nameservers, though I may be wrong.

I do feel like the only way this request was granted was due to total ignorance on the part of the court of anything about how the internet works.

> I do feel like the only way this request was granted was due to total ignorance on the part of the court of anything about how the internet works.

It sounds like the court, unlike you, has the power to make the internet work the way it thinks it does, and is thereby right about how it works.

It's a completely reasonable request that has been granted countless times now.

>I do feel like the only way this request was granted was due to total ignorance on the part of the court of anything about how the internet works.

This is absurd. The court ideologically disagrees with you about how the internet should work, not about how the internet works. This does not suggest that the court is ignorant of anything.

>What makes the no-ip.org case extraordinary is that Microsoft a) persuaded the court that the domain was being used for malware, and then b) persuaded the court that because of this, rather than doing something normal like compelling its operator to take down the afflicted subdomains, or failing that compelling a third party to suspend the domain, that they should be allowed to take over DNS service for the domain.

This is a completely normal measure; simply taking down a domain is not nearly as effective an anti-malware measure as sinkholing it. A sinkhole could in some cases uninstall the malware from affected computers, or at least identify their IP addresses for notification purposes.

>Microsoft is not the law and they have no special legal status.

Exactly.

>If a domain is being used for cybercrime it's one thing, it doesn't mean any random party should get to walk into court, complain about it, and then offer to "solve" the issue by randomly appointing itself DNS provider

Microsoft is not a random party, it's a party whose business is directly affected by these illegal malware campaigns and has been repeatedly held to have standing in these cases.

>The result I might add was a massive outage for a massive number of innocent no-ip.org users.

Turns out that possibly most no-ip users were malicious https://umbrella.cisco.com/blog/on-the-trail-of-malicious-dy...

Regardless of whether you think it's dishonest or not, his point still stands: TLS MitM is not and cannot be mitigated via DNS.
Nor with DNSSEC: the same government that gave Microsoft control over this zone has de jure control over DNSSEC key management for that zone.
I wish there was wide support for public-key-addressable servers (like Tor addresses). It won't solve the issue of memorable names, but it could solve this bootstrapping problem.

Perhaps LE should look into incorporating Tor into its domain verification process.

“[…] you cannot have a namespace which has all three of: distributed (in the sense that there is no central authority which can control the namespace, which is the same as saying that the namespace spans trust boundaries), secure (in the sense that name lookups cannot be forced to return incorrect values by an attacker, where the definition of "incorrect" is determined by some universal policy of name ownership), and having human-usable keys.”

— Zooko Wilcox-O'Hearn: https://en.wikipedia.org/wiki/Zooko%27s_triangle

Zooko's conjecture predates the invention of Bitcoin, and the article goes on to explain that blockchain-based systems can in fact have all three properties.
I don't think we would need to deal with Zooko's triangle in the case of automated systems like Let's Encrypt. Human legibility need not apply.
It's not that anything in the verification protocol needs to be human-readable, it's that domain names themselves need to be human-readable and therefore can't just be derived from public keys. Which means you have to have some kind of system for deciding who controls which names, that doesn't just come down to who possesses a particular key. Zooko conjectured that this couldn't be done in a way that was both decentralized and cryptographically secure. He turned out to be wrong about that, although the DNS that everyone actually uses remains centralized.
Actually, you can.
I like the downvotes here for stating a fact.

The current CA system is horrendous in its centralization. It is completely possible to make a new mechanism using hashed-addresses and using traffic + user choice as the allocation mechanism for namespaces.

Instead of namespaces being fought for financially, users assign namespaces to site addresses (hashes) which represent a pub key of a keypair and identity of a server. The namespaces, say “search” is then assigned to the address hash with the most users by default. If a user likes a different one, they link the “search” namespace to a different hash and that counts as a vote for that location being the default.

This can be done using just traffic as an indicator for the defaults, in the event unique humanness cannot be established properly for an identity.

One summary of a frictionless scheme without central control that circumvents just about every shortcoming of the current system, and has all three properties.

There are other schemes, btw.

Also, in the event it isn’t clear: tls comes natively to this scheme because the addresses are pub keys. There can’t be a mitm for this scheme unless they have the priv key, or find a way to direct traffic through them and acquire a majority stake for a namespace and phish the original site. Whoever has the priv key controls the properties of the address hash, which is where all the records go.

This would make the internet significantly more democratic and less prone to bad actors. It would eliminate domain name squatting completely, and would enable new technologies which more closely match a namespace than old ones to have a chance, promoting innovation and meaningful competition.

How do you handle key rotation?
When you connect to the service, the client tells the server which public key (key A) it's expecting the server to prove that it has ownership of.

If the key A is still valid, the server can use the corresponding private key to sign a challenge.

If the key has been rotated out, the server instead presents the new key, and a signature. E.g., the server responds by naming key B, and presents a certificate of key B, signed by key A (the presented key). Instead of just a single key rotation the server could present a chain of certificates from A to B to C (the key the server wants to use). And optionally, a message saying "from now on, please make further requests using key B as key A has expired".
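
The rotation handshake described in the comment above, written out as an added example (it is not code from the thread or from any project mentioned in it). It assumes Ed25519 keys, a rotation certificate that is simply the predecessor key's signature over the successor's public key, and a server that keeps its full key history so it can answer a client pinning any older key. The client walks the chain from its pinned key, checks each link is signed by the key before it, then checks the challenge signature under the final key and re-pins that key. The demo also shows the two rejections a verifier needs: a chain whose link is not signed by the preceding key, and a request naming a key the server never held. The "this falls apart if keys are compromised" caveat raised in the reply holds here too: the verifier cannot distinguish a rotation signed by the legitimate holder of key A from one signed by whoever stole A.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RotationCert binds a successor key to a predecessor: the predecessor's
// private key signs the successor's public key (format assumed for this example).
type RotationCert struct {
	NewKey ed25519.PublicKey
	Sig    []byte // signature by the preceding key over rotationMessage(NewKey)
}

// rotationMessage gives rotation signatures their own domain separation so a
// rotation cert can never be replayed as a challenge signature or vice versa.
func rotationMessage(next ed25519.PublicKey) []byte {
	return append([]byte("rotate-to:"), next...)
}

// Server keeps its whole key history: Keys[0] is the original key,
// Keys[len-1] is current, and Certs[i] moves from Keys[i] to Keys[i+1].
type Server struct {
	Keys  []ed25519.PublicKey
	Certs []RotationCert
	priv  ed25519.PrivateKey // private half of the current key only
}

func NewServer() (*Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{Keys: []ed25519.PublicKey{pub}, priv: priv}, nil
}

// Rotate generates a new key and has the current key certify it.
func (s *Server) Rotate() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	s.Certs = append(s.Certs, RotationCert{NewKey: pub, Sig: ed25519.Sign(s.priv, rotationMessage(pub))})
	s.Keys = append(s.Keys, pub)
	s.priv = priv
	return nil
}

func (s *Server) Current() ed25519.PublicKey { return s.Keys[len(s.Keys)-1] }

// Response carries the certs from the client's expected key up to the current
// key (empty when the expected key is still current) and a challenge signature
// made with the current key.
type Response struct {
	Chain        []RotationCert
	ChallengeSig []byte
}

// Respond answers a client that named `expected` as the key it is pinning.
func (s *Server) Respond(expected ed25519.PublicKey, challenge []byte) (Response, error) {
	for i, k := range s.Keys {
		if bytes.Equal(k, expected) {
			return Response{Chain: s.Certs[i:], ChallengeSig: ed25519.Sign(s.priv, challenge)}, nil
		}
	}
	return Response{}, errors.New("client expects a key this server never held")
}

// Verify is the client side: walk the chain from the pinned key, then check the
// challenge. On success it returns the key the client should pin from now on.
func Verify(pinned ed25519.PublicKey, challenge []byte, resp Response) (ed25519.PublicKey, error) {
	key := pinned
	for i, c := range resp.Chain {
		if len(c.NewKey) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("cert %d: malformed successor key", i)
		}
		if !ed25519.Verify(key, rotationMessage(c.NewKey), c.Sig) {
			return nil, fmt.Errorf("cert %d: not signed by the preceding key", i)
		}
		key = c.NewKey
	}
	if !ed25519.Verify(key, challenge, resp.ChallengeSig) {
		return nil, errors.New("challenge signature invalid under the final key")
	}
	return key, nil
}

func main() {
	s, _ := NewServer()
	pinned := s.Keys[0]            // what the client stored on first contact
	challenge := []byte("nonce-1") // constructed; a real client draws this randomly
	_ = s.Rotate()
	_ = s.Rotate()
	resp, _ := s.Respond(pinned, challenge)
	newPin, err := Verify(pinned, challenge, resp)
	fmt.Printf("chain length %d, err=%v, re-pinned current key: %v\n",
		len(resp.Chain), err, bytes.Equal(newPin, s.Current()))
}
```

Only the current private key is retained; older private keys can be destroyed once their rotation cert exists, which is what makes the chain a record rather than a live liability.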

This falls apart if keys are ever compromised.
Publish merkle roots on global ledgers like blockchains.
Handshake (namebase.io) comes to mind.
DNSSEC doesn't protect you against the American government if you have a .org domain, but I doubt an American court could give Microsoft control over a domain registered under a ccTLD like .de or .ru or .za for example.

I suspect Microsoft would also have trouble taking control of a domain registered under a gTLD run by a company based outside the US, but it would be interesting to see how the agreements between the gTLDs and ICANN would work out in practice.

Technically they could force root nameservers (based in the US) to intercept/proxy the whole gTLD.

So all except n (netnod (EU)) and i (WIDE (JP))

>So all except n (netnod (EU)) and i (WIDE (JP))

US could just drop the records for those.

No, the US could not do that, and there are multiple reasons for it. The root zone is rather special in that operating systems semi-hard-code the root servers. The operating systems also have full control here, and the number of name servers at the root zone changes very slowly. Operating systems developed by people not bound by US courts could just ignore it.

The other reason is political. If they were to cut out EU or Asia from the list then the risk of a split would increase massively. It would be suicide. If they did that, people might even split the internet further by splitting IANA (Internet Assigned Numbers Authority), in which case a computer in the EU would be unable to communicate with a computer in the US, and then the concept of a global internet would no longer exist. A split is an exceedingly dangerous concept.

>DNSSEC doesn't protect you against the American government if you have a .org domain, but I doubt an American court could give Microsoft control over a domain registered under a ccTLD like .de or .ru or .za for example.

What? Obviously they could. ICANN is subject to US law.

This control is indistinguishable from a domain transfer, so this is trivially true.

Zones not under their control, however, are not vulnerable to this. So compared to the current system it would be an improvement.

so fucking what? it's an equivalent of a corporation invading and seizing control of an entire country because some people living there are doing it harm
That's like your landlord handing the keys to your condo to the bully upstairs because you have a cockroach problem.
More like your landlord handing the keys to your condo to the bully upstairs because somebody else on your floor has a cockroach problem.
Or to be more precise, the keys to every condo in the building.
It's like a judge ordering you to hand over your keys to the person living underneath because you have a water leak you refuse to fix.

Perhaps the water leak was caused by someone else, but it's still in your apartment.

1. That would still be ridiculous.

2. The water leak isn't actually in the apartment if we're keeping this accurate to domains. Maybe the only phone the plumber will listen to is in the apartment.

3. As someone else already said, the judge is handing over the keys to the entire building.

>1. That would still be ridiculous.

How would it be ridiculous? A water leak in your flat is causing damage to the flat below yours, it's your duty to address this. If you do not address this, someone will in fact go to court and take control of your flat.

This is something that happens all the time in cases where compliance with specific performance orders seems unlikely.

I have a domain on no-ip.org

I remember when this happened and I was trying to debug why I couldn't reach my home server.