Wednesday, January 18, 2012
8 Technological Reasons to Stop SOPA & PIPA
There’s legislation in the House and Senate right now that is very troubling to me. In the House, it’s called the Stop Online Piracy Act (abbreviated SOPA); in the Senate, it’s called PROTECT IP (or PIPA). The goal of the legislation is to stop online piracy, which is definitely a problem. The Senate will be voting on it later this month, and for the last couple of weeks, I’ve been in awe at the absurdity of this legislation while trying to find a proper way to respond to it.

Here at Uphold Liberty I’m a freedom-loving, Constitution-defending, small-government guy who writes my own personal opinion about politics (which, for the record, may or may not always be the view of my employer). My day job (the one that actually pays bills) is as a systems administrator for a very large company. I’ve spent the vast majority of the last 13 years since my college graduation dealing with the technology of the Internet, and I know it quite well. My career in IT and my fondness for liberty make me one of a relatively small number of political bloggers qualified to address this issue from both the technological and political points of view. Today I am discussing the technological issues around this legislation; tomorrow I’ll post the political problems with it.

This weekend I spent a lot of time poring over this legislation, blog posts, and white papers about it. I made my own notes and then merged my concerns about this legislation with those I found elsewhere on the Internet. This post is a fairly exhaustive list of the technological problems with SOPA and PIPA.

When a domain is seized, the pirated content still exists on the server.
Additionally, it can still be accessed by its IP address. There is nothing, outside of draconian national firewall rules, that can be done to stop Americans from accessing this content.

SOPA and PIPA can be easily circumvented by sending DNS traffic to DNS servers outside the United States.
This legislation gives the government authority to hijack the DNS record of web sites suspected of piracy. Using international DNS servers would completely thwart every attempt at stopping piracy online. Making this change is as easy as changing your computer’s network settings or installing a browser plugin like DeSopa.

ISPs will not be able to proactively identify denial of service (DoS) attacks.
Large companies and ISPs monitor their DNS traffic. One of the reasons for doing this is to identify problems on the network. DNS traffic that flows out of the normal trend can be an indication of a problem. With all of that traffic going to servers outside of the United States, ISPs will not be able to monitor it, and DoS attacks will not be recognized and stopped as quickly as they are today.

SOPA and PIPA break security efforts that have been added to DNS.
The way DNS works is, quite honestly, brilliant; security (not an issue at the time) was left out of the initial designs, and over the past several years, developers have been working to secure DNS queries. The solution is called DNSSEC, and the DNS queries (to get the IP address of a web site) are digitally signed. When the government seizes a web site, it would change the DNS record for the site. This new record would not be digitally signed, meaning SOPA and PIPA would void the security fixes for DNS that programmers have been developing for years.

Innocent, non-targeted sites could be inaccessible because of virtual hosting.
“Virtual hosting” is when a hosting company uses one IP address for multiple web sites. It’s extremely common. Uphold Liberty is on my own dedicated server, and I use virtual hosting to provide hosting for some of my friends’ sites. Once a site is seized by the government, blocking further traffic to that site (one of the differences between SOPA and PIPA) would have to be done by IP address. Blocking web traffic to an IP address will block all web sites hosted at that IP address.
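
The monitoring described in the DoS point above, as an added example that is not part of the original post: a resolver operator counts queries per minute and flags minutes that depart from the recent trend. The log format, the five-minute window and the threshold are assumptions, and the log lines are constructed.

```python
from collections import Counter, deque
from statistics import median


def build_sample_log():
    """Constructed resolver log lines: '<HH:MM:SS> <client-ip> <qname>'."""
    per_minute = [20, 22, 19, 21, 20, 23, 18, 21, 160, 20]  # minute 08 is a spike
    lines = []
    for minute, count in enumerate(per_minute):
        for i in range(count):
            lines.append(
                f"12:{minute:02d}:{i % 60:02d} 192.0.2.{i % 50 + 1} www.example.com"
            )
    return lines


def queries_per_minute(lines):
    """Bucket log lines by HH:MM and count them."""
    counts = Counter()
    for line in lines:
        timestamp, _client, _qname = line.split()
        counts[timestamp[:5]] += 1
    return dict(sorted(counts.items()))


def flag_anomalies(counts, window=5, threshold=5.0):
    """Flag minutes whose volume is far from the median of the previous
    `window` minutes, measured in median absolute deviations (MAD)."""
    history = deque(maxlen=window)
    flagged = []
    for minute, n in counts.items():
        if len(history) == window:
            med = median(history)
            mad = median(abs(x - med) for x in history) or 1.0
            if abs(n - med) / mad > threshold:
                flagged.append((minute, n, med))
                continue  # keep the outlier out of the baseline
        history.append(n)
    return flagged


if __name__ == "__main__":
    print(flag_anomalies(queries_per_minute(build_sample_log())))
```

This baseline only exists for queries that reach the operator's own resolvers; clients that point at resolvers elsewhere contribute nothing to it.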

The Internet will get slower.
Many sites, large and small, use global server load balancing (GSLB) and content distribution networks (CDNs) to make their web sites faster. This is done with DNS by answering users’ queries with IP addresses of servers geographically close to them. For instance, if a web site’s images are on a CDN, a user in Atlanta would want to request those images from a server in Atlanta, rather than one in Los Angeles. GSLB and CDNs make this possible. When users’ DNS is moved internationally (as mentioned above), the speedy delivery service will break. For example, users in Atlanta who request a site using a Toronto DNS server would get an IP address of a server geographically close to Toronto instead of the optimal Atlanta server’s IP address. The result is a slower Internet browsing experience.

Seizing one domain could also break services provided to other domains.
For all of my domains, I host my own web sites, but I use Google for email. If Google’s domains that provide me with email services are seized, my email will no longer work. Beyond email services, this extends to DNS queries which use CNAME records for name resolution. As mentioned earlier, hosting images for a web site is very common. Usually a CDN’s server name is long and cryptic, and it is common for a site to use a CNAME record so that a name like “images.upholdliberty.org” always resolves to the CDN’s server name. A site owner who does this would see his web site break (no images would appear) when the CDN’s domain is seized.

Foreign DNS servers can open users up to security threats.
When you use a DNS server, you trust it to give you the right IP address for the requested web site. If you use a DNS server you just happened to find posted online, you won’t know if it’s managed by trustworthy people or not. It’s very easy for a server administrator to give forged results for DNS requests. The risk? You go to ebay.com, amazon.com, or your bank’s web site, but it’s really just a site designed to look like what you wanted and collect your passwords.

The bottom line on this issue is that the proposed legislation will not have the intended effect of stopping online piracy, but it will most definitely have a negative impact on the speed, reliability, security, and safety of the Internet. I urge each of you to call your senators and congressmen today and demand that they oppose this horrible legislation.
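
The collateral damage described in the virtual hosting and CNAME points above, as an added example that is not part of the original post: a toy resolver over constructed records shows which untargeted names stop working when an IP address is blocked or a domain is seized. All names and addresses are illustrative (`images.blog.example` plays the role of the post's “images.upholdliberty.org”), and treating the last two labels as the registered domain is a simplification.

```python
# Constructed zone data; every name and address is illustrative.
RECORDS = {
    "www.pirate.example":          ("A", "192.0.2.10"),  # the targeted site
    "www.blog.example":            ("A", "192.0.2.10"),  # same server: virtual hosting
    "www.friend-site.example":     ("A", "192.0.2.10"),
    "images.blog.example":         ("CNAME", "a1b2c3.cdn-provider.example"),
    "a1b2c3.cdn-provider.example": ("A", "198.51.100.7"),
    "www.unrelated.example":       ("A", "203.0.113.5"),
}


def registered_domain(name):
    """Simplification: treat the last two labels as the registrable domain."""
    return ".".join(name.split(".")[-2:])


def resolve(name, seized=frozenset(), blocked_ips=frozenset(), max_hops=8):
    """Follow CNAMEs to an address. Returns (ip, None) or (None, reason)."""
    current = name
    for _ in range(max_hops):
        domain = registered_domain(current)
        if domain in seized:
            return None, f"domain seized: {domain}"
        record = RECORDS.get(current)
        if record is None:
            return None, f"NXDOMAIN: {current}"
        rtype, value = record
        if rtype == "CNAME":
            current = value  # restart the lookup at the CNAME target
            continue
        if value in blocked_ips:
            return None, f"IP blocked: {value}"
        return value, None
    return None, "CNAME chain too long"


def collateral(target, seized=frozenset(), blocked_ips=frozenset()):
    """Names outside the targeted domain that no longer reach a server."""
    broken = {}
    for name in RECORDS:
        if registered_domain(name) == target:
            continue
        ip, reason = resolve(name, seized, blocked_ips)
        if ip is None:
            broken[name] = reason
    return broken


if __name__ == "__main__":
    print(collateral("pirate.example", blocked_ips={"192.0.2.10"}))
    print(collateral("cdn-provider.example", seized={"cdn-provider.example"}))
```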