Re: Nxdomain redirect revenue
On Sat, Sep 24, 2011 at 9:33 PM, Cameron Byrne wrote: > Just an fyi for anyone who has a marketing person dreaming up a big nxdomain > redirect business cases, the stats are actually very very poor... it does > not make much money at all. > > It is very important to ask the redirect partners about yields... meaning, > you may find that less than 5% of nxdomain redirects can be actually served > an ad page because 95%+ of nxd are printer lookups and such that cannot be > served an ad page. Then from that less than 5% pool, the click through > rates are around 1% > > Net net, no free money of any meaningful value. But, ymmv... but I don't > think by much. > that's some interesting data points, thanks! > Cb >
Re: Nxdomain redirect revenue
On Sat, Sep 24, 2011 at 8:33 PM, Cameron Byrne wrote: > Just an fyi for anyone who has a marketing person dreaming up a big nxdomain > redirect business cases, the stats are actually very very poor... it does > not make much money at all. > It is very important to ask the redirect partners about yields... meaning, > you may find that less than 5% of nxdomain redirects can be actually served Not to take any position on there being a "business case" for NXDOMAIN redirect, or not butthe percentage of NXdomain redirects that actually serve ads isn't too important. It's absolute numbers that matter, even if it's just 1% of NXDOMAINS by percent. The rest of the 99% are referred to as "noise" and aren't relevant for justifying or failing to justify. The important number is at what frequency the _average_ user will encounter the redirect while they are surfing.If a sufficient proportion of their users see the ads at a sufficient rate, then they will probably justify whatever cost they have for the ad serving. When they are doing this crappy stuff like redirecting google.com DNS to intercept search requests; I have little doubt that they are able to inject sufficient volume of ads to make some sort of "business case" behind thehijacking evilness. Regards, -- -JH
Re: Nxdomain redirect revenue
On Sunday 25 Sep 2011 04:09:22 Jimmy Hess wrote: > On Sat, Sep 24, 2011 at 8:33 PM, Cameron Byrne wrote: > > Just an fyi for anyone who has a marketing person dreaming up a big nxdomain > > redirect business cases, the stats are actually very very poor... it does > > not make much money at all. > > It is very important to ask the redirect partners about yields... meaning, > > you may find that less than 5% of nxdomain redirects can be actually served > > Not to take any position on there being a "business case" for > NXDOMAIN redirect, > or not butthe percentage of NXdomain redirects that actually > serve ads isn't too important. > It's absolute numbers that matter, even if it's just 1% of > NXDOMAINS by percent. > > The rest of the 99% are referred to as "noise" and aren't relevant > for justifying or failing > to justify. > > The important number is at what frequency the _average_ user will > encounter the redirect > while they are surfing.If a sufficient proportion of their users > see the ads at a sufficient rate, > then they will probably justify whatever cost they have for the ad serving. > > When they are doing this crappy stuff like redirecting google.com DNS > to intercept > search requests; I have little doubt that they are able to inject > sufficient volume of ads to > make some sort of "business case" behind thehijacking evilness. > > > Regards, > > -- > -JH I think a special mention should go to hardware vendors who adopt this dreadful practice in network equipment. I recently encountered an enterprise-grade WLAN router from vendor D that has the horrible habit of intercepting some % of queries to its local DNS cache resolver and forwarding to an affiliate Yahoo! search page, lousy with ads, under vendor D's control. This includes things like www.google.co.uk. I don't manage this device and therefore have opened a ticket with those who do to get them to turn the damn thing off, while in the meantime adding *.[vendor D]search.com 127.0.0.1 to my /etc/hosts. I must admit to being tempted to "fault" it with something heavy in order to force its replacement:-) But if anyone from vendor-D is on the list: congratulations, you've managed to invent a network device that is by definition untrustworthy, and I will never buy anything from your company. -- The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them signature.asc Description: This is a digitally signed message part.
Re: Nxdomain redirect revenue
On 25/09/2011 12:39, Alexander Harrowell wrote: > I think a special mention should go to hardware vendors who adopt this > dreadful practice in network equipment. I recently encountered an > enterprise-grade WLAN router from vendor D that has the horrible habit It is not libellous to associate a vendor's real name with calmly stated matters of objective fact concerning their products. I'd be interested to know the particular model that you're referring to here - like you, to put it on a list of kit that I will never buy. Re: "enterprise-grade" - did you mean this as a compliment or an insult? Nick
Re: Nxdomain redirect revenue
On Sun, Sep 25, 2011 at 5:37 PM, Nick Hilliard wrote: > On 25/09/2011 12:39, Alexander Harrowell wrote: >> I think a special mention should go to hardware vendors who adopt this >> dreadful practice in network equipment. I recently encountered an >> enterprise-grade WLAN router from vendor D that has the horrible habit > > It is not libellous to associate a vendor's real name with calmly stated > matters of objective fact concerning their products. > I would guess he is referring to this "Advanced DNS Security" misfeature : http://www.dslreports.com/forum/r25921912-DLINK-Router-Advanced-DNS-Setup-Causing-Issues- -- -JH
Re: Nxdomain redirect revenue
On Sunday 25 Sep 2011 23:37:20 Nick Hilliard wrote: > On 25/09/2011 12:39, Alexander Harrowell wrote: > > I think a special mention should go to hardware vendors who adopt this > > dreadful practice in network equipment. I recently encountered an > > enterprise-grade WLAN router from vendor D that has the horrible habit > > It is not libellous to associate a vendor's real name with calmly stated > matters of objective fact concerning their products. > > I'd be interested to know the particular model that you're referring to > here - like you, to put it on a list of kit that I will never buy. > > Re: "enterprise-grade" - did you mean this as a compliment or an insult? > > Nick > It's D-Link, if you hadn't guessed, and it's the DIR series. Regarding "enterprise", these devices are not service provider kit but they're not under-the-TV-set either, and our use-case is basically typical of a branch-office set up. In which the DIR works really well, if it didn't do demented things with DNS. -- The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them signature.asc Description: This is a digitally signed message part.
Re: Nxdomain redirect revenue
* Cameron Byrne: > It is very important to ask the redirect partners about yields... meaning, > you may find that less than 5% of nxdomain redirects can be actually served > an ad page because 95%+ of nxd are printer lookups and such that cannot be > served an ad page. Then from that less than 5% pool, the click through > rates are around 1% Is this with strict NXDOMAIN rewriting, or were existing names redirected as well? (AFAIK, most platforms do the latter, hijacking bfk.de, for example.) -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Re: Nxdomain redirect revenue
On Sep 26, 2011 1:29 AM, "Florian Weimer" wrote: > > * Cameron Byrne: > > > It is very important to ask the redirect partners about yields... meaning, > > you may find that less than 5% of nxdomain redirects can be actually served > > an ad page because 95%+ of nxd are printer lookups and such that cannot be > > served an ad page. Then from that less than 5% pool, the click through > > rates are around 1% > > Is this with strict NXDOMAIN rewriting, or were existing names > redirected as well? (AFAIK, most platforms do the latter, hijacking > bfk.de, for example.) > I have no experience with hijacking real names, which others have noted is evil. Cb > -- > Florian Weimer > BFK edv-consulting GmbH http://www.bfk.de/ > Kriegsstraße 100 tel: +49-721-96201-1 > D-76133 Karlsruhe fax: +49-721-96201-99
Re: Nxdomain redirect revenue
On Mon, Sep 26, 2011 at 10:25 AM, Cameron Byrne wrote: > On Sep 26, 2011 1:29 AM, "Florian Weimer" wrote: >> >> * Cameron Byrne: >> >> > It is very important to ask the redirect partners about yields... > meaning, >> > you may find that less than 5% of nxdomain redirects can be actually > served >> > an ad page because 95%+ of nxd are printer lookups and such that cannot > be >> > served an ad page. Then from that less than 5% pool, the click through >> > rates are around 1% >> >> Is this with strict NXDOMAIN rewriting, or were existing names >> redirected as well? (AFAIK, most platforms do the latter, hijacking >> bfk.de, for example.) >> > > I have no experience with hijacking real names, which others have noted is > evil. I'm curious, is there some belief that the use of hte nxdomain hijacking/rewriting is actually of use to 'users' ? (I'd seen folk claim that the revenue was super-nice, and also it's super beneficial to users...) I don't happen to believe either of these reasons, cameron's note about checking for the right set of numbers before signing contracts seems to indicate that the revenue wasn't there either... -chris
Re: Nxdomain redirect revenue
On Mon, 26 Sep 2011 10:36:51 EDT, Christopher Morrow said: > I'm curious, is there some belief that the use of hte nxdomain > hijacking/rewriting is actually of use to 'users' ? "of use to users" is, in general, incompatible with "race to the bottom". pgpmyfEAAQ3sZ.pgp Description: PGP signature
Re: Nxdomain redirect revenue
On Mon, Sep 26, 2011 at 2:11 PM, wrote: > On Mon, 26 Sep 2011 10:36:51 EDT, Christopher Morrow said: > >> I'm curious, is there some belief that the use of hte nxdomain >> hijacking/rewriting is actually of use to 'users' ? > > "of use to users" is, in general, incompatible with "race to the bottom". my point is that on the one hand the marketeers say: "This is a great help to your users who are confused by the missing dns entries! They like it! It is a benefit and a comfort to them!" and on the other hand: "You will make lots of mullah from the nxdomain rewriting! it's wonderful!" (plus some mumbling about, why would you want to give that money away to the content providers of the world for free?) -chris (I don't believe that it's a great help, nor that customers actually WANT it, nor that it makes great gobs of money... but I'm willing to be educated)
Re: Nxdomain redirect revenue
On Mon, Sep 26, 2011 at 2:17 PM, Christopher Morrow wrote: > On Mon, Sep 26, 2011 at 2:11 PM, wrote: >> On Mon, 26 Sep 2011 10:36:51 EDT, Christopher Morrow said: >> >>> I'm curious, is there some belief that the use of hte nxdomain >>> hijacking/rewriting is actually of use to 'users' ? >> >> "of use to users" is, in general, incompatible with "race to the bottom". > > my point is that on the one hand the marketeers say: "This is a great > help to your users who are confused by the missing dns entries! They > like it! It is a benefit and a comfort to them!" > > and on the other hand: "You will make lots of mullah from the nxdomain > rewriting! it's wonderful!" s/mullah/moolah/ :( context switch fail. > (plus some mumbling about, why would you want to give that money > away to the content providers of the world for free?) > > -chris > (I don't believe that it's a great help, nor that customers actually > WANT it, nor that it makes great gobs of money... but I'm willing to > be educated) >
Re: Nxdomain redirect revenue
On 9/26/11 4:29 AM, Florian Weimer wrote: Is this with strict NXDOMAIN rewriting, or were existing names redirected as well? (AFAIK, most platforms do the latter, hijacking bfk.de, for example.) Has anybody tried bringing a criminal complaint for interference with computer (network) data? Certainly, hijacking google.com NS records to JOMAX.NET would be a criminal interference. After all, that's all DNSsec signed now, isn't it? Arguably, substituting a false reply for NXDOMAIN would be, too. It's time to find a champion to lead the charge. Maybe Google?
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 3:57 AM, William Allen Simpson wrote: [snip] > Certainly, hijacking google.com NS records to JOMAX.NET would be a > criminal interference. After all, that's all DNSsec signed now, > isn't it? I would rather see DNSSEC and TLS/HTTPS get implemented end to end. The last thing we need is a court to step in and say "It's not legal for an ISP to blacklist, block, or redirect traffic, to any hostname or IP address." Most likely the ISPs' lawyers were smart enough to include a clause in the ToS/AUP allowing the ISP to intercept, blackhole, or redirect access to any hostname or IP address. The name for an ISP intercepting traffic from its own users is not "interference" or "DoS", because they're breaking the operation of (er) only their own network. The solution is to spread their name as widely as possible, so consumers can make an informed choice if they wish to avoid service providers that engage in abusive practices, and bring it attention to regulators if the service providers are acting as an abusive monopoly in regards to their interception practices. -- -JH
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess wrote: > On Tue, Sep 27, 2011 at 3:57 AM, William Allen Simpson > wrote: > [snip] >> Certainly, hijacking google.com NS records to JOMAX.NET would be a >> criminal interference. After all, that's all DNSsec signed now, >> isn't it? > > I would rather see DNSSEC and TLS/HTTPS get implemented end to end. how does tls/https help here? if you get sent to the 'wrong host' whether or not it does https/tls is irrelevant, no? (save the case of chrome and domain pinning) > The solution is to spread their name as widely as possible, so > consumers can make an informed > choice if they wish to avoid service providers that engage in abusive > practices, > and bring it attention to regulators if the service providers are > acting as an abusive monopoly in regards to their interception > practices. sadly, not everyone has a choice in providers :(
Re: Nxdomain redirect revenue
On Tue, 27 Sep 2011 09:27:00 EDT, Christopher Morrow said: > On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess wrote: > > I would rather see DNSSEC and TLS/HTTPS get implemented end to end. > > how does tls/https help here? if you get sent to the 'wrong host' > whether or not it does https/tls is irrelevant, no? (save the case of > chrome and domain pinning) Well, actually, Chrome-like domain pinning and/or using DNSSEC to verify the provenance of an SSL cert is the whiole reason Jimmy probably wants DNSSEC and TLS...Unless you do that sort of stuff, there's no way to *tell* if you ended up at the wrong host... pgpKfrJMB4jDb.pgp Description: PGP signature
Re: Nxdomain redirect revenue
On 9/27/11 7:50 AM, Jimmy Hess wrote: On Tue, Sep 27, 2011 at 3:57 AM, William Allen Simpson wrote: [snip] Certainly, hijacking google.com NS records to JOMAX.NET would be a criminal interference. After all, that's all DNSsec signed now, isn't it? I would rather see DNSSEC and TLS/HTTPS get implemented end to end. They are. The last thing we need is a court to step in and say "It's not legal for an ISP to blacklist, block, or redirect traffic, to any hostname or IP address." Don't distort my words. It amuses me when so-called conservative cyber-libertarians hate the idea of courts stepping in to enforce laws, except the laws governing their own contracts enforcing payments regardless of the quality of their goods. The cable and satellite industry forced through digital protection acts -- to protect their revenue streams. Now, it's time to use those acts against them. It's not legal for an ISP to modify computer data. Especially digitally signed data. That's a criminal offense. It's not legal for a vendor to sell or give away equipment that aids interception and modification of data. That's a criminal offense. Most likely the ISPs' lawyers were smart enough to include a clause in the ToS/AUP allowing the ISP to intercept, blackhole, or redirect access to any hostname or IP address. It's not legal to insert a clause allowing criminal conduct. There's no safe haven for criminal conduct. The name for an ISP intercepting traffic from its own users is not "interference" or "DoS", because they're breaking the operation of (er) only their own network. No, they're breaking the operation of my network and my computers. My network connects to their network. The solution is to spread their name as widely as possible, so consumers can make an informed choice if they wish to avoid service providers that engage in abusive practices, and bring it attention to regulators if the service providers are acting as an abusive monopoly in regards to their interception practices. There are no choices. They *are* abusive monopolies. Why are "regulators" better than courts? After all, the regulators will also involve courts.
Re: Nxdomain redirect revenue
On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said: > It's not legal for an ISP to modify computer data. Especially > digitally signed data. That's a criminal offense. Citation? Hint - a *big* chunk of ISPs have NAT deployed, and that's messing with packet headers. Much as many of us would like to see NAT go away, I don't think we want an environment where deploying NAT gets us a new roommate and best friend named Bubba. Oh, and if you're not modifying the TTL field, you're Doing It Wrong. > It's not legal for a vendor to sell or give away equipment that aids > interception and modification of data. That's a criminal offense. Again, citiation? Meanwhile, CALEA *requires* you to have a network that aids in at least the interception of data. What's a poor ISP to do? pgplsnprrfd4A.pgp Description: PGP signature
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 10:19 AM, wrote: > On Tue, 27 Sep 2011 09:27:00 EDT, Christopher Morrow said: >> On Tue, Sep 27, 2011 at 7:50 AM, Jimmy Hess wrote: > >> > I would rather see DNSSEC and TLS/HTTPS get implemented end to end. >> >> how does tls/https help here? if you get sent to the 'wrong host' >> whether or not it does https/tls is irrelevant, no? (save the case of >> chrome and domain pinning) > > Well, actually, Chrome-like domain pinning and/or using DNSSEC to verify the > provenance of an SSL cert is the whiole reason Jimmy probably wants DNSSEC and > TLS...Unless you do that sort of stuff, there's no way to *tell* if you ended > up at the wrong host... to paraphrase mo: "this will not scale" (you can't possibly pin everyone that matters (to all users) inside the binary) It's a cute intermediate trick until the CA problem is resolved/executed and DNSSEC arrives in full (on the service AND client side). -chris
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 11:48 AM, wrote: > On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said: > >> It's not legal for an ISP to modify computer data. Especially >> digitally signed data. That's a criminal offense. > > Citation? Could tampering with DNSSEC and/or TLS fall into DMCA grounds ? Rubens
RE: Nxdomain redirect revenue
Paxfire gets sued: http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html http://www.courthousenews.com/2011/08/08/38796.htm http://www.pcmag.com/article2/0,2817,2390529,00.asp Paxfire files counter suit: http://www.techdirt.com/articles/20110809/17305215460/paxfire-responds-says-it-doesnt-hijack-searches-will-seek-sanctions-against-lawyers.shtml http://www.techdirt.com/articles/20110906/03371515808/paxfire-sues-lawyers-individual-who-filed-class-action-lawsuit-over-its-search-redirects.shtml http://www.prweb.com/releases/2011/9/prweb8765163.htm -Original Message- From: William Allen Simpson [mailto:william.allen.simp...@gmail.com] Sent: Tuesday, September 27, 2011 4:58 AM To: nanog@nanog.org Subject: Re: Nxdomain redirect revenue On 9/26/11 4:29 AM, Florian Weimer wrote: > Is this with strict NXDOMAIN rewriting, or were existing names > redirected as well? (AFAIK, most platforms do the latter, hijacking > bfk.de, for example.) > Has anybody tried bringing a criminal complaint for interference with computer (network) data? Certainly, hijacking google.com NS records to JOMAX.NET would be a criminal interference. After all, that's all DNSsec signed now, isn't it? Arguably, substituting a false reply for NXDOMAIN would be, too. It's time to find a champion to lead the charge. Maybe Google?
Re: Nxdomain redirect revenue
On 9/27/2011 11:41 AM, Rubens Kuhl wrote: On Tue, Sep 27, 2011 at 11:48 AM, wrote: On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said: It's not legal for an ISP to modify computer data. Especially digitally signed data. That's a criminal offense. Citation? Could tampering with DNSSEC and/or TLS fall into DMCA grounds ? Doubtful. DMCA (the C is Copyright) protects copyright owners. I have never seen anyone claim copyright over their DNS records. Interesting thought, but copyright law is a tangled mess that I would guess is probably the wrong tactic if someone were planning to legally oppose/attack service providers using NXDOMAIN redirection. Also, only the 'owner' of a copyright can bring suit. -DMM
Re: Nxdomain redirect revenue
On 9/26/11 4:29 AM, Florian Weimer wrote: Is this with strict NXDOMAIN rewriting, or were existing names redirected as well? (AFAIK, most platforms do the latter, hijacking bfk.de, for example.) I responded: Has anybody tried bringing a criminal complaint for interference with computer (network) data? Certainly, hijacking google.com NS records to JOMAX.NET would be a criminal interference. After all, that's all DNSsec signed now, isn't it? Arguably, substituting a false reply for NXDOMAIN would be, too. It's time to find a champion to lead the charge. Maybe Google? On 9/27/11 12:34 PM, Schiller, Heather A top posted: Paxfire gets sued: http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html http://www.courthousenews.com/2011/08/08/38796.htm http://www.pcmag.com/article2/0,2817,2390529,00.asp Paxfire files counter suit: http://www.techdirt.com/articles/20110809/17305215460/paxfire-responds-says-it-doesnt-hijack-searches-will-seek-sanctions-against-lawyers.shtml http://www.techdirt.com/articles/20110906/03371515808/paxfire-sues-lawyers-individual-who-filed-class-action-lawsuit-over-its-search-redirects.shtml http://www.prweb.com/releases/2011/9/prweb8765163.htm Thanks, Heather, I didn't know/remember about the civil suit. Good start. But I'm talking about criminal. They're different.
Re: Nxdomain redirect revenue
On 9/27/11 11:41 AM, Rubens Kuhl wrote: On Tue, Sep 27, 2011 at 11:48 AM, wrote: On Tue, 27 Sep 2011 10:20:25 EDT, William Allen Simpson said: It's not legal for an ISP to modify computer data. Especially digitally signed data. That's a criminal offense. Citation? Could tampering with DNSSEC and/or TLS fall into DMCA grounds ? Good thought, but I was thinking more along the lines of UETA and E-SIGN, along with the usual criminal penalties for forgery and fraud (and intent to defraud). I'm pretty sure those are state by state. On the US Federal level, there's 18 USC 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited. In any case, there's plenty of law to choose, we simply need a solid test case. Family members are Wide Open West (WOW) subscribers, and they are listed among the miscreant companies that Heather linked. I'd happily be a plaintiff based on my use of their network, but we probably need some actual affected subscribers.
Re: Nxdomain redirect revenue
>It's not legal for an ISP to modify computer data. Especially >digitally signed data. That's a criminal offense. It is indeed illegal to break into someone's else's computer and tamper with the data therein. It is frankly ridiculous to try to apply that law to data in your own equipment. If you think computer tampering laws apply to the operation of one's own DNS cache, provide case law. For case law confirming that similar language in the Stored Communication Act doesn't apply to data on your own equipment, see the recently dismissed cases of Holomaxx vs. Microsoft and Holomaxx vs. Yahoo. R's, John PS: Can we stop playing Junior Lawyer now?
Re: Nxdomain redirect revenue
On 27/09/2011 19:31, John Levine wrote: > For case law confirming that similar language in the Stored > Communication Act doesn't apply to data on your own equipment, see the > recently dismissed cases of Holomaxx vs. Microsoft and Holomaxx > vs. Yahoo. In Europe, things are slightly different. Traffic snooping is considered to be a breach of consumer data protection directives and is treated accordingly. One of the more interesting cases was BT + Phorm: > http://en.wikipedia.org/wiki/Phorm#European_Commission_case_against_UK_over_Phorm While the case never went to court, all parties backed down and there hasn't been a similar case since then. There is another aspect to this: european IP service providers can claim "mere conduit" status (similar to US "common carrier") under the terms of the Electronic Commerce Directive 2000/31/EC (as transcribed into local legislation), provided during the process of transmission they do "not select or modify the information contained in the transmission". It would seem possible that changing DNS packets in transit could come under the scope of "select or modify", thereby leaving the IP service provider liable for the information transmitted. This can act as a deterrent to service providers who feel that modifying data in-flight is a good idea. Nick
Re: Nxdomain redirect revenue
On 27/09/11 7:20 AM, William Allen Simpson wrote: Most likely the ISPs' lawyers were smart enough to include a clause in the ToS/AUP allowing the ISP to intercept, blackhole, or redirect access to any hostname or IP address. It's not legal to insert a clause allowing criminal conduct. There's no safe haven for criminal conduct. I'm not sure that it's *illegal to insert a clause* for conduct that is forbidden by law. I'm pretty sure you can claim almost anything in the contract. What is illegal is enforcement of an illegal clause. Law trumps contract terms - that's WHY we have civil laws - to protect people from unscrupulous business dealings. And that's why most contracts have a clause that says if a particular clause in the contract is found invalid the rest of the contract still stands - because so many contracts DO have invalid clauses. For example, many employment contracts have non-compete clauses that forbid the employee from going to work for a competitor. But in many states these clauses violate the state's right-to-work laws. The company lawyers KNOW the clause is illegal, but they insert it in the employment contracts anyway, to try to fool employees into thinking they will get sued if they go to work for a competitor. The name for an ISP intercepting traffic from its own users is not "interference" or "DoS", because they're breaking the operation of (er) only their own network. No, they're breaking the operation of my network and my computers. My network connects to their network. But you have no recourse, their network, their rules. (Right?) You *might* have recourse if they were modifying traffic you sent to their customer, but in this case they are modifying traffic that originates FROM their customer. I'm not convinced that redirecting this traffic is any different from blocking it (e.g. firewall to prevent employees from accessing facebook or torrents). I believe the only entity who has recourse is the entity who is paying them for service - e.g. their (paying) customer. jc
Re: Nxdomain redirect revenue
> From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Tue Sep 27 15:54:37 > 2011 > Date: Tue, 27 Sep 2011 13:54:26 -0700 > From: JC Dill > To: NANOG list > Subject: Re: Nxdomain redirect revenue > > On 27/09/11 7:20 AM, William Allen Simpson wrote: > > > > > >> Most likely the ISPs' lawyers were smart enough to include a clause > >> in the ToS/AUP allowing > >> the ISP to intercept, blackhole, or redirect access to any hostname or > >> IP address. > >> > > It's not legal to insert a clause allowing criminal conduct. There's > > no safe haven for criminal conduct. > > > I'm not sure that it's *illegal to insert a clause* for conduct that is > forbidden by law. I'm pretty sure you can claim almost anything in the > contract. What is illegal is enforcement of an illegal clause. Law > trumps contract terms - that's WHY we have civil laws - to protect > people from unscrupulous business dealings. And that's why most > contracts have a clause that says if a particular clause in the contract > is found invalid the rest of the contract still stands - because so many > contracts DO have invalid clauses. For example, many employment > contracts have non-compete clauses that forbid the employee from going > to work for a competitor. But in many states these clauses violate the > state's right-to-work laws. The company lawyers KNOW the clause is > illegal, but they insert it in the employment contracts anyway, to try > to fool employees into thinking they will get sued if they go to work > for a competitor. > > > >> The name for an ISP intercepting traffic from its own users is not > >> "interference" or "DoS", > >> because they're breaking the operation of (er) only their own network. > >> > > No, they're breaking the operation of my network and my computers. My > > network connects to their network. > > But you have no recourse, their network, their rules. (Right?) You > *might* have recourse if they were modifying traffic you sent to their > customer, but in this case they are modifying traffic that originates > FROM their customer. I'm not convinced that redirecting this traffic is > any different from blocking it (e.g. firewall to prevent employees from > accessing facebook or torrents). > > I believe the only entity who has recourse is the entity who is paying > them for service - e.g. their (paying) customer. In the specific case of 'falsifying' a DNS return for what would have been a NXDOMAIN, that is "mostly' correct. but consider whqat happens when you get into the situation of querying a DNSBL operator -- where an 'error' result _is_ a desired return value. Now, when the provider returns 'false and misleading' data for what would be, under normal conditions, a SUCCESSFUL query -- say, returning a 'bogus' address for a well-known search-engine, so as to bee able to manipulate the results -- then the party whose traffic is being 'stolen', and sent to the bogus server, THAT party may well have grounds for a civil suit for 'tortuous interference with a business relationship'. In this situation, there are also possible criminal sanctions, under 'wiretapping' prohibitions, among others.
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow wrote: > how does tls/https help here? if you get sent to the 'wrong host' > whether or not it does https/tls is irrelevant, no? (save the case of > chrome and domain pinning) Because the operator of the "wrong host"cannot obtain a SSL certificate for the right host's domain from a legitimate CA. When the user types in '[therightdomain].com' and their browser immediately sends them to https://therightdomain.com the HTTPS request will fail and show the user an error message if the site is the wrong one, instead of allowing the wrong server to produce a response. To be clear, I am suggesting HTTPS should be the default, all servers should support it, and once a browser learns that a site supports HTTPS, it should maintain a memory of that fact in a hash table, and refuse to access the site over HTTP unless specifically requested (in order to prevent downgrade attacks) and refuse to try HTTP first when a new domain is entered. The http:// schema should be removed/deprecated, and replaced with insecurehttp:// And plain HTTP only used first if the user types that. That is, HTTPs should become assumed. Regards, -- -JH
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 17:08, Jimmy Hess wrote: > That is, HTTPs should become assumed. As much as that would be wonderful from a security standpoint, IMO it's not realistic to expect every mom-and-pop posting a personal Web site to pay extra for a static/dedicated IP address from their hosting company (even if IPv6 were widely deployed, Web hosts probably would charge extra for this just on principle), and to pay extra for an SSL certificate, even a "weak" one that only verifies the domain name. If a given Web site's developers think their content is "important" (however they define the term), they certainly can add SSL to the site; in the grand scheme of things the cost is pretty small. But assuming everyone can/should do this is probably a step too far. That said, there's nothing wrong with browser extensions that try HTTPS first, and I'd wager that sooner or later one of the big browsers will make that a built-in option. David Smith MVN.net
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 5:29 PM, David E. Smith wrote: > On Tue, Sep 27, 2011 at 17:08, Jimmy Hess wrote: >> That is, HTTPs should become assumed. > As much as that would be wonderful from a security standpoint, IMO > it's not realistic to expect every mom-and-pop posting a personal Web > site to pay extra for a static/dedicated IP address from their hosting > company (even if IPv6 were widely deployed, Web hosts probably would Thanks to TLS SNI (server name indication), a dedicated IP address is no longer necessarily, RFC 3546, 3.1. Yes, it is realistic to expect every mom-and-pop posting a personal web site to utilize a provider that implements SNI, and the sooner they do it. It's also realistic to expect them to buy one of those $15 SSL certificates. Heck 1 year .COM registration used to cost a lot more than that. We're not talking about huge recurring costs here. -- -JH
Re: Nxdomain redirect revenue
On Sep 27, 2011, at 3:46 PM, Jimmy Hess wrote: > On Tue, Sep 27, 2011 at 5:29 PM, David E. Smith wrote: >> On Tue, Sep 27, 2011 at 17:08, Jimmy Hess wrote: >>> That is, HTTPs should become assumed. >> As much as that would be wonderful from a security standpoint, IMO >> it's not realistic to expect every mom-and-pop posting a personal Web >> site to pay extra for a static/dedicated IP address from their hosting >> company (even if IPv6 were widely deployed, Web hosts probably would > > Thanks to TLS SNI (server name indication), a dedicated IP address is > no longer necessarily, > RFC 3546, 3.1. > Except when it is. > Yes, it is realistic to expect every mom-and-pop posting a personal > web site to utilize a provider that implements SNI, and the sooner > they do it. > No, it isn't because it requires you to send the domain portion of the URL in clear text and it may be that you don't necessarily want to disclose even that much information about your browsing to the public. > It's also realistic to expect them to buy one of those $15 SSL certificates. > Heck 1 year .COM registration used to cost a lot more than that. > Meh... I disagree. I don't think there's any reason to encrypt web sites that don't use authentication and are not providing personally identifying information or other "secret" data. I run several web servers virtual and real on one of my systems. Some of them have SSL, some of them don't. Even the ones that have SSL don't encrypt everything. There's no reason to encrypt that which does not need encryption and it's just an extra cost in terms of server resources and client resources to do so. > We're not talking about huge recurring costs here. > That depends. If it's a popular web site that delivers a lot of content, the additional CPU horsepower just to do the cryptography and the additional power to drive it could actually be very significant. For the average mom and pop, no, it's not a huge cost, but, neither is it necessarily a cost worth bothering with. Frankly, I don't expect static (or at least static-enough) addresses to cost extra in IPv6. You can already get a /48 from Hurricane Electric for free as long as you have IPv4 access. I suspect that eventually other IPv6 providers will have to at least match that standard. Owen
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 7:29 PM, David E. Smith wrote: > On Tue, Sep 27, 2011 at 17:08, Jimmy Hess wrote: >> That is, HTTPs should become assumed. > > As much as that would be wonderful from a security standpoint, IMO > it's not realistic to expect every mom-and-pop posting a personal Web > site to pay extra for a static/dedicated IP address from their hosting > company (even if IPv6 were widely deployed, Web hosts probably would > charge extra for this just on principle), and to pay extra for an SSL > certificate, even a "weak" one that only verifies the domain name. Self-signed certificates published thru DNSSEC using CAA/DANE can cost nothing. (And somebody else pointed out SNI to have TLS work without exclusive IP requirement) Rubens
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 6:09 PM, Owen DeLong wrote: > On Sep 27, 2011, at 3:46 PM, Jimmy Hess wrote: > > No, it isn't because it requires you to send the domain portion of the URL > in clear text and it may be that you don't necessarily want to disclose even > that much information about your browsing to the public. That's OK. You're kind of mincing security objectives here. In regards to preventing tactics such as domain hijacking bt service providers, the goal behind this would be integrity, not confidentiality. The objective of using SSL is not to strongly encrypt data to keep it secret, it's to apply whatever is necessary to provide a level of integrity assurance. The SSL cipher can almost be the null cipher, for all it matters, but at least RC4 56-bit or so would be needed, because the null cipher doesn't have message digests in TLS. -- -JH
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 04:09:03PM -0700, Owen DeLong wrote: > No, it isn't because it requires you to send the domain portion of the URL > in clear text and it may be that you don't necessarily want to disclose even > that much information about your browsing to the public. And speaking https to a per-domain ip address reveals nothing about browsing habits?
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 05:08:42PM -0500, Jimmy Hess wrote: > On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow > wrote: > > > how does tls/https help here? if you get sent to the 'wrong host' > > whether or not it does https/tls is irrelevant, no? (save the case of > > chrome and domain pinning) > > Because the operator of the "wrong host"cannot obtain a SSL > certificate for the right host's domain from a legitimate CA. Oh, if only 'twere true... even without control of the DNS for the domain, there have been plenty of certificates erroneously issued. With DNS control, doing the necessary validation steps required for the issuance of a certificate is child's play. Then, of course, there's the issues with what constitutes a "legitimate" CA; the list of CAs that I'd never want to trust, but which are in my browser by default, is long and notorious. - Matt
Re: Nxdomain redirect revenue
Once upon a time, Owen DeLong said: > No, it isn't because it requires you to send the domain portion of the URL > in clear text and it may be that you don't necessarily want to disclose even > that much information about your browsing to the public. If you don't want even the site you are browsing public, HTTPS is not the solution. Without SNI, HTTPS is one-site-per-IP (nobody uses the subjectAltName to host multiple different sites on the same IP in practice), so all somebody has to do it fetch the certificate from the same IP/port and look at the CN/subjectAltName. Either that's the site you went to, or you accepted the host/cert mismatch (and are a target for spoofing). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: Nxdomain redirect revenue
On Sep 27, 2011, at 4:55 PM, Jimmy Hess wrote: > On Tue, Sep 27, 2011 at 6:09 PM, Owen DeLong wrote: >> On Sep 27, 2011, at 3:46 PM, Jimmy Hess wrote: >> >> No, it isn't because it requires you to send the domain portion of the URL >> in clear text and it may be that you don't necessarily want to disclose even >> that much information about your browsing to the public. > > That's OK. You're kind of mincing security objectives here. > In regards to preventing tactics such as domain hijacking bt service > providers, > the goal behind this would be integrity, not confidentiality. > > The objective of using SSL is not to strongly encrypt data to keep it > secret, it's > to apply whatever is necessary to provide a level of integrity assurance. > > The SSL cipher can almost be the null cipher, for all it matters, > but at least RC4 56-bit or so would be needed, because > the null cipher doesn't have message digests in TLS. > > -- > -JH As has been pointed out... SSL certs do almost nothing for integrity. Owen
Re: Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 04:09:03PM -0700, Owen DeLong wrote: > > > Yes, it is realistic to expect every mom-and-pop posting a personal > > web site to utilize a provider that implements SNI, and the sooner > > they do it. > > No, it isn't because it requires you to send the domain portion of the URL > in clear text and it may be that you don't necessarily want to disclose even > that much information about your browsing to the public. That's what happens without SNI. Without SNI, the IP address of the server is sent in the clear; anyone who captures that traffic knows the IP address, and, without SNI, anyone who want s to translate the IP address to a domain name need only connect to the server and see what certificate is presented. -- Brett
Re: Nxdomain redirect revenue
On Tue, 27 Sep 2011 16:09:03 PDT, Owen DeLong said: > No, it isn't because it requires you to send the domain portion of the URL > in clear text and it may be that you don't necessarily want to disclose even > that much information about your browsing to the public. If that's an actual concern, I suggest you talk to the nice people at https://www.torproject.org/ - and remember that tor was originally designed by the US government so our spooks could fly under the wire, so it's patriotic to run a tor relay. ;) pgpYiap2iTXcj.pgp Description: PGP signature
Re: Nxdomain redirect revenue
Jimmy, On Tue, Sep 27, 2011 at 1:50 PM, Jimmy Hess wrote: > The name for an ISP intercepting traffic from its own users is not > "interference" or "DoS", > because they're breaking the operation of (er) only their own network. This statement somehow assumes that users of said network were only intending to communicate within that same network. I think this applies to so few networks it can be ignored in the discussion. If I have a partner/customer/supplier/$foo in [common carrier/public carrier] network X, and there is no D/DoS or other form of abuse ongoing, and the operator of X willfully denies our communication, the operator of X should have pretty darn good reasons for doing so (on the order of having been ordered by the proper judicial system (which should be well-functional, but that's a bit out of scope for the discussion I guess)). Operators should take great care to not break communication, including tampering with internet architectures such as DNS, and it must be possible to hold those who do responsible for their actions. Regards, Martin
Re: Nxdomain redirect revenue
On Wed, Sep 28, 2011 at 2:26 PM, Martin Millnert wrote: Hi, I think you're echoing a common misconception here: > If I have a partner/customer/supplier/$foo in [common carrier/public > carrier] network X, and there is no D/DoS or other form of abuse ISPs are not like traditional telephone carriers. ISPs are not common carriers. They are not common carriers legally, and they are not _like_ common carriers operationally. They are empowered to provide whatever types of service and service levels to their subscriber that their properly agreed upon terms of service provides for Most end users of an ISP don't even get a SLA, let alone a promise that any IP address will be reachable.Also, thanks to peering spats and other various phenomena, it's actually an impossible promise for an ISP to make. Due to the nature of the internet ISPs _often_ make decisions that result in discrimination of traffic based on its type, its source, destination, payload contents, etc. Blackholing spammer IP addresses is a common example; and ISPs could not do that if they were common carriers. > ongoing, and the operator of X willfully denies our communication, the > operator of X should have pretty darn good reasons for doing so (on In your opinion the operator should have a "pretty darn good reason" for doing so. But in reality, the internet service subscriber's subscription agreement will state what's a "pretty darn good reason"; generally, the agreement states that any reason at all, or no reason, solely at the operator's discretion, is good enough. > Operators should take great care to not break communication, including > tampering with internet architectures such as DNS, and it must be > possible to hold those who do responsible for their actions. It occurs that an ISP deploying a custom DNS service that implements their own policies of munging redirects or producing "false" answers is not "tampering" with anyone else's server. -- -JH
Re: Nxdomain redirect revenue
On 09/27/2011 07:55 PM, Jimmy Hess wrote: the goal behind this would be integrity, not confidentiality. The objective of using SSL is not to strongly encrypt data to keep it secret, it's to apply whatever is necessary to provide a level of integrity assurance. If all you want is integrity then shouldn't you argue that every computer should operate a DNSSEC validating recursive resolver on the machine? After all that is the point of DNSSEC after all isn't it, the validation of DNS records for endpoint authenticity. Even still SNI isn't even widely supported by the major browsers as I understand it. just my 2c
Re: Nxdomain redirect revenue
+1 to the use of CAA/DANE -brian On 09/27/2011 07:34 PM, Rubens Kuhl wrote: On Tue, Sep 27, 2011 at 7:29 PM, David E. Smith wrote: On Tue, Sep 27, 2011 at 17:08, Jimmy Hess wrote: That is, HTTPs should become assumed. As much as that would be wonderful from a security standpoint, IMO it's not realistic to expect every mom-and-pop posting a personal Web site to pay extra for a static/dedicated IP address from their hosting company (even if IPv6 were widely deployed, Web hosts probably would charge extra for this just on principle), and to pay extra for an SSL certificate, even a "weak" one that only verifies the domain name. Self-signed certificates published thru DNSSEC using CAA/DANE can cost nothing. (And somebody else pointed out SNI to have TLS work without exclusive IP requirement) Rubens
