The Internet Kill Switch; With Global Wiretapping Capability? (pastebay.net)
92 points by pimeys 1759 days ago

Slightly off-topic, but this led me to discover whois spam:

(please don't go there and feed the spammers, thank you :-))

  $ whois facebook.com
  FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM from whois Server: whois.instra.net
  FACEBOOK.COM.LOVED.BY.WWW.SHQIPHOST.COM from Whois Server: whois.onlinenic.com
  FACEBOOK.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM from Whois Server: whois.PublicDomainRegistry.com

... how the hell do you do that? Not that I want to, just interested how those domains show up when you do a whois search.

Microsoft.com has better results IMO.

Hah, yeah

That's been around for more than 10 years, the reason is that whois is doing substring matches.

Blackhat SEO stuff. Easy to fool google suggest also.
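To make the substring-matching explanation concrete, here is an added illustration (not code from the thread, and not the real registry software): a toy WHOIS index that behaves like the legacy .com server, with a constructed record list. The spam entries work because their owner registers a nameserver host record, under a domain they control, whose name begins with the target domain, so any substring search for "facebook.com" pulls them in. The `controlling_domain` helper and the two-label assumption it makes are mine.

```python
"""Why `whois facebook.com` returns spam entries: the legacy TLD WHOIS
server matched the query as a substring of every record in its index.

Added illustration for the thread above, not code from the original page.
The record list is constructed; the matching rules approximate the old
behaviour and are not the registry's actual implementation."""

# Constructed sample of the kind of names a TLD WHOIS index holds.
# Spammers register a nameserver host record under their own domain
# (here BEYONDWHOIS.COM, SHQIPHOST.COM) whose name starts with the target.
RECORDS = [
    "FACEBOOK.COM",
    "FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM",
    "FACEBOOK.COM.LOVED.BY.WWW.SHQIPHOST.COM",
    "FACEBOOKS.COM",
    "MYFACEBOOK.COM",
    "EXAMPLE.COM",
]


def substring_lookup(query, records=RECORDS):
    """Legacy behaviour: every record that merely contains the query."""
    q = query.upper()
    return [r for r in records if q in r]


def exact_lookup(query, records=RECORDS):
    """What the user actually wanted: the record equal to the query."""
    q = query.upper()
    return [r for r in records if r == q]


def spam_hosts(query, records=RECORDS):
    """Records that match only because the target domain is a label prefix
    of a longer host name: the trick asked about in the thread."""
    q = query.upper()
    return [r for r in records if r.startswith(q + ".")]


def controlling_domain(record):
    """Who registered the spam host: assumed to be the last two labels.
    (Simplification: ignores multi-label public suffixes such as .co.uk.)"""
    return ".".join(record.split(".")[-2:])


def report(query, records=RECORDS):
    """Map each spam host to the domain whose owner planted it."""
    return {r: controlling_domain(r) for r in spam_hosts(query, records)}


if __name__ == "__main__":
    print("legacy match :", substring_lookup("facebook.com"))
    print("exact match  :", exact_lookup("facebook.com"))
    print("spam planted by:", report("facebook.com"))
```

The commonly given workaround for the real servers is to restrict the query to domain records rather than searching host names too, e.g. `whois "domain facebook.com"` against the .com registry server, which is the equivalent of `exact_lookup` here.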

This is just drivel. A company is providing a service that is extremely well executed and has a great reputation. Google uses it for the same reason most people use Google - it is the best around for what they want.

If there is a single shred of evidence other than "isn't it weiirdd...." then perhaps we can discuss this.

It raises my eyebrow that a third party controls MSN, Google, and Facebook's DNS entries while also being a trusted certificate authority. This makes a man-in-the-middle SSL attack "somewhat easy". Does anyone publicly audit the DNS entries of major services? I haven't heard of any browsers alerting on SSL certificate changes (a la ~/.ssh/known_hosts).

Perhaps I like my tinfoil hat more than the average Joe, but this sounds like an excellent way to execute wiretaps. I can only imagine that http://news.ycombinator.com/item?id=3929507 reminded the submitter of this old (Feb 17th) paste.

They are the REGISTRAR of the domains - they are not hosting DNS for the domains. The fact that they manage the registration is completely irrelevant from a wiretapping point-of-view.

If true, the fact that they have a CA is what allows them to wiretap. But they don't need control of DNS to do that - just cooperation of an ISP.

The fact that they manage the registration is completely irrelevant from a wiretapping point-of-view.

As the registrar, you specify which DNS servers are authoritative for the domain. It is much easier for the registrar to quietly change a domain than any other 3rd party in the system.

That in itself isn't scary. Lots of people use(d) GoDaddy, eNom, etc. Another commenter pointed out that Last.fm likes the service because it abstracts the pain of domain registration.

But does Google care about the pain of registering Google in new TLDs? Does Facebook worry that their domain will expire due to an out of date credit card? Using a third party service introduces risk of failures out of your control. Any interruption to these major providers will cause damage far in excess of them not having to deal with spam domains.

Consolidation when consolidation is unnecessary should raise questions.

If you think it's possible for anyone, registrar or no, to "quietly" change the NS records for google.com., you're confused.

NS records often change, especially in the additive, all the time. Google could do this all day every day and no one would notice. What you meant to say is that people would notice if MarkMonitor changed them without Google's permission. But that would never happen - they would certainly have Google corporate's permission before using this power. The geeks in engineering who care would hopefully object to a massive MITM surveillance system, but with this, their assistance is no longer required.

And that's the beauty. Herding the cats in engineering at Google and Facebook to spy on everyone is difficult. Many of them might even quit their jobs before doing such a thing. Best to wedge a soulless anti-spam group between the happy consumer company and the Internet and get the blessing of a couple of CEOs who have been told that compliance is not optional.

Not instantly, because google.com's glue records have a 2-day TTL.

Verisign has the ability to alter DNS glue records for .com and they have the ability to issue browser-trusted certificates, except in cases of browser cert pinning functionality or extensions (like CertPatrol) that check for certs being altered before they're nearly expired.

Registrars can instruct Verisign to alter the glue records for .com domains. Are you saying Verisign has special policies in place to double check with major companies before changing their respective glue records?

Do any browsers pin certs by default? I haven't heard of CertPatrol, but alerting when a cert changes well before expiration seems like a good default.
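The known_hosts-style behaviour asked about above (and the "altered before they're nearly expired" check the CertPatrol comment mentions) is simple enough to show in full. This is an added example, not code from the thread, from CertPatrol or from any browser: a trust-on-first-use pin store keyed by hostname that records the SHA-256 fingerprint and expiry of the last certificate seen, and distinguishes a plausible renewal (old cert close to expiry) from a suspicious swap (new cert appearing long before the old one expired). Certificates are modelled as DER bytes plus a notAfter string in the format Python's `ssl.getpeercert()` returns; the DER bytes and the 30-day window are constructed assumptions.

```python
"""Trust-on-first-use certificate pinning, in the spirit of ~/.ssh/known_hosts.

Added example for the thread above; not code from CertPatrol or any browser.
Certificates are modelled as (DER bytes, notAfter string), the notAfter
format being the one ssl.getpeercert() uses, e.g. 'Jun 10 12:00:00 2013 GMT'.
The DER byte strings in demo() are constructed placeholders, not real certs."""

import hashlib
import ssl

# Assumption: a certificate replaced within 30 days of its expiry is a
# normal renewal; one replaced earlier than that deserves a warning.
RENEWAL_WINDOW_SECONDS = 30 * 24 * 3600


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding, as browsers display it."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """hostname -> (fingerprint, notAfter) of the last certificate accepted."""

    def __init__(self):
        self.pins = {}

    def check(self, host, der_bytes, not_after, now):
        """Classify an observed certificate for `host`.

        Returns 'first-use' (pinned now), 'match' (same cert as pinned),
        'rotated' (new cert, old one was about to expire) or
        'changed' (new cert while the old one had plenty of life: alert).
        `now` is POSIX seconds; `not_after` is in getpeercert() format.
        """
        fp = fingerprint(der_bytes)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = (fp, not_after)
            return "first-use"
        old_fp, old_not_after = pinned
        if fp == old_fp:
            return "match"
        # ssl.cert_time_to_seconds parses the getpeercert() date format (UTC).
        old_expiry = ssl.cert_time_to_seconds(old_not_after)
        self.pins[host] = (fp, not_after)  # accept, but report how it looked
        if old_expiry - now <= RENEWAL_WINDOW_SECONDS:
            return "rotated"
        return "changed"


def demo():
    """Walk a constructed sequence of observations for one host."""
    store = PinStore()
    cert_a, cert_b, cert_c = b"constructed-der-A", b"constructed-der-B", b"constructed-der-C"
    t = ssl.cert_time_to_seconds  # reuse the parser to build timestamps
    events = [
        # (host, DER, notAfter of that cert, time of observation)
        ("www.example.com", cert_a, "Dec 31 23:59:59 2013 GMT", t("Feb 17 12:00:00 2012 GMT")),
        ("www.example.com", cert_a, "Dec 31 23:59:59 2013 GMT", t("Mar 15 12:00:00 2012 GMT")),
        # a different cert while the pinned one had ~21 months left
        ("www.example.com", cert_b, "Dec 31 23:59:59 2014 GMT", t("Apr 10 12:00:00 2012 GMT")),
        # a different cert 16 days before the pinned one expires
        ("www.example.com", cert_c, "Dec 31 23:59:59 2015 GMT", t("Dec 15 12:00:00 2014 GMT")),
    ]
    return [store.check(*event) for event in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In a real client the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` and the notAfter string from `getpeercert()`; the store would need to persist across runs and the user would decide whether to accept a `changed` verdict, exactly the prompt known_hosts gives on a changed host key.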

Chrome has certain google.com certificates (maybe all of them) pinned.

{accounts, mail, docs}.google.com (at least) have HSTS forced and preloaded in Chrome, but www.google.com does not.

I'd love to see where you found this information. I wasn't able to find it in Chrome's source, but I didn't have the chance to do a deep dive.

At the end of the day, all the mentioned companies need to trust their domain name registrations to someone and just like normal people can use Namecheap or Gandi as their domain name registrar, big companies seem to use MarkMonitor because the services they provide are useful to them.

Last.fm also uses MarkMonitor and they explained why here: http://news.ycombinator.com/item?id=3687600

amazon.com isn't under this switch.

Some local services - yandex.com, mail.ru, vk.com, ozon.ru, rutracker.org, lenta.ru, ok.ru - are all unaffected. I bet Chinese resources are unaffected too.

What the hell is going on here? I understand that this might be a legitimate company, but I don't see Google having any need for such a thing, let alone to the point where they'd just surrender their domain name to them.

Does anyone have more information on this?

They didn't surrender their domain name - they're just using them as registrar. Google still runs their own authoritative DNS servers.

Google is also a registrar (I think just for .com/.net domains). I guess they don't want to deal with dozens of ccTLDs.

