
They are the REGISTRAR of the domains - they are not hosting DNS for the domains. The fact that they manage the registration is completely irrelevant from a wiretapping point-of-view.

If true, the fact that they have a CA is what allows them to wiretap. But they don't need control of DNS to do that - just cooperation of an ISP.




The fact that they manage the registration is completely irrelevant from a wiretapping point-of-view.

As the registrar, you specify which DNS servers are authoritative for the domain. It is much easier for the registrar to quietly change a domain than any other 3rd party in the system.

That in itself isn't scary. Lots of people use(d) GoDaddy, eNom, etc. Another commenter pointed out that Last.fm likes the service because it abstracts the pain of domain registration.

But does Google care about the pain of registering Google in new TLDs? Does Facebook worry that their domain will expire due to an out of date credit card? Using a third party service introduces risk of failures out of your control. Any interruption to these major providers will cause damage far in excess of them not having to deal with spam domains.

Consolidation when consolidation is unnecessary should raise questions.

-----


If you think it's possible for anyone, registrar or no, to "quietly" change the NS records for google.com., you're confused.

-----


NS records often change, especially in the additive, all the time. Google could do this all day every day and no one would notice. What you meant to say is that people would notice if MarkMonitor changed them without Google's permission. But that would never happen - they would certainly have Google corporate's permission before using this power. The geeks in engineering who care would hopefully object to a massive MITM surveillance system, but now their assistance is no longer required.

And that's the beauty. Herding the cats in engineering at Google and Facebook to spy on everyone is difficult. Many of them might even quit their jobs before doing such a thing. Best to wedge a soulless anti-spam group between the happy consumer company and the Internet and get the blessing of a couple of CEOs who have been told that compliance is not optional.

-----


Not instantly, because google.com's glue records have a 2-day TTL.

Verisign has the ability to alter DNS glue records for .com and they have the ability to issue browser-trusted certificates, except in cases of browser cert pinning functionality or extensions (like CertPatrol) that check for certs being altered before they're nearly expired.

Registrars can instruct Verisign to alter the glue records for .com domains. Are you saying Verisign has special policies in place to double check with major companies before changing their respective glue records?

-----


Do any browsers pin certs by default? I haven't heard of CertPatrol, but alerting when a cert changes well before expiration seems like a good default.

-----


Chrome has certain google.com certificates (maybe all of them) pinned.

{accounts, mail, docs}.google.com (at least) have HSTS forced and preloaded in Chrome, but www.google.com does not.

-----
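The two client-side checks discussed above, the CertPatrol-style "alert if a certificate is replaced long before it expires" heuristic and the Chrome-style fixed pin set for particular hosts, as an added Python example (not code from this thread, from CertPatrol or from Chrome). The Observation fields, the 30-day threshold and the byte strings standing in for DER certificates are assumptions/constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    """One TLS handshake as seen by the client (field set is an assumption)."""
    host: str
    seen_at: datetime
    cert_der: bytes      # certificate as presented by the server
    not_after: datetime  # expiry date parsed from that certificate


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes: the identity a CertPatrol-style tool remembers."""
    return hashlib.sha256(cert_der).hexdigest()


class CertWatch:
    """Pinned hosts: reject any cert outside the pin set, whatever its expiry.
    Unpinned hosts: alert when a cert is replaced long before the old one expires."""

    def __init__(self, pins=None, early_days=30):
        self.pins = pins or {}               # host -> set of allowed fingerprints
        self.early = timedelta(days=early_days)
        self.last = {}                       # host -> last Observation seen

    def check(self, obs: Observation) -> str:
        fp = fingerprint(obs.cert_der)
        if obs.host in self.pins:
            return "ok-pinned" if fp in self.pins[obs.host] else "PIN-VIOLATION"
        prev, self.last[obs.host] = self.last.get(obs.host), obs
        if prev is None:
            return "first-seen"
        if fingerprint(prev.cert_der) == fp:
            return "unchanged"
        left = prev.not_after - obs.seen_at  # how much life the old cert still had
        if left > self.early:
            return f"EARLY-CHANGE:{left.days}d-left"
        return "rotated-near-expiry"


# Constructed sample data (not real certificates): byte strings stand in for DER.
OLD_CERT, NEW_CERT, ROGUE_CERT = b"der:mail-2011", b"der:mail-2012", b"der:rogue"


def demo():
    w = CertWatch(pins={"accounts.google.com": {fingerprint(OLD_CERT)}})
    t0, exp = datetime(2011, 6, 1), datetime(2012, 6, 1)
    return [
        w.check(Observation("www.example.com", t0, OLD_CERT, exp)),
        w.check(Observation("www.example.com", t0 + timedelta(days=1), ROGUE_CERT, exp)),
        w.check(Observation("www.example.com", datetime(2012, 5, 20), NEW_CERT, datetime(2013, 6, 1))),
        w.check(Observation("accounts.google.com", t0, OLD_CERT, exp)),
        w.check(Observation("accounts.google.com", t0, ROGUE_CERT, exp)),
    ]
```

The second observation is the case the thread worries about: a different certificate a year before the old one expires, which the heuristic flags while a routine rotation close to expiry passes.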


I'd love to see where you found this information. I wasn't able to find it in Chrome's source, but I didn't have the chance to do a deep dive.

-----


http://www.imperialviolet.org/2011/05/04/pinning.html

http://blog.chromium.org/2011/06/new-chromium-security-featu...

as well as empirical Chrome behavior.

-----



