VeriSign Demands The Power To Take Down Websites/Domains

I was scanning the news today, and nothing much was going on. There were some half-arsed stories about Anonymous and LulzSec – but nothing really worth writing about. And then, and then I spotted this, which quite frankly scares the shit out of me.

As much as it may well have a use in law enforcement, I’m sorry but I don’t want any single organization, corporation or entity to have the power to take out domains.

It’s just plain wrong, and well the UK has already started tabling something like this back in September.

VeriSign, which manages the database of all .com internet addresses, wants powers to shut down “non-legitimate” domain names when asked to by law enforcement.

The company said today it wants to be able to enforce the “denial, cancellation or transfer of any registration” in any of a laundry list of scenarios where a domain is deemed to be “abusive”.

VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process”, according to a document it filed today with domain name industry overseer ICANN.

The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.

That seizure process has come under fire because, in at least one fringe case, a seized .com domain’s website had already been ruled legal by a court in its native Spain.

Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.

But the new powers would be international and, according to VeriSign’s filing, could enable it to shut down a domain also when it receives “requests from law enforcement”, without a court order.

Yes VeriSign do manage all the .com and .net domains, but they aren’t technically ruled under the US jurisdiction – there are plenty of .com domains that are hosted outside of the US, including the DNS infrastructure.

What I’m especially interested in, is how they plan to handle the fact that lots of things are illegal in some countries and perfectly legal in others. The part that scares me is they will be able to take down a domain without a court order, just on ‘request’ from a law enforcement agency.

To me, that opens it up to abuse – if you are going to do something like this, at least institute a due process to manage it properly.

“Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names,” VeriSign told ICANN, describing its system as “an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure”.

The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.

It’s not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.

VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.

The request also separately asks for permission to launch a “malware scanning service”, not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.

That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free “informational only” security report to the registrar responsible for the domain, which would then be able to take re-mediation action. It would be a voluntary service.

Scary thoughts really. However the malware scanning service sounds like something that would help the Internet clean up all the nasty stuff, but then again – do the registrars really care, and would they respond?

Either way, I don’t like the fact that these draconian control laws may be placed on the Internet as we know – that basically allow US law enforcement agencies to take down domains as they please.

What I’m guessing, if this is implemented, it may well become a major target for Social Engineering efforts. What’s more effective than a traditional DDoS attack? Having the domain completely killed by VeriSign – that’s what.

Source: The Register

Posted in: Legal Issues, Social Engineering, Web Hacking

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

8 Responses to VeriSign Demands The Power To Take Down Websites/Domains

  1. etcwarrionr October 12, 2011 at 3:16 pm #

    Last week’s edition of The Economist had a leader and IGF report on Internet governance that I think you would agree with.

  2. droope October 12, 2011 at 3:53 pm #

    The internet is free. They can try and attemp as much as they would like, but it will remail free and open.

    it’s just another reason not to own a .com :)

  3. Mayank October 13, 2011 at 10:27 am #

    This is scary! They’ll do anything they like in the name of good and take down sites, where do you complain when the person who owns it lives in a completely different continent? Send mails??? This is NOT good no matter how good the intentions are!

  4. xero October 13, 2011 at 2:22 pm #

    wouldnt the solution to this just be dont use .com/.net? there are plenty of international domains that are open to anyone, and not “ruled” by verisign. .NU for instance ;D

    • Darknet October 17, 2011 at 1:55 pm #

      Or :D

  5. Magick October 14, 2011 at 12:51 pm #

    The US is attempting to move from manufactured industrial goods to “Intellectual Property” as its primary export. I guess that there are some who feel that the country is “above all that dirty manufacturing of things. This group is convinced that our ideas, either patented, copyrighted or trademarked are so valuable around the world that other countries will pay outrageous sums just to use them and will also build stuff for us simply because we ask them too since we are (were) the last “Superpower” on the planet. No matter that our “power” is purely military.

    Today ICE is playing henchman for the RIAA and MPAA leaving due process, judicial review the right to confront ones accuser completely off the playing field. Those same groups (RIAA/MPAA) strong-arming American ISPs and other nations to implement draconian “Three-strikes” policies where merely being accused of copyright infringement can be grounds for losing ones ability to access the Internet. Obama signed ACTA knowing full well that it contains clauses unlawful under the Constitution and without approval of the House or Senate necessary for “Trade Agreements” and Treatise.

    The last ditch efforts of a dying economic powerhouse. One can only hope that the USA will not use its last remaining advantage, high-tech long range military terrorism in an attempt to maintain the status-quo.

    Our elected officials, especially those in the executive branch are by far the greatest threat to the Constitution of the United States and to World Peace.

  6. Bogwitch October 14, 2011 at 10:54 pm #

    The terminology of the requirement concerns me somewhat.
    “…requests of law enforcement or other governmental or quasi-governmental agency”
    So, anyone with an air of officialdom?
    when I was employed within government, could I have ‘requested’ Google, Facebook etc. be taken down due to the issues with privacy violations?
    I suspect that the endemic abuse of users will be allowed to persist as long as it keeps the $$$ rolling in from the bigger sites and it will become, along with all the current IP litigation, an environment where lawyers will get fatter while the rest of us pay a premium for the privilege.

  7. bob October 22, 2011 at 8:35 pm #

    verisign, along with similar-minded compaines and authorities, need to do less demanding and stop trying to play god over the internet. i predict that if they get this power then the number of hacker ‘activities’ will increase.