Registrar Killing Zoho Over A Few Phishing Claims Demonstrates The Ridiculousness Of Having Registrars Police The Internet

from the this-is-not-good dept

Fri, Sep 28th 2018 12:04pm — Mike Masnick

For years, we've pointed out the dangers of the attempts to move the "policing" function up the internet stack (or down the internet stack, depending on your perspective) from the end-user internet services deeper to infrastructure players. We just recently warned about the mess that will be created by focusing on infrastructure players. Indeed, for years, we've worried about targeting domain registrars with takedown notices. There are a variety of reasons for this: first off, registrars are not at all prepared to be in the content moderation business. They just run a database. But, more importantly, their only tool to deal with these things is incredibly blunt: to effectively turn off an entire site by not allowing the URL to resolve.

And yet, there's increasing pressure for registrars to police the internet. This is mostly because of people (starting with the legacy copyright players, but others as well) over-hyping the fact that if some content/services are taken down, it just pops back up somewhere else. So, those who focus on censorship try to look further and further along the stack to see where they can block even more.

A story this week shows just how damaging this can be. Zoho is a very popular online service provider of tools for businesses. We've used Zoho a bunch at times, as they offer a really nice and fairly comprehensive suite of business apps at prices that are much more affordable than many of the larger players (while often being just as good, if not better). But earlier this week Zoho disappeared from the internet for a lot of users, after its registrar, Tierranet pulled the plug on their service, claiming it had received too many complaints of phishing attempts via Zoho. Zoho points out in response that (1) it had received a grand total of three reports from Tierranet of attempting phishing, and it had promptly removed the first two accounts and was in the process of investigating the third when all this went down, and (2) it received no warning that Tierranet was about to pull the plug on them and was given no way to reach out to the company in this emergency situation (leading the company to take to Twitter to try to get attention).

But, because Tierranet decided it needed to "police the internet" with its ridiculously blunt tool of completely removing an entire service from the internet -- despite its millions of users who rely on it for critical business services -- Zoho was put in the unenviable position of trying to explain why its entire suite of services completely disappeared. Apparently, (according to Zoho's explanation) Tierranet will automatically cut off websites after receiving three complaints -- which is astounding. It's even more astounding that a service the size of Zoho only received three such complaints. In a detailed post mortem / apology, the company says it's going to become its own registrar to avoid having anything like this happen again.

You have my assurance that nothing like this will ever happen again. We will not let our fate be determined by the automated algorithms of others. We will be a domain registrar ourselves.

But, really, every internet service out there shouldn't have to be their own registrar to avoid having someone take down their whole site for no good reason. We need to rethink this idea that someone must be policing every interaction online and that if anything bad gets through, liability and blame should flow through to everyone in the stack. It's not only a recipe for mass censorship, but for one that takes down important services by good actors.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: domains, infrastructure, intermediary liability, phishing, points of failure, registrars
Companies: tierranet, zoho

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Gary (profile), 28 Sep 2018 @ 12:07pm

Mass
Mass Censorship and Mass Surveillance go hand in hand. The movie studios would love to see vast sections of the internet taken down until nothing was left but a few walled gardens. They hate us for our freedoms!
[ link to this | view in chronology ]
- Anonymous Coward, 28 Sep 2018 @ 12:41pm
  
  Re: Mass
  It will end with bots automatically flagging every post and letting the repercussions fall as they may.
  [ link to this | view in chronology ]
- Bergman (profile), 28 Sep 2018 @ 4:22pm
  
  Re: Mass
  Given how hard it is to prove a 512(f) DMCA violation, you'd think someone might weaponize this against the movie studios -- and see how much they like it then!
  [ link to this | view in chronology ]
Anonymous Coward, 28 Sep 2018 @ 12:55pm

One doesn't have to become their own registrar to mitigate this kind of situation. You simply diversify the dns services you use for name resolution. This also partially shields you from DDoS attacks that take down dns servers. With very long TTL values in your zones your domain name(s) will continue to resolve even if some of your dns servers stop resolving your names.

However, being your own registrar is the only way to prevent a registrar from locking down your names and poisoning or deleting the upstream pointers. Unfortunately it's also very expensive to become your own registrar. Until we design the next iteration of the net and remove the single points of failure/responsibility from the system this will always be a problem.

In the meantime, speak with your wallet. Don't use registrars or other services that allow this kind of crap to happen.
[ link to this | view in chronology ]
- Anonymous Coward, 28 Sep 2018 @ 1:32pm
  
  Re:
  >Until we design the next iteration of the net and remove the single points of failure/responsibility from the system this will always be a problem.
  
  How do you propose to do that for:
  1)IP or equivalent network level addresses.
  2)Readable site names
  
  where uniqueness of address and name have to be guaranteed.
  
  ICANN like structures are the way to achieve this.
  [ link to this | view in chronology ]
  - Anonymous Coward, 28 Sep 2018 @ 1:48pm
    
    Re: Re:
    Namecoin is a proposal for readable site names. An onion-routing system like Tor can reduce the need for long-term IP addresses.
    [ link to this | view in chronology ]
    - Anonymous Coward, 28 Sep 2018 @ 2:39pm
      
      Re: Re: Re:
      The main question is not long or short term use, but rather unique names and addresses, and reliable mapping from name to address.
      
      Also, a long term address assignment allows names resolution to be bypasses if necessary to bypass name resolution filtering.
      [ link to this | view in chronology ]
      - Anonymous Coward, 28 Sep 2018 @ 3:05pm
        
        Re: Re: Re: Re:
        Namecoin makes it hard to block specific names. If one chose to point it at .onion addresses only (is that possible?) it would not need to resolve to anything blockable like an IP address.
        
        (Tor still runs over IP, and IP addresses can be blocked; but one cannot easily see the real IP, and these are "short-term" dependencies because failed/blocked connections will automatically reroute to different IPs.)
        [ link to this | view in chronology ]
  - tom sparks, 28 Sep 2018 @ 3:52pm
    
    Re: Re:
    [NU Alternative Domain System (GADS)](https://gnunet.org/schanzen2012thesis) is an option it use personal nicknames and 6 degrees of separation domain names
    [ link to this | view in chronology ]
    - Anonymous Coward, 29 Sep 2018 @ 2:25am
      
      Re: Re: Re:
      I see two problems with it:
      
      Last time I looked, it was ultra complicated to integrate into your app and it was still in 0.x after years of development.
      
      It requires intervention from the user. Requiring intervention for technical things is bad for widespread adoption, as can be seen with PGP.
      
      [ link to this | view in chronology ]
- Anonymous Coward, 28 Sep 2018 @ 2:33pm
  
  Re:
  
  You simply diversify the dns services you use for name resolution.
  
  ...Which doesn't help when someone goes after your registrar, as in this story.
  
  With very long TTL values in your zones your domain name(s) will continue to resolve even if some of your dns servers stop resolving your names.
  
  That would only help users who already have it cached (or whose upstream server does), if it helps at all. It's designed for when servers disappear, not when upstream servers are actively (and validly) replying NXDOMAIN for you.
  [ link to this | view in chronology ]
- Bergman (profile), 28 Sep 2018 @ 4:24pm
  
  Re:
  Even if you are your own registrar, nothing prevents someone acting in bad faith from forging pointers to take you down -- that's one of the main weaknesses of the DNS system.
  [ link to this | view in chronology ]
Anonymous Coward, 28 Sep 2018 @ 12:58pm

Good luck

We will not let our fate be determined by the automated algorithms of others. We will be a domain registrar ourselves.

Every domain registrar so far is subservient to another. Zoho is under com., meaning Verisign can be targeted; for several hundred thousand dollars they could put themselves in ., the root zone, which still leaves them under IANA/ICANN. These are all US corporations.

They could instead put themselves outside of the regular DNS, e.g. by using a Tor Orion Service, but then would they really be a "registrar"?
[ link to this | view in chronology ]
Thad (profile), 28 Sep 2018 @ 2:29pm

While I don't think hosting providers or content platforms should be treated as utilities or public squares, I think there's an argument to make that domain name registrars should be. If there were a regulation requiring registrars to provide service to everyone and never take down a domain without a court order, I think that would be defensible.
[ link to this | view in chronology ]
tom (profile), 28 Sep 2018 @ 2:33pm

Sounds like it is time to file a few phishing complaints against Tierranet.
[ link to this | view in chronology ]
- Anonymous Coward, 28 Sep 2018 @ 3:09pm
  
  Re:
  Interesting--they are actually their own registrar:
  Domain Name: TIERRA.NET
  Registrar: TIERRANET INC. DBA DOMAINDISCOVER
  [ link to this | view in chronology ]
  - Bergman (profile), 28 Sep 2018 @ 4:26pm
    
    Re: Re:
    Not enforcing their own removal policy can cause them to lose big time in a lawsuit, as Cox recently found out.
    [ link to this | view in chronology ]
Primo Geek (profile), 28 Sep 2018 @ 6:44pm

While I have some sympathy to Zoho, it appears to be a typical story where abuse handling and infrastructure security are treated as costs to be avoided by startups who are more concerned about playing on the company ping pong tables in between "disrupting" business. As someone who spends a lot of time combating phishing attacks I can tell you it is incredibly frustrating trying to get anyone to respond to a complaint. I regard registrars as the nuclear option but when you can't get a response and thousands of victims are being created every hour sometimes that button needs to be pressed. I suspect the phishing complaints were first placed with, and ignored by, Zoho. Having a registrar handle it is an imperfect solution but I would welcome a reasonable alternative that doesn't result in criminals being immune hiding behind a provider that doesn't respond
[ link to this | view in chronology ]
- Anonymous Coward, 29 Sep 2018 @ 11:18am
  
  Re:
  And I'd be open to a solution that doesn't punish a few million other people in order to *maybe* slow down the criminals for a few hours. But to each their own.
  
  Of course, seems like the easy solution would be for you and your anti-phishing comrades to publish a usable blacklist of phishing domains a la adblockers. No need to worry about (lack of) responses from hosting companies if the attacks are blocked at the receiving end.
  [ link to this | view in chronology ]
Anonymous Coward, 29 Sep 2018 @ 1:56am

Sue the registrar
I wonder if it would lead anywhere suing the registrar. One could complain about losses of revenue or more generally not being able to conduct business.
[ link to this | view in chronology ]
Tanner Andrews (profile), 29 Sep 2018 @ 10:53am

Zoho and Legitimate Services
I guess I was mos surprised to see that someone was using them for legitimate servcies. Normally when I see them it is where they are promoting some sort of dodgy advertising or co-branding campaign in which they would like me to take part.

So far I have declined their "pink" invitations.
[ link to this | view in chronology ]
Not.You, 29 Sep 2018 @ 11:48am

Same thing happened to JotForm a while back (2012)
Except JotForm was taken down by the federal government. It was amazingly stupid and heavy-handed and the non-profit where I work was effectively unable to take donations while it was down. Like Zoho, JotForm also serves a very useful function, making webforms super simple,so of course some idiots will use it for phishing. We still use it for several webforms including our donation form. At the time JotForm was literally forced to register a .net domain to get back up and running and now their .com and .net pages are essentially mirrored in case anyone gets another dumb idea.
[ link to this | view in chronology ]
Ed, 29 Sep 2018 @ 3:10pm

Brilliant idea
But why stop so far down the stack?
Ban .mp4
Then .avi
Then...
No piracy!
[ link to this | view in chronology ]
Éibhear (profile), 1 Oct 2018 @ 2:42am

Denial of Service vulnerability
> Apparently, (according to Zoho's explanation) Tierranet will automatically cut off websites after receiving three complaints

Well. There's a 0-day DoS vulnerability right there.
[ link to this | view in chronology ]
spamvictim (profile), 1 Oct 2018 @ 10:57am

Sometimes you only get what you pay for
Registrars turn off thousands of phishing domains every day, and you never hear about it, because they don't make very many mistakes, and the Internet would be much more unpleasant if they didn't. No question, turning off zoho.com was a mistake, but I have to ask, what was Zoho thinking?

There are a thousand registrars (and tens of thousands of resellers) and their services vary greatly. Tierranet's market is individuals and small businesses with low value names. They charge $12/yr for a .com. How much personal attention do you think you've bought for that price?

If your domain is valuable, registrars like Markmonitor and CSC will provide much more secure service at a much higher price, and won't casually turn you off. If you don't treat your domain like it's valuable, why should anyone else treat it that way?

By the way, I expect that Zoho has other reasons for becoming their own registrar, like selling domains to their customers. If you just want to protect one high-value name, a name at Markmonitor is a lot cheaper than running an entire registry.
[ link to this | view in chronology ]