Registrar Killing Zoho Over A Few Phishing Claims Demonstrates The Ridiculousness Of Having Registrars Police The Internet
from the this-is-not-good dept
For years, we've pointed out the dangers of the attempts to move the "policing" function up the internet stack (or down the internet stack, depending on your perspective) from the end-user internet services deeper to infrastructure players. We just recently warned about the mess that will be created by focusing on infrastructure players. Indeed, for years, we've worried about targeting domain registrars with takedown notices. There are a variety of reasons for this: first off, registrars are not at all prepared to be in the content moderation business. They just run a database. But, more importantly, their only tool to deal with these things is incredibly blunt: to effectively turn off an entire site by not allowing the URL to resolve.
And yet, there's increasing pressure for registrars to police the internet. This is mostly because of people (starting with the legacy copyright players, but others as well) over-hyping the fact that if some content/services are taken down, it just pops back up somewhere else. So, those who focus on censorship try to look further and further along the stack to see where they can block even more.
A story this week shows just how damaging this can be. Zoho is a very popular online service provider of tools for businesses. We've used Zoho a bunch at times, as they offer a really nice and fairly comprehensive suite of business apps at prices that are much more affordable than many of the larger players (while often being just as good, if not better). But earlier this week Zoho disappeared from the internet for a lot of users, after its registrar, Tierranet pulled the plug on their service, claiming it had received too many complaints of phishing attempts via Zoho. Zoho points out in response that (1) it had received a grand total of three reports from Tierranet of attempting phishing, and it had promptly removed the first two accounts and was in the process of investigating the third when all this went down, and (2) it received no warning that Tierranet was about to pull the plug on them and was given no way to reach out to the company in this emergency situation (leading the company to take to Twitter to try to get attention).
But, because Tierranet decided it needed to "police the internet" with its ridiculously blunt tool of completely removing an entire service from the internet -- despite its millions of users who rely on it for critical business services -- Zoho was put in the unenviable position of trying to explain why its entire suite of services completely disappeared. Apparently, (according to Zoho's explanation) Tierranet will automatically cut off websites after receiving three complaints -- which is astounding. It's even more astounding that a service the size of Zoho only received three such complaints. In a detailed post mortem / apology, the company says it's going to become its own registrar to avoid having anything like this happen again.
You have my assurance that nothing like this will ever happen again. We will not let our fate be determined by the automated algorithms of others. We will be a domain registrar ourselves.
But, really, every internet service out there shouldn't have to be their own registrar to avoid having someone take down their whole site for no good reason. We need to rethink this idea that someone must be policing every interaction online and that if anything bad gets through, liability and blame should flow through to everyone in the stack. It's not only a recipe for mass censorship, but for one that takes down important services by good actors.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: domains, infrastructure, intermediary liability, phishing, points of failure, registrars
Companies: tierranet, zoho
Reader Comments
Subscribe: RSS
View by: Time | Thread
Mass
[ link to this | view in thread ]
Re: Mass
[ link to this | view in thread ]
However, being your own registrar is the only way to prevent a registrar from locking down your names and poisoning or deleting the upstream pointers. Unfortunately it's also very expensive to become your own registrar. Until we design the next iteration of the net and remove the single points of failure/responsibility from the system this will always be a problem.
In the meantime, speak with your wallet. Don't use registrars or other services that allow this kind of crap to happen.
[ link to this | view in thread ]
Good luck
Every domain registrar so far is subservient to another. Zoho is under com., meaning Verisign can be targeted; for several hundred thousand dollars they could put themselves in ., the root zone, which still leaves them under IANA/ICANN. These are all US corporations.
They could instead put themselves outside of the regular DNS, e.g. by using a Tor Orion Service, but then would they really be a "registrar"?
[ link to this | view in thread ]
Re:
How do you propose to do that for:
1)IP or equivalent network level addresses.
2)Readable site names
where uniqueness of address and name have to be guaranteed.
ICANN like structures are the way to achieve this.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
...Which doesn't help when someone goes after your registrar, as in this story.
That would only help users who already have it cached (or whose upstream server does), if it helps at all. It's designed for when servers disappear, not when upstream servers are actively (and validly) replying NXDOMAIN for you.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re:
Also, a long term address assignment allows names resolution to be bypasses if necessary to bypass name resolution filtering.
[ link to this | view in thread ]
Re: Re: Re: Re:
(Tor still runs over IP, and IP addresses can be blocked; but one cannot easily see the real IP, and these are "short-term" dependencies because failed/blocked connections will automatically reroute to different IPs.)
[ link to this | view in thread ]
Re:
Domain Name: TIERRA.NET
Registrar: TIERRANET INC. DBA DOMAINDISCOVER
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Mass
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Sue the registrar
[ link to this | view in thread ]
Re: Re: Re:
I see two problems with it:
[ link to this | view in thread ]
Zoho and Legitimate Services
So far I have declined their "pink" invitations.
[ link to this | view in thread ]
Re:
Of course, seems like the easy solution would be for you and your anti-phishing comrades to publish a usable blacklist of phishing domains a la adblockers. No need to worry about (lack of) responses from hosting companies if the attacks are blocked at the receiving end.
[ link to this | view in thread ]
Same thing happened to JotForm a while back (2012)
[ link to this | view in thread ]
Brilliant idea
Ban .mp4
Then .avi
Then...
No piracy!
[ link to this | view in thread ]
Denial of Service vulnerability
Well. There's a 0-day DoS vulnerability right there.
[ link to this | view in thread ]
Sometimes you only get what you pay for
There are a thousand registrars (and tens of thousands of resellers) and their services vary greatly. Tierranet's market is individuals and small businesses with low value names. They charge $12/yr for a .com. How much personal attention do you think you've bought for that price?
If your domain is valuable, registrars like Markmonitor and CSC will provide much more secure service at a much higher price, and won't casually turn you off. If you don't treat your domain like it's valuable, why should anyone else treat it that way?
By the way, I expect that Zoho has other reasons for becoming their own registrar, like selling domains to their customers. If you just want to protect one high-value name, a name at Markmonitor is a lot cheaper than running an entire registry.
[ link to this | view in thread ]