New flap over SOPA copyright bill: Anti-Web security?

Hollywood-backed legislation to knock suspected copyright-infringing Web sites offline could hinder efforts to secure Internet domain names, a key member of Congress said today.

Rep. Dan Lungren, who heads the Homeland Security subcommitteee on cybersecurity, said his panel has been working on ways to tighten the security of the Internet's domain names through a set of security improvements called DNSSEC.

An "unintended consequence" of the Stop Online Piracy Act, or SOPA, would be to "undercut the real effort that would practically help us secure the Internet" through DNSSEC, Lungren said during a hearing this morning. "That's bothersome to me."

The hearing, before a different committee, was supposed to evaluate whether SOPA would be a good idea, including how it would affect the Internet's domain name system. The only problem? Rep. Lamar Smith, the House Judiciary chairman, didn't invite any witnesses who knew anything about domain names or a set of security improvements called DNSSEC. (See CNET roundup of related articles.)

When the topic came up this morning, one by one, each witness -- including a lobbyist for the Motion Picture Association of America -- said they weren't qualified to discuss it or DNSSEC.

"If we're going to do it we ought to at least talk about it," said Lungren, who represents a congressional district near Sacramento, Calif. "Saying we're not going to take a position or we're not experts on this is upsetting." (DNSSEC came up at one of Lungren's Homeland Security hearings as recently as last month.)

SOPA, which was introduced last month in the House to the applause of lobbyists for Hollywood and other large content holders, is designed to make allegedly copyright-infringing Web sites, sometimes called "rogue" Web sites, virtually disappear from the Internet. It allows the Justice Department to seek a court order against an allegedly piratical Web site and serve that on Internet-related companies including search engines and domain name system (DNS) providers.

DNSSEC is intended to solve a problem that dates back to the Internet's more innocent early days, when security problems weren't the significant concern that they are today. By allowing Web sites to digitally sign their domain name entries, impersonating bank or credit card companies becomes more difficult.

That technique is designed to prevent malware from infecting computers and directing them to rogue sites, which would mean typing in bankofamerica.com would point you to a fake Web site without your knowledge. (Here's the FBI's description of how malware named DNSChanger infected approximately 4 million computers.)

For months, if not longer, technologists have been warning that SOPA and its Senate predecessor called the Protect IP Act are incompatible with DNSSEC.

An analysis (PDF) prepared by five Internet researchers this spring lists the problems with that approach. Among them: it's "incompatible" with DNSSEC, innocent Web sites will be swept in as "collateral damage," and the blacklist can be bypassed by using the numeric Internet address of a Web site. The address for CNET.com, for instance, is currently 64.30.224.118.

They say: "A legal mandate to operate DNS servers in a manner inconsistent with end-to-end DNSSEC would therefore interfere with the rollout of this critical security technology and stifle this emerging platform for innovation."

The paper was authored by Steve Crocker, a longtime member of the Internet Engineering Task Force; David Dagon, a post-doctoral researcher at Georgia Institute of Technology; security researcher Dan Kaminsky; Verisign Chief Security Officer Danny McPherson; and Paul Vixie, chairman of the Internet Systems Consortium and principal author of popular versions of the BIND DNS server software.

Andrew Lee, the chief executive of the ESET security firm's North American operations, wrote a letter to Congress yesterday urging them to reject SOPA and its Senate cousin:

More than 100 million Internet users in over 180 countries rely on ESET products to protect their personal and enterprise data systems. This gives ESET a unique perspective on the DNS filtering proposed by SOPA and PIPA. There is hardly any part of the United States economy today that does not depend upon the smooth operation of the Internet, which in turn relies upon the integrity of the Domain Name system (DNS). The DNS filtering proposed in SOPA and PIPA would seriously undermine that integrity.

For its part, the Motion Picture Association of America has argued that an Internet death penalty will not break DNSSEC.