There have been a huge uproar over SOPA lately. I thought I would weigh in on it because the Internet is so integral to my life and livelihood.
I am against SOPA because it breaks a foundational aspect of the Internet – reliability and security. In geekspeak, SOPA breaks the domain name system (DNS).
What is DNS and how does it work?
A DNS server is a computer that converts a human-readable web address (like google.com) to a string of numbers – the IP address – that corresponds to a web server (in this case, 74.125.226.52). There are millions of these DNS servers all over the world, and working together, they make the Internet accessible to everyone. The accuracy guaranteed by DNS makes the Internet a great place to express oneself and do business. By construction, DNS guarantees that wherever you are in the world, at any time, when you type in www.samuelhwong.com, you are connected to my web server, which “serves” you my blog. It’s guaranteed that you won’t be seeing something you didn’t ask for and it protects my identity on the web.
The reliability of DNS was built into the system. DNS servers all over the world replicate and cache DNS entries from each other. Only one server has the authority to make changes to a particular DNS record; the rest of the Internet must replicate and cache it. In general, DNS records have a Time To Live (TTL) of 24 hours, which means that if a domain name is modified (i.e. I want to point it to another IP address), the change will propagate worldwide within 24 hours. This is amazing stuff and makes for a very efficient, accurate, and redundant system.
How does SOPA change DNS?
SOPA changes this behaviour. A provision in SOPA would allow the Attorney General to order ISPs to block access to infringing websites. For example, if my website was blacklisted and you are a Rogers customer, samuelhwong.com would point to an FBI site (say, 111.111.111.111) instead of 208.94.116.79.
What’s so bad about this, you say? This is bad news because Rogers’ DNS record is effectively overriding mine (the authority). Within 24 hours, other DNS servers will come calling to do an “update” and they will encounter a conflict. In one case, other DNS servers will propagate 111.111.111.111, which amounts to DNS poisoning. In another case, the other DNS servers do not to trust DNS records from Rogers’ servers and don’t propagate records from them - which is equally bad because it begs the questions: whose servers can we trust? which ones are “right”?
Don’t touch my DNS!
You might think that’s it’s not such a bad idea to block infriging websites. But the manner in which we are doing it breaks a fundamental part of how the Internet works: only one server in the world has the authority to make changes to a particular DNS record and every other DNS must replicate and cache it. If any non-authoritative DNS server is given the ability to change DNS records at will, it severely compromises Internet security. If you type in paypal.com, you never know whether you’re seeing the website that PayPal Inc. intended for you to see. For all you know, it could be a scammer pretending to be PayPal and there’s goes your credit card information. Only PayPal should have control over its domain name – not the ISPs and not the government.
DNS is such a fundamental and important part of the Internet that efforts have been made to make it even more secure. DNSSEC adds security to the domain name system by digitally signing records to protect against DNS poisoning. The digital signature ensures the DNS record came from an authoritative source before it is used. Again, it upholds the basic principle that only one server in the world can be the authority for a particular DNS record. SOPA unravels the very purpose of DNSSEC.
You would think all this fiddling with DNS would stop piracy but it doesn’t. You can easily bypass DNS by typing in the IP address directly. If ISPs start blocking IP address, then we’re in really deep trouble. IP blocking amounts to firewalling and unnecessary censorship because many (innocent) websites could be hosted behind a single IP address.
The DNS issue is only one aspect of SOPA, which from my perspective, is a big one. (Yes, it’s a decidedly geek issue.) If we want to take down the pirates, there are other ways to do it, like seizing computers and freezing their revenue sources. Barring advertisers from advertising on infringing sites is a provision in SOPA that I can agree with.
Just don’t mess with my DNS.