War re Ukraine: Thread

grarpamp grarpamp at gmail.com
Thu Mar 17 20:36:28 PDT 2022


http://market-ticker.org/akcs-www?post=245342



What could possibly go wrong with setting an example like this?

    Cogent Communications will pull the plug on its connectivity to
customers in Russia in response to President Putin's invasion of
Ukraine.

    The US-based biz is one of the planet's largest internet backbones
– the freeways of the internet – and says it carries roughly a quarter
of global 'net traffic.

Modern-day "aggregators", of which Cogent is one, often are the source
of address delegations as well.  Cogent has confirmed they're
canceling IP addresses delegated out; when you are using an aggregator
you don't actually "own" any delegations you may have as for routing
purposes the aggregator has the registration on those.  For
residential users this is not a major issue, but for commercial places
where reverse mapping is a factor it can be at least a moderate
hassle.

Much-more ominous, however, is this:

    ICANN on Wednesday rebuffed a request from Mykhailo Fedorov, First
Vice Prime Minister of Ukraine, to revoke all Russian web domains,
shut down Russian DNS root servers, and invalidate associated TLS/SSL
certificates in response to the Russian invasion of Ukraine.

First, ICANN has no ownership of DNS root servers; they're privately
owned and operated.  What they could do is remove "undesirable ones"
from the "hints" file that is publicly distributed.  Actually getting
ISPs around the globe to change their hint files is quite-possibly
another matter.  Again, this is a distributed data set and what is
distributed in terms of the root hints are suggestions, not commands.

Could ICANN revoke the .RU top-level domain?  Yes, but doing so risks a schism.

Again there is nothing that can be done to enforce upon ISPs (or for
that matter anyone willing to run their own local resolver, such as I
do here at my home) what top-level domains exist and who is the
delegated authority for them.

Back during the "domain war" times when MCSNet was operating we were
part of, and participated in, expanding the TLD space when what was to
become ICANN refused, claiming "technical impossibility without
overload problems."  I knew this was bull**** and proved it along with
others; the entire debate was in fact political and the so-called
"mavens" that were running it and exploiting domain registrations to
make an obscene, monopolist profit were claiming technical limitations
that did not exist.  I and a handful of others set it up, proved it
worked and were slowly getting adoption by ISPs around the globe when
one of the protagonists took to a bit of cyber hackery.  I left the
project immediately when I discovered it because not only was that
going to doom its acceptance but it was wildly unethical at best and
possibly felonious and I wanted nothing to do with any group
associated with that.

But eDNS, which is what we called it, studiously avoided,
intentionally, any interference with the existing TLDs.  That is, we
were an extension but never a conflict source for same and I made very
clear to all the participants that my engagement, software development
and participation was utterly dependent on same -- and if there was
any attempt to violate that by any member of the group we would
immediately and loudly walk away even though doing so would mean
abandoning a very sizeable -- maybe billion dollar or better --
business opportunity.

Non-interference in this process was and is very important for
Internet continuity for a whole host of reasons, not the least of
which is that TLD delegations, and the sub-delegations within them are
in fact tied to SSL certificates and if you can corrupt one you could
also impersonate someone with disastrous results.  Today domains can
be signed with cryptographic keys (and in fact market-ticker.org is)
but that integrity relies on the chase upward to the TLD being
single-source.  That is, if I can successfully replace ".org" and its
cryptographic zone signature then I can also replace
"market-ticker.org" and its cryptographic zone signature with a
counterfeit.  This then, in turn, means I can replace the certificate
with a counterfeit and having done so all the automated checking that
is usually done will in fact test as "good"!

That would be catastrophic for Internet data and transport security,
including every single financial transaction that flows through that
TLD since it would destroy the chain back to the root of trust and by
doing so make impersonation very possible.

ICANN wisely told Ukraine to go blow goats, but what also concerns me
is that the people in Ukraine who made the request do not understand
how this all works because in addition to asking for imposition of a
deliberate schism they also asked for all Russian TLS/SSL certificates
to be revoked.

ICANN does not issue said certificates nor does it control the
issuers, directly or indirectly, that people use as the "root of
trust" for said certificates.  As just one example ICANN has no
operational control over Verisign which is one of the many firms that
issues end-entity certificates.  If you go to PayPal's web page their
certificate is issued by DigiCert and they, and only they, are the
ones who validate that indeed they issued it and PayPal owns it.  The
various operating system firms distribute a base "trusted root" list
and there's a consortium that agrees (most of the time) on what goes
in and is removed from there; for example Google (Chrome) and Mozilla
(Firefox) both have such a list and are part of the consortium that
makes such decisions, as does Microsoft, the various Linux
distributions, Apple and FreeBSD.

Attempts to tamper with this for political reasons are extremely
unwise because while they may indeed be a "weapon" that can be used to
inflict pain on various entities for political purpose any abuse of
this sort risks a schism on the Internet as a whole and evasion of the
sanction, if undertaken and it will be by the targeted parties, wildly
increases the risk of compromise of the entire trust structure on
which secure transactions rest.  The impact of such an event will not
be localized to the sanctioned parties; by definition if you do that
the impact is likely to be global.

I don't expect we've heard the last of this, nor do I expect people to
tell the truth about what they intend and how "safe" doing it might be
either.   And yes, my considered opinion on this is from actual expert
experience.

Tampering with the roots of trust on the Internet for political
reasons, no matter how well-intended you may think it is, risks
severely damaging or even destroying the transport security literally
everyone relies on in daily life today.  Any nation or other entity
that tries this should be not only instantly rebuffed but also turned
into a permanent economic pariah as their action, no matter the
motivation, cannot be kept local to their territory and has a very
high probability of wildly screwing everyone.
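
The dependence of a signed domain on a single chain up through its TLD, as argued in the message above, can be shown with a simplified model. This is an added example, not part of the original post or the quoted article; the zone keys are constructed placeholders, the DS digest format is simplified, and RRSIG signature checks are left out.

```python
import hashlib

def ds(name: str, key: bytes) -> str:
    """Simplified DS record: SHA-256 over the owner name and the zone's key."""
    return hashlib.sha256(name.encode() + b"|" + key).hexdigest()

def parent_of(name: str) -> str:
    rest = name.split(".", 1)
    return rest[1] if len(rest) == 2 and rest[1] else "."

def build_tree(keys: dict) -> dict:
    """Each zone publishes its key plus a DS digest for every child zone."""
    tree = {name: {"key": key, "ds": {}} for name, key in keys.items()}
    for name, key in keys.items():
        if name != ".":
            tree[parent_of(name)]["ds"][name] = ds(name, key)
    return tree

def validate(tree: dict, anchor: str, name: str):
    """Walk root -> name; return the validated key, or None if a link fails."""
    path = [name]
    while path[-1] != ".":
        path.append(parent_of(path[-1]))
    path.reverse()  # e.g. [".", "org.", "market-ticker.org."]
    if any(zone not in tree for zone in path):
        return None
    # The only thing the validator knows in advance is its configured anchor.
    if ds(".", tree["."]["key"]) != anchor:
        return None
    for parent, child in zip(path, path[1:]):
        if tree[parent]["ds"].get(child) != ds(child, tree[child]["key"]):
            return None
    return tree[name]["key"]

# Constructed sample data: the single-source namespace ...
GENUINE = build_tree({".": b"root-key", "org.": b"org-key",
                      "market-ticker.org.": b"site-key"})
# ... a competing namespace with its own root and its own ".org" ...
SPLIT = build_tree({".": b"other-root-key", "org.": b"other-org-key",
                    "market-ticker.org.": b"other-site-key"})
# ... and a leaf key swapped without the parent's DS being changed.
TAMPERED = {**GENUINE, "market-ticker.org.": {"key": b"other-site-key", "ds": {}}}

GENUINE_ANCHOR = ds(".", b"root-key")
SPLIT_ANCHOR = ds(".", b"other-root-key")

if __name__ == "__main__":
    for label, tree, anchor in [("genuine", GENUINE, GENUINE_ANCHOR),
                                ("tampered leaf", TAMPERED, GENUINE_ANCHOR),
                                ("split, genuine anchor", SPLIT, GENUINE_ANCHOR),
                                ("split, split anchor", SPLIT, SPLIT_ANCHOR)]:
        print(label, "->", validate(tree, anchor, "market-ticker.org."))
```

A validator pinned to the genuine anchor rejects both the swapped leaf key and the competing namespace, while a validator configured with the competing anchor reports the competing chain as fully valid.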

