Feeds

Privacy service knocked offline by 'no bullsh*t' registrar

GoogleSharing kneecapped by Gandi.net

High performance access to file storage

A recently launched anonymization service suffered a setback last week when Gandi.net, a France-based registrar that bills itself as a "no bullshit company," revoked its secure sockets layer certificate without warning.

Last week's move against GoogleSharing caused its 30,000 users to instantly lose service, according to Moxie Marlinspike, the hacker who announced the anonymization proxy in mid January. It took him four days to get the site operational again, and by then, the vast majority of those users had stopped using the service.

In an email sent more than 24 hours later, a member of Gandi.net's abuse department said the certificate was revoked "due to multiple and deliberate serious breaches" of the registrar's terms of service. Specifically, the violations were incorrect information provided to Gandi.net's Whois database, a trademark violation for the unauthorized use of "google" in the domain name and the use of the certificate for unspecified "fraudulent activities."

GoogleSharing prevents Google from tracking searches and websites visited by specific individuals by mixing together requests from many different users so it's impossible to tell where the queries originate. A Firefox plugin redirects Google-bound traffic to a proxy, where requests are stripped of all identifying information and replaced with the details of a different GoogleSharing user. The Google response is them proxied back to the originating user.

"GoogleSharing thrives by being totally transparent to the end user," Marlinspike wrote in an email. "They install the addon and never have to think about it again. They don't have to do anything special or visit any special websites. By causing a four day interruption, they've likely killed the majority of our user base."

The hacker said it was true that some of information contained in the Whois database was not correct, but he insisted the service doesn't engage in fraud and that the the inclusion of "google" in his domain name is protected by the fair use doctrine.

The revocation meant in an instant people who relied on GoogleSharing to anonymize Google search requests were unable to use the service. Because the service relies on a Firefox add-on that uses an authenticated page, their connections were killed with little explanation and no recourse.

The episode demonstrates the hazards of relying on internet companies that enforce terms of service reserving the right to play judge, jury and executioner with their customers' websites. Gandi.net took the action with no warning and didn't provide an explanation for more than a day. And even then, it failed to say exactly what "fraudulent activities" GoogleSharing had carried out.

So much for Gandi.net's claims of being a "no bullshit company."

"It's a big claim to make," the company's marketing monkeys write. Among other things, it means employees "are honest about what we do; we will be straightforward in how we deal with you" and "if we're ever hypocritical we will hold our hands up and clean up."

Conspiracy-minded observers might be tempted to point out that over the past decade Marlinspike has regularly been a thorn in the side of companies who make big bucks issuing the certificates used to authenticate banks, online retailers, and other groups with sensitive websites. By demonstrating practical attacks that allow hackers to spoof the widely used credentials, his research calls into question the effectiveness of SSL certificates and the companies that issue and use them.

Already, eBay-owned PayPal has retaliated against the independent researcher for showing how the criminals could impersonate the online payments processor. Now, Gandi.net has followed a similar course.

But the consequences of the revocation are far from over. Whereas the service pushed an average of 4Mbps before, it was generating only about 300kbps after it came back online.

Which seems to suggest that if you're doing anything considered remotely controversial on the net, you're better off relying on yourself for payment and certificate services. The internet isn't a democracy, and companies with self-serving terms of service can't be counted on to deliver due process. Not even those that bill themselves as "no bullshit." ®

Update

In a sign that the "no bullshit" promise isn't a mere gimmick, Gandi COO Joe White sent us the following reply to a query we sent yesterday:

We certainly acknowledge that we could have handled this better, particularly in not contacting the customer prior to the revocation of the certificate. The reason for the certificate being revoked was because of the inaccurate whois data. Certificates really are a seal of trust, but that cannot be based on falsified whois data. It was right to revoke the certificate for this reason, but not without being in contact with the customer. We have reviewed and changed our processes to rectify this.

The other reasons given, re google, etc. were probably over zealous from the support/legal team. It's not our place to speculate about what google would or would not do about the domain name. The other issues had nothing to do with the certificate being revoked and we apologise for any confusion caused by that.

We're known in the industry for standing up for our customers rights, but it is based on mutual trust and respect. And if the whois data in falsified we don't know who are customers are and we cannot stand up for them in the same way.

Anyway, I hope that gives some better insight into why we took action. We have learned from this and changed our processes and we hope to avoid this kind of error in the future. Many thanks,

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.