Original URL: https://www.theregister.com/2010/04/05/googlesharing_cert_revoked/

Privacy service knocked offline by 'no bullsh*t' registrar

GoogleSharing kneecapped by Gandi.net

By Dan Goodin

Posted in Security, 5th April 2010 22:52 GMT

A recently launched anonymization service suffered a setback last week when Gandi.net, a France-based registrar that bills itself as a "no bullshit company," revoked its secure sockets layer certificate without warning.

Last week's move against GoogleSharing caused its 30,000 users to instantly lose service, according to Moxie Marlinspike, the hacker who announced the anonymization proxy in mid January. It took him four days to get the site operational again, and by then, the vast majority of those users had stopped using the service.

In an email sent more than 24 hours later, a member of Gandi.net's abuse department said the certificate was revoked "due to multiple and deliberate serious breaches" of the registrar's terms of service. Specifically, the violations were incorrect information provided to Gandi.net's Whois database, a trademark violation for the unauthorized use of "google" in the domain name and the use of the certificate for unspecified "fraudulent activities."

GoogleSharing prevents Google from tracking searches and websites visited by specific individuals by mixing together requests from many different users so it's impossible to tell where the queries originate. A Firefox plugin redirects Google-bound traffic to a proxy, where requests are stripped of all identifying information and replaced with the details of a different GoogleSharing user. The Google response is them proxied back to the originating user.

"GoogleSharing thrives by being totally transparent to the end user," Marlinspike wrote in an email. "They install the addon and never have to think about it again. They don't have to do anything special or visit any special websites. By causing a four day interruption, they've likely killed the majority of our user base."

The hacker said it was true that some of information contained in the Whois database was not correct, but he insisted the service doesn't engage in fraud and that the the inclusion of "google" in his domain name is protected by the fair use doctrine.

The revocation meant in an instant people who relied on GoogleSharing to anonymize Google search requests were unable to use the service. Because the service relies on a Firefox add-on that uses an authenticated page, their connections were killed with little explanation and no recourse.

The episode demonstrates the hazards of relying on internet companies that enforce terms of service reserving the right to play judge, jury and executioner with their customers' websites. Gandi.net took the action with no warning and didn't provide an explanation for more than a day. And even then, it failed to say exactly what "fraudulent activities" GoogleSharing had carried out.

So much for Gandi.net's claims of being a "no bullshit company."

"It's a big claim to make," the company's marketing monkeys write. Among other things, it means employees "are honest about what we do; we will be straightforward in how we deal with you" and "if we're ever hypocritical we will hold our hands up and clean up."

Conspiracy-minded observers might be tempted to point out that over the past decade Marlinspike has regularly been a thorn in the side of companies who make big bucks issuing the certificates used to authenticate banks, online retailers, and other groups with sensitive websites. By demonstrating practical attacks that allow hackers to spoof the widely used credentials, his research calls into question the effectiveness of SSL certificates and the companies that issue and use them.

Already, eBay-owned PayPal has retaliated against the independent researcher for showing how the criminals could impersonate the online payments processor. Now, Gandi.net has followed a similar course.

But the consequences of the revocation are far from over. Whereas the service pushed an average of 4Mbps before, it was generating only about 300kbps after it came back online.

Which seems to suggest that if you're doing anything considered remotely controversial on the net, you're better off relying on yourself for payment and certificate services. The internet isn't a democracy, and companies with self-serving terms of service can't be counted on to deliver due process. Not even those that bill themselves as "no bullshit." ®

Update

In a sign that the "no bullshit" promise isn't a mere gimmick, Gandi COO Joe White sent us the following reply to a query we sent yesterday:

We certainly acknowledge that we could have handled this better, particularly in not contacting the customer prior to the revocation of the certificate. The reason for the certificate being revoked was because of the inaccurate whois data. Certificates really are a seal of trust, but that cannot be based on falsified whois data. It was right to revoke the certificate for this reason, but not without being in contact with the customer. We have reviewed and changed our processes to rectify this.

The other reasons given, re google, etc. were probably over zealous from the support/legal team. It's not our place to speculate about what google would or would not do about the domain name. The other issues had nothing to do with the certificate being revoked and we apologise for any confusion caused by that.

We're known in the industry for standing up for our customers rights, but it is based on mutual trust and respect. And if the whois data in falsified we don't know who are customers are and we cannot stand up for them in the same way.

Anyway, I hope that gives some better insight into why we took action. We have learned from this and changed our processes and we hope to avoid this kind of error in the future. Many thanks,