CNNIC, which regulates the .CN ccTLD, introduced new requirements in December 2009 on registrations which many in the security community welcomed. .CN domain names are often used for malicious purposes. McAfee has listed .CN as one of the riskiest ccTLD’s. MalwareURL.com and MalwareDomainList.com (two amazing malware/security resources) have collected numerous .CN domain names used to distribute malware. The AV company Kaspersky noted:

Over the last 3–4 years, China has become the leading source of malware. Chinese cybercriminals have shown themselves to be capable of creating such huge volumes of malware that over the last two years, antivirus companies have, without exception, put most of their effort into combating Chinese malware.

However, a lot of the malware activity coming from China is because Eastern European criminal networks moved and are now abusing Chinese infrastructure, .CN domains as well as IP addresses.

Sophos noted that the regulations were having an effect. There was a decrease in spam and Sophos attributed this to the new CNNIC regulations. Symantec noted that .CN registrations used for spam were down and .RU registrations had taken their place.

Others were unsure. StopBadWare noted that since there was a 5 day grace period that would be enough time for the malicious use of .CN domain names. Many, including Isaac Mao, also raised privacy and freedom expression issues arguing that this was a crackdown on freedom of expression.

GoDaddy is now framing their decision to “discontinue offering new .CN domain names” as a freedom of expression issue. Back in 2004 I wrote about GoDaddy’s practice of denying access to its services form certain countries. Others have also had issues with GoDaddy regarding freedom of expression. In other cases, GoDaddy (among other registrars) have been criticized for being too slow to act.

So in trying to get an understanding of what’s going on, I found portions of GoDaddy’s testimony quite interesting. In particular, I’m interested in the emphasis on “Chinese nationals.”

On February 3, 2010, CNNIC announced that it would reopen .CN domain name registrations to overseas registrars. However, the stringent new identification and documentation procedures would remain in effect. CNNIC also announced an audit of all .CN domain name registrations currently held by Chinese nationals. Domain name registrars, including Go Daddy, were then instructed to obtain photo identification, business identification, and physical signed registration forms from all existing .CN domain name registrants who are Chinese nationals, and to provide copies of those documents to CNNIC. We were advised that domain names of registrants who did not register as required would no longer resolve. In other words, their domain names would no longer work.

Now, what I am unclear on is how the requirements affects non-Chinese national who a registering malware domains, pushing rogue antivirus, sending spam and all sorts ofnasty things. These regulation seems to largely target Chinese nationals — not the nationals of other countries who may be using .CN domains for malicious purposes. GoDaddy concluded:

The intent of the new procedures appeared, to us, to be based on a desire by the Chinese authorities to exercise increased control over the subject matter of domain name registrations by Chinese nationals.

We believe that many of the current abuses of the Internet originating in China are due to a lack of enforcement against criminal activities by the Chinese government. Our experience has been that China is focused on using the Internet to monitor and control the legitimate activities of its citizens, rather than penalizing those who commit Internet-related crimes.

I’m having trouble evaluating GoDaddy’s new found (to me anyway) commitment to freedom of expression. I do welcome it and I hope they are serious about it and demonstrate their commitment by joining the Global Network Initiative. But I’m hoping that they don’t confine their interest in freedom of expression solely to China but rather evaluate and assess freedom of expression and privacy across their business operations.

UPDATE:

WP: In response to new rules, GoDaddy to stop registering domain names in China
Dancho Danchev: “With CN/RU requirement for scanned IDs in order to register a domain,underground services are already monetizing the Photoshop-ing process.”

My hotel uses OpenDNS to block access to the Tor website. Google Translate is also blocked. They are categorized as “Proxy/anonymizer”. This is one of the most annoying things about filtering. I just wanted to quickly translate some text from Russia to English and then read the Tor blog and ….

Yes, in order to block the Tor Blog, which uses HTTPS, they are MITM’ing SSL. (If you accept the bad certificate, the Tor Blog is blocked.) It doesn’t look like they are MITM’ing *all* SSL but just connections to selected IP addresses.

It’s funny, because I often recommend OpenDNS to people in order to avoid filtering, but OpenDNS also has a filtering service.

www.facebook.com (and zh-cn.facebook.com) resolves to a variety of IP addresses, 69.63.176.140, 69.63.184.11 and 69.63.178.12 and a few of them. DNS servers in China and resolving www.facebook.com properly and these IP addresses are accessible when directly accessed from China.

However, while facebook is loading you have probably seen a domain like this, static.ak.fbcdn.net or like this static.ak.facebook.com, flash by in your browser’s status bar. Domains such as these resolve to IP addresses assigned to Akamai. Akamai is a mirroring service that has servers all over the world so depending on where you are you’ll be accessing the same content but from a different server.

One scenario is that there was some temporary issue with Akamai.

Another is that Chia may have blocked one of Akamai’s IP addresses. (Pakistan, for example, once disrupted access to numerous sites because they blocked portions of the Akamai network. Apparently, they did not realize that in trying to a few sites on Akamai they ended up blocking thousands of the world’s most popular sites.)

I tested a variety of Akamai IP addresses that Chinese DNS servers resolved the “static” facebook domains too and all were acessible from multiple points in the country.

immediately clear and remove all DNS hosting records for the wikileaks.org domain name and prevent the domain name from resolving to the wikileaks.org website or any other website or server other than a blank park page, until further order of this Court.

The site is still available here: http://88.80.13.160/

The Citizen Media Law Project has the case documents and analysis and the story has now been picked up by the mass media. But what’s caught my attention is who is not talking about it. Glad to see the usual suspects raising the issue.

The other thing that stood out was that these sites did not appear to be the Voice of America. And they are not. You can lookup the registrar here. The Registrant Name is 慢速英语 which babel translates as “Slow English” which gave me a chuckle.

I did some more tweaking and voanews.com.cn is being subjected to a form of DNS tampering because it has “voanews.com” in it. It looks like China is bringing back an improved version of their old DNS spoofing. Rather than messing around with individual DNS servers, China has implemented a system which appears to operate like the RST/Keyword filtering system (see this paper for technical details).

DNS lookups for voanews.com (or voanews.com.cn) will return one or more of the following 4 IP’s:

voanews.com has address 213.169.251.35
voanews.com has address 209.36.73.33
voanews.com has address 72.14.205.99
voanews.com has address 72.14.205.104

The last two by the way are google IP addresses. Weird.

But if you sniff the connection you’ll see that what happens is after the request is made 4 spoofed results are received although eventually the correct result is received. But by the time the true result is received applications relying on a dns lookup (e.g. a web browser) have already accepted the initial spoofed result.

ME	->	CN	DNS	Standard query ANY voanews.com
CN	->	ME	DNS	Standard query response A 72.14.205.99
...
CN	->	ME	DNS	Standard query response SOA auth00.ns.uu.net MX 20 ibb2.ibb.gov MX 30 ibb1.ibb.gov MX 10 voa2.voa.gov A 128.11.143.113 NS auth00.ns.uu.net NS auth100.ns.uu.net

Domain Name System (response)
        voanews.com: type SOA, class IN, mname auth00.ns.uu.net
        voanews.com: type MX, class IN, preference 20, mx ibb2.ibb.gov
        voanews.com: type MX, class IN, preference 30, mx ibb1.ibb.gov
        voanews.com: type MX, class IN, preference 10, mx voa2.voa.gov
        voanews.com: type A, class IN, addr 128.11.143.113
        voanews.com: type NS, class IN, ns auth00.ns.uu.net
        voanews.com: type NS, class IN, ns auth100.ns.uu.net

ME	->	CN	ICMP	Destination unreachable (Port unreachable)

A variety of other domain names are affected, not just voanews.com.

So India’s new filtering is not surprising. Once again the Ministry ordered sites to be blocked, some of which are blogs hosted on Blogspot and Typepad. The ISP’s blocked the IP addresses of the sites causing all the blogs hosted on them to be blocked.

There have also been reports that ISP’s started to target circumvention sites, clearly showing the “mission creep” that occurs whenever Internet filtering is introduced.

After protests by bloggers India’s ISP association now indicates that the block on the blog services (not the specific blogs on the block list) will be lifted within 48 hours. INstructions are being circulated amongst the ISP that puport to show how to block the specific domain names on the Ministry’s block order while keeping access to other blogs hosted on Blogspot and Typepad accessible. The technique they’ve chosen in DNS poisioning:

“An advisory is being sent from ISPAI to member ISPs saying they should configure their Domain Name Servers (DNS) in such a way that they block only the sub-domains DoT wants blocked,” said Singhal, adding, “It would help if, in future, DoT could also mention the mechanism by which sites should be blocked.”

I suspect that this is a short term solution, as filtering in this way is extremely easy to circumvent. As is the case with other countries, as the list of sites to block gets longer we can expect to see the implementation of more robust commercial filtering technology and with it an increase in the amount of content filtered. (I wonder if SmartFilter and Websense reps are on a plane to Delhi right now).The mission creep will expand, the unintended consequences will continue and there will be a decrease in transparency and accountabilty. this has had, and will continue to have a negative impact on freedom of speech and expression in India.

I hope I am wrong.

A spoof website — youthforvolpe.ca — was setup in response. The spoof site encouraged children to contribute to Volpe’s campaign using mommy and daddy’s credit card.

The website was quickly shut down. The domain name was cancelled after the registrar (Canadian Domain Name Services Inc.) was alerted by a Globe and Mail reporter that the contact phone number for the domain registrant was not valid. The Canadian Internet Registration Authority (CIRA) required valid information for domain registrations and after reviewing the information for youthforvolpe.ca the registrar concluded that the information was fabricated and canceled the domain name.

The domain and website now appear to be restored.

Kazakhstan is the only country I’ve seen that filters (or has filtered) websites with its own ccTLD. (See http://www.blokada.org/en.php and as well as RSF) Starting back in 1999 Kazakh ISP began filtering websites, explaining that the websites were inaccessible for permanent “technical reasons“.

KazNIC currently operates the ccTLD and has specific rules and a dispute policy for revoking domains. In one case, KazNIC revoked the domain names of an opposition group after a court ruling. It appears to be a case about copyright infringement. (Interestingly, it seems that the domain was temorarily transfered to a new owner, but the domain is not (at least in WHOIS) back to its original owner. )