[NCAP-Discuss] Honeypot refresher

Jeff Schmidt jschmidt at jasadvisors.com
Thu Apr 30 14:35:43 UTC 2020


We are stuck in a Groundhog Day cycle of re-litigation on ancient issues.

Some suggest (repeatedly) that Controlled Interruption was designed the way it was because we don’t like data, and honeypots (redirecting colliding lookups to some Internet host controlled by “good guys”) would generate the data panacea we always wanted but never had. Suddenly all of our questions would be answered, toast would never burn, and the coronavirus would be cured. This is wrong. Honeypots create significant new risks; we concluded that the risks created by a honeypot approach were worse than the rewards and suggested (Recommendation 12) alternative approaches to gathering more data. This issue was discussed extensively in the JAS Phase 2 report.

Verisign, in their public comments, agreed with us (quoting from Section 2 of their comment to the JAS Phase 2 Report):

<Verisign quote>
Verisign maintains its position that directing requesters to an internal address during the controlled interruption period is preferable to an external honeypot, because as previously stated, it avoids “controlled exfiltration” where sensitive traffic from an installed system – without the advance consent of the user or system administrator – may be drawn outside the local network. This risk is acknowledged in Google Registry’s comments advocating for the external honeypot [5]:

“Unfortunately, some protocols will send sensitive information unsolicited (e.g., login.example/login.php?user=fred and HTTP cookies). The honeypot will specifically not log this sort of information, but this doesn't change the fact that the information has been communicated over the Internet.”
</Verisign quote>

https://forum.icann.org/lists/comments-name-collision-26feb14/pdfTWUAZM3gBN.pdf

Please refer to section 3.1.6 “Alternatives to Controlled Interruption” for a detailed discussion of Honeypot (Section 3.1.8) (and other) approaches:
https://www.icann.org/en/system/files/files/name-collision-mitigation-final-28oct15-en.pdf

Jeff
