Soni's Blog

The unreasonable effectiveness of poisoning

Poisoning, in computer terms, is extraneous data thrown into a data stream in order to throw off a computer system. Many folks are familiar with the term Domain Name System (DNS) Cache Poisoning, a kind of attack where an attacker sends a malicious DNS response to a DNS resolver in order to take over a domain. This kind of attack is less common these days, thanks to the advent of Transport Layer Security (TLS) and similar protocols. In this case of poisoning, the extraneous data comes from an attacker.

However, attacks aren't the only form of poisoning out there. Browser extensions like TrackMeNot and AdNauseam provide another form of poisoning. By injecting garbage data (into search queries and ad clicks, respectively), these extensions can be used to throw off their users' ad profiles, which may improve privacy.

Hypothetically, a similar technique could be extended to Extension Mechanisms for DNS (EDNS) Client Subnet (ECS). ECS Poisoning would inject randomly-generated values into ECS data in an effort to defeat attempts to require/enforce ECS, as ECS is known to be a privacy nightmare. As far as we know, this has never been tried - one of the largest DNS resolvers, Cloudflare, opts to omit ECS altogether instead of poisoning it.
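To make the idea concrete, here is an added example (not code from this blog or from any resolver) that builds the ECS option as laid out in RFC 7871, decodes it to show what it discloses, and produces a variant carrying a randomly generated subnet. It is IPv4-only, and the function names and the sample address 198.51.100.77 are constructed for illustration.

```python
import ipaddress
import secrets
import struct

ECS_OPTION_CODE = 8   # EDNS option code assigned to Client Subnet (RFC 7871)
FAMILY_IPV4 = 1       # IANA address family number for IPv4


def encode_ecs(network: str) -> bytes:
    """Encode an IPv4 network as an ECS option for a query."""
    net = ipaddress.ip_network(network, strict=False)  # host bits are zeroed
    if net.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    # Only as many address bytes as the prefix needs go on the wire.
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    # FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries), ADDRESS
    body = struct.pack("!HBB", FAMILY_IPV4, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs(option: bytes) -> str:
    """Return the subnet an ECS option discloses to the authoritative server."""
    if len(option) < 8:
        raise ValueError("too short for an ECS option")
    code, length, family, source_len, _scope = struct.unpack("!HHHBB", option[:8])
    addr = option[8:]
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    if family != FAMILY_IPV4 or source_len > 32:
        raise ValueError("unsupported family or prefix length")
    if len(addr) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr + bytes(4 - len(addr))
    return f"{ipaddress.IPv4Address(padded)}/{source_len}"


def random_ecs(prefixlen: int = 24) -> bytes:
    """ECS option carrying a randomly generated subnet instead of the real one."""
    fake = ipaddress.IPv4Address(secrets.randbits(32))
    return encode_ecs(f"{fake}/{prefixlen}")


if __name__ == "__main__":
    real = encode_ecs("198.51.100.77/24")   # constructed client address
    print("real    :", real.hex(), "->", decode_ecs(real))
    poisoned = random_ecs()
    print("poisoned:", poisoned.hex(), "->", decode_ecs(poisoned))
```
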

What makes poisoning so effective is how it interacts with trust. Search engines and ad networks trust that you're searching and interacting with the things you're interested in. DNS resolvers trust that the response packet came from where it says it did. EDNS mostly requires the DNS server to trust the DNS resolver. Poisoning hijacks the normal functioning of the system. It's not inherently a security vulnerability (tho it can be one), but a fundamental characteristic of trust itself.

This leads us to ask where we draw the line between acceptable forms of poisoning and unacceptable ones. While it is probably possible to make a legal argument here, we are not a lawyer. Instead, we would like to approach this issue from a more... social perspective. As such, we believe the most important aspect for drawing the line is scope.

When we say scope, we are referring to the extent of impacts caused by these actions. For example, with DNS cache poisoning, the scope generally boils down to every user of a given website on a given DNS resolver, with neither the website nor the resolver being in any way associated with the poisoner. Meanwhile, if you were to use AdNauseam or TrackMeNot, the scope would be limited to merely what search engines and ad networks would present to you, personally, or the profile they would make of you. But poisoning of search engines can also be accomplished through what's known as Search Engine Optimization (SEO). SEO has a much wider scope, as it's meant to influence what search engines present to all of their users.

Even then, there are some grey areas. Individual scope is okay, global scope is not okay, but what happens when many individuals group together to implement some form of poisoning? While there didn't seem to be any major ECS-poisoning DNS resolvers at the time of writing this post, would it be acceptable to get together and just... make one? Furthermore, in the context of ActivityPub, what about poisoning as a way to improve your instance's privacy? Still in the context of ActivityPub, there are even two ways to do it, a "passive" and an "active" way, which may introduce differences in scope, while still remaining within the grey areas.

Personally, we do think the aforementioned grey areas are all acceptable - or should be. They're all directly connected to user privacy, tho there are some tradeoffs that may make them unsuitable for some kinds of users, and those should also be acknowledged and communicated to users.

All in all, poisoning is an important social tool, in that it enables us to push back against major privacy violations. At the same time, it often gets used to erode knowledge and harm others. It would probably be helpful to build a framework for analysing instances of poisoning so we can better understand them and figure out whether they are socially helpful or harmful.