This is just drivel. A company is providing a service that is extremely well executed and has a great reputation. Google uses it for the same reason most people use Google - it is the best around for what they want.
If there is a single shred of evidence other than "isn't it weiirdd...." then perhaps we can discuss this.
It raises my eyebrow that a third party controls MSN, Google, and Facebook's DNS entries while also being a trusted certificate authority. This makes a man-in-the-middle SSL attack "somewhat easy". Does anyone publicly audit the DNS entries of major services? I haven't heard of any browsers alerting on SSL certificate changes (a la ~/.ssh/known_hosts).
Perhaps I like my tinfoil hat more than the average Joe, but this sounds like an excellent way to execute wiretaps. I can only imagine that http://news.ycombinator.com/item?id=3929507 reminded the submitter of this old (Feb 17th) paste.
They are the REGISTRAR of the domains - they are not hosting DNS for the domains. The fact that they manage the registration is completely irrelevant from a wiretapping point-of-view.
If true, the fact that they have a CA is what allows them to wiretap. But they don't need control of DNS to do that - just cooperation of an ISP.
"The fact that they manage the registration is completely irrelevant from a wiretapping point-of-view."
As the registrar, you specify which DNS servers are authoritative for the domain. It is much easier for the registrar to quietly change a domain than any other 3rd party in the system.
That in itself isn't scary. Lots of people use(d) GoDaddy, eNom, etc. Another commenter pointed out that Last.fm likes the service because it abstracts the pain of domain registration.
But does Google care about the pain of registering Google in new TLDs? Does Facebook worry that their domain will expire due to an out-of-date credit card? Using a third party service introduces risk of failures out of your control. Any interruption to these major providers will cause damage far in excess of them not having to deal with spam domains.
Consolidation when consolidation is unnecessary should raise questions.
NS records often change, especially in the additive, all the time. Google could do this all day every day and no one would notice. What you meant to say is that people would notice if MarkMonitor changed them without Google's permission. But that would never happen - they would certainly have Google corporate's permission before using this power. The geeks in engineering who care would hopefully object to a massive MITM surveillance system, but their assistance is no longer required.
And that's the beauty. Herding the cats in engineering at Google and Facebook to spy on everyone is difficult. Many of them might even quit their jobs before doing such a thing. Best to wedge a soulless anti-spam group between the happy consumer company and the Internet and get the blessing of a couple of CEOs who have been told that compliance is not optional.
Not instantly, because google.com's glue records have a 2-day TTL.
Verisign has the ability to alter DNS glue records for .com and they have the ability to issue browser-trusted certificates, except in cases of browser cert pinning functionality or extensions (like CertPatrol) that check for certs being altered before they're nearly expired.
Registrars can instruct Verisign to alter the glue records for .com domains. Are you saying Verisign has special policies in place to double check with major companies before changing their respective glue records?
At the end of the day, all the mentioned companies need to trust their domain name registrations to someone, and just like normal people can use Namecheap or Gandi as their domain name registrar, big companies seem to use MarkMonitor because the services they provide are useful to them.
Some local services: yandex.com, mail.ru, vk.com, ozon.ru, rutracker.org, lenta.ru, ok.ru - are all unaffected. I bet Chinese resources are unaffected too.
What the hell is going on here? I understand that this might be a legitimate company, but I don't see Google having any need for such a thing, let alone to the point where they'd just surrender their domain name to them.
(please don't go there and feed the spammers, thank you :-))
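The certificate-change check raised in the thread (a known_hosts-style alert, with CertPatrol's exception for certificates that are nearly expired), as an added example that is not part of the original comments. The 30-day window, the `PinStore` name and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=30)  # assumed threshold for "nearly expired"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Remembers the last certificate seen per host (like known_hosts)."""

    def __init__(self):
        self.pins = {}  # host -> (fingerprint, not_after)

    def observe(self, host, der, not_after, now):
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = (fp, not_after)  # trust on first use
            return "new"
        old_fp, old_not_after = known
        if fp == old_fp:
            return "ok"
        if old_not_after - now <= RENEWAL_WINDOW:
            # Old certificate was expired or close to it: routine renewal.
            self.pins[host] = (fp, not_after)
            return "renewal"
        # Replacement long before expiry: keep the old pin and flag it.
        return "alert"


def demo():
    # Constructed sample data: placeholder bytes stand in for DER certificates.
    now = datetime(2012, 5, 5, tzinfo=timezone.utc)
    host, store = "example.test", PinStore()
    results = [
        store.observe(host, b"constructed-cert-A", now + timedelta(days=300), now),
        store.observe(host, b"constructed-cert-A", now + timedelta(days=300), now),
        store.observe(host, b"constructed-cert-B", now + timedelta(days=365), now),
    ]
    later = now + timedelta(days=280)  # 20 days before cert A expires
    results.append(store.observe(host, b"constructed-cert-C", later + timedelta(days=365), later))
    return results


if __name__ == "__main__":
    print(demo())
```

For live use, the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` rather than the placeholder byte strings used here.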