Discussion
Is BGP safe yet? No.
nemomarx: This actually shows pretty good coverage for this feature, it seems to me. The big American ISPs do it, the mobile ones do too... How many major ISPs would we want to implement it to be "safe", and what would that look like? Is this a regional thing? They've only listed 4 unsafe ones on the site, and that doesn't seem like a major issue, but maybe they're very large somewhere.
philipwhiuk: Click "show all". Major ISPs like British Telecom (core UK telephony), NTT Docomo (Japan), Vodafone Espana (showing that Vodafone isn't doing it globally), Starlink (showing it's not an old-tech problem), Rogers (US ISP) are listed unsafe. I think the 31 is a misleadingly positive picture.
bilekas: Google and DigitalOcean are huge players here, but is there a reason they would only have partial coverage? TIM is listed as insecure, yet my test is successful.
> Your ISP (Telecom Italia S.p.a., AS3269) implements BGP safely. It correctly drops invalid prefixes
chrismustcode: I'm on Sky in the UK, which is marked as not safe due to no RPKI. It's not on the list, so I imagine there are a fair few missing; it would be neat to have a table you could filter by country, provider type (cloud/ISP etc.) based on real results from users. Edit: there's a "show all" button to expand the table.
RRRA: Google being shown as unsafe makes me think they have some internal methods for filtering?
KomoD: We want more than just major ISPs. They've listed way more than 4 (and those 4 are also massive); click "Show all". There are 254 operators marked as unsafe.
olivier5199: An ISP is marked as unsafe in the table, yet running the test says it is (same ASN).
commandersaki: I think the test for BGP is Safe is when we stop using it and instead use SCION: https://en.wikipedia.org/wiki/SCION_(Internet_architecture).
wussboy: Why hasn't this happened?
NewsaHackO:
> A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.
But with HTTPS, they wouldn't be able to actually pose as another website, just delay/blackhole the request so it doesn't reach its goal target, right? From the figure, it makes it seem like a person can use BGP to spoof a website and make a user visit a phished website, but that's not right, correct?
pigggg: SCION is generally considered snake oil within the network operator community. It's a weird single-vendor, for-profit company that ships its software, the fact that no router hardware ASIC forwarding supports what they want to do, and then the general scummy inclusion of blockchain/crypto as well as some "greenwashing" for PR hype. Sure, the Swiss have their toy, but no one is taking it seriously.
infogulch: Well, if they can deceive certificate authorities that implement the ACME protocol like Let's Encrypt, then they could get a certificate for your site with the HTTP-01 challenge; see the paper Using BGP to Acquire Bogus TLS Certificates (2017) [1]. That paper suggested a mitigation they call Multiple Vantage Point Verification, which has already been implemented [2].
[1]: https://petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.p...
[2]: https://community.letsencrypt.org/t/validating-challenges-fr...
dsr_: If you can inject arbitrary malicious routes, you can make ACME requests for a new cert.
elashri: Any reasons why an ISP would not implement it, other than effort/cost? Just asking for someone like me whose networking knowledge is very naive.
maltalex: RPKI doesn't make BGP safe, it makes it safer. BGP hijacks can still happen. RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS and get the victim's traffic sent to it. The solution to this was supposed to be BGPsec, but it's widely seen as undeployable.
impl: I believe the current attempt at mitigation for this is ASPA [0]. It still has a long way to go, but there are some big names behind it.
[0]: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-asp...
asveikau: I thought Rogers was Canadian.
asveikau: I got a fail on T-Mobile USA. It seems in the full list that T-Mobile is listed as both passing and failing.
tialaramex: They don't need ACME to do that; ACME is just an automation standard. The same rules apply for getting a certificate via ACME, such as 3.2.2.4.19 "Agreed-Upon Change to Website - ACME", as for the manual process 3.2.2.4.18 "Agreed-Upon Change to Website v2". The ACME version is just designed for machines to automate easily (and as a result is wildly more common in use today). And multi-perspective only helps against an attacker who is merely able to influence a local route; if they can ensure all your perspectives see the same thing, the attacker wins.
RyJones: T-Mobile consists of at least five distinct networks depending on when your carrier was purchased, last time I was talking with some of the network security guys in Factoria. It’s been four years - they may have converged some of them.
ck2: same T-Mobile USA, AS21928 does NOT implement BGP safely
jon-wood: For anything major you're right: you'd expect them to be on the HSTS preload list in people's browsers, which forces all requests over SSL, which would then pick up an invalid certificate. That doesn't make this harmless though; just being able to blackhole traffic for something is a pretty significant attack. Pakistan a few years back accidentally caused YouTube to be unavailable ~worldwide when they only intended to make it unavailable within the country. There are also a lot of sites not on the preload list, and those you could fairly easily MITM, especially if you've also got access to a tame certificate issuer, and I don't doubt that a nation state could persuade someone to issue them some certificates given the proper levers.
jeroenhd: Only as long as all certificate authorities ensure that all networks they host servers on are secure. If you can BGP-spoof a domain-validating CA, you can get a valid certificate for any domain of your choice (unless maybe that domain is DNSSEC-enabled, the CA does strict validation, and the domain has a CAA record for another CA that is not BGP-spoofable). Major news outlets, government websites from various countries, the American army, and many more all lack CAA records, for instance. Any CA can generate a valid certificate for those domains, and it's up to the people watching the public certificate transparency logs to catch any malicious certificates.
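jeroenhd's comment turns on what a CAA record does and does not restrict. As an added example for this page (not code from the thread or from any CA), here is the RFC 8659 relevant-RRset lookup and issuance decision, including the RFC 8657 `validationmethods` parameter that lets a domain forbid HTTP-01 entirely. The zone contents, CA identifiers and names (example.com, strict.example.org, ca.example) are constructed for the example; the "tree climbing" and tag semantics follow the RFCs, but this is a model, not a DNS resolver.

```python
# Constructed zone data (assumption, not real DNS): name -> list of (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issuewild", ";"),                 # empty issuer: nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "strict.example.org": [
        (128, "futuretag", "x"),               # critical flag on a tag we don't understand
    ],
}


def relevant_caa(zone, name):
    """RFC 8659 relevant RRset: the CAA records at the name itself, otherwise
    at the closest ancestor that has any. Returns (owner_name, rrset)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def parse_issue_value(value):
    """'ca.example; validationmethods=dns-01' -> ('ca.example', {'validationmethods': 'dns-01'})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return issuer, params


def ca_may_issue(zone, name, ca_id, method=None, wildcard=False):
    """Would the CA identified by ca_id be permitted to issue for name,
    having validated control with the given method (e.g. 'http-01')?"""
    _, rrset = relevant_caa(zone, name)
    if not rrset:
        return True                            # no CAA anywhere up the tree: any CA may issue
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False                       # critical property we cannot interpret
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                      # issuewild overrides issue for wildcard names
    relevant = [v for _, t, v in rrset if t == tag]
    if not relevant:
        return True                            # no issue/issuewild property: not restricted
    for value in relevant:
        issuer, params = parse_issue_value(value)
        if issuer != ca_id.lower():
            continue                           # an empty issuer (";") matches no CA
        allowed = params.get("validationmethods")
        if allowed and (method is None or method not in [m.strip() for m in allowed.split(",")]):
            continue                           # right CA, wrong validation method
        return True
    return False
```

The interesting case for this thread is `nocaa.example.net`: with no CAA record at any level, `ca_may_issue` returns True for every CA and every method, so a hijack against any domain-validating CA's vantage point is enough. With the `validationmethods=dns-01` record, even the authorised CA must refuse an HTTP-01 validation, which is the one BGP-hijack-friendly method.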
lucasay: RPKI makes BGP safer, not safe. It helps prevent some hijacks, but attackers can still mess with routing paths. Feels like we’re patching a trust-based system rather than fixing it.
greyface-: RPKI isn't just ROAs anymore, and BGP hijacks can happen at other places than just the first/last hop. Why hasn't this site been updated to test ASPA-invalid prefixes in addition to ROA-invalid ones?
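maltalex and lucasay say ROAs only bind a prefix to an origin AS, impl and greyface- point at ASPA for the path. The following is an added example written for this page, not code from the thread, from the linked site, or from any RPKI validator: RFC 6811 route origin validation next to a simplified, upstream-only ASPA path check modelled on the draft impl links, so the two can be compared on the same announcement. The ROAs, ASPAs, prefixes and ASNs are constructed (documentation prefixes, private ASNs); the ASPA function deliberately covers only routes learned from a customer and omits the draft's downstream/peer handling.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int              # 0 means "nobody is authorised to originate this prefix"


# Constructed RPKI data (assumption, not real objects).
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("192.0.2.0/24", 24, 0),
]
# ASPA: customer ASN -> set of provider ASNs it has authorised.
ASPAS = {64500: {64510}}


def rov_state(roas, prefix, origin_as):
    """RFC 6811 route origin validation: Valid / Invalid / NotFound."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        # AS0 ROAs never match; a /25 under a maxLength-24 ROA is Invalid.
        if roa.asn != 0 and roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def aspa_upstream_state(aspas, as_path):
    """Simplified ASPA check for a route received from a customer: walking
    from the origin outward, every hop must be customer -> authorised provider.
    as_path is in wire order (nearest neighbour first, origin last).
    Returns Valid / Invalid / Unknown (some AS on the path has no ASPA)."""
    # Collapse AS prepending so a repeated ASN is not checked against itself.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    origin_first = list(reversed(path))
    saw_unattested = False
    for customer, provider in zip(origin_first, origin_first[1:]):
        if customer not in aspas:
            saw_unattested = True
        elif provider not in aspas[customer]:
            return "Invalid"
    return "Unknown" if saw_unattested else "Valid"


def route_state(roas, aspas, prefix, as_path):
    """ROV and ASPA verdicts for one announcement; the origin is the last AS."""
    return rov_state(roas, prefix, as_path[-1]), aspa_upstream_state(aspas, as_path)


if __name__ == "__main__":
    # Attacker AS 64666 keeps the real origin 64500 at the end of the path
    # (the "claim to be on the path" hijack): ROV is happy, ASPA is not.
    print(route_state(ROAS, ASPAS, "203.0.113.0/24", [64666, 64500]))
    print(route_state(ROAS, ASPAS, "203.0.113.0/24", [64510, 64500]))
```

The first call prints `('Valid', 'Invalid')`: the forged path passes ROA-based ROV because the origin ASN is correct, and only ASPA catches that 64666 is not an authorised provider of 64500. A path through an AS with no ASPA object comes back `Unknown` rather than `Invalid`, which is why ASPA coverage, like ROA coverage, only bites once enough networks publish objects.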