Any plans for 1.1.1.1 to perform RPKI Origin Validation on its edges to increase the chance of queries & answers going to the correct place? Resolvers seem a great place to start ignoring RPKI Invalid announcements.
You’re forever an optimist and I agree with you most of the time. Sadly #RPKI still has a way to go before it’s ubiquitous and useful (as you already know). We enabled RPKI for some announcements; but no receive filtering (yet). cc: @OGudm @eastdakota pic.twitter.com/KQ41Lfklij
Redirecting DNS traffic is only the tip of it. Our recent paper “Hijacking Bitcoin: Routing Attacks on Cryptocurrencies” (see https://btc-hijack.ethz.ch ) shows how #BGP leaks can be used to perform much larger-scale attacks against cryptocurrencies, including partitioning attacks.
I agree with @JobSnijders that it would be nice if all the biggest providers began adopting RPKI policy on their side. On the other hand - BGPSec would solve the BGP leak issue definitely, but is currently not deployed at all.
Unfortunately there are no usable BGPSec implementations - while I can do (and have done) RPKI Origin Validation on BGP anycast devices. Proposal: implement what is available today. RPKI would've stopped yesterday's incident.
If the targeted site had HSTS configured, would it still be possible to do? (On clients with a saved HSTS config from an earlier visit)
You'd need a proper valid certificate. Adds more steps for the attacker to succeed as it requires compromising a certificate authority.