Is BGP safe yet? - Hacker News

Posted by janandonly 8 hours ago

208 points | 72 commentspage 2

bilekas 8 hours ago|

Google And digital ocean are huge players here but is there a reason they would only have partial coverage?

TIM is listed as insecure yet my test is successful.

> Your ISP (Telecom Italia S.p.a., AS3269) implements BGP safely. It correctly drops invalid prefixes

kevincloudsec 7 hours ago||

rpki adoption is the new ipv6 adoption. it looks great until you realize it only validates who owns the prefix, not the path to get there lol

betaby 1 hour ago|

Path validation is handled by ASPA https://www.ripe.net/manage-ips-and-asns/resource-management...

NetOpWibby 6 hours ago||

When was the last time this site was updated? It mentions Sprint, which hasn't existed for years.

dec0dedab0de 6 hours ago|

I think it just goes by ASN. Looks like Comcast owns the Sprint ASN now.

elashri 7 hours ago||

Any reasons on why an ISP would not implement it other than effort/cost? Just for someone like me whose networks knowledge is very naive.

dec0dedab0de 6 hours ago|

They may be worried that their larger clients don't have things configured correctly, and they don't want to break things for them.

They may have older hardware that needs to be upgraded before they can use this feature.

They might even have their own way of filtering that they think is good enough.

Though, all of those really boil down to effort/cost.

NewsaHackO 7 hours ago||

> A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.

But with HTTPS, they wouldn't be able to actually pose as another website, just delay/black hole the request so it doesn't reach its goal target, right? From the figure, it makes it seem like a person can use BGP to spoof a website and make a user visit a phished website, but that's not right, correct?

foobiekr 7 hours ago||

BGP attacks have nothing to do with spoofed peers. They have to do with accepted peers behaving maliciously in terms of the AS Paths they advertise.

Once you control BGP you control any IP and can subvert certificate issuance that effectively uses IP to validate certificate issuance requests. For example anything that relies on a file or dns at a specific IP. Once you have done so, you ARE the site, no matter what HSTS says.

We’ve tried to solve this problem a few times with certificate pinning (dangerous) and more recently just giving up and using certificate transparency to try and mitigate the blast radius by hoping the duration can be curtailed. The whole system is incredibly fragile.

As an aside, BGP should move over to TLS (not https, http is a terrible protocol for this) for other reasons (it’s a better option than tcp aom/md5). That this is not already the case should inform people’s opinion of where this stuff is on the security timeline.

swisniewski 7 hours ago|||

You can use BGP hijacks to spoof another website.

You just need to get a publicly trusted CA to mint a certificate for your new site.

This can be done, for example, with let’s encrypt, using several of the various domain verification challenges they support.

There are some protections against this, such as CAA records in DNS, which restrict which CAs can issue certs and depending on the CA which verification methods are allowed. That may not provide adequate protection.

For example if you are using LE and are using verification mechanisms other than DNS then the attacker could trick LE to issuing it a cert.

That also depends on the security of DNS, which can be tricky.

So, yes, BGP hijacks can be used to impersonate other sites, even though they are using HTTPS.

When you configure your domains, Make sure you setup CAA, locked down to your specific CA, and have DNS sec setup, as a minimum bar. Also avoid using DV mechanisms that only rely on control over an IP address, as that can be subverted via BGP.

infogulch 7 hours ago|||

Well if they can deceive certificate authorities that implement the ACME protocol like LetsEncrypt, then they could get a certificate for your site with the HTTP-01 challenge, see the paper Using BGP to Acquire Bogus TLS Certificates (2017) [1]. That paper suggested a mitigation they call Multiple Vantage Point Verification, which has already been implemented [2].

[1]: https://petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.p...

[2]: https://community.letsencrypt.org/t/validating-challenges-fr...

tialaramex 7 hours ago||

They don't need ACME to do that, ACME is just an automation standard - the same rules apply for getting a certificate via ACME such as 3.2.2.4.19 "Agreed upon change to website - ACME" as for the manual process 3.2.2.4.18 "Agreed upon change to website v2". The ACME version is just designed for machines to automate easily (and as a result wildly more common in use today)

And Multi-perspective only helps against an attacker who is merely able to influence a local route, if they can ensure all your perspectives see the same thing the attacker wins.

infogulch 4 hours ago||

So there is a more general standard which the ACME protocol automates. Or perhaps another way to put it is that, the standard is written in a way that "just happens" to be nicely automatable.

Yes this is why multi-perspective is described as a "mitigation" above. Ideally, ACME issuers have a large array of perspectives with additional perspectives added frequently to foil planned attacks. But real BGP security is the actual solution to this problem.

tialaramex 4 hours ago||

Not exactly. There's a document, the Baseline Requirements or BRs: https://cabforum.org/working-groups/server/baseline-requirem...

This document is essentially an agreement between the Trust Stores (largely the browser vendors such as Microsoft, Google, Apple, and Mozilla) on behalf of their Relying Parties (everybody) and the Certificate Authorities they choose to trust. It lays out the requirements on what the CAs may do and how they may do it, the numbers I quoted were sub-section numbers for what are sometimes called the "Blessed Methods" which these days are listed in those requirements - for how a CA shall check that say a certificate for news.ycombinator.com can be issued to this web server we're both using.

This isn't a "standard" really, any more than you'd say the Geneva Conventions were standards. It specifies (that "- ACME" is from the document, it's not my addition) that you can use some ACME protocol features to achieve the name confirming requirement but it also specifies some ways to do so manually. Last month quite a few of the older methods were finally stopped for new issuance (though existing confirmations for those methods will keep working for a few years if you have them). Stuff like "Find the landline phone number for the company in a government directory and call them" which I'm not sure really still made sense when the BRs were first agreed, let alone last month when it was finally removed.

jon-wood 7 hours ago|||

For anything major you're right, you'd expect them to be on the HSTS preload list in people's browsers which forces all requests over SSL which would then pick up an invalid certificate. That doesn't make this harmless though, just being able to blackhole traffic for something is a pretty significant attack - Pakistan a few years back accidentally caused YouTube to be unavailable ~worldwide when they only intended to make it unavailable within the country. There's also a lot of sites not on the preload list, and those you could fairly easily MITM, especially if you've also got access to a tame certificate issuer and I don't doubt that a nation state could persuade someone to issue them some certificates given the proper levers.

jeroenhd 6 hours ago||

Only as long as all certificate authorities ensure that all networks they host servers on secure. If you can BGP spoof a domain-validating CA, you can get a valid certificate for any domain of your choice (unless maybe if that domain is DNSSEC-enabled, the CA does strict validation, and the domain has a CAA record for another CA that is not BGP-spoofable).

Major news outlets, government websites from various countries, the American army, and many more all lack CAA records, for instance. Any CA can generate a valid certificate for those domains and it's up to the people watching the public certificate transparency logs to catch any malicious certificates.

dsr_ 7 hours ago||

If you can inject arbitrary malicious routes, you can make ACME requests for a new cert.

ThomasGlanzmann 3 hours ago||

You can mitigate this with DNSSEC, CAA records and account pinning. See: https://www.devever.net/~hl/xmpp-incident

RRRA 8 hours ago||

Google being shown as unsafe makes me think they have some internal methods for filtering?

volemo 6 hours ago||

Wikimedia is an ISP?

dec0dedab0de 6 hours ago|

When they say ISP they mean anything with an ASN

nareyko 8 hours ago|

[dead]