Internet Route Hijacking -- Interesting Read


Paul

I saw this article mentioned in the ARIN mailing list recently, and found it quite interesting.

 

http://www.renesys.com/2013/11/mitm-internet-hijacking/

 

Apparently, route hijacking has been on the rise in 2013. Worth the read if you have a few minutes.

 

Thanks to encryption and trusted certificates you can sleep at night.

 

Edit:  With one eye open.

Link to comment
Share on other sites

Thanks to encryption and trusted certificates you can sleep at night.

 

Edit:  With one eye open.

 

It does seem to reinforce the idea that encryption is increasingly necessary, and not just for the most sensitive information. An Internet where virtually all traffic is encrypted is one that I think we're necessarily heading towards. Necessity drives innovation, and I think it'll happen naturally.

Link to comment
Share on other sites

On our website, in Google Chrome, it is hard coded into the browser that SSL must be used. If there is an invalid certificate or no certificate, the browser will throw an error. This includes all subdomains as well. We took this measure to prevent any possible chance of interception.

Link to comment
Share on other sites

It does seem to reinforce the idea that encryption is increasingly necessary, and not just for the most sensitive information. An Internet where virtually all traffic is encrypted is one that I think we're necessarily heading towards. Necessity drives innovation, and I think it'll happen naturally.

 

To encrypt all internet traffic would require devastating amounts of CPU, electricity and bandwidth because of its footprint. I don't feel like there's a need to encrypt all traffic except for of course private or secret information and exploitable files. When someone sends a file it can be intercepted and tampered with. I think you'd sooner see some method to fragment or distribute traffic in order to prevent MITM where it is single point in nature.

Link to comment
Share on other sites

To encrypt all internet traffic would require devastating amounts of CPU, electricity and bandwidth because of its footprint. I don't feel like there's a need to encrypt all traffic except for of course private or secret information and exploitable files. When someone sends a file it can be intercepted and tampered with. I think you'd sooner see some method to fragment or distribute traffic in order to prevent MITM where it is single point in nature.

 

Computationally it's becoming more and more feasible. A lot of websites now force SSL. More people use SFTP instead of FTP for file transfers. More people check and send email securely now (it's a requirement for all of us here). Sure, there are some services that may not necessarily benefit from encryption, or where encryption may be too expensive to implement due to processing power. BGP may be a good example of that.

 

I'm not arguing that there should be any laws or regulations to enforce encryption and I don't think those would pass anyway, governments love to get their hands on information. I always argue against such regulations. But, I think that people are becoming more and more security conscious, and that the result is that more and more traffic is becoming encrypted. I think that's a good thing.

Link to comment
Share on other sites

Computationally it's becoming more and more feasible. A lot of websites now force SSL. More people use SFTP instead of FTP for file transfers. More people check and send email securely now (it's a requirement for all of us here). Sure, there are some services that may not necessarily benefit from encryption, or where encryption may be too expensive to implement due to processing power. BGP may be a good example of that.

 

I'm not arguing that there should be any laws or regulations to enforce encryption and I don't think those would pass anyway, governments love to get their hands on information. I always argue against such regulations. But, I think that people are becoming more and more security conscious, and that the result is that more and more traffic is becoming encrypted. I think that's a good thing.

 

Which websites force SSL traffic short of area of sensitivity like login access?  Requiring SSL on everything would make things incredibly slow, especially for mobile users.

Link to comment
Share on other sites

Which websites force SSL traffic short of area of sensitivity like login access?  Requiring SSL on everything would make things incredibly slow, especially for mobile users.

 

Almost all modern CPUs support hardware-accelerated encryption. The iPhone 5s even does this. Encryption is not necessarily a time-consuming process. Block ciphers work by encrypting small pieces (usually 16 bytes) of data at a time, so can easily be streamed. Keep in mind the maximum TCP packet size is 64 KB.

 

Will encryption ever be as fast as plain-text? No, but soon the differences will be negligible and there will be simply no reason not to use it.

Link to comment
Share on other sites

google.com does

 

Google is a login portal since even their search page will recognize a logged in user.

 

Almost all modern CPUs support hardware-accelerated encryption. The iPhone 5s even does this. Encryption is not necessarily a time-consuming process. Block ciphers work by encrypting small pieces (usually 16 bytes) of data at a time, so can easily be streamed. Keep in mind the maximum TCP packet size is 64 KB.

 

Will encryption ever be as fast as plain-text? No, but soon the differences will be negligible and there will be simply no reason not to use it.

 

That's fair in regards to speed and consumption, but what about proxy servers that won't be able to filter traffic properly? That and HTTPS doesn't make you immune to MITM since SSL connectivity is based on 'trust'.

Link to comment
Share on other sites

 

That's fair in regards to speed and consumption, but what about proxy servers that won't be able to filter traffic properly? That and HTTPS doesn't make you immune to MITM since SSL connectivity is based on 'trust'.

 

Why would proxies need to filter traffic? I don't know of any open web proxy that forces users to use unencrypted connections. TOR is a proxy network that, in addition to forcing HTTPS (where possible), encrypts every packet in multiple layers of encryption.

 

While HTTPS may not be perfect, the key exchange (Diffie-Hellman) is still the best way of allowing two anonymous users to exchange encryption keys. While some trust is required, it's infinitely less trust than would be required when transmitting plain-text over the Internet.

Link to comment
Share on other sites

I read somewhere (Slashdot I think) that the W3C is working on HTTP 2.0. As it stands, encryption will be the default. Plaintext will be a thing of the past.

I don't even think it's necessary from a security standpoint, I think it is more of a requirement because of hijacking. It's incredibly difficult to spoof or hijack when it's encrypted, and much easier to verify end to end.

My personal opinion is encrypt everything. I don't find any speed issues with any services I use. From my own servers, to email, to simple web browsing (Google, Wikipedia, etc.)

I've even been using my mobile phone more and more as the months go by. I see no real speed difference between my Nexus 4 over WiFi or 3.5G, or my 8 core desktop. My home internet connection is 100Mbps.

I'm a big supporter of HSTS (HTTP Strict Transport Security). See more here: http://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Link to comment
Share on other sites

Forget speed I was only referring to as it stands today.  You may have encrypted your site and did not notice a difference but if you're talking about encrypting every entity out on the internet that's another thing.  Will it fix MITM?  I say no for the fact that it's a 'trust'.  You are trusting the certificate on the other end because the root server says it's legit.  This is fine for local traffic when you're on WiFi networks but when you're talking about backbone traffic being rerouted how are you going to trust your trusted authority?

 

Let's not forget that encrypted traffic also allows hackers to hide in some situations.

Link to comment
Share on other sites

Why would proxies need to filter traffic? I don't know of any open web proxy that forces users to use unencrypted connections. TOR is a proxy network that, in addition to forcing HTTPS (where possible), encrypts every packet in multiple layers of encryption.

 

While HTTPS may not be perfect, the key exchange (Diffie-Hellman) is still the best way of allowing two anonymous users to exchange encryption keys. While some trust is required, it's infinitely less trust than would be required when transmitting plain-text over the Internet.

 

Open Web Proxies yes but private businesses that use filtering for internal policies not just limited to security.  Of course those companies can add their certificates to the proxy and configure a MITM in order to do their filtering but I'd imagine in some cases this isn't applicable.  So I'm not sure I'd rule it out.

Link to comment
Share on other sites

I read somewhere (Slashdot I think) that the W3C is working on HTTP 2.0. As it stands, encryption will be the default. Plaintext will be a thing of the past.

Slashdot is where I read it. :)

 

I don't even think it's necessary from a security standpoint, I think it is more of a requirement because of hijacking. It's incredibly difficult to spoof or hijack when it's encrypted, and much easier to verify end to end.

My personal opinion is encrypt everything. I don't find any speed issues with any services I use. From my own servers, to email, to simple web browsing (Google, Wikipedia, etc.)

I've even been using my mobile phone more and more as the months go by. I see no real speed difference between my Nexus 4 over WiFi or 3.5G, or my 8 core desktop. My home internet connection is 100Mbps.

I'm a big supporter of HSTS (HTTP Strict Transport Security). See more here: http://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Security

+1

Link to comment
Share on other sites

Forget speed I was only referring to as it stands today.  You may have encrypted your site and did not notice a difference but if you're talking about encrypting every entity out on the internet that's another thing.  Will it fix MITM?  I say no for the fact that it's a 'trust'.  You are trusting the certificate on the other end because the root server says it's legit.  This is fine for local traffic when you're on WiFi networks but when you're talking about backbone traffic being rerouted how are you going to trust your trusted authority?

 

What do you mean by "local traffic"? The only thing I would consider "local traffic" is traffic over my LAN. Anything over the Internet is not local.

 

I have a higher degree of trust in an entity that can prove to me who they are through a mutually trusted third party, than I do for an entity that can't or won't do that. That's really what it comes down to.

Regarding backbone traffic, that's completely transparent to both ends of the connection. It doesn't matter to me whether or not the backbone(s) transporting my data to the server encrypts their traffic because by the time it reaches the server the packets are as I sent them.

 

Let's not forget that encrypted traffic also allows hackers to hide in some situations.

Yes, and that's something I rely on. :D

Link to comment
Share on other sites

Which websites force SSL traffic short of area of sensitivity like login access?  Requiring SSL on everything would make things incredibly slow, especially for mobile 

 

 

 

Everything on our main website is SSL protected. We have internal subdomains and things that are not, but places with client interaction on our site are SSL.

Link to comment
Share on other sites

  • 3 weeks later...

I believe what John was trying to say earlier is that Inertia Networks submitted its domain name (inertianetworks.com) to be put on the "Preloaded HSTS List", meaning that the browsers that support this feature will know to connect to the subdomains and the domain (inertianetworks.com) itself using ONLY SSL or die trying.

 

The enforcing in the browser directly happens in Chromium, Chrome, Safari (Mavericks OS X 10.9), Firefox 26 (that I know of) and Opera. If you're thinking I missed Internet Explorer, I did not, because not a single version of IE (including the ones in Windows 8) does not enforce the list. The same may be for the browsers on iOS & Android.

Link to comment
Share on other sites
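
The HSTS behaviour discussed in this thread can be checked from the response header a site sends. The following is an added example, not code from any poster: it parses a `Strict-Transport-Security` value using the RFC 6797 rules and reports what would block a preload-list submission. The thresholds are the current hstspreload.org submission requirements (an assumption relative to this 2013 thread), and the sample header values are constructed.

```python
import re

# Assumption: current hstspreload.org submission requirements (not from the thread).
PRELOAD_MIN_AGE = 31536000  # one year, in seconds

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a policy dict, or None when a browser would ignore the header."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # value given in quoted-string form
        if name in seen:
            return None  # a directive may appear only once
        seen[name] = arg
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a number
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def preload_problems(value, over_https=True):
    """List the reasons this header would not qualify for the preload list."""
    if not over_https:
        return ["header sent over plain HTTP is ignored by browsers"]
    policy = parse_hsts(value)
    if policy is None:
        return ["header is malformed and would be ignored"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_AGE:
        problems.append("max-age below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload missing")
    return problems

if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for hdr in ("max-age=63072000; includeSubDomains; preload",
                "max-age=300",
                "max-age=31536000; max-age=1; preload"):
        print(repr(hdr), "->", preload_problems(hdr) or "eligible")
```
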
