I don't work in networking, but seeing as most traffic is encrypted these days, does passing through unfriendly hardware matter as much as back in the days of plaintext everything? Sure they can drop packets, but they can't tamper/read it, or is there something I'm missing?
If you direct a CA's traffic through your server, you can answer the HTTP or DNS queries that prove domain ownership. And lots of people click past warnings because an IT disruption isn't a day off if they can work around it
Russia could easily “convince” a CA based in their country to do them a favour to facilitate MITM. Or just gather the right kompromat needed to convince one overseas.
Yes, but doing it intentionally isn't as simple as one might think. First, BGP generally prefers the shortest path and yours is going to be a little long, so unless the best original path is very long you need on some transit provider to use policy-based routing and trust you as transit. Second, if you want the traffic to pass through your hardware you have to have sufficient bandwidth, otherwise you'll just trigger packet loss and disrupt service (fine if disruption is your goal, not so fine if you want the traffic to pass through your hardware). Third, some people use signed routes, which also complicates your job.
There are measures to prevent or at least mitigate that, like RPKI. But having a sensible improvement doesn’t mean that everyone is using it, look at IPv6.
Those protocols weren’t designed for privacy or financial transactions. Those things have just been kludged on top.
No one back then designed those protocols for our use cases today.
Ask rather why we haven’t upgraded all the hardware that supports all those old protocols? So that these protocols could also be updated and modernised.
We won’t replace electricity but we’ll build on top of it. Electricity is fundamentally the same since ever: copper wires transport it and it flows between two poles.
That’s a bit what C is - the basis of other languages and for that it works fine. We abstract up the chain of complexity.
There will always be a fundamental basis for all technology and it will never be perfect. Tesla would have preferred to use DC currents, instead we have AC which is more dangerous.
DC was preferred by Edison, not Tesla, which is not more dangerous at all. That was propaganda by Edison to disparage *EDIT:AC current. DC is just as dangerous as AC.
I don't work in networking, but seeing as most traffic is encrypted these days, does passing through unfriendly hardware matter as much as back in the days of plaintext everything? Sure they can drop packets, but they can't tamper/read it, or is there something I'm missing?
Who checks those encryption keys?
If you direct a CA's traffic through your server, you can answer the HTTP or DNS queries that prove domain ownership. And lots of people click past warnings because an IT disruption isn't a day off if they can work around it
Russia could easily “convince” a CA based in their country to do them a favour to facilitate MITM. Or just gather the right kompromat needed to convince one overseas.
This is an interception scenario, no? If issued intentionally, traffic will pass through hardware in… unfriendly territory.
Yes, but doing it intentionally isn't as simple as one might think. First, BGP generally prefers the shortest path and yours is going to be a little long, so unless the best original path is very long you need on some transit provider to use policy-based routing and trust you as transit. Second, if you want the traffic to pass through your hardware you have to have sufficient bandwidth, otherwise you'll just trigger packet loss and disrupt service (fine if disruption is your goal, not so fine if you want the traffic to pass through your hardware). Third, some people use signed routes, which also complicates your job.
Episode n°5933 of our regularly scheduled series: "how Internet still depends on terribly naïve and insecure protocols invented 30 years ago".
There are measures to prevent or at least mitigate that, like RPKI. But having a sensible improvement doesn’t mean that everyone is using it, look at IPv6.
Those protocols weren’t designed for privacy or financial transactions. Those things have just been kludged on top.
No one back then designed those protocols for our use cases today.
Ask rather why we haven’t upgraded all the hardware that supports all those old protocols? So that these protocols could also be updated and modernised.
BGP routers are for the most part replaced often as bandwidth requirements continue to increase, that is not the problem here.
Much like C.
We won’t replace electricity but we’ll build on top of it. Electricity is fundamentally the same since ever: copper wires transport it and it flows between two poles.
That’s a bit what C is - the basis of other languages and for that it works fine. We abstract up the chain of complexity.
There will always be a fundamental basis for all technology and it will never be perfect. Tesla would have preferred to use DC currents, instead we have AC which is more dangerous.
DC was preferred by Edison, not Tesla, which is not more dangerous at all. That was propaganda by Edison to disparage *EDIT:AC current. DC is just as dangerous as AC.
Thanks for the correction.
> That was propaganda by Edison to disparage DC
But if he prefered it, why would he create progaganda against it?
> DC is just as dangerous as AC.
I assumed the alternating made it more dangerous but I stand corrected.
I messed it up too. Edison wanted to disparage AC.
> instead we have AC which is more dangerous
That's false. If you assume the same (effective) voltage, ac is considerably less dangerous.