
Network Security Infrastructure

Transit provider security practices, RPKI implementation, BGP route hijacking vulnerabilities, autonomous system path manipulation, route leak consequences


Advancements in network security, such as Encrypted Client Hello (ECH), are finally closing long-standing privacy gaps by hiding hostnames from middle-men, making it increasingly difficult for providers to block specific sites hosted on shared cloud infrastructure. While some argue that the BGP protocol remains inherently vulnerable to chaos, industry veterans highlight that modern router filtering has significantly reduced the frequency of the "fat-finger" route leaks that plagued the early internet. However, these architectural improvements are often undermined by foundational security lapses, such as the use of weak, universal passwords across critical telecom and IoT infrastructure. Together, these perspectives reveal a landscape where sophisticated encryption and improved routing practices must still contend with persistent human negligence.

4 comments tagged with this topic

Encrypted DNS has existed for quite a while now through DNS over HTTPS; the missing link was that to connect to a website, you first had to send the server the hostname in plaintext to get the right public key for the site. So someone listening on the wire could not see your DNS requests but would effectively still get the site you connected to anyway. The new development (Encrypted Client Hello) is that you no longer have to send the hostname. So someone listening in the middle would only see you connected to an AWS/etc. IP. This will make blocking websites very difficult if they use shared services like Cloudflare or cloud VPS hosting.
BGP is so unsecure that almost anyone can create chaos.
Most BGP peers have router filters in place. It's not 1996 anymore. I remember the days of logging into a Cisco connected to a Sprint T1 and seeing a coworker had fat-fingered a spammer's route, sending it to null0. Oops. How did that happen?
I worked as a contractor for an IoT gig that sold SIM card services for buses, trains et cetera. The radio towers we used to access to obtain the accounting data (CDRs) all had the same very weak password.