[LINK] Firesheep
Scott Howard
scott at doc.net.au
Mon Feb 21 12:21:28 AEDT 2011
On Sun, Feb 20, 2011 at 4:54 PM, Paul Brooks <pbrooks-link at layer10.com.au> wrote:
>
> IPv6 requires all endpoints to implement IPSEC, where for IPv4 IPSEC
> support is optional.
>
Out of interest, are you aware of any platforms that support IPSec-over-IPv6
that don't support IPSec-over-IPv4? I can't think of any off the top of my
head, although it's not exactly a subject I've investigated.
> That said, if the popular websites such as Facebook etc enabled IPSEC
> encryption for all incoming connections then takeup would grow as more and
> more people became aware of the issue - and just maybe eventually it might
> become a default configuration for end user installations.
>
But why on earth would they?
It's not that IPSec doesn't have its place, but we already have a perfectly
good solution for link-level security for websites (and unless I'm missing
something, Facebook is 100% HTTP-based).
The problem here is that Facebook made the decision to use non-encrypted
HTTP, rather than HTTP-over-SSL/TLS for the vast majority of their site.
That's not a failing of the protocols, that's a failing of the site - most
likely for cost reasons.
Scott.