[LINK] Firesheep

Scott Howard scott at doc.net.au
Mon Feb 21 12:21:28 AEDT 2011


On Sun, Feb 20, 2011 at 4:54 PM, Paul Brooks <pbrooks-link at layer10.com.au> wrote:

>
> IPv6 requires all endpoints to implement IPSEC, where for IPv4 IPSEC
> support is optional.
>

Out of interest, are you aware of any platforms that support IPSec-over-IPv6
that don't support IPSec-over-IPv4?  I can't think of any off the top of my
head, although it's not exactly a subject I've investigated.



> That said, if the popular websites such as Facebook etc enabled IPSEC
> encryption
> for all incoming connections then takeup would grow as more and more people
> became aware of the issue - and just maybe eventually it might become a
> default configuration for end user installations.
>

But why on earth would they?

It's not that IPSec doesn't have its place, but we already have a perfectly
good solution for link-level security for websites (and unless I'm missing
something, Facebook is 100% HTTP-based).

The problem here is that Facebook made the decision to use non-encrypted
HTTP, rather than HTTP-over-SSL/TLS for the vast majority of their site.
That's not a failing of the protocols, that's a failing of the site - most
likely for cost reasons.

  Scott.


