[LINK] Firesheep

Scott Howard scott at doc.net.au
Mon Feb 21 12:21:28 AEDT 2011

On Sun, Feb 20, 2011 at 4:54 PM, Paul Brooks <pbrooks-link at layer10.com.au> wrote:

> IPv6 requires all endpoints to implement IPSEC, where for IPv4 IPSEC
> support is optional.

Out of interest, are you aware of any platforms that support IPSec-over-IPv6
that don't support IPSec-over-IPv4? I can't think of any off the top of my
head, although it's not exactly a subject I've investigated.

> That said, if the popular websites such as Facebook etc enabled IPSEC
> encryption for all incoming connections then takeup would grow as more and
> more people became aware of the issue - and just maybe eventually it might
> become a default configuration for end user installations.

But why on earth would they?

It's not that IPSec doesn't have its place, but we already have a perfectly
good solution for link-level security for websites (and unless I'm missing
something, Facebook is 100% HTTP-based).

The problem here is that Facebook made the decision to use non-encrypted
HTTP, rather than HTTP-over-SSL/TLS for the vast majority of their site.
That's not a failing of the protocols, that's a failing of the site - most
likely for cost reasons.

