Hacker News Viewer

Top 20

Is BGP Safe Yet? No. Test Your ISP

by janandonly on 4/1/2026, 1:10:29 PM

https://isbgpsafeyet.com/

Comments

by: maltalex

RPKI doesn&#x27;t make BGP safe, it makes it <i>safer</i>. BGP hijacks can still happen.<p>RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS, and get the victim&#x27;s traffic sent to it.<p>The solution to this was supposed to be BGPSec, but it&#x27;s widely seen as un-deployable.

4/1/2026, 2:06:14 PM

by: greyface-

RPKI isn&#x27;t just ROAs anymore, and BGP hijacks can happen at other places than just the first&#x2F;last hop. Why hasn&#x27;t this site been updated to test ASPA-invalid prefixes in addition to ROA-invalid ones?

4/1/2026, 3:19:47 PM

by: NetOpWibby

When was the last time this site was updated? It mentions Sprint, which hasn&#x27;t existed for years.

4/1/2026, 3:41:05 PM

by: commandersaki

I think the test for BGP is Safe is when we stop using it and instead use SCION: <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;SCION_(Internet_architecture)" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;SCION_(Internet_architecture)</a>.

4/1/2026, 1:44:07 PM

by: lucasay

RPKI makes BGP safer, not safe. It helps prevent some hijacks, but attackers can still mess with routing paths. Feels like we’re patching a trust-based system rather than fixing it.

4/1/2026, 3:19:52 PM

by: nemomarx

This actually shows pretty good coverage for this feature, it seems to me. The big American isps do it, the mobile ones do too...<p>How many major isps would we want to implement it to be &quot;safe&quot; and what would that look like? Is this a regional thing? They&#x27;ve only listed 4 unsafe ones on the site and that doesn&#x27;t seem like a major issue, but maybe they&#x27;re very large somewhere.

4/1/2026, 1:32:14 PM

by: olivier5199

An ISP is marked as unsafe in the table, yet running the test says it is. (same ASN)

4/1/2026, 1:52:43 PM

by: volemo

Wikimedia is an ISP?

4/1/2026, 3:37:23 PM

by: elashri

Any reasons on why an ISP would not implement it other than effort&#x2F;cost? Just for someone like me whose networks knowledge is very naive.

4/1/2026, 2:20:19 PM

by: bilekas

Google And digital ocean are huge players here but is there a reason they would only have partial coverage?<p>TIM is listed as insecure yet my test is successful.<p>&gt; Your ISP (Telecom Italia S.p.a., AS3269) implements BGP safely. It correctly drops invalid prefixes

4/1/2026, 1:40:17 PM

by: collabs

Looks like Verizon does it correctly.<p>&gt; Your ISP (Verizon, AS701) implements BGP safely. It correctly drops invalid prefixes.

4/1/2026, 2:17:33 PM

by: kevincloudsec

rpki adoption is the new ipv6 adoption. it looks great until you realize it only validates who owns the prefix, not the path to get there lol

4/1/2026, 2:46:49 PM

by: RRRA

Google being shown as unsafe makes me think they have some internal methods for filtering?

4/1/2026, 1:39:43 PM

by: NewsaHackO

&gt; A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.<p>But with HTTPS, they wouldn&#x27;t be able to actually pose as another website, just delay&#x2F;black hole the request so it doesn&#x27;t reach its goal target, right? From the figure, it makes it seem like a person can use BGP to spoof a website and make a user visit a phished website, but that&#x27;s not right, correct?

4/1/2026, 2:01:37 PM

by:

4/1/2026, 3:00:37 PM

by: nareyko

[dead]

4/1/2026, 1:37:20 PM