IPSec by itself isn't going to really help. If they are doing DPI, they can MITM your IPSec connections. You still need a key management system, and I am not aware of any large-scale systems that are in-place to just "switch on" IPSec, that is, suddenly provide you with the certificates for every IP you want to connect to.


If they are doing DPI, they can MITM your IPSec connections.

What, how? DPI just means looking at packets inside IP. It doesn't somehow grant you the ability to do man-in-the-middle attacks.

Deep packet inspection is already possible. That doesn't mean that TLS or IPsec or any other protocol is broken.

(I agree with the need for key management etc.; it's just the quoted statement above that seems wrong.)


You're right, it could be a passive inspection. But... if they are your ISP and have access to your packets, chances are they can rewrite and inject traffic too. Sure, they might need a bit more hardware to do so, but it's not exactly difficult.

But you're correct, DPI doesn't necessarily imply MITM capabilities.
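As an added illustration of the point in this sub-thread (not code from any commenter), here is a simplified model of ESP integrity protection with HMAC-SHA-256-128 and a minimal anti-replay check. It omits encryption, padding and the full replay window, and the key, SPI and payload are constructed values; it shows why reading and rewriting packets does not by itself let an on-path party modify or inject into an authenticated IPsec SA.

```python
import hmac
import hashlib
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 (RFC 4868) truncates the tag to 128 bits


def esp_build(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build a simplified ESP packet: SPI | seq | payload | ICV.
    Real ESP also encrypts the payload and adds padding; omitted here."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class EspReceiver:
    """Receiving end of one SA: checks the ICV and a minimal anti-replay rule."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.last_seq = 0

    def accept(self, packet: bytes):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < 8 + ICV_LEN:
            return None
        spi, seq = struct.unpack("!II", packet[:8])
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if spi != self.spi or not hmac.compare_digest(icv, expected):
            return None  # forged, or modified in transit
        if seq <= self.last_seq:
            return None  # replay of an already-seen packet
        self.last_seq = seq
        return packet[8:-ICV_LEN]


def demo():
    key = b"\x11" * 32  # constructed SA key shared by both endpoints
    rx = EspReceiver(key, spi=0x1000)
    genuine = esp_build(key, 0x1000, 1, b"GET / HTTP/1.1")
    # An on-path party can read every byte (DPI) and rewrite it ...
    tampered = bytearray(genuine)
    tampered[8] ^= 0x01  # ... flip one payload bit ...
    forged = esp_build(b"\x22" * 32, 0x1000, 2, b"injected")  # ... or inject with a wrong key
    return {
        "genuine": rx.accept(genuine) is not None,
        "tampered": rx.accept(bytes(tampered)) is not None,
        "forged": rx.accept(forged) is not None,
        "replayed": rx.accept(genuine) is not None,
    }
```

Only the genuine packet is accepted; without the SA key, an on-path party can observe and block traffic but cannot produce a packet the receiver trusts.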

