Ironic this is from Cloudflare, probably the single entity most likely to be responsible for breaking the internet in 2026
maltalex
RPKI doesn't make BGP safe, it makes it safer. BGP hijacks can still happen.
RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS, and get the victim's traffic sent to it.
The solution to this was supposed to be BGPSec, but it's widely seen as un-deployable.
surround
The graphic that shows that a hijacker can route traffic to their malicious website is a little misleading. Since the SSL certificate would be invalid, browsers would block the connection and show a warning.
I guess the attack could still be used for denial of service.
nemomarx
This actually shows pretty good coverage for this feature, it seems to me. The big American ISPs do it, the mobile ones do too...
How many major ISPs would we want to implement it to be "safe" and what would that look like? Is this a regional thing? They've only listed 4 unsafe ones on the site and that doesn't seem like a major issue, but maybe they're very large somewhere.
RPKI isn't just ROAs anymore, and BGP hijacks can happen at other places than just the first/last hop. Why hasn't this site been updated to test ASPA-invalid prefixes in addition to ROA-invalid ones?
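The two points raised above, that a ROA only ties a prefix to an origin AS and says nothing about the path, and that an ASPA-style check is what would catch a bad path, as an added example that is not from the thread or from Cloudflare's test site. Everything in it is constructed: the ROAs, the ASPA provider sets, the AS numbers (64496 onwards, from the private-use range) and the TEST-NET prefixes. The origin check follows RFC 6811; the path check is a reduced form of the ASPA upstream verification algorithm (customer-learned routes only), not a full implementation.

```python
"""Added example: RFC 6811 Route Origin Validation over constructed ROAs,
next to a simplified ASPA-style provider check, to show why a ROA-only test
still passes a forged-origin hijack."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix the origin may announce under this ROA
    origin_as: int


# Constructed sample ROAs (not real registry data).
ROAS = [
    ROA("203.0.113.0/24", 24, 64496),    # victim: only the /24, only AS64496
    ROA("198.51.100.0/22", 24, 64497),
]

# Constructed ASPA records: customer AS -> set of authorised provider ASes.
ASPA = {
    64496: {64500, 64501},   # the victim's only transit providers
    64500: {64502},
}


def rov_state(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify an announcement per RFC 6811: 'valid', 'invalid' or 'not-found'.

    A ROA 'covers' the announcement when the announced prefix lies inside the
    ROA prefix. With no covering ROA the state is not-found; with a covering
    ROA the announcement is valid only if the origin AS matches and the prefix
    is no longer than max_length, otherwise invalid.
    """
    net = ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def upstream_path_ok(as_path: list, aspa=ASPA) -> str:
    """Simplified ASPA-style check for a route learned from a customer.

    Walking from the origin towards the validator, each AS must be followed
    by one of its authorised providers. An attested AS followed by a
    non-provider makes the path 'invalid'; an AS with no ASPA record makes
    the result 'unknown' unless some other hop is already invalid.
    This is a reduced form of the draft ASPA upstream algorithm (assumption:
    the route arrived from a customer; lateral peers and downstream paths
    are not modelled).
    """
    hops = list(reversed(as_path))   # as_path is [nearest neighbour, ..., origin]
    result = "valid"
    for customer, provider in zip(hops, hops[1:]):
        providers = aspa.get(customer)
        if providers is None:
            result = "unknown"       # no attestation for this AS; cannot judge
        elif provider not in providers:
            return "invalid"         # attested AS followed by a non-provider
    return result


def demo() -> dict:
    """Run both checks over four constructed announcements of the victim space."""
    cases = {
        # Legitimate: AS64496 announces its /24 through its provider AS64500.
        "legit": ("203.0.113.0/24", [64500, 64496]),
        # Classic hijack: attacker AS64666 originates the victim's prefix itself.
        "naive": ("203.0.113.0/24", [64666]),
        # Forged-origin hijack: attacker appends the victim's AS so the origin
        # still matches the ROA; ROV alone accepts it, the path check does not.
        "forged": ("203.0.113.0/24", [64666, 64496]),
        # Right origin, but a /25 is longer than max_length 24 -> invalid.
        "more_specific": ("203.0.113.128/25", [64500, 64496]),
    }
    return {name: (rov_state(prefix, path[-1]), upstream_path_ok(path))
            for name, (prefix, path) in cases.items()}


if __name__ == "__main__":
    for name, (rov, path) in demo().items():
        print(f"{name:14s} ROV={rov:9s} path={path}")
```

The "forged" case is the one the thread is about: origin validation returns valid because the last AS in the path is the ROA's origin, and only a path-aware check (ASPA here, BGPsec in principle) sees that AS64666 is not an authorised provider of AS64496. The "naive" case shows the converse: the path check has nothing to object to in a one-hop path, and it is ROV that rejects it.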
An ISP is marked as unsafe in the table, yet running the test says it is. (same ASN)
collabs
Looks like Verizon does it correctly.
> Your ISP (Verizon, AS701) implements BGP safely. It correctly drops invalid prefixes.
lucasay
RPKI makes BGP safer, not safe. It helps prevent some hijacks, but attackers can still mess with routing paths. Feels like we’re patching a trust-based system rather than fixing it.
bilekas
Google and DigitalOcean are huge players here but is there a reason they would only have partial coverage?
TIM is listed as insecure yet my test is successful.
> Your ISP (Telecom Italia S.p.a., AS3269) implements BGP safely. It correctly drops invalid prefixes
kevincloudsec
RPKI adoption is the new IPv6 adoption. it looks great until you realize it only validates who owns the prefix, not the path to get there lol
NetOpWibby
When was the last time this site was updated? It mentions Sprint, which hasn't existed for years.
elashri
Any reasons why an ISP would not implement it other than effort/cost? Just for someone like me whose networking knowledge is very naive.
NewsaHackO
> A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.
But with HTTPS, they wouldn't be able to actually pose as another website, just delay/black hole the request so it doesn't reach its goal target, right? From the figure, it makes it seem like a person can use BGP to spoof a website and make a user visit a phished website, but that's not right, correct?
RRRA
Google being shown as unsafe makes me think they have some internal methods for filtering?
Does not take BGPSec[1] into account, just RPKI.
[1]: https://en.wikipedia.org/wiki/BGPsec
I'm getting:
but when testing I'm getting a success:
> Your ISP (Free SAS, AS12322) implements BGP safely. It correctly drops invalid prefixes.
> Details: fetch https://valid.rpki.isbgpsafeyet.com correctly accepted valid prefixes
> fetch https://invalid.rpki.isbgpsafeyet.com correctly rejected invalid prefixes
I think the test for BGP is Safe is when we stop using it and instead use SCION: https://en.wikipedia.org/wiki/SCION_(Internet_architecture).
Wikimedia is an ISP?