Hacker News: pjf

New comment by pjf in "Revocation of X.509 Certificates"

pjf — Mon, 27 Apr 2026 13:59:17 +0000

There are situations [1] where you could reliably BGP-hijack the IP prefix of the target domain authoritative nameserver, and obtain your own domain-validated cert for the target (by effectively controlling the zone file contents). And yeah, CAs do have their BGP protections, but still there's at least partial assumption BGP is secure enough to run DNS-based validation for new SSL certs, in our world where DNSSEC is still rare.

  [1] https://www.ietf.org/proceedings/104/slides/slides-104-maprg-dns-observatory-monitoring-global-dns-for-performance-and-security-pawel-foremski-and-oliver-gasser-00.pdf (see slide 15; yeah, it's already a bit old, yet still the case from my practice)

New comment by pjf in "Revocation of X.509 Certificates"

pjf — Mon, 27 Apr 2026 10:48:11 +0000

On the other front (Chrome), their crlset-tools [1] just fetched me 64k (~1.1MiB) of revoked certs just fine, contrary to the article (quote: "After retrieving and running this tool, I was surprised to see a total of 1,081 revoked certificate serial numbers in this list. This seems oddly low.")

[1] https://github.com/agl/crlset-tools

New comment by pjf in "Revocation of X.509 Certificates"

pjf — Mon, 27 Apr 2026 10:33:42 +0000

Good that at least BGP is secure.

New comment by pjf in "IPv6 traffic crosses the 50% mark"

pjf — Thu, 16 Apr 2026 09:42:05 +0000

NB: this is not "IPv6 traffic crosses the 50% mark" but "availability of IPv6 connectivity among Google users", which is a very important difference. This means roughly half of Google users have IPv6 capability, which does not 1:1 correspond how much traffic is actually transferred over IPv6, which is what this submission says in the title.

Golang Constmap by Daniel Lemire

pjf — Tue, 31 Mar 2026 09:04:27 +0000

Article URL: https://twitter.com/lemire/status/2038320406432494059

Comments URL: https://news.ycombinator.com/item?id=47584569

Points: 4

# Comments: 1

New comment by pjf in "How far can you go with IX Route Servers only?"

pjf — Mon, 16 Mar 2026 09:21:26 +0000

great post! key points for me:

1. 100 IXes alone would get 56% IPv4 and 61% IPv6 prefixes, but ~14% reachability

2. little uniqueness between exchanges: not many new prefixes after the top 5

3. for outbound-heavy networks IXes are great, but to attract traffic they are not (edit: applies to automatic peering via route servers)

Coursera prompt injection on copy and paste

pjf — Fri, 13 Feb 2026 09:33:00 +0000

Article URL: https://twitter.com/iangcarroll/status/2022212829441667482

Comments URL: https://news.ycombinator.com/item?id=47000793

Points: 4

# Comments: 1

New comment by pjf in "The Day the Telnet Died"

pjf — Wed, 11 Feb 2026 13:57:56 +0000

Kind of "funny" affected service is BGP RouteViews CLI access, still running over telnet: https://archive.routeviews.org/ (scroll to bottom of the page)

Isn't this one of the remaining, "legit" uses of the Telnet protocol on TCP/23 port over the public Internet?

The Day the Telnet Died

pjf — Tue, 10 Feb 2026 22:20:40 +0000

Article URL: https://www.labs.greynoise.io/grimoire/2026-02-10-telnet-falls-silent/

Comments URL: https://news.ycombinator.com/item?id=46967772

Points: 499

# Comments: 385

Show HN: Bgpipe – pipe live BGP sessions through Python, add RPKI, etc.

pjf — Tue, 10 Feb 2026 15:49:32 +0000

bgpipe sits between BGP routers as a transparent proxy. It can work as a firewall for the Internet control plane. You build a pipeline of composable stages - connect, listen, grep, exec, rpki, write - and BGP messages flow through them, optionally being filtered, modified, or logged.

A few things you can do:

  # Monitor global BGP for your prefix in real-time (via RIPE RIS Live)
  bgpipe -g -- ris-live -- grep 'prefix ~ 1.1.1.0/24' -- stdout

  # Add RPKI validation between two routers
  bgpipe -- listen 1.2.3.4 -- rpki -- connect 5.6.7.8

  # Pipe through python
  bgpipe -- listen 1.2.3.4 -- exec -LR ./filter.py -- connect 5.6.7.8

  # Convert MRT dump to JSON
  bgpipe -- read updates.mrt.bz2 -- write output.json

The exec stage lets you process BGP in any language - bgpipe sends JSON to your script's stdin and reads JSON back. The grep stage has a small filter DSL (prefix operators, AS_PATH matching, community checks, RPKI tags, etc.).

Single static binary, pure Go, no deps. MIT license.

https://github.com/bgpfix/bgpipe https://bgpipe.org

Comments URL: https://news.ycombinator.com/item?id=46961425

Points: 2

# Comments: 0

New comment by pjf in "Show HN: BGP Scout – BGP Network Browser"

pjf — Sat, 17 Jan 2026 19:38:39 +0000

One reason is there already was exabgp, written in Python, which in my experience is slow and resource hungry. Golang is much faster, easily portable, and produces static binaries (easy to deploy).

Another thing is bgpipe speaks JSON to background (or even remote) packet processors, so basically you can use whatever language you want with it to drive your BGP routers.

New comment by pjf in "Show HN: BGP Scout – BGP Network Browser"

pjf — Fri, 16 Jan 2026 09:18:42 +0000

I'd advise to first compare with:

- https://bgp.tools/ - https://bgproutes.io/ - https://bgp.he.net/ - https://radar.qrator.net/ - https://github.com/nttgin/BGPalerter

...all of which are (usually) free. IMHO you should have a competing product + money strategy before you continue. Many people have tried (and failed) to make money off BGP.

BTW, author of https://bgpipe.org/ here, an open-source BGP data tool