IPSec For Some, Miniature American Flags for Others
Google's DNS problems this weekend have me thinking about IP-level authentication. DNS forgery and denials of service are only going to become more common now: if Google can get taken down, imagine how vulnerable the small fry websites are.
So, promptly terrified by this, I've started reviewing IPSec. IPSec can encrypt traffic, or it can authenticate it, which I think is much more important. You don't want people sniffing your online bank account information, but you also don't want to spend the same time and effort necessary to encrypt that data for every site you visit. What you do want is to know your Google query is going to Google, even if you aren't interested in obscuring from the world the fact that you're looking for Christina Aguilera pictures.
Currently, I can't rely on the DNS information that I've been given, and since google.com isn't using secure HTTP, I furthermore can't know that I'm actually visiting Google and not just a forged page that looks exactly like it. DNS currently tells me that google.com has IP address 64.233.161.99, and even if that is in fact correct, there is no system in place to warn me if the address I type happens to go to a completely different IP. This is called phishing, and it happens all the time. You can recognize it because you'll get an e-mail that tells you, for example, that your Paypal account is going to expire and that you need to log in to prevent your money from being defaulted. Just log in to this helpful URL: "http://34.123.266.89/login.php?user=yourmail&biglongcomplicatedstring=hastobeligitimate"
Of course Paypal doesn't own the IP address 34.123.266.89, and so even if you go to the page and it visually looks every bit like the real Paypal site, you're not on the real Paypal site. Phishing occurs mostly through e-mail, but with DNS forgery becoming more and more commonplace, realtime phishing is now a very serious threat. Imagine for a moment what would have transpired if, instead of redirecting the Google homepage to the obviously visually different Sogo site, it had been redirected to a page made to look just like the Google homepage. Users would never have noticed the difference! They would have unwittingly been browsing some other company's search engine. Eventually, somebody would have spotted the difference, but in four hours, the malicious company would have gotten hundreds of thousands of searches. And there's every chance they could have just disappeared back into the aether with their data and never been heard from again.
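The check on the phishing link described above can be automated. This is an added example, not code from the original post: it pulls the links out of a message body and flags any whose host is a raw IP address, or a dotted number that is not even a valid address (like the 34.123.266.89 in the quoted link), instead of the expected domain. The function names, the constructed sample message, and the hosts 192.0.2.10 and paypal.com.example.net are assumptions for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DOTTED_NUMERIC = re.compile(r"^\d+(\.\d+){3}$")

# Constructed sample message. The first link is the one quoted in the post;
# the other hosts are illustrative (192.0.2.10 is a documentation address).
SAMPLE_EMAIL = """Your Paypal account is going to expire.
Log in: "http://34.123.266.89/login.php?user=yourmail&biglongcomplicatedstring=hastobeligitimate"
Help: https://www.paypal.com/help
Also: http://paypal.com.example.net/login
Mirror: http://192.0.2.10/login.php
"""


def classify_host(host, expected_domain):
    """Return 'ip-literal', 'numeric-invalid', 'match' or 'mismatch'."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # a real IPv4/IPv6 address, no name at all
    except ValueError:
        pass
    if DOTTED_NUMERIC.match(host):
        return "numeric-invalid"     # looks like an IP but is not one (e.g. octet 266)
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return "match"
    return "mismatch"                # includes look-alikes such as paypal.com.example.net


def audit_links(body, expected_domain):
    """List (url, host, verdict) for every http(s) link found in body."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        findings.append((url, host, classify_host(host, expected_domain)))
    return findings


if __name__ == "__main__":
    for url, host, verdict in audit_links(SAMPLE_EMAIL, "paypal.com"):
        print(f"{verdict:16} {host}")
```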
So now you know why I'm looking into IPSec. A good starter page, at least for Windows, is available here. Microsoft gets a pat on the head for making a relatively painless IPSec configuration utility. Configuring IPSec is in many ways still too complicated, even with Microsoft's GUI implementation, for grandmas to use. This is a major hurdle that must be overcome before the majority of Internet traffic is authenticated.