Value of using IP addresses for sensitive sites?

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Value of using IP addresses for sensitive sites?

Post by Thrawn » Wed Dec 19, 2012 11:42 am

Hi, all. Just seeking feedback on an idea that I had.

Is there merit, from a security standpoint, in manually resolving the IP addresses for selected trusted sites, bookmarking them, and using them directly, instead of using hostnames?

Benefits that I can see include:
  • Resistant to DNS poisoning; as long as the address remains valid, you can keep using it and never know the hostname was poisoned.
  • Hidden from standard XSS and CSRF attacks, which target hostnames, because your cookies will be associated with the IP address instead.
  • Possibly better security certificate stability on sites that use a different certificate for each of their servers; this is beneficial when using addons like Certificate Patrol and Perspectives.

Drawbacks:
  • Security certificate errors because the hostname doesn't match. However, since you know which hostname should be used, you can manually verify that the certificate matches it.
  • Extra work to resolve addresses (eg from the command line), possibly repeated if server addresses change.
  • Sites that use name-based virtual hosts won't work.

Obviously this wouldn't be feasible everywhere. But does anyone have any thoughts on whether it's worth doing at all?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Value of using IP addresses for sensitive sites?

Post by dhouwn » Wed Dec 19, 2012 4:57 pm

All the stuff that is matched using the hostname? Special handling of certain sites by Firefox (e.g. bug 782453) and NoScript that then might not be used. The IP of the server you have might not be the best one for when you are at a different location. You might save an IP of a server that at a different time is under heavily load, you might go against load distribution measures. ;)
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0

Post Reply