Want to hack a Gmail account? IPv6 is the way to go
Google’s relatively new Google Over IPv6 service has just recently been extended to users of Hurricane Electric’s TunnelBroker.net service. It’s pretty cool even though you don’t notice what’s going on.
There’s just something magical about knowing that all my Google searches and e-mail are going through IPv6 from an almost completely untraceable /48 routed by a leading tier-1 ISP.
Of course there are bugs. One of my favorites is caused by the way their reverse proxy works: the IP that shows up is one of Google’s own, registering as “Unavailable” in the IP history table (presumably because Google internal IPs are stripped from IP logs) but showing up as “This computer is using IP address 74.125.114.147.”
(Why, you ask, am I allowing my real IPv4 IP to show? Answer: because your computer already knows it – the server running this blog is on the same IP.)
Nowhere does the IPv6 address I used to access my Gmail account show up in the history. Of course this means that if you want to hack a Gmail account, this is a great way to do it: your IP history is never recorded, and apparently your IPv6 IP never reaches any Google servers that log requests in a very traceable form.
Oh good, you say. More privacy! Not necessarily. Every single website out there should be logging your IP address. All my servers do, as do 99% of other sites. It’s needed for forensic purposes. If all requests are logged, and an intrusion is detected, one can trace the intrusion back to its source and contact relevant authorities. This is an important thing for someone to be able to do. In my opinion, Gmail is well within ethical guidelines regarding IP logging, because its logs are made available to the owner of the account.
If I could speculate for a minute here, let me deliver my suspicions: I think Google is cheating with their IPv6 support. They probably have a rack of servers with IPv6 access that simply reverse proxy up to their IPv4 production systems which provide the actual service. If that’s the case, they should be able to just whitelist the reverse proxy’s IP in the trusted X-Forwarded-For list and perhaps alter a few database tables to support IPv6 addresses (a maximum of 39 characters) instead of just IPv4 (max. 15) and perhaps some regular expression checks against IPs.
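What trusting the reverse proxy in the X-Forwarded-For chain could look like on the logging side, as an added example (not from the original post and not Google's code). The proxy ranges, function names and sample addresses are constructed assumptions; it uses Python's `ipaddress` parser rather than a regular expression, and `MAX_IP_COLUMN` reflects the 39-character width mentioned above.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the IPv6-facing proxy tier.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/28", "2001:db8:ffff::/64")]
MAX_IP_COLUMN = 39  # widest textual IPv6 address: 8 groups of 4 hex + 7 colons

def parse_ip(text):
    """Parse one address; return None for garbage instead of raising."""
    try:
        ip = ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to the plain IPv4 address.
    return getattr(ip, "ipv4_mapped", None) or ip

def is_trusted(ip):
    return any(ip.version == net.version and ip in net
               for net in TRUSTED_PROXIES)

def client_ip(peer, xff_header):
    """Return the address to log for a request.

    peer is the socket's remote address; xff_header is the raw
    X-Forwarded-For value (or None). The header is honoured only while the
    hop that delivered it is a trusted proxy, so a direct client cannot
    forge its own history entry.
    """
    current = parse_ip(peer)
    if current is None:
        raise ValueError("unparsable peer address: %r" % (peer,))
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    while hops and is_trusted(current):
        candidate = parse_ip(hops.pop())   # walk right to left
        if candidate is None:
            break                          # malformed entry: keep last verified hop
        current = candidate
    return current.compressed              # canonical text form for the log

if __name__ == "__main__":
    # Constructed requests: (peer, X-Forwarded-For)
    for peer, xff in [("192.0.2.5", "2001:db8:1:2::abcd"),
                      ("203.0.113.9", "2001:db8::dead"),
                      ("192.0.2.5", "10.9.9.9, 2001:DB8:0:0:0:0:0:1, 2001:db8:ffff::7")]:
        print(peer, "->", client_ip(peer, xff))
```

With the proxy tier whitelisted, the history entry becomes the visitor's IPv6 address instead of the proxy's own IPv4 address, and entries to the left of the first untrusted hop are ignored.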
Anyways, Google needs to get this fixed. It could make it very difficult to trace an intrusion into a Gmail account, something their new IP address logging feature was designed to expose.
