Thoughts on Systems

Emil Sit

Mar 14, 2008 - 3 minute read - Technology howto question security ssh tools vpn

How to use ssh to securely access the net

Public wireless networks can be scary; you never know who might be sniffing your traffic, recording your GMail authentication cookies, or worse. Ideally, all of your net activity should be end-to-end authenticated and encrypted. Since this is not always feasible, it is fortunate that ssh makes it easy to use an untrusted network by routing your traffic through a trusted end-point. All you need is an ssh client (OpenSSH, standard on most Linux/Mac systems, or PuTTY for Windows), an HTTP/HTTPS proxy (optional), and clients that support SOCKS5 (most software these days). These techniques are new, but I didn’t really learn them until I started working at cafés, so it may be worth re-summarizing.

The steps are pretty straightforward.

  1. Enable dynamic port forwarding for ssh. This creates a SOCKS proxy on your localhost at a port you specify; this proxy handles the connection forwarding over the secure (authenticated and encrypted) ssh connection.

     I connect to our trusted server at work; if you don’t have a trusted server, you can try getting a free shell account. You can automatically enable dynamic port forwarding by setting DynamicForward in your ssh_config file (or creating a PuTTY profile) for your shell host.

  2. (Optional) Set up Polipo with a configuration file that points its parent proxy at the port you used for dynamic forwarding. I like using a separate web proxy so I can easily switch between tunneling through ssh and a direct connection just by swapping the web proxy configuration, without reconfiguring all my applications individually. A proxy also ensures that your DNS requests are not visible to the local insecure network.

  3. Configure all of your network applications to use the SOCKS proxy (or HTTP proxy). For application-specific instructions, you can view the Torify HOWTO; the “anonymizing” Tor network’s interface also uses an HTTP or SOCKS proxy, so the same instructions apply. (Unfortunately, Tor is neither secure (it has untrusted exit points) nor really anonymous (see any of Steven Murdoch’s papers about Tor), so I can’t recommend it. It’s slow too.) I tunnel Firefox, my Twitter client, and my IM client through the web proxy. If you choose not to use an HTTP proxy, Firefox and Pidgin both support talking directly to the SOCKS proxy.
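As an added example (not from the original post), the shell helpers below tie the three steps together: a check that a DynamicForward spec keeps the SOCKS listener on loopback rather than open to the café network, a writer for the ssh_config and Polipo stanzas, and a curl fetch that uses --socks5-hostname so the DNS lookup happens on the trusted host. The host name, user name and ports are placeholders, and OpenSSH, Polipo and curl are assumed to be installed.

```shell
# Added example (not from the original post): helpers for the three steps above.
# Assumes OpenSSH, Polipo and curl; host name, user and ports are placeholders.

# Step 1. A DynamicForward spec is "[bind_address:]port". OpenSSH binds a bare
# port to loopback (GatewayPorts defaults to no), but "*", "0.0.0.0" or an empty
# bind address would offer the SOCKS listener to everyone on the cafe's network.
# Returns 0 when the listener stays on loopback, 1 otherwise.
socks_spec_is_local() {
    spec=$1
    case "$spec" in
        *:*) bind=${spec%:*} ;;    # drop the port, keep the bind address
        *)   return 0 ;;           # bare port: loopback by default
    esac
    case "$bind" in
        127.0.0.1|localhost|\[::1\]) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1 and 2. Write the ssh_config stanza and the Polipo configuration into
# DIR, refusing a spec that would expose the SOCKS listener. Polipo hands each
# request to ssh's listener, so the connection and its DNS lookup both travel
# inside the ssh session; Polipo itself is bound to 127.0.0.1.
write_tunnel_configs() {
    dir=$1 host=$2 user=$3 socks_spec=$4 http_port=$5
    socks_spec_is_local "$socks_spec" || return 1
    socks_port=${socks_spec##*:}
    cat >"$dir/ssh_config" <<EOF
Host tunnel
    HostName $host
    User $user
    DynamicForward $socks_spec
    ExitOnForwardFailure yes
EOF
    cat >"$dir/polipo.conf" <<EOF
proxyAddress = "127.0.0.1"
proxyPort = $http_port
socksParentProxy = "localhost:$socks_port"
socksProxyType = socks5
EOF
}

# Step 3 check, once the tunnel is up (ssh -N -F DIR/ssh_config tunnel).
# --socks5-hostname hands the hostname to the proxy, so DNS is resolved on the
# trusted host; plain --socks5 would resolve it on the local network first.
fetch_via_tunnel() {
    curl --silent --socks5-hostname "127.0.0.1:$1" "$2"
}
```

Firefox has the equivalent knob for its own SOCKS settings (network.proxy.socks_remote_dns); without it the browser resolves names locally even though the connection itself goes through the tunnel.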

Also, if you do not use a webmail service like GMail, make sure you configure your mail client both to read mail over SSL/TLS (e.g., secure IMAP) and to authenticate the outgoing mail server as well. I have been in a hotel that transparently redirected all outgoing mail traffic (port 25) into the void.

The result: all traffic to and from your laptop is secure from prying eyes. A side benefit is knowing that your traffic is exiting the Internet from a trusted host.