This really could be used to encrypt web traffic over any “hostile” network. Here’s what I’m talking about: a laptop using wireless. Within our internal network we would LIKE all our web traffic to be encrypted, at least from the laptop to a wired host. (From there to the outside world it will be open.) At the minimum we would like to have the traffic encrypted over the wireless leg of the journey. Here’s the most straightforward approach using ssh.
OK, from the laptop, we use: ssh -D 8080 username@machinewithinwirednetwork
(You can choose a port other than 8080.) It is possible to set this up with PuTTY ssh as well. If you don’t want a command shell, add the -N switch to the above.
What this does is set up a SOCKS proxy on the local machine at port 8080 and do dynamic port forwarding through “machinewithinwirednetwork”. Of course, the example above is a wireless user, but you could just the same tunnel traffic to your home network from a wireless access point somewhere out in the world, or to a server elsewhere. Basically, anywhere you have ssh access can act as a proxy.
Anyway, that much done, we need to configure our web browser to use it. Firefox will be a straightforward example. Open Firefox and go to Edit… Preferences (Windows users may find this under the Tools… Options menu, IIRC), select “Connection Settings”, then choose the radio button next to “Manual proxy configuration”. Now, where it says “SOCKS Host”, enter localhost, and for the port number use what was specified above (8080). My current setup works as SOCKS 5, but if you run into problems you may need to tell it to use SOCKS 4. Let’s leave it at SOCKS v5 and click Apply and OK. Assuming you’ve already got your tunnel started, you should be able to browse through the other host.
One thing I use to test it is visiting my IP check page, mainly because I’ve included a field to echo the INTERNAL lan address as well as the INTERNET address. This way I can see if it looks like I’m browsing from 192.168.5.200 or 192.168.5.20 (as well as the usual external IP.)
Of course, if you’ve tunneled out through the internet to another computer, you can use something like whatismyip.com or some similar page. This can be a useful technique for working on/testing a webpage when the DNS is first propagating. Some networks may have current DNS information before others, and you can tunnel traffic to a host that knows where the machine is (of course you could put it in a hosts file too, but that’s too easy….)
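As an added example (not code from the original post), here is what the browser configured above actually sends to the localhost:8080 listener: the SOCKS5 greeting and CONNECT request, the SOCKS4a form for the “fall back to SOCKS 4” case, the reply parser, and a small client that opens a connection through the tunnel. The proxy address, hostnames and reply bytes in the tests are constructed values, and the no-authentication method is the only one assumed.

```python
import socket
# Constructed example: the SOCKS handshake a browser pointed at "localhost:8080"
# performs against the listener created by "ssh -D 8080 user@host".

def socks5_greeting() -> bytes:
    # Version 5, one method offered: 0x00 (no auth), which is all ssh -D supports.
    return b"\x05\x01\x00"

def socks5_connect_request(host: str, port: int) -> bytes:
    # CONNECT with ATYP 0x03 (domain name): the unresolved hostname is handed
    # to the proxy, so the DNS lookup happens at the far end of the tunnel.
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def socks4a_connect_request(host: str, port: int, user: str = "") -> bytes:
    # SOCKS4a CONNECT; DSTIP 0.0.0.1 signals that a hostname follows the userid.
    return (b"\x04\x01" + port.to_bytes(2, "big") + b"\x00\x00\x00\x01"
            + user.encode() + b"\x00" + host.encode("idna") + b"\x00")

def parse_socks5_reply(data: bytes) -> tuple:
    # Returns (reply code, bound address, bound port); 0 = success, ssh usually binds 0.0.0.0:0.
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 3:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    elif atyp == 4:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    return rep, addr, int.from_bytes(rest[:2], "big")

def connect_via_socks5(proxy: tuple, host: str, port: int) -> socket.socket:
    # Opens a TCP connection to host:port through the local listener, e.g.
    # connect_via_socks5(("localhost", 8080), "example.com", 80).
    s = socket.create_connection(proxy)
    s.sendall(socks5_greeting())
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise ConnectionError("proxy rejected the no-authentication method")
    s.sendall(socks5_connect_request(host, port))
    rep, _, _ = parse_socks5_reply(s.recv(262))
    if rep != 0:
        s.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed with reply code {rep}")
    return s
```

The DNS-propagation trick only works when the browser hands the hostname to the proxy (ATYP 0x03) instead of resolving it locally first; in Firefox that behaviour is controlled by the network.proxy.socks_remote_dns setting, which is off by default.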
It’s important to have a basic understanding of WHERE the data is encrypted and WHERE it is sent in the clear in a setup like this. Of course, https should be encrypted between the client machine and the server no matter what path it takes, but http over a tunnel like this is ONLY encrypted for the length of the tunnel (in this case from the laptop to “machinewithinwirednetwork”). From “machinewithinwirednetwork” out to the world, the traffic is unencrypted as usual.
Of course, it’s possible to use this to protect OTHER data channels (mail) as well. Another common method is to use specific port forwards; with a specific port forward, encrypting web traffic requires a proxy server running on the other machine, which adds more layers to the setup.