Safe Browsing


I put together several available tools to allow me to safely use the Internet on untrusted networks, such as non-encrypted wireless networks.


The Problem

As anyone with a laptop is aware, it is often impossible to connect to a trusted network at all times. One can't risk confidential or proprietary information being intercepted, but solutions such as VPNs don't always work (e.g., some Internet providers block VPN packets) and can be complex to configure.

The Solution

SSH traffic is much more frequently permitted than VPN traffic, and it can be used to tunnel TCP connections fairly easily. It is impractical to establish an SSH tunnel to every website one wishes to visit, but if one instead establishes a connection to a proxy server, there need only be a single tunnel.



How

The command line to establish a tunnel is relatively simple:

ssh -L8080:proxy_server:8080 ssh_server

Equivalent capabilities are available through graphical clients such as PuTTY.

One must then configure the web browser to use a proxy server on the local machine (known as 'localhost', or '127.0.0.1'). Most ISPs provide a proxy server for their users, and this can be the destination for the tunnel, but it's also possible to install a proxy server such as Squid on a machine trusted by the user, for extra privacy.

For added convenience, it's possible to add an alias to one's shell to make establishing the tunnel simpler. To do this, one must simply add a line such as this to one's .bashrc file (assuming one uses Bash):

alias proxy='ssh -L8080:proxy_server:8080 ssh_server'

It is also possible to streamline the reconfiguration process, so that switching between networks is fast and easy. For example, the Proxy Button extension for Firefox allows one to enable or disable the proxy settings with a single click.
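As an added example (not part of the original post), here is a small POSIX shell wrapper around the tunnel command above. tunnel_cmd prints a hardened form of the article's ssh invocation: it binds the local end to 127.0.0.1 explicitly, so that other hosts on the untrusted network cannot reach the forwarded port, opens no remote shell (-N), aborts if the local port cannot be bound, and refuses an unknown or changed host key, which is what the resistance to impersonation of the SSH server depends on in practice. forward_is_loopback checks an -L specification for that loopback-only property. The hostnames proxy_server and ssh_server are the article's placeholders; nothing here contacts the network.

```shell
#!/bin/sh
# Added example, not from the original post. proxy_server and ssh_server
# are the article's placeholder hostnames; 8080 is the article's port.

# Print the ssh command that opens the tunnel. Compared with the article's
# one-liner it:
#   - pins the local listener to 127.0.0.1 (only this machine can use it),
#   - opens no remote shell (-N),
#   - exits instead of silently running if the port cannot be bound,
#   - refuses unknown or changed host keys instead of prompting.
tunnel_cmd() {
    local_port=$1; proxy_host=$2; proxy_port=$3; ssh_host=$4
    printf 'ssh -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$local_port" "$proxy_host" "$proxy_port" "$ssh_host"
}

# Inspect one -L specification and return 0 if its local end is bound to
# loopback, 1 if it would listen on every interface. ssh accepts either
#   port:host:hostport            (3 fields, bound per GatewayPorts, loopback by default)
#   bind_addr:port:host:hostport  (4 fields; an empty bind_addr or '*' means all interfaces)
forward_is_loopback() {
    spec=$1
    fields=$(printf '%s' "$spec" | awk -F: '{print NF}')
    if [ "$fields" -eq 3 ]; then
        return 0
    fi
    bind=${spec%%:*}
    case "$bind" in
        127.0.0.1|localhost|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: build the command, check its forwarding spec, then run it.
cmd=$(tunnel_cmd 8080 proxy_server 8080 ssh_server)
spec=${cmd#*-L }; spec=${spec%% *}
if forward_is_loopback "$spec"; then
    echo "tunnel command (loopback-only): $cmd"
else
    echo "refusing: $spec would expose the proxy to the whole network" >&2
    exit 1
fi
# To actually open the tunnel, run: $cmd
# and point the browser at HTTP proxy 127.0.0.1 port 8080.
```

After starting the tunnel, a listener check such as `ss -ltn` (or `netstat -an` on older systems) should show port 8080 bound to 127.0.0.1 only, never to 0.0.0.0 or *.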

Conclusion

SSH provides a robust way to protect traffic. It is resistant both to man-in-the-middle attacks (it is difficult for a malicious user to pretend to be the SSH server) and to ciphertext attacks (it is difficult for a malicious user to decrypt traffic they have intercepted). While I have found this useful for using untrusted wireless networks, it is useful in any situation where the network cannot be trusted. For example, if one is traveling on business, a hotel's wired network or even the local telecom companies may be suspect.

This method is not helpful in evading some other methods of eavesdropping. For example, if law enforcement were monitoring a criminal's Internet activities, this method would make it easier for his traffic to be intercepted, since everything he sent would eventually go through a single connection. While the connection to his SSH server would be encrypted, the connection to the proxy server or the connections to websites by his own proxy server would be sent in the clear. The destination server and connection must be trusted.

For most purposes, this is simple to assume. One has no choice but to trust the connection to one's home or one's servers, but public wireless networks can attract people with the means and desire to intercept confidential information. While one's wired connection can't be totally trusted (otherwise we would have no use for encryption when ordering goods online), it is usually much more trustworthy than a place where attacks are easy and likely.




Copyright © 2007 Anthony Roberts.
