Securely Surf the Internet on a Remote Network via SSH
As the title suggests, this post will explain how you can securely surf the Internet by tunneling your HTTP traffic via SSH. To ensure that you can use this process while surfing on any computer, I will be using only PortableApps to configure and set up the tunnel. By using PortableApps, you can be assured that you can securely check your email on your friend's computer, connected to a nearby unsecured wireless network (Probably linksys or default!). Enough babbling, let's get started.
Disclaimer: The following procedure should work on most networks; however, there are ways in which the network can be configured to prevent this solution from working. In general, if you can connect via SSH to an external server, it should work fine.
Motivation
There are several reasons why someone would want to tunnel their web traffic. First and foremost is security. When you are connected to a public network at the local coffee shop, there could potentially be a malicious user snooping the network (wired or wireless) for valuable information. For example, if you connect to an FTP server, your username and password are sent in plain text. A user sniffing in promiscuous mode could easily grab your login information. Most sites that handle personal information now use the encrypted HTTPS protocol to connect. This prevents the listener from getting your information, but he or she will still see the DNS requests. Additionally, even if you have WEP enabled, a busy network's WEP key can easily be cracked in minutes. (For future reference, consider WEP security to be essentially minimal security. Like a bouncer that only lets people with red shirts enter a club, all a malicious user needs to do is get a red shirt and then enter.)
Another reason for tunneling traffic might be limited access to the web. For example, a company I once worked for had all web traffic going through a proxy server. They would not allow you to connect to any IP addresses directly in the URL field and you had limited access to most "non-approved" websites. Even trying to find a Google answer to an Excel VBA question was a nightmare. A dialog would always pop up asking you to log in to view the page! How annoying.
Theory
What we will be doing is setting up an SSH tunnel between our client computer and the remote SSH server. Our web browser will be configured to send requests, via SOCKS (short for Sockets), through the SSH tunnel. The remote server will then make the HTTP request itself and tunnel the information back to our client computer. Since the SSH connection is encrypted, a network administrator or malicious user will only see a single SSH session and cannot decode the information. To make the SSH traffic look less like tunneled HTTP requests, you could set up an SSH server on port 443 (the default for secure HTTP). This way it would blend in with the rest of the encrypted traffic and be less likely to get flagged by a network administrator.
What You Will Need
For this tutorial, you will need the following:
- A USB drive (pretty much any size will work)
- PortableApps (PuTTY and Firefox)
- Access to an SSH server
For the last item, I will assume you have an account somewhere you can connect to via SSH. For example, all Georgia Tech students have access to the acme.gatech.edu servers. This will work. Additionally, you might be able to apply for a shell account if you already have an account with a web hosting company or your ISP. Lastly, you can install OpenSSH on your home computer and use Dynamic DNS to keep up with your IP address so you can connect back to your home computer. (Opening remote access on your home computer is a huge security risk. Only do this if you know what you are doing.)
Setting up the SSH Tunnel
As mentioned above, I will assume you have an SSH server to connect to. Additionally, I will assume you can download and install the PortableApps suite with PuTTY and Firefox.
Once you have the applications installed, start PuTTY.
Under the Session category, fill in the appropriate host name or IP address for your SSH server. To quickly connect to the server in the future, save the session with a descriptive name.
Now under the Session/SSH/Tunnels Category, you will need to enter the port number that your SOCKS proxy will use. I used 4242, but you can use any port number your computer is not using. Enter 4242 into the Source Port field and select Dynamic. Then select Add. Your screen should look like the following.
Now go back to the Session Category, select Save and then Open.
A terminal window should open and you can enter your username and password to connect to the SSH server. For your first time, you will need to accept the encryption key.
You will need to leave this window open for the duration of your web browsing session. Just minimize it. You are now connected to your SSH server and are set up to tunnel traffic on port 4242 to your remote server.
Setup Firefox to Use the SOCKS Proxy
You are now set up with the SSH tunnel and just need to tell your web browser to use the appropriate SOCKS parameters. There are multiple ways to configure this, and it can also be done in Internet Explorer (if you must use it).
Start your portable version of Firefox.
In Firefox, the fastest way to configure this is to type about:config in the URL bar and then filter the results by typing network.proxy. You will probably only need to change four things: socks, socks_port, socks_remote_dns, type. Change socks to localhost; this tells Firefox to forward all web requests to the localhost. Change socks_port to 4242; this tells Firefox which port to forward the traffic to on localhost. Although not required, you should set socks_remote_dns to true. This makes the DNS requests happen on the remote side of the connection (your SSH server). Doing this keeps users on your local network from seeing the sites you are requesting. Last, change the type to 1. The total configuration should look like the following.
Now you should have your browser set up to use your SOCKS proxy.
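To make the effect of socks_remote_dns concrete, here is an added example (not part of the original post) that builds the SOCKS5 CONNECT request the browser hands to the tunnel in each mode and records which hostname lookups stay outside it. It assumes SOCKS version 5; the names build_connect, parse_connect, compare_modes and the CONSTRUCTED_DNS table are illustrative.

```python
import ipaddress
import struct

# Constructed lookup table standing in for the local network's DNS resolver.
CONSTRUCTED_DNS = {"example.com": "192.0.2.10"}

def build_connect(host, port, remote_dns, local_resolver, leaked):
    """SOCKS5 CONNECT request (RFC 1928) as sent to the proxy on localhost:4242.

    The method-negotiation greeting that precedes it is omitted here.
    """
    header = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        # socks_remote_dns = true: the name itself travels inside the tunnel
        # and the SSH server performs the lookup.
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname does not fit in one length byte")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        # socks_remote_dns = false: the client resolves first, so the query
        # crosses the local network outside the tunnel.
        leaked.append(host)
        addr = b"\x01" + ipaddress.IPv4Address(local_resolver(host)).packed
    return header + addr + struct.pack("!H", port)

def parse_connect(req):
    """Return (address kind, destination, port) as the proxy would read them."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != 5 or cmd != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == 3:
        end = 5 + req[4]
        kind, dest, rest = "hostname", req[5:end].decode("ascii"), req[end:]
    elif atyp == 1:
        kind, dest, rest = "ipv4", str(ipaddress.IPv4Address(req[4:8])), req[8:]
    else:
        raise ValueError("address type not handled in this example")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return kind, dest, struct.unpack("!H", rest)[0]

def compare_modes(host="example.com", port=443):
    """Build the request in both modes; report what the proxy and the LAN see."""
    results = {}
    for remote_dns in (True, False):
        leaked = []
        req = build_connect(host, port, remote_dns, CONSTRUCTED_DNS.__getitem__, leaked)
        results[remote_dns] = (parse_connect(req), leaked)
    return results
```

With remote DNS on, the proxy receives the hostname and nothing is looked up locally; with it off, the proxy receives only an IP address and the hostname has already been queried on the local network.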
Testing Your Tunnel
Now you should be set up to surf the web with confidence. Before you get too carried away, you should check to make sure your setup went as planned. The easiest way to do this is to visit an IP address site and see if the IP address returned in your SOCKS-configured browser is different from the IP address returned in the machine's locally installed browser. If they are different, then it works! You can now safely browse on the remote network. If they are the same, be sure to check your browser settings and tunnel connection.
What About OS X or Unix
What if the remote machine you are using does not have Windows installed? PortableApps no longer works! Well, you're in luck. Almost all Unix OSes have an SSH client built in. The procedure will be the same, except you will simply use the terminal to connect to the SSH server instead of PuTTY.
Open up the terminal and type: ssh -D 4242 username@sshserver.com. You can also turn on compression by using the -C flag. Then just configure Firefox as mentioned above.
Conclusion
If you have any additions or questions please post them as comments so other users can see them.





