The new Firefox extension Firesheep highlights the fact that HTTP login sessions can be easily hijacked if the data can be sniffed, which is trivial on an open WiFi network.
I would like to set up something to mitigate this risk for my family. I have a small VPS (256M, currently running lighttpd and SpamAssassin) which I can leverage for this purpose, the basic idea being that when we are using an untrusted network, traffic (at least HTTP) goes over an encrypted tunnel to the VPS before being released onto the open internet.
What are my options given these resources? The clients are all Macs, if that matters. The possibilities I'm aware of are OpenVPN (the key issue being that in the tunnel-all-traffic configuration, it destroys the route to the open network's DHCP server) and an HTTP proxy (of which I know nothing). Are there other options? What considerations and gotchas should I be aware of?
I'd like something on the clients that is easy to just turn on (I am a technical person but the rest of my family is not), and that works for all websites regardless of whether they support HTTPS.
How about running HTTPS?
sshuttle has better performance than SSH's own SOCKS proxy and requires far less configuration. Simply copy it to each Mac and run
./sshuttle -r user@sshserver 0.0.0.0/0(as documented inREADME.md) before accessing the web.It only tunnels TCP traffic, so DNS and DHCP still happen on the local network.
configure a saved putty session with ssh tunnelling enabled to your vps with localhost:8000 (or whatever) forwarding dynamically.
install proxybutton extension on firefox and configure your proxy for localhost:8000 (or whatever).
set them up two firefox shortcuts "firefox.exe -proxy 0" and another one which is a batch file containing the commands "putty.exe -load "saved session name"" and then "firefox -proxy 1"
firefox shortcut #1 is for secured networks, and behaves in the standard manner. #2 is for unsecured networks, and all traffic is routed through your encrypted ssh tunnel before being unencrypted at your VPS and becoming plain http traffic between your VPS and the webserver.
With this method, they will have to authenticate to your VPS in order for it to actually work. You can make the authentication automated with keys, but this presents it's own risks when you cannot guarantee the security of the endpoints.
Alternatively, you could set up something like OpenVPN. I'm not sure how your hosting provider would feel about that or even if it would be allowed, though.
If you are on GNU Linux/other *nix with the Openssh client installed,
Open a Terminal and run :
ssh -D 8080 -p YOURSSHPORT [-i optionalkeyfile] username@your_VPS_DomainName
if you're not using rsa/dsa keys and your ssh port is the default 22, this would work:
ssh -D 8080 [email protected]
Then in your browser,
eg Firefox, Preferences>Advanced>Network>Connection-Settings button>
You're ready to tunnel all traffic over your local 8080 port through to your VPS's WAN link.
Additionally, to Tunnel DNS queries through your VPS as well (highly recommended):
Above is my QuickGun solution to a secure tunnel using OpenSSH. Hope this helps.
I ended up setting up OpenVPN with Tunnelblick on the clients. We'll see how well it holds up in practice.