Browsing (More) Securely Using SSH

Feb. 2, 2012, 5:42 p.m.


So a while back I wrote about browsing more securely using OpenVPN and just for posterity I suppose I should mention my post about using Tor to browse anonymously. I also wanted to talk about another way to accomplish about the same level of secure-browsingness as that, except it's much simpler to set up. OpenVPN allows you to tunnel all your traffic to another computer somewhere on the internet, over a potentially hostile network. It's great and can be set up so it's super easy to use (or even have it always connect automatically) and that's cool, but it can be a pain to set up. You can also tunnel traffic using the glorious SSH protocol that I'm sure everyone is familiar with (no hard feelings if you aren't, you will be after reading this post).

SSH is awesome, and it has been around for a fairly long time. It's secure and pretty easy to use. Basically you just run ssh user@host and you get a nice remote shell. You can set SSH up so that you can authenticate with keys (generally much more secure than passwords), and it does all kinds of good stuff like keeping track of what key a specific server was using the last time you connected to it (to alert you to potential man-in-the-middle attacks). If you have a server somewhere online with SSH installed on it, however, you may not realize that you can also forward your traffic through it. How sweet is that? It's easy, too. Just run this magical command from a terminal:

ssh -N -D <port> <user>@<host>

The -N flag basically tells it you don't want to start a shell, and the -D option specifies that you want to set up a dynamic proxy. That just means a SOCKS proxy. It will allow you to proxy a whole bunch of different protocols through it. You just have to set up your browser to use it.

I'm currently using Chrome, and apparently it uses your system's proxy settings. This image is of the Debian proxy config GUI. If you're using Firefox, the last time I checked it had an internal proxy configuration that looked pretty similar to this image. Whatever port you specify in your ssh -D command is what you need to put in the "port" box of course.

Once you have both those steps done, you should be able to navigate to your favorite external IP identification site and see the IP address of whatever host you connected to via SSH. Neat.

The same security caveats that I mentioned in the OpenVPN post still apply, so make sure to review those before using it on a truly hostile network or one where you believe you might be monitored. Just replace "VPN" with "SSH".