# Safer Surfing on Untrusted Networks (Mac Edition)
1. [The Case for SSH Proxies](#case_for_proxies)
2. [SSH Setup](#ssh_setup)
3. [Basic Mac Setup](#mac_setup)
4. [Adding Automation](#automation)
## 1. The Case for SSH Proxies
The rise of [Web 2.0][web20] and the increasing availability of Wi-Fi access now means that you can do more than ever away from your home or office. But there is an associated risk. Using someone else’s network makes you highly vulnerable to information theft. You may not realize it, but the vast majority of data transmitted across the web (including email) is unencrypted. Sure, most websites protect your password and some may even protect your username; but once you’ve logged in, odds are that everything else is transmitted in the clear. Consequently, when you’re on an untrusted network, your personal data is at risk.
[web20]: http://www.oreilly.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html
This may not be an issue for many people. More and more, people are willing to post what were once considered private thoughts on public forums. But on an untrusted network, there are other, greater dangers.
Many of you have probably received [phishing][phish] emails. They look like they’re from some popular website or financial institution; and unlike most spam, they try to get you to reveal your username, password, account number or other sensitive private data. The obvious ones ask you to reply to the email directly. The more devious efforts include links which at first glance may seem legitimate, but in reality transport you to forged websites. Yet despite this increase in sophistication, the solution is pretty simple. Never click on a link in suspicious email. If you truly suspect problems with an account, either contact customer support by phone or directly navigate to the institution’s website by manually typing in the proper URL.
[phish]: http://en.wikipedia.org/wiki/Phishing
When you’re on an untrusted network, however, even this last step is not safe. Networks can be configured relatively easily to send you to website forgeries even if you manually key in the proper URL. So is there any hope at all? Do we surf the internet in fear every time we are away from the home or office? Fortunately, along with exercising increased caution and suspicion, there are technologies you can employ to help you deal with untrusted networks.
Medium to large companies deploy [VPNs][vpn], secure ID cards, fingerprint scanners, authenticated certificates, and more to protect their confidential data. Most of these technologies are too complicated and/or too expensive for individuals, but SSH Proxies are a relatively simple and accessible solution for the tech-savvy.
[vpn]: http://en.wikipedia.org/wiki/Virtual_Private_Network
A proxy is nothing more than a trusted computer. It can be your home computer, your web host, or a server provided by your ISP. The [SSH][ssh] utility allows you to form an encrypted connection, or tunnel, to the proxy. All network activity can then be routed through that tunnel to the proxy. So, for example, if you want to check your email, your proxy is the device that communicates directly with the email server and then sends the data back to your laptop over the SSH-encrypted tunnel. At no point does unencrypted data travel across the untrusted network.
[ssh]: http://www.openssh.com/
Furthermore, SSH verifies that you’re actually connected to your proxy and not some substitute or forgery. If it can’t verify the identity of the proxy, it informs you and lets you assess the situation.
## 2. SSH Setup
With that said, hopefully I’ve convinced you an SSH Proxy is a good idea, so let’s go about setting it up on your Mac. Lifehacker has an excellent article on using [SSH proxies to encrypt your web browsing][lh]. It’s the starting point for my Mac-specific tips, so if you haven’t read it already, please go read it now. And then remember to come back!
[lh]: http://lifehacker.com/software/ssh/geek-to-live–encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php "Encrypt your web browsing session (with an SSH SOCKS proxy)"
## 3. Basic Mac Setup
Gina gave you a great how-to for creating an SSH tunnel and configuring Firefox to use that tunnel. But what if you use [Safari][saf]? Or [Camino][cam]? Or [OmniWeb][omn]? And what about all your other apps, like email and RSS? Nearly every desktop application today has some sort of network connectivity built in. How do you configure all of them to route their traffic through the SSH tunnel?
[saf]: http://www.apple.com/safari/
[cam]: http://caminobrowser.org/
[omn]: http://www.omnigroup.com/applications/omniweb/
The answer lies in System Preferences. First, go to the Network preference pane and create a new location. In my case, I’ve named the location “Untrusted”. Then, for both the AirPort and Built-in Ethernet devices, click on **Proxies** and enable the **SOCKS Proxy** checkbox. Finally, fill in “localhost” for the server and “9999” for the port and save the changes.
Now, whenever you are on an untrusted network, there are just two things to do:
1. Open Terminal and issue the ssh tunnel command (`ssh -ND 9999 user@example.com`)
2. Open the Network System Preference pane and change the location to Untrusted.
This will configure nearly every Cocoa/WebKit-based application to route its network traffic through your SSH proxy. However, you’re probably only 95% covered, because not every application uses the System Preferences. Some applications have their own proxy settings. Firefox is probably the biggest one, and the Lifehacker article shows you what you need to do. For me, iChat and Adium are the other two common apps. If you look into each app’s preferences, you’ll find options for configuring iChat and Adium to use proxies.
*Note: I have not successfully gotten iChat to work with proxies. There are a number of threads discussing this issue on the Apple Support forums but I didn’t find any definitive answers.*
## 4. Adding Automation
Now that you’ve reconfigured all the applications that don’t rely on System Preferences to use proxies, you’re probably thinking how painful it will be to do this every time you hop onto an unknown network. I definitely share your sentiments. Fortunately, there are ways to automate the process. I use an inexpensive application called [rooSwitch][roo] to help out.
[roo]: http://www.roobasoft.com/rooSwitch/
A great little utility, rooSwitch allows you to easily create and manage multiple profiles for each application. You may know that Firefox allows you to create multiple identities, each with different settings and configuration options. rooSwitch gives you the ability to create multiple identities for every application on your system.
What I’ve done on my system is I’ve created “untrusted” profiles for both Firefox and Adium. In these profiles, I’ve configured the application settings to use a SOCKS proxy on port 9999.
Technically, you don’t need rooSwitch to create these profiles. You could manually generate and manage multiple identities by duplicating and shuffling the appropriate files and folders in *~/Library/Application Support/*, *~/Library/Caches/*, and *~/Library/Preferences/*. This is what rooSwitch does under the hood, but its interface makes the whole process so much easier, so it’s what I prefer. Plus, rooSwitch has [AppleScript][as] support, so it’s easy to automate.
[as]: http://www.apple.com/macosx/features/applescript/
Here’s my AppleScript for switching to the “untrusted” profile:
```applescript
-- Activate the "untrusted" rooSwitch profile for Firefox and Adium.
-- "with allow quit" lets rooSwitch quit the application if it is running,
-- since a profile cannot be swapped underneath a live application.
tell application "rooSwitch"
	tell document "Firefox.rooSwitch"
		tell profile "untrusted" to make active with allow quit
	end tell
	tell document "Adium.rooSwitch"
		tell profile "untrusted" to make active with allow quit
	end tell
end tell
tell application "rooSwitch" to quit
```
If raw AppleScript is not your cup of tea, rooSwitch also provides a “Switch Profile” [Automator][am] action. Check out the [screencast][s] for more details.
[am]: http://www.apple.com/macosx/features/automator/
[s]: http://www.roobasoft.com/rooSwitch/view_movie.php?movie=whatsNew.mov
This simplifies the SSH proxy process down to (1) switching rooSwitch profiles, (2) switching to the Untrusted location, and (3) creating the SSH tunnel. We can combine these steps with a little shell script and the help of **scselect** and **osascript**. The **scselect** program allows you to switch locations from the command-line. Similarly, **osascript** allows you to execute AppleScript from the command-line.
Here’s what the end result looks like:
```bash
#!/bin/bash
scselect Untrusted                    # switch to the "Untrusted" network location
osascript switch_to_untrusted.scpt    # activate the rooSwitch "untrusted" profiles
ssh -ND 9999 user@example.com         # open the SOCKS tunnel on local port 9999
```
If you save this script with a *.command* extension, then you can run it by double-clicking on the icon in the Finder like a regular application. When it runs, it will change the location, switch your profile, and start up the SSH tunnel. Enter your password and off you go!
It’s also a good idea to create a script for switching your location and profiles back to the default. I’ll leave it for you to do. Enjoy and safe surfing!
*Parting tip*: This is mentioned in the Lifehacker article, but it’s worth reiterating. If you happen to be on a very slow untrusted network, adding the -C option to the ssh command may speed things up. The -C option compresses all data sent through the SSH tunnel, in effect trading CPU cycles for increased bandwidth. The speedup isn’t really noticeable on faster connections, but can be quite significant on slower networks.
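A version of the section 4 script with the checks a practitioner would want, written here as an added example (it is not the post’s own script or anything shipped with rooSwitch): it refuses a proxy whose host key cannot be verified, aborts if port 9999 cannot be bound, switches to the Untrusted location only once the tunnel actually accepts connections, and leaves that location in place when the tunnel closes so nothing goes out in the clear. It assumes the “Untrusted” location, the switch_to_untrusted.scpt AppleScript and the placeholder user@example.com from the article; pass `yes` as the first argument to add the -C option from the parting tip.

```bash
#!/bin/bash
# untrusted.command: added example, not the script from the post. Assumes the
# "Untrusted" location from section 3, the switch_to_untrusted.scpt
# AppleScript from section 4, and that the proxy's host key is already in
# ~/.ssh/known_hosts (make the first connection from a trusted network).
# user@example.com is the post's placeholder for your proxy.
set -u
PROXY_HOST="user@example.com"
SOCKS_PORT=9999

# Succeed once something accepts TCP connections on 127.0.0.1:$1, polling
# once per second for at most $2 seconds (bash's /dev/tcp, so no nc needed).
wait_for_socks() {
    local port=$1 tries=$2
    while [ "$tries" -gt 0 ]; do
        if (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

# Print the ssh options one per line. StrictHostKeyChecking=yes turns the
# "can't verify the proxy" warning from section 1 into a refusal, and
# ExitOnForwardFailure=yes makes ssh exit instead of logging in with no
# SOCKS port when 9999 is already in use. $2=yes adds -C for slow links.
ssh_args() {
    local port=$1 compress=${2:-no}
    set -- -N -D "127.0.0.1:$port" \
           -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes
    [ "$compress" = yes ] && set -- "$@" -C
    printf '%s\n' "$@"
}

enter_untrusted() {
    scselect Untrusted
    osascript switch_to_untrusted.scpt
}

# Fail closed: when ssh exits, the Untrusted location stays selected if it
# was ever switched, so nothing leaves the laptop in the clear. Switch back
# by hand once you are on a trusted network again.
tunnel_closed() {
    if kill -0 "$watcher" 2>/dev/null; then
        kill "$watcher"
        echo "Tunnel never came up; location left unchanged." >&2
    else
        echo "Tunnel closed; location stays Untrusted until you switch back." >&2
    fi
}

main() {
    # Switch location only after the tunnel really accepts connections, so a
    # failed login never leaves you with proxy settings but no proxy.
    ( wait_for_socks "$SOCKS_PORT" 300 && enter_untrusted ) &
    watcher=$!
    trap tunnel_closed EXIT
    ssh $(ssh_args "$SOCKS_PORT" "${1:-no}") "$PROXY_HOST"
}

# Only start the tunnel on a Mac that has scselect; elsewhere (and when
# tested) this file just defines the functions above.
if command -v scselect >/dev/null 2>&1; then main "$@"; fi
```

Save it with a *.command* extension and `chmod +x` it so Terminal runs it on double-click; the host key must already be in ~/.ssh/known_hosts, so make the first connection to the proxy from a trusted network.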
**UPDATE:** *I crossed out the portion where I claim that iChat and Adium cannot use the proxy settings specified through System Preferences. Sorry about that…not sure what I was thinking. Also, I fixed a few typos and grammatical errors. Hopefully the article reads better than a 3rd grade level now.*
## 30 Comments
Brian
I don’t get the purpose of the rooSwitch.
I’ve set up a Location that uses localhost:9999 as my proxy. But in Camino/Firefox, in each app’s connection settings, I have them set to use the system configuration. That way, when I change my location to my Untrusted location, those apps automatically pick up the change in proxy settings.
So, my steps are…
1. fire up ssh connection
2. change location
3. surf away
Am I missing something in rooSwitch’s functionality?
Sep 28th, 2007
mholger
@Brian:
Camino and Adium can be set up to use the system profile as you say, but the version of Firefox I have installed doesn’t give me the option to use the system-wide preferences, thus the need for something like rooSwitch.
Though, with Camino, this is really a non-issue, plus it’ll use the system keychain which is also quite handy.
So, let the lesson be… use Camino.
Sep 28th, 2007
Brian
@mholger
Okay.. that makes sense. I typically only use Camino when I’m tunneling. Safari seems to not like tunnels well as it crashes pretty frequently when using them.
Also, there’s this plugin for Firefox that you might find useful: http://foxyproxy.mozdev.org. You set up url patterns, and it’ll automatically switch you between a proxy/no-proxy based on what url you’re visiting.
Sep 28th, 2007
Jon
Interesting idea. I wonder if I could set this up on my kids’ mac and use my ubuntu box as the proxy server to monitor internet activity…
Oct 1st, 2007
Daniel
I use SSH proxy everyday at my office, where IT blocks many common ports.
I have an old iMac G3 at house as the proxy.
Oct 1st, 2007
jonno
I have a silly noob question. In the instructions:
What would my user@example.com be for a macbook running on my home network? I know that I would use my username, but what’s the URL I would use?
Thanks for humoring me.
Oct 1st, 2007
jonno
Oops, well, never mind. Found my answer in Gina’s Lifehacker article.
Oct 1st, 2007
zach_Brand
I was wondering if this would be able to bypass a system on ethernet to stop a main computer from seeing what I am doing?
i.e. Downloading things, or looking at sites, or talking to friends.
My school keeps a very close watch on things that laptops do over ethernet and was wondering if this was a way so that they can’t track what I am doing…
Oct 1st, 2007
Adi Ron
You may want to check out tsocks. It’s in DarwinPorts. It allows you to encapsulate processes so that they are forced to use SOCKS even if they stubbornly refuse.
As for the SOCKS server software, try Nylon.
Oct 1st, 2007
mobius
i favor the idea of using ssh tunnels, but my last two attempts at configuring a tunnel failed. considering how many articles i’ve seen on reddit and digg advocating the tunnel method it seems like this approach is growing in popularity. yet before it really takes off, someone’s gonna need to make an app or a preference pane that makes configuring a tunnel idiot proof. i’m not patting myself on the back or anything, but i know my way around the mac. if i couldn’t figure it out, i fear for those who know infinitely less — those who are, in particular, the more naive who do indeed need greater preventative security than more experienced netizens.
Oct 2nd, 2007
a.Guy
i’m running Parallels vPC on my Macbook. Parallels connects online through Mac, but if I set up SSH on the Mac do you think I’ll have to configure all my PC apps (eg. Firefox, Outlook, Dreamweaver) to connect or will they maintain the same essential connection?
Just curious. SSH is totally new to me, but the reasons to use are compelling, particularly when I’m forced to use the PC online for clients.
thanks.
Oct 2nd, 2007
Double Parity
Sorry for an all-in-one reply. Still getting used to having a blog. And definitely surprised that people read it! Thanks for the taking the time to stop by and comment.
@zach_Brand
Yes, this technique would prevent your school from spying on your activities provided that your proxy is not on the school network.
@Adi Ron
Thanks!
@mobius
I think one major hurdle preventing a one-click solution for the masses is that this technique requires a second properly configured computer. If Google or Yahoo offered pre-configured ssh access to everyone, then maybe we could have an idiot-proof solution. Or maybe people could somehow convince ISPs to provide a tunneling script with their install CDs.
@a.Guy
I’m afraid I can’t give you a definitive answer on this because I don’t use Parallels. However, I have seen that Parallels installs extra devices into the Network System Preferences. I’m guessing you’ll have to configure these devices much like you had to configure the Airport and Built-in Ethernet devices.
One way to check if the proxy is being used is to switch to the Untrusted location but don’t issue the ssh command. On the Mac side, all apps should be unable to access the web. If this is also true on the PC side, then it’s a fair bet that Parallels is using the proxy settings.
Please let me know when you figure things out!
Oct 2nd, 2007
Jayson
What does a setup like this do with DNS requests? Does it do DNS via the untrusted network or does it route the DNS requests to the proxy?
Firefox has an about:config option that lets you route DNS through the proxy, so I was wondering if you could do the same with an OS X native proxy setup.
Oct 16th, 2007
Double Parity
@Jayson
I’m fairly (but not 100%) certain that DNS requests are handled by the untrusted network, despite a proxy configuration. I’ll try to confirm when I can get Wireshark running on my Mac. Also, it seems that Firefox’s DNS routing option doesn’t necessarily work (see bottom of http://security.the-engine.org/documents/31/secure-surfing-e-mail-and-more-with-ssh).
This means eavesdroppers can see what domains you’re visiting. But with SSH proxies, they won’t be able to see the content of your traffic. And false DNS resolutions will be caught by the SSH authentication process. It’s not perfect, but there is some benefit.
OpenDNS is an alternative to untrusted DNS servers, but only if you can feel comfortable trusting OpenDNS.
Oct 17th, 2007
Mark Troutman
I setup Network System Preferences as described, configuring Airport, Ethernet, and the Parallels NAT interface to use the proxy server. Without issuing the SSH command the Airport and Ethernet interfaces are unable to connect to the internet, but Parallels/Windows is still able to connect. Maybe we have to configure the proxy in Windows?
Nov 29th, 2007
howie
Is it possible for the administrator of the open wireless network to install some kind of keyboard logger? Would the ssh connection then be possible to monitor?
Dec 24th, 2007
Justin
You might also be interested in my application, Meerkat, which helps manage SSH tunnels and keep them going on the Mac:
http://codesorcery.net/meerkat
Jun 19th, 2008
......................
oi I wanna go to Bebo in school but it’s blocked, how can I go on it u dogs???
Jul 15th, 2008