1. [The Case for SSH Proxies](#case_for_proxies)
2. [SSH Setup](#ssh_setup)
3. [Basic Mac Setup](#mac_setup)
4. [Adding Automation](#automation)
1. The Case for SSH Proxies
The rise of [Web 2.0][web20] and the increasing availability of Wi-Fi access now means that you can do more than ever away from your home or office. But there is an associated risk. Using someone else’s network makes you highly vulnerable to information theft. You may not realize it, but the vast majority of data transmitted across the web (including email) is unencrypted. Sure, most websites encrypt the login page so your password is protected, and some may even protect your username; but once you’ve logged in, odds are that everything else, including the session cookie that proves to the site that you are you, is transmitted in the clear, where anyone else on the same network can capture it. Consequently, when you’re on an untrusted network, your personal data is at risk.
This may not be an issue for many people. More and more, people are willing to post what once were considered private thoughts on public forums. But on an untrusted network, there are other greater dangers.
Many of you have probably received [phishing][phish] emails. They look like they’re from some popular website or financial institution; and unlike most spam, they try to get you to reveal your username, password, account number or other sensitive private data. The obvious ones ask you to reply to the email directly. The more devious efforts include links which at first glance may seem legitimate, but in reality transport you to forged websites. Yet despite this increase in sophistication, the solution is pretty simple. Never click on a link in suspicious email. If you truly suspect problems with an account, either contact customer support by phone or directly navigate to the institution’s website by manually typing in the proper URL.
When you’re on an untrusted network, however, even this last step is not safe. Whoever runs the network also hands out the DNS servers your laptop uses, so the network can be configured relatively easily to send you to a website forgery even if you manually key in the proper URL. So is there any hope at all? Do we surf the internet in fear every time we are away from the home or office? Fortunately, along with exercising increased caution and suspicion, there are technologies you can employ to help you deal with untrusted networks.
Medium to large companies deploy [VPNs][vpn], secure ID cards, fingerprint scanners, authenticated certificates, and more to protect their confidential data. Most of these technologies are too complicated and/or too expensive for individuals, but SSH Proxies are a relatively simple and accessible solution for the tech-savvy.
A proxy is nothing more than a trusted computer. It can be your home computer, your web host, or a server provided by your ISP. The [SSH][ssh] utility allows you to form an encrypted connection, or tunnel, to the proxy. Network activity can then be routed through that tunnel to the proxy. So, for example, if you want to check your email, your proxy is the device that communicates directly with the email server and then sends the data back to your laptop over the SSH-encrypted tunnel. Nothing crosses the untrusted network except SSH traffic. Be clear about what that does and does not protect: the encryption covers only the hop between your laptop and the proxy. From the proxy onward, your traffic travels exactly as it would from home, so a plain-HTTP site is still plain HTTP between the proxy and the web server. And only applications that actually honor the proxy setting are covered, which is what the rest of this article is about.
Furthermore, SSH verifies that you’re actually connected to your proxy and not some substitute or forgery. If it can’t verify the identity of the proxy, it informs you and lets you assess the situation. That check only works if your laptop already knows the proxy’s host key (SSH stores it in *~/.ssh/known_hosts* the first time you connect). So connect to the proxy once from a network you trust, and compare the fingerprint SSH shows you with the one on the proxy itself, before you rely on it from a café. A fingerprint you accept for the first time while sitting on a hostile network proves nothing.
2. SSH Setup
With that said, hopefully I’ve convinced you an SSH Proxy is a good idea, so let’s go about setting it up on your Mac. Lifehacker has an excellent article on using [SSH proxies to encrypt your web browsing][lh]. It’s the starting point for my Mac-specific tips, so if you haven’t read it already, please go read it now. And then remember to come back!
[lh]: http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php "Encrypt your web browsing session (with an SSH SOCKS proxy)"
3. Basic Mac Setup
Gina gave you a great how-to for creating an SSH tunnel and configuring Firefox to use that tunnel. But what if you use [Safari][saf]? Or [Camino][cam]? Or [OmniWeb][omn]? And what about all your other apps, like email and RSS? Nearly every desktop application today has some sort of network connectivity built in. How do you configure all of them to route their traffic through the SSH tunnel?
The answer lies in System Preferences. First, go to the Network preference pane and create a new location. In my case, I’ve named the location “Untrusted”. Then, for both the AirPort and Built-in Ethernet devices, click on **Proxies** and enable the **SOCKS Proxy** checkbox. Finally, fill in “localhost” for the server and “9999” for the port and save the changes. Proxy settings belong to the location, so your normal location is untouched and switching back is a single menu choice.
Now, whenever you are on an untrusted network, there are just two things to do:
1. Open Terminal and start the tunnel: *ssh -ND 9999 user@example.com* (replace *user@example.com* with your account on the proxy). The *-N* option tells ssh not to run a remote command, just to hold the connection open; *-D 9999* makes ssh act as a SOCKS proxy on local port 9999 and forward everything sent to that port through the tunnel.
2. Open the Network System Preference pane and change the location to Untrusted.
This will configure nearly every application that uses the system’s networking frameworks (Cocoa and WebKit apps among them) to route its traffic through your SSH proxy. However, you’re probably only 95% covered, because not every application respects the System Preferences settings. Some applications have their own proxy settings. Firefox is probably the biggest one, and the Lifehacker article shows you what you need to do. One Firefox detail worth checking: even with the SOCKS proxy set, Firefox by default still resolves host names through the local DNS server, which on an untrusted network is the attacker’s. Set *network.proxy.socks_remote_dns* to true in *about:config* so that name lookups go through the tunnel as well.
For me, iChat and Adium are the other two common apps. If you look into each app’s preferences, you’ll find options for configuring iChat and Adium to use proxies.
*Note: I have not successfully gotten iChat to work with proxies. There are a number of threads discussing this issue on the Apple Support forums but I didn’t find any definitive answers.*
4. Adding Automation
Now that you’ve reconfigured all the applications that don’t rely on System Preferences to use proxies, you’re probably thinking how painful it will be to do this every time you hop onto an unknown network. I definitely share your sentiments. Fortunately, there are ways to automate the process. I use an inexpensive application called [rooSwitch][roo] to help out.
A great little utility, rooSwitch allows you to easily create and manage multiple profiles for each application. You may know that Firefox allows you to create multiple identities, each with different settings and configuration options. RooSwitch gives you the ability to create multiple identities for every application on your system.
What I’ve done on my system is I’ve created “untrusted” profiles for both Firefox and Adium. In these profiles, I’ve configured the application settings to use a SOCKS proxy on port 9999.
Technically, you don’t need rooSwitch to create these profiles. You could manually generate and manage multiple identities by duplicating and shuffling the appropriate files and folders in *~/Library/Application Support/*, *~/Library/Caches/*, and *~/Library/Preferences/*. This is what rooSwitch does under the hood, but its interface makes the whole process so much easier, so it’s what I prefer. Plus, rooSwitch has [AppleScript][as] support, so it’s easy to automate.
Here’s my AppleScript for switching to the “untrusted” profile (each *tell* block needs its matching *end tell*, and the *allow quit* parameter lets rooSwitch quit the application so the profile can be swapped):

```applescript
tell application "rooSwitch"
	tell document "Firefox.rooSwitch"
		tell profile "untrusted" to make active with allow quit
	end tell
	tell document "Adium.rooSwitch"
		tell profile "untrusted" to make active with allow quit
	end tell
end tell
tell application "rooSwitch" to quit
```
If raw AppleScript is not your cup of tea, rooSwitch also provides a “Switch Profile” [Automator][am] action. Check out the [screencast][s] for more details.
This simplifies the SSH proxy process down to (1) switching rooSwitch profiles, (2) switching to the Untrusted location, and (3) creating the SSH tunnel. We can combine these steps with a little shell script and the help of **scselect** and **osascript**. The **scselect** program allows you to switch locations from the command-line. Similarly, **osascript** allows you to execute AppleScript from the command-line.
Here’s what the end result looks like:

```sh
ssh -ND 9999 user@example.com
```
If you save this script with a *.command* extension, then you can run it by double-clicking on the icon in the Finder like a regular application. When it runs, it will change the location, switch your profile, and start up the SSH tunnel. Enter your password and off you go!
It’s also a good idea to create a script for switching your location and profiles back to the default. I’ll leave it for you to do. Enjoy and safe surfing!
*Parting tip*: This is mentioned in the Lifehacker article, but it’s worth reiterating. If you happen to be on a very slow untrusted network, adding the -C option to the ssh command may speed things up. The -C option compresses all data sent through the SSH tunnel, in effect trading CPU cycles for bandwidth. The speedup isn’t really noticeable on faster connections, and it does nothing for data that is already compressed or encrypted (images, downloads, HTTPS pages), but on a slow link carrying mostly text and HTML it can be quite significant.
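Pulling the three steps (switch profiles, switch location, open the tunnel) into the *.command* script described above, as an added example rather than the article’s own script. It assumes a proxy account of *user@example.com*, that your normal location is the macOS default “Automatic”, that your normal rooSwitch profile is called “default”, and the rooSwitch document names from the article; change those to match your setup. It also adds the checks a practitioner would want: the SOCKS port is bound to loopback only, *ExitOnForwardFailure* makes ssh fail rather than silently run without the forward, *StrictHostKeyChecking=yes* refuses a proxy whose key is not already in *~/.ssh/known_hosts* (so there is no fingerprint prompt to blindly accept on a hostile network), and the -C option from the parting tip is a one-line switch. The location is switched before the tunnel is up, so if ssh fails your apps fail closed instead of talking to the network directly, and a trap reverts the location and profiles when the tunnel ends, which covers the “switch back” script left as an exercise above.

```sh
#!/bin/sh
# untrusted.command -- added example, not code from the original article.
# Save one copy as untrusted.command and one as trusted.command (a symlink
# works), chmod +x both, and double-click them in the Finder.
#
# Assumed names (edit to match your setup): PROXY, the two location names,
# and the rooSwitch document and profile names.
PROXY="user@example.com"          # placeholder for your account on the proxy
SOCKS_PORT=9999                   # the port used throughout the article
COMPRESS=no                       # set to yes on slow networks (adds ssh -C)
UNTRUSTED_LOCATION="Untrusted"    # the location created in System Preferences
TRUSTED_LOCATION="Automatic"      # macOS default location; assumed to be your normal one
UNTRUSTED_PROFILE="untrusted"     # rooSwitch profile from the article
TRUSTED_PROFILE="default"         # assumed name of your normal rooSwitch profile

# Build (but do not run) the ssh command line, so the options can be inspected.
#   -N                    no remote command, just hold the tunnel open
#   -D 127.0.0.1:PORT     SOCKS proxy on loopback only, never on the Wi-Fi interface
#   ExitOnForwardFailure  fail instead of running without the SOCKS port
#   StrictHostKeyChecking refuse a proxy whose key is not already in known_hosts
#   ServerAliveInterval   keep an idle tunnel alive through NAT timeouts
ssh_tunnel_cmd() {
  port=$1; host=$2; compress=${3:-no}
  set -- ssh -N -D "127.0.0.1:$port" \
    -o ExitOnForwardFailure=yes \
    -o StrictHostKeyChecking=yes \
    -o ServerAliveInterval=30
  if [ "$compress" = yes ]; then
    set -- "$@" -C
  fi
  set -- "$@" "$host"
  printf '%s\n' "$*"
}

# Emit the article's AppleScript with the profile name substituted. It is
# piped to osascript, which reads a script from stdin when given no file.
rooswitch_script() {
  cat <<EOF
tell application "rooSwitch"
    tell document "Firefox.rooSwitch"
        tell profile "$1" to make active with allow quit
    end tell
    tell document "Adium.rooSwitch"
        tell profile "$1" to make active with allow quit
    end tell
end tell
tell application "rooSwitch" to quit
EOF
}

go_untrusted() {
  # Location first: if the tunnel never comes up, apps pointed at
  # 127.0.0.1:9999 fail closed instead of using the untrusted network directly.
  scselect "$UNTRUSTED_LOCATION"
  rooswitch_script "$UNTRUSTED_PROFILE" | osascript
}

go_trusted() {
  scselect "$TRUSTED_LOCATION"
  rooswitch_script "$TRUSTED_PROFILE" | osascript
}

cleanup() {
  trap - EXIT INT TERM            # run once, even if Ctrl-C and exit both fire
  go_trusted
}

# Dispatch on the file name so one script serves both directions.
case "${0##*/}" in
  untrusted.command)
    go_untrusted
    trap cleanup EXIT INT TERM    # revert when the tunnel ends or Ctrl-C is pressed
    eval "$(ssh_tunnel_cmd "$SOCKS_PORT" "$PROXY" "$COMPRESS")"   # foreground; type your password
    ;;
  trusted.command)
    go_trusted
    ;;
esac
```

The Terminal window that opens stays up for as long as the tunnel runs; closing ssh (Ctrl-C, or the connection dropping) puts the location and profiles back. Because of *StrictHostKeyChecking=yes*, connect to the proxy once from a trusted network first so its key is already in *~/.ssh/known_hosts*; on the road, a key mismatch or an unknown host makes ssh refuse, which is exactly what you want.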
**UPDATE:** *I crossed out the portion where I claim that iChat and Adium cannot use the proxy settings specified through System Preferences. Sorry about that…not sure what I was thinking. Also, I fixed a few typos and grammatical errors. Hopefully the article reads better than a 3rd grade level now.*