Comments on: Safer Surfing on Untrusted Networks (Mac Edition)

By: Matthew Clark

Matthew Clark — Sun, 01 Aug 2010 19:02:28 +0000

i broke my arm on a freak surfing accident but hey, surfing is a nice sport-.~

By: ......................

...................... — Tue, 15 Jul 2008 10:12:50 +0000

oi i wna go to bebo in school but itz blocked how can i go on it u dogs???

By: Justin

Justin — Thu, 19 Jun 2008 18:30:20 +0000

You might also be interested in my application, Meerkat, which helps manage SSH tunnels and keep them going on the Mac: http://codesorcery.net/meerkat

By: howie

howie — Mon, 24 Dec 2007 23:53:03 +0000

Is it possible for the administrator of the open wireless network to install some kind of keyboard logger? Would the ssh connection then be possible to monitor?

By: Mark Troutman

Mark Troutman — Thu, 29 Nov 2007 15:21:10 +0000

I setup Network System Preferences as described, configuring Airport, Ethernet, and the Parallels NAT interface to use the proxy server. Without issuing the SSH command the Airport and Ethernet interfaces are unable to connect to the internet, but Parallels/Windows is still able to connect. Maybe we have to configure the proxy in Windows?

By: Double Parity

Double Parity — Wed, 17 Oct 2007 10:45:29 +0000

@Jayson

I’m fairly (but not 100%) certain that DNS requests are handled by the untrusted network, despite a proxy configuration. I’ll try to confirm when I can get Wireshark running on my Mac. Also, it seems that Firefox’s DNS routing option doesn’t necessarily work (see bottom of http://security.the-engine.org/documents/31/secure-surfing-e-mail-and-more-with-ssh).

This means eavesdroppers can see what domains you’re visiting. But with SSH proxies, they won’t be able to see the content of your traffic. And false DNS resolutions will be caught by the SSH authentication process. It’s not perfect, but there is some benefit.

OpenDNS is an alternative to untrusted DNS servers, but only if you can feel comfortable trusting OpenDNS.

By: Jayson

Jayson — Tue, 16 Oct 2007 15:18:11 +0000

What does a setup like this do with DNS requests? Does it do DNS via the untrusted network or does it route the DNS requests to the proxy?

Firefox has an about:config option that lets you route DNS through the proxy, so I was wondering if you could do the same with an OS X native proxy setup.

By: Double Parity

Double Parity — Wed, 03 Oct 2007 04:30:36 +0000

Sorry for an all-in-one reply. Still getting used to having a blog. And definitely surprised that people read it! Thanks for the taking the time to stop by and comment.

@zach_Brand

Yes, this technique would prevent your school from spying on your activities provided that your proxy is not on the school network.

@Adi Ron

Thanks!

@mobius

I think one major hurdle preventing a one-click solution for the masses is that this technique requires a second properly configured computer. If Google or Yahoo offered pre-configured ssh access to everyone, then maybe we could have an idiot-proof solution. Or maybe people could somehow convince ISPs to provide a tunneling script with their install CDs.

@a.Guy

I'm afraid I can't give you a definitive answer on this because I don't use Parallels. However, I have seen that Parallels installs extra devices into the Network System Preferences. I'm guessing you'll have to configure these devices much like you had to configure the Airport and Built-in Ethernet devices.

One way to check if the proxy is being used is to switch to the Untrusted location but don't issue the ssh command. On the Mac side, all apps should be unable to access the web. If this is also true on the PC side, this it's a fair bet that Parallels is using the proxy settings.

Please let me know when you figure things out!

By: a.Guy

a.Guy — Wed, 03 Oct 2007 01:41:11 +0000

i’m running Parallels vPC on my Macbook. Parallels connects online through Mac, but if I set up SSH on the Mac do you think I’ll have to configure all my PC apps (eg. Firefox, Outlook, Dreamweaver) to connect or will they maintain the same essential connection?

Just curious. SSH is totally new to me, but the reasons to use are compelling, particularly when I’m forced to use the PC online for clients.

thanks.

By: mobius

mobius — Tue, 02 Oct 2007 08:25:36 +0000

i favor the idea of using ssh tunnels, but my last two attempts at configuring a tunnel failed. considering how many articles i’ve seen on reddit and digg advocating the tunnel method it seems like this approach is growing in popularity. yet before it really takes off, someone’s gonna need to make an app or a preference pane that makes configuring a tunnel idiot proof. i’m not patting myself on the back or anything, but i know my way around the mac. if i couldn’t figure it out, i fear for those who know infinitely less — those who are, in particular, the more naive who do indeed need greater preventative security than more experienced netizens.

By: Adi Ron

Adi Ron — Tue, 02 Oct 2007 06:29:38 +0000

You may want to check out tsocks. It’s in DarwinPorts. It allows you to encapsulate processes so that they are forced to use SOCKS even if they stubbornly refuse.

As for the SOCKS server software, try Nylon.

By: zach_Brand

zach_Brand — Tue, 02 Oct 2007 05:13:50 +0000

I was wondering if this would b able to bypass a system on ether net to stop a main computer from seeing rom I am doing?

i.e. Downloading things, or looking at sites, or talking to friends.

My school keeps a very close watch on things that laptops do over ethernet and was wondering if this was a way so that they can’t track what I am doing…

By: jonno

jonno — Mon, 01 Oct 2007 23:43:56 +0000

Oops, well, never mind. Found my answer in Gina’s Lifehacker article.

By: jonno

jonno — Mon, 01 Oct 2007 23:06:41 +0000

I have a silly noob question. In the instructions:

Now, whenever you are on an untrusted network, there are just two things to do:

1. Open Terminal and issue the ssh tunnel command (ssh -ND 9999 user@example.com)

What would my user@example.com be for a macbook running on my home network? I know that I would use my username, but what’s the URL I would use?

Thanks for humoring me.

By: Daniel

Daniel — Mon, 01 Oct 2007 21:09:36 +0000

I use SSH proxy everyday at my office, where IT blocks many common ports.

I have an old iMac G3 at house as the proxy.