Christophe Jacquet

Securing an untrusted Wifi access using SSH

It is now quite easy to get a Wifi connection while on the move, in public places or at hotels or holiday apartments. However, a majority of these access points are not to be relied upon. Most often, the network itself is open, and you log in on a web page. This means that the data exchanged between your laptop and the access point is unencrypted. In other words, anybody may eavesdrop on your data, even if they are not logged in. The same goes for Wifi networks “secured” with WEP, as the key may be recovered by any intruder in a matter of just a few minutes using off-the-shelf programs. And anyway, if you’re on an unknown network, you never know if someone who has physical access to the network doesn’t “monitor” traffic.

If you use only encrypted protocols on top of the insecure Wifi channel (e.g. HTTPS, POPS, SSH, etc.) it’s not really a problem. For instance, you may safely connect to your bank account as it’s done over HTTPS. However, if you connect to Wikipedia or Facebook for instance (which use HTTP), anybody may 1) steal your password if you log in, or 2) hijack your session if you have logged in already, and in any case 3) gain access to private information by just capturing exchanged data.

Therefore a basic recommendation is not to connect to websites requiring a log in and not offering HTTPS when on untrusted networks. Unfortunately this prevents you from using many sites. So here comes this solution. All you’ll need is an SSH client on your laptop and a trusted computer, online somewhere on the Internet, accessible via SSH.

The connection between you and the trusted computer, using SSH, an encrypted protocol, is inherently secure, and may be safely used on an untrusted network. So the basic idea is to tunnel all your traffic through this secure channel. It’s very easy using SSH, because the standard OpenSSH client has an option to create a SOCKS proxy on the local host. To do this just connect to the trusted computer using a command like:

ssh -D 8888 my.trusted.box

Once logged onto the computer, a SOCKS proxy will be opened on your laptop, here on port 8888.

Now all you have to do is to configure your browser or OS to use localhost, port 8888, as a SOCKS proxy. Firefox must be configured specifically (Advanced > Network > Proxy parameters), while Chrome, Safari and IE use system-wide parameters. After that, any HTTP connection will be delegated to your trusted computer, which will do it on your behalf. Note that on MacOSX, when you set a SOCKS proxy, it affects all connections, not just HTTP, so for instance when Mail.app sends an e-mail, it’s actually done through your trusted computer.

Valid HTML5? © . ✍ Contact. Imprint (Mentions légales).