I’m on the road today, writing this from a hotel’s unsecured wireless Internet connection.
Call me paranoid if you wish, but I know how easy it would be for someone to snoop on any Internet traffic over such an unprotected wireless connection. Most of my e-mail accounts already use SSL encryption, but there’s one that doesn’t have that option; if I check it over this connection, any snooper could read not only my e-mail, but my account name and password too. The theoretical snoop could also see any websites I view, and any data I send to them, unless they use secure HTTP (which most sites don’t). A malicious one could even redirect my DNS queries and pretend to be any site that I want to view, potentially scarfing up my login credentials for any web account that I access. Secure HTTP would defeat such a man-in-the-middle attack, but again, most sites don’t use it.
So the first thing I did when I got online this evening was to research this problem. Lo and behold, there’s a very simple solution, and I was even all set up for it already!
As I’ve mentioned previously, I had set up a secure SSH server in our office months ago, keyed so that only a few people could get into it. I had some vague idea that I should be able to redirect all of my Internet access through that system via the SSH (Secure SHell) program. Sure enough, it’s easy to do: I just needed to start the SSH program like this:
ssh -D 8080 myofficeserver.dyndns.org
(No, myofficeserver.dyndns.org is not my real server address, nor is 8080 the port I use. They’re just examples.)
After that, it’s just a matter of setting my programs (Thunderbird, Firefox, and any other programs that I want to go through the proxy) to use a SOCKS proxy of ‘localhost’, port 8080. You can do this on a per-program basis, so programs like Skype connect directly to the ‘net instead of going through the proxy, or globally through the OS’s network settings. As long as the SSH instance that I started above is running, all network traffic from the programs set up this way is automatically routed through my office system, and piped between there and my hotel room fully encrypted. Nobody can easily eavesdrop on it; attempted man-in-the-middle attacks are obvious to me; to the servers I visit, I seem to be in my office rather than on the road; and I can even SSH onward to other resources on my home network that aren’t directly accessible over the Internet, like the MyBook network drive that I set up before I left. There are even Firefox plug-ins that make it easy to switch proxies for Firefox alone, such as FoxyProxy.
God, I love technology. 🙂 Now to go get some work done.