I am Eric Hameleers, and this is where I think out loud.
Securely browsing the net – using SOCKS

If you are using a public/open wireless access point (for example in an Internet café), or if you live in a country where people are not all that happy or concerned about its citizens’ freedom, you sometimes find yourself wanting to hide your browsing behaviour from others.

I will describe a setup which allows you to run your browser traffic through an encrypted tunnel. And using Firefox, even your DNS lookups will use that tunnel instead of talking to the local (possibly monitored) DNS server. There is one catch: you have to have a shell account on a remote SSH server.

This article uses a lesser-known feature of OpenSSH: the ssh client can create a SOCKS proxy.

Suppose you have a shell account “alien” on a remote server “safehaven.net”. Using ssh you can quickly set up a local SOCKS proxy using the following command (assuming you are running this command as non-root, you can only make your SOCKS proxy listen on non-privileged ports – anything higher than port 1024 is unprivileged):

$ ssh -D 8888 alien@safehaven.net

Once your ssh client connects to that remote server, your local computer’s port 8888 will act as a SOCKS proxy: any application that can use a SOCKS proxy can send its traffic through the encrypted SSH tunnel to the remote server, which forwards it to the Internet.

You then configure Firefox to use a SOCKS proxy; the proxy’s hostname will be “127.0.0.1” and the port is of course “8888”.

This is enough to hide your browsing (the URLs you access as well as the data you retrieve in your browser) from any 3rd party. But… your computer is still consulting a local DNS server for the hostname lookups. Anyone can still sniff that traffic and guess what you are doing. Even if your computer uses one of the many “free” DNS services on the Internet (like Google’s public DNS addresses 8.8.8.8 and 8.8.4.4), your DNS lookups can possibly be monitored on the local network.

So, there is one more setting in Firefox which you have to change in order to alter its DNS lookup behaviour. In your Firefox entry bar, type “about:config” which will show the low-level configuration options for the browser, most of which are not accessible through its “normal” GUI. Look for the entry:

network.proxy.socks_remote_dns

which will have the value of “false” by default. Change its value to “true” by double-clicking it. From then on, Firefox will use the DNS server at the remote end of the SOCKS proxy instead of the locally configured DNS server, thereby effectively hiding your browsing from anyone. If you happen to be in a situation where you know that DNS lookups are being filtered or spoofed, this is your secure way out of this ugliness.

Eric
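What the network.proxy.socks_remote_dns setting changes on the wire, as an added example that is not part of the original post: per RFC 1928, a SOCKS5 CONNECT request carries either a hostname (the far end of the tunnel resolves it) or an IP address (the client already resolved it locally, outside the tunnel). The function names and the sample host and address are assumptions made for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types


def build_connect(host, port, remote_dns, local_ip=None):
    """Build the SOCKS5 CONNECT request sent after the method handshake."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("idna")  # hostname travels inside the tunnel
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # The client looked the name up itself; local_ip stands in for that answer.
        ip = ipaddress.ip_address(local_ip)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return head + addr + struct.pack("!H", port)


def parse_connect(req):
    """Parse a SOCKS5 request and report where name resolution had to happen."""
    if len(req) < 7 or req[0] != 0x05 or req[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        n, body = body[0], body[1:]  # one length byte, then the name
    elif atyp == ATYP_IPV4:
        n = 4
    elif atyp == ATYP_IPV6:
        n = 16
    else:
        raise ValueError("unknown address type")
    raw, rest = body[:n], body[n:]
    if len(raw) != n or len(rest) != 2:
        raise ValueError("truncated or oversized request")
    if atyp == ATYP_DOMAIN:
        dest, resolver = raw.decode("ascii"), "remote"
    else:
        # An IP here means any DNS lookup happened before the proxy was contacted.
        dest, resolver = str(ipaddress.ip_address(raw)), "local"
    return {"dest": dest, "port": struct.unpack("!H", rest)[0], "dns_resolved_by": resolver}


if __name__ == "__main__":
    # Constructed sample: example.org and 192.0.2.10 are documentation values.
    for flag in (True, False):
        req = build_connect("example.org", 443, flag, local_ip="192.0.2.10")
        print(flag, req.hex(), parse_connect(req))
```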

Comments

Pingback from UKOLN Dev » Accessing local-network-only web pages from outside the firewall
Posted: April 10, 2010 at 18:23

[...] Here is a blog post describing the basics of this openssh functionality: http://alien.slackbook.org/blog/securely-browsing-the-net-using-socks/ [...]

Comment from Ponce
Posted: April 10, 2010 at 22:21

thank you a lot for the nice tip :)

Pingback from How do I find the host server name for my college email address? | Host Rage
Posted: April 11, 2010 at 08:05

[...] Alien Pastures » Securely browsing the net – using SOCKS [...]

Comment from slava_dp
Posted: April 12, 2010 at 07:47

That’s a useful tip, thanks Eric.

Pingback from Anonymous
Posted: January 30, 2011 at 22:52

[...] Hi, I read this article: http://alien.slackbook.org/blog/secu…t-using-socks/ (thanks Alien for all packages and howto) but I have some doubts. Let's see if I understand [...]

Comment from Kazee
Posted: June 5, 2011 at 17:21

Thanks for the information
It is really very helpful.

Comment from Corey
Posted: July 21, 2011 at 22:13

I was using a chrome extension called proxy switchy to do this same thing in Chrome. Unfortunately the developer has removed the built in functionality and is instead relying on the OS. In KDE network settings I do not see socks as an available proxy type. Is there a workaround for that?

Pingback from firefox doesn’t show up properly when run remotely through ssh -Y
Posted: April 4, 2012 at 00:21

[...] Not actually an answer to your question, as I do not have one as this just works for me. However I have found that I get much better performance by running the browser locally using a SOCKS proxy. http://alien.slackbook.org/blog/secu…t-using-socks/ [...]

Pingback from The Proxy That SOCKS | Lysender's Daily Log Book
Posted: April 12, 2012 at 14:40

[...] Slacker that it is possible to create a proxy using SSH. He describes the details in his post about Securely browsing the net – using SOCKS. The post is very straight-forward and he even explains the how and the [...]

Comment from Alan Aversa
Posted: March 31, 2013 at 19:55

I’ve been using this trick for quite a while, but only recently do I get a “bind: Cannot assign requested” error. Does this have something to do with the remote server into which I am logging? Can one configure sshd to prohibit “-D”? thanks & happy Easter

Comment from Alan Aversa
Posted: March 31, 2013 at 19:59

I just figured out, courtesy this StackExchange posting, that I need to force IPv4 with “-4”.
