HOWTO: Secure Firefox/IM/email from anywhere with PuTTY
thinkhole.org — Quick, step-by-step HOWTO to set up secure, encrypted tunnels for web browsing, instant messaging, and email from anywhere. No need to set up a VPN. Great for working from hotels and coffee shops!
- 1681 diggs
- veza, on 10/12/2007, -18/+4
where to find remote host with OpenSSH?
- lagerbottom, on 10/12/2007, -13/+4
I am not sure I follow your question veza?
- mooninite, on 10/12/2007, -9/+38
In Soviet Russia, OpenSSH finds remote host!
- silenceHR, on 10/12/2007, -15/+7
what about soviet USA?
who finds you there?
- dclowd9901, on 10/12/2007, -13/+5
In soviet russia, Open SSH doesn't find Chuck Norris.....
- CypherXero, on 10/12/2007, -6/+11
@Veza:
Don't be one of those morons I see in my authlog files, trying to bruteforce his/her way into my machine via SSH. It's mostly people from China trying to bypass their government's firewall. And using me as the middle man.
- dbr_onix, on 10/12/2007, -2/+3
I think he wants a remote system to use SSH to.. If you have a spare PC and broadband, use that, if not, find a free shell host, which are generally hard to find, if you can't, maybe ask a friend with an always-on linux computer/server if you can use that..
- Ben
- NJank, on 10/12/2007, -0/+4
hard to find?
http://www.freeshell.org
- lowbot, on 10/12/2007, -0/+2
You don't need a dedicated linux box to do this. Install cygwin and install openssh. Use a service like dyndns if your IP keeps changing. A windows machine and a broadband connection works fine.
- srineer, on 10/12/2007, -4/+4
this would be cool with portable putty or on a LiveCD
- pcgeek101, on 10/12/2007, -53/+6
I follow this process almost daily ... :-) It works, but with one flaw ... DNS requests are still directed to your local DNS server, and should logging be enabled, it can easily be traced back to you. Have fun, but be careful too ----- http://develnet.blogspot.com
- harmlessinc, on 10/12/2007, -4/+19
PCgeek101 - seriously, stop linking to your blog in the comments. It's spam, plain and simple. And finding all of my comments and calling me out as a spammer really doesn't change that.
- pbaehr, on 10/12/2007, -2/+10
I don't think the author meant this to be used for anonymous communication, just secure communication. So it doesn't really matter that the DNS requests are received locally, the communication end of it is still being sent through SSH and therefore encrypted.
- MrGeneric, on 10/12/2007, -16/+5
Good point, but where on your advertising free blog (http://develnet.blogspot.com) do you explain what to do about it?
- falsedata, on 10/12/2007, -1/+24
"DNS requests are still directed to your local DNS server, and should logging be enabled, it can easily be traced back to you. Have fun, but be careful too -----"
Firefox fix:
*about:config
*network.proxy.socks_remote_dns --> true
You can also use this same tunneling trick with Thunderbird.
- falsedata, on 10/12/2007, -1/+16
Oh and you probably wouldn't want DNS requests to be done locally if you are using this trick to bypass filters (ex. school or work) -- an admin would be able to see what sites you visited by viewing the DNS requests.
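Added example, not from the original HOWTO or from any commenter: what the network.proxy.socks_remote_dns setting discussed above changes at the wire level, in Python with only the standard library. With the setting off, Firefox resolves the name itself (a plaintext DNS query on the hotspot or school network) and hands the proxy an IP address; with it on, the hostname travels inside the SSH tunnel and the ssh server resolves it at the far end. The hostname, the address it maps to (a TEST-NET address) and the local resolver table are constructed for offline use; the request layout follows RFC 1928.

```python
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04

# Constructed stand-in for the browser's own resolver (socks_remote_dns = false).
# A real browser would call getaddrinfo(), i.e. send a plaintext DNS query on the
# local network; that query is exactly what the hotspot or school admin can log.
LOCAL_RESOLVER = {"example.com": "192.0.2.10"}   # TEST-NET address, assumption


def build_connect(host, port, remote_dns):
    """SOCKS5 CONNECT request (RFC 1928) as the browser sends it into the ssh -D / PuTTY port.

    remote_dns=True  -> ATYP 0x03: the hostname travels inside the tunnel and the
                        ssh server resolves it at the far end.
    remote_dns=False -> ATYP 0x01/0x04: the browser resolved it first, so the
                        lookup already leaked before the tunnel was used.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname longer than SOCKS5 allows")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = ipaddress.ip_address(LOCAL_RESOLVER[host])
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req):
    """Decode a CONNECT request the way the SOCKS server inside sshd sees it,
    and report whether the client must already have resolved the name locally."""
    if len(req) < 4 or req[0] != SOCKS_VER or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        dst, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_IPV6:
        dst, end = str(ipaddress.IPv6Address(req[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, end = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"dst": dst, "port": port, "dns_leaked_locally": atyp != ATYP_DOMAIN}


if __name__ == "__main__":
    for remote in (False, True):
        req = build_connect("example.com", 443, remote_dns=remote)
        print("socks_remote_dns=%-5s %s -> %s" % (remote, req.hex(), parse_connect(req)))
```

The same distinction applies to any SOCKS5-capable client, not just Firefox: if the request arriving at the tunnel carries an IP address instead of a name, the lookup happened on the local network before the tunnel was involved.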
- ksponge, on 10/12/2007, -1/+2
Thanks for the tip falsedata.
- datastorageguy, on 10/12/2007, -2/+3
I use vmware's browser appliance at home when I need to get to my bank or credit card sites. Works well and fairly secure.
http://www.vmware.com/vmtn/appliances/browserapp.html
- alecks, on 10/12/2007, -2/+8
Doesn't your bank or most credit card sites use SSL? In which case making a "secure browser" somewhat irrelevant?
- ungamedplayer, on 06/13/2008, -0/+1
Not really, do you trust the browser manufacturer? Do you trust your machine is not infected?
- Amplix, on 10/12/2007, -2/+3
Anyone know of a Mac Equivalnet?
- Dhalgren, on 10/12/2007, -2/+4
Firefox works on macs...
Or, if you are asking for a mac alternative to openssh:
http://www.openssh.com/macos.html
- namelyk, on 10/12/2007, -34/+8
Dude, macintoshes are gay.
- jswg, on 10/12/2007, -2/+8
ssh -D 1666 user@ssh-host.com
System Preferences -> Network -> Airport -> Proxies. Set SOCKS Proxy to localhost:1666
- rasterbator, on 10/12/2007, -16/+3
Equivalnet is not a word, so the answer is no. ;-)
- CypherXero, on 10/12/2007, -3/+1
@jswg:
He still needs an ssh daemon to connect to somewhere. There are ssh daemons for OS X, and if you want, you can set up another computer, like a *nix box, with the ssh daemon running. Either way, you have to have a service to connect to.
- dbr_onix, on 10/12/2007, -1/+1
I thought OS X has a SSHd by default (Called Remote Login I think), at least when I set up OS X there was a fairly obvious check box to enable it..
- Ben
- jgeorgeson, on 10/12/2007, -0/+3
@CypherXero
OS X includes the OpenSSH daemon. In System Preferences -> Sharing, just turn on Remote Shell (or Login, or Session, I forget the name).
- Amplix, on 10/12/2007, -0/+1
Thanks guys, jswg
- datastorageguy, on 10/12/2007, -1/+2
@alecks
True, but running a virtual machine adds another layer of security. It also protects your pc from adware, viruses, etc, because even if you were to download these via HTTP onto the virtual machine, none of it can propagate to your local machine. Just restart it, don't save any changes made, and you have a newly wiped clean virtual machine.
- namelyk, on 10/12/2007, -19/+0
That is impossible, virtual machines suck.
- CypherXero, on 10/12/2007, -2/+4
@name:
Apparently, you've never used an OS in a virtual machine setting. You're no better than all those other morons who say "that sucks" without having used it before.
- webcrumb, on 10/12/2007, -0/+1
"none of it can propagate to your local machine."
Just be careful it's not a network-propagating worm. Seeing as the VM is accessing the network, and your real machine is also part of the network, you still have to take standard precautions - e.g. don't run an exposed unpatched retail XP install.
- gumannm, on 10/12/2007, -2/+4
openssh equivalent (plus a lot more) for this is ssh -qTfnN -D 7070 remotehost. All the added options are for a ssh session that’s used for tunneling. -q :- be very quiet, we are acting only as a tunnel. -T :- Do not allocate a pseudo tty, we are only acting as a tunnel. -f :- move the ssh process to background, as we don’t want to interact with this ssh session directly. -N :- Do not execute remote command. -n :- redirect standard input to /dev/null. In addition on a slow line you can gain performance by enabling compression with the -C option.
- gumannm, on 10/12/2007, -1/+7
editing comment is screwing up my formatting .
OK second try
ssh -qTfnN -D 7070 remotehost.
All the added options are for a ssh session that’s used for tunneling.
-q :- be very quiet, we are acting only as a tunnel.
-T :- Do not allocate a pseudo tty, we are only acting as a tunnel.
-f :- move the ssh process to background, as we don’t want to interact with this ssh session directly.
-N :- Do not execute remote command.
-n :- redirect standard input to /dev/null.
In addition on a slow line you can gain performance by enabling compression with the -C option.
- jgeorgeson, on 10/12/2007, -0/+1
If you already have a fast connection, -C can actually slow things down by adding CPU time for compressing/decompressing on each end of the tunnel.
- Paladin27, on 10/12/2007, -1/+4
I've been doing this for a long time using Trillian and Firefox and using DD-WRT firmware, which has an SSH server built in, on my Linksys WRT54G connected to my DSL at home. ;)
- MrGeneric, on 10/12/2007, -4/+6
That is only half a solution, the link from your remote system is not secure to the final destination, why not just use hamachi and ssh or tor and privoxy?
- namelyk, on 10/12/2007, -9/+2
I think you're downplaying just how important stories like this are. Yeah, WE (Wii?) know this, but WE are geeks/nerds/gamers/etc. We are in the know. But even now the vast majority of people, including potential and definite consumers, are completely unaware of what's going on right now in the gaming industry, especially in regards to the PS3 and super-especially the Wii.
Stories like these that hit popular sources like Newsweek are really more important for Nintendo than your standard online gaming article on say IGN. This goes double in the Wii's case because of its attempt to capture the market outside your typical gamer. This kind of exposure is essential for Nintendo in their marketing of the Wii if they truly want to reach out and grab non-gamers, because right now the general populace has no freakin' clue what Nintendo's doing.
I hope to see a lot more informed popular articles for the Wii that help to better spread the word. Although, what Nintendo's marketing REALLY needs is visual demonstrations (like TV stuff) and actual demo stations put in places where non-gamers will actually play them.
edited for plagiarism
- CypherXero, on 10/12/2007, -9/+3
Why the hell would you need Hamachi? OpenSSH does everything you need. If you want to install that bloatware crap, go ahead. But, I'm telling you, nothing beats OpenSSH (and for Windows users, you can install Cygwin, and then install OpenSSH)
Hamachi...pshh...go home, n00b.
- MrGeneric, on 10/12/2007, -3/+8
Hamachi and ssh allows secure connections between 2 systems when BOTH are firewalled by an ISP, without any fear of hamachi not being secure (It is secure, but some people have their doubts).
So who is the n00b? I have worked in IT security related roles with +20,000 users in +6000 locations and $ billions at stake, I'm not a n00b.
Why neg-digg my question without answering it directly, ssh to home only secures HALF the data path (and not the DNS).
What is happening to digg these days, the retards have taken over!
- CypherXero, on 10/12/2007, -2/+5
OpenSSH gives you everything you need. Adding Hamachi is just redundant. It's like installing 2 anti-virus programs when all you need is just one. If you want to get past a firewall using SSH, just set the ssh server (sshd) to accept connections on port 443 (SSL) which is almost never closed by a firewall, and then when you use the client to connect, just specify port 443 on the server. Bingo.
So why use Hamachi when SSH handles encrypted proxy tunnels?
- Zavius, on 10/12/2007, -5/+2
Anyone know how to get this to work with Real Rhapsody or any other online music stores? Rhapsody doesn't appear to have a proxy type setting and it's causing me problems.
- webcrumb, on 10/12/2007, -0/+1
ProxyCap or similar should get most programs working.
- nOOBert, on 10/12/2007, -3/+4
It is only secure in the ssh tunnel. once you connect to something else through the tunnel it is no longer secure.
Example. You set up a tunnel for FF to use. you connect to a site through your tunnel. Only the traffic between your computer through the tunnel is secure. Once the "server" connects to the outside world it is no longer secure.
"6. Enjoy
That’s it. From now on, as long as you first log into the remote ssh host with PuTTY, your Firefox and IM traffic will be routed over a secure tunnel to the remote host and then out to the Net. Good stuff."
Meaning once it leaves the computer you are tunneling through it is no longer secure. Bad headline...
- CypherXero, on 10/12/2007, -1/+7
It's secure from Point A to Point B (ie: Coffee Shop to Home). Basically, it can prevent people from packet sniffing you, from intercepting your communications, and to bypass firewalls. This is GOOD for places like coffee shops, with free WiFi. Because you never know who's on the network there with you.
- nOOBert, on 10/12/2007, -4/+0
two things... Digg is broke and won't let me do returns in my comments... or at least when i edited my above comment. and 2: https or SSL is your friend. The only way that i know of to have a secure connection between you and website (for example) you are looking at.
- nOOBert, on 10/12/2007, -2/+3
CypherXero: Yes. I am just pointing out that once you leave your tunnel it is no longer secure. IMHO the Topic is misleading. Maybe people are smarter than I assume. :)
- MrGeneric, on 10/12/2007, -3/+2
Exactly, and other solutions are 100% secure, such as tor. Why did somebody neg-digg your relevant and accurate comment?
- CypherXero, on 10/12/2007, -0/+6
Tor is way too slow to use, it's a pain in the ass. It's worse than 56k dialup.
I know that SSH won't protect your data when it's not in the proxy tunnel, but then again, you should be safe.
- spiderland, on 10/12/2007, -1/+1
This is true. I have no idea why people are neg-digging your comment, since it is significant.
If your home network (or wherever your SSH tunnel terminated) was insecure for any reason, your traffic from that point could be sniffed and intercepted.
- rattboi, on 10/12/2007, -0/+1
although it IS a bit misleading in that it's just securing part of your connection, sometimes that is enough. For example, I run SSHd on my mac mini at home, and even though it didn't mention it in the article, it gave me enough to work with so I could secure all my VNC traffic to the same machine, and other machines in my home network from work, which is a crappy open wireless connection.
- Maceyhw, on 10/12/2007, -3/+3
Okay, maybe this is a stupid question, but why not just use VPN? The article dismisses it but doesn't give a reason for doing so.
- MrGeneric, on 10/12/2007, -6/+1
ACK, the story is bull and the little nazi who posted it is getting ***** because people are pointing out the obvious.
- ShaunO, on 10/12/2007, -0/+2
A VPN is useless anywhere you're a guest on their machine. If they have half a clue, you won't have the required access to go installing network drivers, raise a new interface, add a new (default?) route, etc.
PuTTY will work as a "portable app", in that it's a self-contained .exe .. just don't save any settings while you're a guest on someone else's machine. Combine with a portable build of your preferred web & email clients, and you're set.
VPN, tor, privoxy, hamachi, are solutions for certain problems. But not when you're a guest on a machine with limited access. There's still a need & use for user-space solutions.
- rattboi, on 10/12/2007, -0/+1
There's also PortaPutty that'll keep all the settings in the same directory as Putty, so you can put it on a thumb drive or whatever.
- equusdc, on 10/12/2007, -2/+2
If you are adept enough to install and correctly configure a SSH server, doing the same with a VPN using PoPToP or FreeS/Wan is trivial at worst, so I don't get this "sometimes using a VPN isn't practical." On what planet is "create a SSH tunnel with a loopback proxy to provide port-forwarding" any more straight-forward than the equivalent technospeak required to explain installation of a VPN server?
Clever solution, maybe, but why bother?
- richbradshaw, on 10/12/2007, -2/+3
You can get PortaPutty and Portable Firefox meaning that you can do all this without needing to install/change any settings on a PC that you might want to use this on. e.g. in an internet cafe, you might not have root access to the pc.
- shizeon, on 10/12/2007, -0/+2
This also will allow you to use any box you have ssh access to as the proxy server. Sometimes you don't have root to install a VPN solution. SSH offers a great userland utility to do this. This allows me to use my web host as a proxy when my home connection takes a dump.
- lagerbottom, on 10/12/2007, -9/+3
I love how people mod down my comment. I WASN'T TALKING TO YOU!
- thrillho, on 10/12/2007, -0/+2
How can I confirm that this is working? Anyone, anyone?
- jswg, on 10/12/2007, -0/+2
If your server and client are behind different public IPs, connect to http://www.whatismyip.org from the client. If the site says you are behind the server's IP, it's working.
- CypherXero, on 10/12/2007, -0/+3
If you're on ANOTHER internet connection (like at a coffee shop using SSH), go to http://www.ipchicken.com and check and see if the IP address you're given is your home IP address.
- thrillho, on 10/12/2007, -0/+3
I found out a simple way, kill the putty connection and try to load up firefox. There is an error that says "the proxy is refusing connections". Thanks all.
- CypherXero, on 10/12/2007, -2/+3
That doesn't mean anything, by killing the proxy and then checking. Of course it's going to say you can't connect to the proxy. If I put this in my firefox settings:
efiehfr9h9hwedfjoewjhf90u0rf3r3r3.nete
If you killed the proxy, the browser would tell me it can't connect to it. So you need a more accurate way to tell. And the way I described above works fine.
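Added example, not from the original HOWTO, PuTTY or OpenSSH: a Python check that ties the OpenSSH flags gumannm listed earlier (-qTfnN -D) to thrillho's question of how to confirm the tunnel is working. Closing PuTTY and watching Firefox fail only proves the port is closed; sending a SOCKS5 greeting to the local port tells a closed port, a non-SOCKS listener and a real SOCKS5 listener apart, and the public-IP check jswg and CypherXero describe still confirms that the traffic actually exits at the SSH host. The remote hostname, port 7070 and the demo listener are assumptions made for this example.

```python
import socket
import subprocess
import threading


def tunnel_argv(remote_host, local_port, compress=False):
    """OpenSSH argv equivalent of PuTTY's "Dynamic" forward, with the flags from the thread:
    -q quiet, -T no pty, -f background after authentication, -n stdin from /dev/null,
    -N no remote command, -D local SOCKS listener.  -C (compression) only pays off on slow links."""
    argv = ["ssh", "-q", "-T", "-f", "-n", "-N"]
    if compress:
        argv.append("-C")
    # Bind the listener to loopback explicitly so nobody else on the hotspot can use your tunnel.
    argv += ["-D", "127.0.0.1:%d" % local_port, remote_host]
    return argv


def start_tunnel(remote_host, local_port):
    """Launch the tunnel.  With -f, ssh returns 0 once it has authenticated and gone to the background."""
    return subprocess.call(tunnel_argv(remote_host, local_port))


def socks5_probe(host, port, timeout=2.0):
    """Send a SOCKS5 greeting (version 5, one method: no authentication) and classify the reply.
    This distinguishes 'nothing listening' from 'something listening that is not SOCKS'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")
            reply = s.recv(2)
    except ConnectionRefusedError:
        return "refused"            # nothing on that port: the tunnel is not up
    except socket.timeout:
        return "timeout"            # port open but silent: probably not a SOCKS server
    except OSError as exc:
        return "error: %s" % exc
    if reply == b"\x05\x00":
        return "socks5"             # SOCKS5 server accepted no-auth: the tunnel is up
    if reply == b"\x05\xff":
        return "socks5-auth-required"
    return "not-socks"              # e.g. a web server or a SOCKS4-only proxy answered


def start_demo_listener():
    """Constructed stand-in for the ssh -D listener so the probe can be exercised offline
    (it is not part of OpenSSH).  Answers one greeting and returns the port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if conn.recv(3)[:1] == b"\x05":
                conn.sendall(b"\x05\x00")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Real use: start_tunnel("ssh-host.example.net", 7070) first, then probe the local port.
    print("127.0.0.1:7070 ->", socks5_probe("127.0.0.1", 7070))
```

A "socks5" answer means the local end is up; it says nothing about the far end, so pair it with the public-IP check from the thread (or, for a firewall that only passes 80/443, run sshd on one of those ports and add -p to the argv) before trusting the tunnel.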
- farr, on 10/12/2007, -1/+2
I've been doing this for a looong time. Secure tunnels for my data makes me feel warm and fuzzy inside. =) and dugg.
- xanos3001, on 10/12/2007, -7/+1
Dude, I was doing this in 1997!!!
This is nothing new.
- smackfumaster, on 10/12/2007, -3/+6
You're an idiot.
- Zavius, on 10/12/2007, -1/+0
Any way to do this without using a SOCKS5 proxy? Opera as well as several other apps don't support SOCKS5 proxying
- syberghost, on 10/12/2007, -0/+1
It supports SOCKS4 also.
- nferrier, on 10/12/2007, -0/+0
the latest version of openssh has built in vpns as well.
before built in vpns I used to run ppp over ssh:
sudo pppd silent updetach noauth pty "sudo -u user ssh -t someuser@internet-host 'pppd noauth internalip1:internalip2'" internalip2:internalip1
but now you can just use ssh -w 0:0 someuser@internet-host ... (the -w argument is local_tun:remote_tun device numbers; internalip1/internalip2 are then assigned to the tun interfaces on each end)
this makes the article trick even easier. I don't know when putty will have this tho.
- moonshade, on 10/12/2007, -1/+0
... or use Putty + SocksCap and tunnel any windows TCP/UDP application, not only ones that support proxy settings.
- doenitz16, on 10/12/2007, -2/+0
Would it be more secure or maybe better if you tunnel through your own proxy, like privoxy for example. Or better than that privoxy running together with TOR?
- dheaney, on 10/12/2007, -1/+2
For those of you who are interested in doing a little more work to get truly private browsing, you can follow this setup: http://compulsive.org/2006/02/17/ssh-squid-private-browsing/
The PuTTY tunnels actually leak DNS requests, so employers (girlfriends?) can see where you're going, but not the content of your traffic. If you're truly paranoid, and have access to SSH and Squid, then you can follow the setup above. It doesn't leak anything.
Good luck!
- Nemesis][, on 10/12/2007, -2/+6
And I'll do a shameless plug...
After looking for an application to monitor/control SSH tunnels under Win32 (and not finding anything I really liked) I whipped this up:
http://nemesis2.qx.net/software-myentunnel.php
Hopefully others will find it useful.
- LilGator, on 10/12/2007, -0/+1
Nemesis][, perfect :) that's beautiful ...
- mamluk, on 10/12/2007, -0/+1
I have no clue why you are getting neg-diggs, that app looks pretty nice. Thanks for sharing it.
- winkydo, on 10/12/2007, -1/+2
this is good for those of you who missed the same instructions on other blogs the first 50 times the same setup configuration was posted.
- sleepless, on 10/12/2007, -0/+1
True that.... they are everywhere.... for my money, is put it in SSH with Squid. Just redirect all your traffic over an SSH tunnel. If you are super paranoid, just use Links inside your SSH terminal.
- critic, on 10/12/2007, -0/+0
O-Tay rank n00b here.
Tried setting up Putty from Work to Home. Could not connect or get to home login screen.
Zone Alarm runs on home pc. Don't want to leave home machine open.
Any good tutorials for the beginner on this?
TIA - Critic
- jbestrom, on 10/12/2007, -0/+1
One question is there any way to hide what ip you are connected to by chance? I just don't want my network admin to see that I'm connected to MYIP all day and block that ip addy.
- emostar, on 10/12/2007, -0/+1
No way around it, unless you have shell accounts on other systems that you can login to, then login to your home PC. I know there are some free shells online, and maybe just set some up with your friends. But if you connect to it directly, the network admin can see it.. otherwise it is not a connection.
- btboudreaux, on 10/12/2007, -0/+0
I'm going to sound like a noob.
1) If you use remote desktop from your laptop to home pc, and access firefox, trillian, gaim, and everything else like that, wouldn't everything be secure? Seems like an easier solution.
2) Is there any way to secure everything locally? Like can I have Trillian, firefox, and email secured on my computer through some third party program without creating a remote desktop session or tunnel? It seems like there would be something out there that would allow you to do this without all the overhead of creating a tunnel or remote desktop. I'm not concerned about hiding my IP or anything, just that if I send a message or visit a webpage that it will be encrypted.
But then again... I don't know anything.
- BlitzPig_Sal, on 10/12/2007, -0/+1
1. You can do this, but it will be much slower because you are really transmitting bitmaps of the remote desktop instead of regular web packets. And if you're behind a firewall that blocks everything but web traffic, you won't be able to connect to the remote desktop
2. You can't normally have a secure connection with websites, IM servers and email servers because those servers do not support the encryption. This is why you create a ssh tunnel to a computer you control. That computer provides the secure connection to your location but the traffic from your ssh server to the destination server will always be in the clear.
- pygmalion, on 10/12/2007, -0/+0
What if you can't open a connection on port 22 in the first place? Some hotspots I visited blocked every single port except 80 (and I'm assuming 443 for HTTPS). It seems that "Internet access" means Internet Explorer and Hotmail for some hotspots administrators... No email, no FTP, no SSH, no nothing.
- rattboi, on 10/12/2007, -0/+1
set up your SSH server on port 80, and change your client accordingly. I've done this at school before, where all traffic was blocked except outgoing port 80, and it worked beautifully.
- artbarizo, on 10/12/2007, -0/+1
That's great when you use a Linux box as your server. But what about when you are (sadly) a Windows purist? I really don't want to have to learn another operating system. I wrote a tutorial on setting up a VPN in Windows XP. It's not that hard at all! Visit it here:
http://www.hackernotcracker.com/2007-04/using-virtual-private-networking-vpn-to-avoid-packet-sniffinganalysis-and-data-theft.html
- wolfgang123usa, on 10/12/2007, -0/+0
try this
you have to install a proxy tunnel yourself at your home computer. Here the HowTo http://sharkssl.com/44100/viewforum.php?f=4&sid=b71f75cbde257e319c1b7a5b6a64834d , all the HowTos are made for the free version of BarracudaDrive, called homeserver. When you buy the professional version the proxy is already built in. The free and the professional version you find at http://barracudaserver.com/products/BarracudaDrive/HttpsTunnel.html
enjoy, Wolfgang