How to surf securely while traveling, especially outside U.S?
May 3, 2009 7:26 PM
Is it a good idea when traveling to connect to a secure proxy with an ssh tunnel for doing business on the internet?
First, is there any advantage to tunneling when accessing sites that have https such as checking email, banking and shopping tour and travel sites, possibly giving credit card or sensitive personal information?
Second, is there any legal risk to consider? If so what countries could there be legal issues with creating an SSH tunnel to a proxy from my laptop or, using portable apps, from a hotel or internet cafe computer?
Ssh-tunneling to a trusted proxy can protect you from malicious proxy attacks, some of which are effective against https. So yes, there is an advantage. That said, it's not likely that these attacks would be used against you.
Can't speak to the legality, although if a country prohibits this kind of encryption, I would think that SSL (https) would be illegal too.
posted by qxntpqbbbqxl at 7:47 PM on May 3, 2009
If you're using https already, there is little to no point in tunnelling. For other purposes, running your http through an ssh tunnel (from a local port on the machine you're browsing with, presumably) would help secure against some interference (local to where your client is) but obviously not help with attacks between your secure proxy and the actual web host you're browsing.
I'm pretty sure SSH isn't restricted in any first-world western countries but wouldn't like to speak for China, Iran or Saudi Arabia in particular - certainly it will raise some eyebrows and/or give the impression you may have something to hide, which is sad. Encrypted comms should be the default not the exception IMHO but that's not the way it is.
Obviously you want to create yourself a few different DSA keys (stored on separate media) BEFORE you leave (because secure key-exchange across the network is hard, particularly if you don't already have a secure channel) and control which ones are accepted - perhaps by calling someone local to your secure proxy that can revoke a key you've lost control of and enable the next one.
posted by polyglot at 7:49 PM on May 3, 2009
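The key-management advice in the comment above, worked through as an added example that is not part of the thread or anyone's posted code. It uses ed25519 keys rather than the DSA keys the comment mentions (OpenSSH has disabled ssh-dss by default since 7.0), builds the proxy's authorized_keys with several pre-made travel keys of which only one is live, and lets the person at home revoke a key by its fingerprint and enable the next one. The public keys are constructed from hashed constants so the script runs offline; the option names, the fingerprint format and the comment-line behaviour of authorized_keys are real OpenSSH behaviour, everything else (key names, file layout) is my choice.

```python
import base64
import hashlib
import struct
from typing import List, Tuple

# Added example, not from the thread. Travel keys are ed25519 (my choice, not
# DSA); the public keys below are CONSTRUCTED from hashed constants so the
# script runs offline. With real keys, `ssh-keygen -t ed25519 -f travel_1`
# produces travel_1.pub, and `ssh-keygen -lf travel_1.pub` prints the same
# SHA256 fingerprint that fingerprint() computes here.


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed 'string' from RFC 4251."""
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_pubkey(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a fake
    32-byte key (sha256 of a constant). Wire format: string("ssh-ed25519") || string(key)."""
    key_bytes = hashlib.sha256(b"constructed travel key %d" % seed).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    blob = base64.b64decode(pubkey.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


# Options for a key that exists only to carry a SOCKS/port-forward tunnel:
# `restrict` turns off pty, agent/X11 forwarding and ~/.ssh/rc, then
# `port-forwarding` re-enables just the forwards. Connect with `ssh -N`.
TUNNEL_OPTS = "restrict,port-forwarding"


def build_authorized_keys(keys: List[Tuple[str, str]], active: str) -> str:
    """One line per travel key. Only `active` is live; the rest are kept as
    '#' comment lines, so enabling one later never requires moving key material."""
    lines = []
    for name, pub in keys:
        line = f"{TUNNEL_OPTS} {pub} {name}"
        lines.append(line if name == active else "# " + line)
    return "\n".join(lines) + "\n"


def active_keys(text: str) -> List[str]:
    """Names (comment field) of the keys sshd would currently accept."""
    return [ln.split()[-1] for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def rotate(text: str, lost_fingerprint: str, next_name: str) -> str:
    """Revoke the key whose fingerprint matches (comment it out) and enable
    `next_name`. The traveller reads the fingerprint over the phone; nobody
    has to dictate or email a whole public key."""
    out = []
    for ln in text.splitlines():
        body = ln.lstrip("# ").rstrip()
        if not body:
            out.append(ln)
            continue
        _opts, keytype, b64, name = body.split(None, 3)   # assumes no spaces in options
        if fingerprint(f"{keytype} {b64}") == lost_fingerprint:
            out.append("# " + body)        # revoked: sshd ignores comment lines
        elif name == next_name:
            out.append(body)               # enabled
        else:
            out.append(ln)                 # unchanged
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    travel = [(f"travel_{i}", constructed_ed25519_pubkey(i)) for i in (1, 2, 3)]
    ak = build_authorized_keys(travel, active="travel_1")
    print(ak)
    lost = fingerprint(travel[0][1])       # the laptop holding travel_1 was stolen
    print("revoke", lost)
    ak = rotate(ak, lost, next_name="travel_2")
    print(ak)
    print("accepted:", active_keys(ak))
```

On the laptop the traveller then runs `ssh -N -D 1080 -i ~/.ssh/travel_1 user@proxy` and points the browser's SOCKS5 proxy at localhost:1080. Pre-seed ~/.ssh/known_hosts with the proxy's host key before leaving as well: host-key verification is SSH's counterpart to the certificate check, and a first connection made from a hotel network is exactly where a man-in-the-middle would present a forged key. If you would rather not edit authorized_keys by hand, sshd's RevokedKeys option takes a separate revocation list.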
If you aren't using your own computer I'd be worried about a key logger, in that case it doesn't matter how much encryption you use.
posted by bottlebrushtree at 8:31 PM on May 3, 2009
If you trust the computer at which you're sitting (your laptop?), then there are few advantages to tunneling all of your traffic through a secure proxy that using secure application protocols will not provide with less annoyance.
https, ssh, sftp, etc. all create a secure link between endpoints. So, your computer can understand the conversation, and the target computer can understand it, but nobody in the middle can understand it. Somebody who controls your internet connection can play man in the middle, but have a look at certificates for how this sort of problem is frequently mitigated.
The one advantage of ssh-tunneling everything is that it makes traffic analysis more difficult. So, from a snooper's point of view, you're outputting a single compressed and encrypted stream with all of your traffic intermingled. It's going to one destination, to one port. It's clearly a stream of compressed data, but without breaking the code no inferences may be made about the content. It could be a bittorrent download or a streaming porno or you downloading a stolen database.
In a technologically advanced but politically repressive country, those people in charge of internet surveillance may notice your encrypted connection to a western proxy. The ssh protocol itself is characteristic and may set off an alert. I don't know where the use of ssh is illegal. But, it is detectable.
But, if your concern is somebody at a hotel stealing your credit card as you order midget porn, and you're using your own laptop, https is fine. If you're using somebody else's computer, there's nothing you can do to be sure the owner isn't stealing your input. But, again, if your concern is network-dwelling hoodlums, and not the laptop owner, https is fine. Never, ever, ever trust a kiosk or cyber cafe computer... you have literally no idea who could have cracked it and using what means, no matter what you do (short of dismantling and inspecting it then reinstalling the OS).
posted by Netzapper at 9:12 PM on May 3, 2009
And then checking out the keyboard.
There is some cheap hardware that they can put between the keyboard and the computer that will capture everything you type too.
posted by Iax at 9:53 PM on May 3, 2009
First and foremost: Never trust a computer that isn't yours, if you're really worried about security.
Generally speaking, though, risk is directly related to the value of the potential security breach. Hence, don't hang out where rich people, other business people, or high value targets do their internetting.
That said, an ssh tunnel on port 80 is easy, and most likely to get past any non-government sponsored nastyware firewalls. A VPN service would also probably work. A Reverse SSH tunnel also might do the trick.
Another fairly standard option is ssh over https.
From there, things get a bit more exotic:
If you want to be both sure your data gets through, baffle the local sysadmin, and keep your data safe, you could run OzymanDNS from Dan Kaminsky, DNS demigod. You can run an ssh tunnel over what look like slightly strange DNS lookups. Has the side effect of transparently enabling free internet access behind pay-for-play hotspots.
That, or pipe your ssh tunnel through a jabber server with ssh-xmpp. That'll look like a really really weird, but non-encrypted conversation between two people.
Hell, you could run xmpp over dns, with the ssh tunnel inside of it. Total mindfuck.
posted by Freen at 10:16 PM on May 3, 2009 [1 favorite]
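Netzapper's point that "the ssh protocol itself is characteristic" and Freen's suggestion of an ssh tunnel on port 80, taken together as an added example that is not part of the thread: a toy version of the protocol check a hotel or national middlebox can run. Both SSH peers send a cleartext identification line ("SSH-2.0-...") before any key exchange, whatever port is in use, so moving SSH to port 80 only defeats a port-based filter. Wrapping it in TLS (the "ssh over https" option) hides that line, and a DNS tunnel shows up instead as long, high-entropy query names, which the second half of the example scores. All payloads and names are constructed samples; the thresholds are my guesses.

```python
import math
import re
from collections import Counter

# Added example, not from the thread. A toy protocol classifier of the kind a
# hotel, ISP or government middlebox runs. Every payload and DNS name below is
# a CONSTRUCTED sample; the SSH identification line format is RFC 4253 s.4.2.

SSH_ID_LINE = re.compile(rb"^SSH-(2\.0|1\.99)-[\x21-\x7e]+")
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def is_tls_client_hello(b: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x01..0x03,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[2] in (1, 2, 3) and b[5] == 0x01


def classify_flow(dst_port: int, client_first: bytes, server_first: bytes) -> str:
    """Label a TCP flow from the first bytes each side sends."""
    # Both directions are checked: a client may wait for the server's line,
    # but the server always sends one, so the port number does not hide SSH.
    if SSH_ID_LINE.match(client_first) or SSH_ID_LINE.match(server_first):
        return "ssh" if dst_port == 22 else f"ssh-on-port-{dst_port}"  # the alert case
    if is_tls_client_hello(client_first):
        return "tls"        # SSH inside TLS lands here: its ID line is encrypted
    if HTTP_REQUEST.match(client_first):
        return "http"
    return "unknown"


def tunnel_payload(qname: str) -> str:
    """Everything below the registered domain (assumed to be the last two labels)."""
    return "".join(qname.rstrip(".").split(".")[:-2])


def shannon_entropy(s: str) -> float:
    """Bits per character of s."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_dns_tunnel(qname: str, min_len: int = 40, min_entropy: float = 3.5) -> bool:
    """Heuristic: encoded data in labels is long and close to random, while
    real hostnames are short and word-like. Thresholds are assumptions."""
    data = tunnel_payload(qname)
    return len(data) >= min_len and shannon_entropy(data) >= min_entropy


if __name__ == "__main__":
    ssh_c, ssh_s = b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_7.4\r\n"
    tls_hello = bytes([0x16, 0x03, 0x01, 0x00, 0xc5, 0x01, 0x00, 0x00, 0xc1])
    http_get = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    flows = [
        (22, ssh_c, ssh_s),          # plain ssh
        (80, ssh_c, ssh_s),          # "ssh tunnel on port 80"
        (443, b"", ssh_s),           # client silent, server banner alone gives it away
        (443, tls_hello, b""),       # ssh over https: indistinguishable from browsing
        (80, http_get, b"HTTP/1.1 200 OK\r\n"),
    ]
    for port, c, s in flows:
        print(port, classify_flow(port, c, s))
    for name in ("www.example.com",
                 "a7f3kq9xz2m8bv4cwp6ny1rt.5jd0ehslug3ik7o9fq2xb5mz.t.example.com"):
        print(name, looks_like_dns_tunnel(name))
```

Two caveats a practitioner would want. The "tls" label covers both ordinary browsing and SSH wrapped in TLS, which is why TLS wrapping is the more reliable of the options above against protocol detection; the destination address is still visible, which is the traffic-analysis point Netzapper makes. The DNS heuristic as written will also flag long but legitimate CDN hostnames, so real detectors add query rate per client and the record types used (TXT, NULL) before alerting.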
"Second, is there any legal risk to consider? If so what countries could there be legal issues with creating an SSH tunnel to a proxy from my laptop or, using portable apps, from a hotel or internet cafe computer? "
Yeh, American here, long term ex-pat. I've worked all over Africa and in many Middle East nations. Depends really upon the country, some are indifferent, others just too disorganised to notice, but VPN or SSH serves to attract the wrong kind of attention in some countries.
As an American you really don't want that attention, as they can and do assume the worst.
Legal risk? Well, for starters you're subject to their laws and, very often, their whims. Forget due process, your phone call, a visit from the embassy, etc. They'll do what they want to with you and your property. Frequently folks in such countries are held for protracted periods then released without charge. Worse off for wear, I must add.
It's best to avoid attracting attention to yourself in any country that is openly hostile to US interests, and in many that are sympathetic to or otherwise friendly with such nations.
If you've got specific countries in mind MeMail me.
posted by Mutant at 1:09 AM on May 4, 2009
posted by Chocolate Pickle at 7:42 PM on May 3, 2009