
Double Parity: Safer Surfing on Untrusted Networks (Mac Edition)

Bookmark History

Saved by 7 people (3 private), first by anonymouse user on 2007-10-02


Public Sticky notes

The rise of Web 2.0 and the increasing availability of Wi-Fi access now means that you can do more than ever away from your home or office. But there is an associated risk. Using someone else's network makes you highly vulnerable to information theft. You may not realize it, but the vast majority of data transmitted across the web (including email) is unencrypted. Sure, most websites protect your password and some may even protect your username; but once you've logged in, odds are that everything else is transmitted in the clear. Consequently, when you're on an untrusted network, your personal data is at risk.

Highlighted by missiontobe

When you're on an untrusted network, however, even this last step is not safe. Networks can be configured relatively easily to send you to website forgeries even if you manually key in the proper URL. So is there any hope at all? Do we surf the internet in fear every time we are away from the home or office? Fortunately, along with exercising increased caution and suspicion, there are technologies you can employ to help you deal with untrusted networks.

Highlighted by jyrkij

SSH Proxies are a relatively simple and accessible solution for the tech-savvy.

Highlighted by jyrkij

A proxy is nothing more than a trusted computer. It can be your home computer, your web host, or a server provided by your ISP. The SSH utility allows you to form an encrypted connection, or tunnel, to the proxy. All network activity can then be routed through that tunnel to the proxy. So, for example, if you want to check your email, your proxy is the device that communicates directly with the email server and then sends the data back to your laptop over the SSH-encrypted tunnel. At no point does unencrypted data travel across the untrusted network.

Highlighted by jyrkij

Furthermore, SSH verifies that you're actually connected to your proxy and not some substitute or forgery. If it can't verify the identity of the proxy, it informs you and lets you assess the situation.

Highlighted by jyrkij

First, go to the Network preference pane and create a new location. In my case, I've named the location "Untrusted". Then, for both the Airport and Built-in Ethernet devices, click on Proxies and enable the SOCKS Proxy checkbox. Finally, fill in "localhost" for the server and "9999" for the port and save the changes.

Highlighted by jyrkij

Now, whenever you are on an untrusted network, there are just two things to do:

  1. Open Terminal and issue the ssh tunnel command (ssh -ND 9999 user@example.com)
  2. Open the Network System Preference pane and change the location to Untrusted.

Highlighted by jyrkij

scselect Untrusted

Highlighted by jyrkij

ssh -ND 9999 user@example.com

Highlighted by jyrkij

Parting tip: This is mentioned in the Lifehacker article, but it's worth reiterating. If you happen to be on a very slow untrusted network, adding the -C option to the ssh command may speed things up. The -C option compresses all data sent through the SSH tunnel, in effect trading CPU cycles for increased bandwidth. The speedup isn't really noticeable on faster connections, but can be quite significant on slower networks.

Highlighted by jyrkij
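The two-step routine above (ssh -ND 9999, then scselect Untrusted) and the -C tip, combined into one script as an added example that is not from the original article: it refuses to switch the network location until the SOCKS port actually answers, makes an unverifiable proxy host key a hard failure instead of a prompt, and switches back if ssh dies. Assumptions: the location name "Untrusted" from the article, "Automatic" as the macOS default location to fall back to, user@example.com as a placeholder proxy, and bash as the shell.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Brings up the SSH SOCKS
# tunnel (ssh -ND 9999 user@example.com), waits until the local port really
# answers, and only then runs "scselect Untrusted", so nothing leaves in the
# clear while the tunnel is still down. Assumed names: location "Untrusted"
# (article), fallback "Automatic" (macOS default), user@example.com (placeholder).
set -eu

PROXY_PORT="${PROXY_PORT:-9999}"
PROXY_HOST="${PROXY_HOST:-user@example.com}"
LOCATION="${LOCATION:-Untrusted}"
FALLBACK_LOCATION="${FALLBACK_LOCATION:-Automatic}"

# Compose the ssh command line. -N: no remote shell; -D: local SOCKS listener.
# StrictHostKeyChecking=yes turns "identity of the proxy cannot be verified"
# into a hard failure rather than an interactive question; ExitOnForwardFailure
# makes ssh exit if it cannot bind the SOCKS port. Pass "compress" to add -C.
build_tunnel_cmd() {
  local port="$1" host="$2" compress="${3:-}" cmd="ssh -N"
  if [ "$compress" = "compress" ]; then cmd="$cmd -C"; fi
  printf '%s\n' "$cmd -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -D $port $host"
}

# Succeeds if something accepts TCP connections on localhost:$1 (bash /dev/tcp).
port_is_listening() {
  (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

run_untrusted() {
  if port_is_listening "$PROXY_PORT"; then
    echo "port $PROXY_PORT already in use; not starting a second tunnel" >&2
    return 1
  fi
  $(build_tunnel_cmd "$PROXY_PORT" "$PROXY_HOST" "${1:-}") &   # word-split on purpose
  ssh_pid=$!
  # However this script ends (Ctrl-C, ssh dying), leave the Mac on a working location.
  trap 'scselect "$FALLBACK_LOCATION" >/dev/null 2>&1; kill "$ssh_pid" 2>/dev/null' EXIT
  for _ in $(seq 1 20); do                       # wait up to ~10 s for the listener
    port_is_listening "$PROXY_PORT" && break
    kill -0 "$ssh_pid" 2>/dev/null || { echo "ssh exited before the tunnel came up (host key rejected?)" >&2; return 1; }
    sleep 0.5
  done
  port_is_listening "$PROXY_PORT" || { echo "tunnel not listening on $PROXY_PORT" >&2; return 1; }
  scselect "$LOCATION"
  wait "$ssh_pid"
}

# Only act when invoked as "script up" or "script up-compress"; sourcing does nothing.
case "${1:-}" in
  up) run_untrusted ;;
  up-compress) run_untrusted compress ;;
esac
```

Run it as `./untrusted.sh up` (or `up-compress` on a slow network); when you leave the network, Ctrl-C switches the location back and closes the tunnel.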