I have been spending a fair amount of time working in coffee shops in Hangzhou. The culture seems to be that buying a coffee also buys me several hours sitting at a table doing whatever I damned well please. It’s a nice change of scenery from my apartment. They usually have wi-fi, but it would be pragmatic to assume that whatever traffic goes over that connection is beamed directly to a billboard outside. I generally feel the same way about hotel internet, free airport wi-fi, and other dodgy connections: I just don’t trust that they have any interest in protecting my privacy.
I really want to encrypt all of my traffic over those links. I always encrypted my mail client connections anyway, and SSH is inherently encrypted. That really leaves my browser as the weak link in my average-day networking.
After considering some options, I ended up with just about the simplest solution, although it does take a touch of technical know-how to get going. The basic idea is that SSH can provide an encrypted SOCKS server. Using it basically involves setting my browser to use the SOCKS tunnel for everything, and starting up the SOCKS tunnel with a command like this:
ssh -C -D 1080 email@example.com
In theory, this can speed up a slow connection a little. It removes the TCP handshake from their network, and the compression (-C) might help for the right kind of traffic.
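A quick check that the tunnel started by the command above is really answering, added here as an example and not part of the original post. It speaks SOCKS5 to the listener that -D 1080 opens on 127.0.0.1 and sends the destination as a hostname, so the name is resolved at the far end of the SSH connection instead of on the local network; the function names and the example.com destination are assumptions made for the illustration.

```python
import socket
import struct

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_connect(sock, host, port):
    """Ask the SOCKS5 proxy on `sock` to CONNECT to host:port.

    The hostname is sent as-is (address type 0x03), so the proxy end
    resolves it. Returns True when the proxy reports success.
    """
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    # Greeting: version 5, one method offered, 0x00 = no authentication.
    sock.sendall(b"\x05\x01\x00")
    if recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("not a SOCKS5 proxy, or it wants auth")
    # Request: version, CONNECT, reserved, ATYP=domain, length, name, port.
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                 + struct.pack(">H", port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    # Drain the bound address so the socket is left at the payload.
    if atyp == 0x01:
        recv_exact(sock, 4 + 2)
    elif atyp == 0x04:
        recv_exact(sock, 16 + 2)
    elif atyp == 0x03:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    else:
        raise ConnectionError("malformed SOCKS5 reply")
    return ver == 5 and rep == 0

def tunnel_is_up(dest="example.com", dest_port=443,
                 proxy=("127.0.0.1", 1080), timeout=5.0):
    """True if the local SOCKS listener accepts a CONNECT to dest."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            return socks5_connect(s, dest, dest_port)
    except OSError:  # refused, timed out, or a bad SOCKS reply
        return False

if __name__ == "__main__":
    print("tunnel up:", tunnel_is_up())
```

The browser needs the matching setting (SOCKS v5 with DNS sent through the proxy); otherwise page contents go through the tunnel while the name lookups still cross the local network in the clear.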
Of course, you need a server to SSH to. If I’m working, I use a computer in the department at SFU. I figure that’s kosher. Another option is Amazon: an Amazon Web Services free tier should stay free if you use a micro instance and keep the bandwidth under control. As I recall, I just used their most generic looking Ubuntu image and changed just about nothing.
Your privacy is, of course, only as good as your endpoint. Sooner or later, your unencrypted web traffic has to get out there into the big-bad internet. It’s not that I particularly trust Amazon, but I don’t trust any other provider much more.
I have also experimented with sshuttle. It pushes your entire network interface over the SSH connection. That’s technically better, but the SOCKS tunnel usually passes the “good enough” bar for me.
Edit: …and Proxy Selector to flip the SOCKS proxy on when I need it.