Network Sanitization

April 23rd, 2013, 11:48 pm PDT by Greg

I have been spending a fair amount of time working in coffee shops in Hangzhou. The culture seems to be that buying a coffee also buys me several hours sitting at a table doing whatever I damned well please. It’s a nice change of scenery from my apartment. They usually have wi-fi, but it would be pragmatic to assume that whatever traffic goes over that connection is beamed directly to a billboard outside. I generally feel the same way about hotel internet, free airport wi-fi, and other dodgy connections: I just don’t trust that they have any interest in protecting my privacy.

I really want to encrypt all of my traffic over those links. I always encrypted my mail client connections anyway, and SSH is inherently encrypted. That really leaves my browser as the weak link in my average-day networking.

After considering some options, I ended up with just about the simplest solution, although it does take a touch of technical know-how to get going. The basic idea is that the SSH client can act as a local SOCKS proxy: anything the browser hands to it is carried over the encrypted SSH connection and sent out onto the internet from the server, so the wi-fi only ever sees SSH. Using it involves setting my browser to send everything through that SOCKS proxy, DNS lookups included (in Firefox that is the “Proxy DNS when using SOCKS v5” option; without it the browser still resolves hostnames through the coffee shop’s DNS, which tells them every site I visit), and starting up the tunnel with a command like this:

# user@host is a placeholder for whatever server you SSH to;
# -D 1080 opens a SOCKS proxy on localhost port 1080, -C compresses the tunnel
ssh -C -D 1080 user@host

It’s also possible to do this on Windows with PuTTY and on a Mac from the Terminal.
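To make the “proxy DNS” point concrete, here is the SOCKS5 exchange a browser has with the listener that `ssh -D` opens. This is an added example, not code from the original post or from OpenSSH: the server side is a stub that only parses the request and records what it was asked to connect to (nothing is forwarded), and the hostname `example.com`, port 443 and the address `192.0.2.10` are constructed inputs. The two client variants differ only in the address type they send: a hostname (ATYP 0x03), which leaves resolution to the far end of the tunnel, or an IPv4 address, which means the client already asked the local resolver and leaked the name.

```python
"""SOCKS5 CONNECT exchange (RFC 1928) between a client and a stub proxy.

Added example, not from the original post. The stub server stands in for
the SOCKS listener `ssh -D` provides; it records each CONNECT target and
forwards nothing. All hosts/addresses below are constructed sample values.
"""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
METHOD_NOAUTH = 0x00


def _recv_exact(sock, n):
    """Read exactly n bytes or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def build_connect_request(host, port, remote_dns):
    """CONNECT request sent after the method handshake.

    remote_dns=True  -> ATYP 0x03, the hostname travels through the tunnel and
                        is resolved at the far end.
    remote_dns=False -> ATYP 0x01, mimicking a client that resolved the name
                        locally (the lookup itself went to the local network).
    """
    if remote_dns:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # Constructed: a fixed address standing in for the local resolver's answer.
        addr = bytes([ATYP_IPV4]) + socket.inet_aton("192.0.2.10")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Parse a CONNECT request; returns (atyp, host, port)."""
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("unsupported request")
    if atyp == ATYP_IPV4:
        return atyp, socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host = data[5:5 + n].decode("ascii")
        return atyp, host, struct.unpack("!H", data[5 + n:7 + n])[0]
    raise ValueError("unsupported address type")


def _read_connect_request(sock):
    """Read a whole CONNECT request off the socket, sized by its ATYP."""
    head = _recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        return head + _recv_exact(sock, 4 + 2)
    if head[3] == ATYP_DOMAIN:
        n = _recv_exact(sock, 1)
        return head + n + _recv_exact(sock, n[0] + 2)
    raise ValueError("unsupported address type")


def _stub_socks_server(listener, seen, count):
    """Server half of SOCKS5 for `count` clients; records each CONNECT target."""
    for _ in range(count):
        conn, _ = listener.accept()
        with conn:
            ver, nmethods = _recv_exact(conn, 2)          # greeting: VER, NMETHODS
            methods = _recv_exact(conn, nmethods)
            if ver != SOCKS_VERSION or METHOD_NOAUTH not in methods:
                conn.sendall(bytes([SOCKS_VERSION, 0xFF]))  # no acceptable method
                continue
            conn.sendall(bytes([SOCKS_VERSION, METHOD_NOAUTH]))
            seen.append(parse_connect_request(_read_connect_request(conn)))
            # REP 0x00 = succeeded; BND.ADDR/PORT zeroed since nothing is connected
            conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + b"\x00" * 6)


def socks5_connect(proxy, host, port, remote_dns):
    """Client half: greeting, method selection, CONNECT. Returns the REP byte."""
    with socket.create_connection(proxy) as s:
        s.sendall(bytes([SOCKS_VERSION, 1, METHOD_NOAUTH]))
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != METHOD_NOAUTH:
            raise ConnectionError("proxy rejected our auth method")
        s.sendall(build_connect_request(host, port, remote_dns))
        _ver, rep = _recv_exact(s, 2)
        return rep


def run_demo():
    """Run both client variants against the stub; return what the proxy saw."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    proxy = listener.getsockname()
    seen = []
    t = threading.Thread(target=_stub_socks_server, args=(listener, seen, 2), daemon=True)
    t.start()
    replies = (socks5_connect(proxy, "example.com", 443, remote_dns=True),
               socks5_connect(proxy, "example.com", 443, remote_dns=False))
    t.join(timeout=5)
    listener.close()
    return {"replies": replies, "seen": seen}


if __name__ == "__main__":
    for atyp, host, port in run_demo()["seen"]:
        kind = "hostname (resolved at far end)" if atyp == ATYP_DOMAIN else "IPv4 (resolved locally)"
        print(f"proxy saw {host}:{port} as {kind}")
```

The first request is what you want the proxy to see: the name goes through the tunnel and the SSH server does the DNS lookup and the TCP handshake on your behalf. The second is the shape of a leak: the proxy only ever learns an IP, because the browser already asked the local resolver for `example.com` in the clear.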

In theory, this can speed up a slow connection a little. Each web connection’s TCP handshake happens between the SSH server and the destination rather than over the flaky wi-fi link (only the one long-lived SSH connection crosses it), and the compression (-C) might help for the right kind of traffic, though it does nothing for content that is already compressed or encrypted.

Of course, you need a server to SSH to. If I’m working, I use a computer in the department at SFU. I figure that’s kosher. Another option is Amazon: an Amazon Web Services free tier should stay free if you use a micro instance and keep the bandwidth under control. As I recall, I just used their most generic-looking Ubuntu image and changed just about nothing.

Your privacy is, of course, only as good as your endpoint. Sooner or later, your web traffic has to leave the SSH server and get out there into the big-bad internet, and unless the site itself uses HTTPS it leaves in the clear: whoever runs that server and its network can see exactly what the coffee shop would have. It’s not that I particularly trust Amazon, but I don’t trust any other provider much more.

I have also experimented with sshuttle. Rather than relying on each application to honour a proxy setting, it redirects all of the machine’s TCP traffic (and, optionally, DNS) through the SSH connection using the local packet filter, so nothing can bypass the tunnel. That’s technically better, but the SOCKS tunnel usually passes the “good enough” bar for me.

Edit: …and Proxy Selector to flip the SOCKS proxy on when I need it.

3 Responses to “Network Sanitization”

  1. tb Says:

    maybe try Ultrasurf or Freegate

  2. Hexcles Ma Says:

    Hi Greg, I’m a student of your Discrete Math class. Just came across your blog and saw this post.

    I think I should inform you of some bad news: GFW will block your server’s SSH socket if you have too much SSH traffic (e.g. watching YouTube for tens of minutes). And OpenVPN has the same problem.

    Of course you can keep changing the socket if you wish, but I’m afraid that finally the whole IP will be blocked.

    I suggest you use this project:

    It’s really easy to setup. A simple python server and client. It’s also a SOCKSv5 proxy with simple encryption support.

  3. Hexcles Ma Says:

    BTW, never try Ultrasurf or Freegate as @tb said. They are kind of suspicious private software provided by untrustworthy organizations.