codeblog

12/7/2006

paranoid browsing with squid

Filed under: Security, Ubuntu — kees @ 11:40 pm

As Carthik says, the SSH SOCKS option is a great way to quickly tunnel your web traffic. A word of caution for the deeply paranoid: all your DNS traffic is still in the clear. While the web traffic and URLs aren’t sniffable any more, curious people can still get a sense for what kinds of stuff you’re browsing, based on domain names. (And for the really really paranoid: if you’re on open wireless, your DNS lookups could get hijacked, causing you to browse to look-alike sites ready to phish your login credentials.)

Luckily, with SOCKS5, Firefox can control which side of the proxy handles DNS lookups. By default, it does the lookups locally, resulting in the scenario above. To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy behave more like a regular proxy, where DNS is handled by the remote end of the tunnel.

Update: Oops, as the title hints, I was going to talk about Squid. But then I didn’t. It’s pretty cool too. Carry on…


3 Comments »

  1. Thank you, thank you. This is awesome. This is also necessary in oppressive nations where they fiddle with DNS servers to block certain content (that is, using SSH SOCKS with local DNS is useless because the DNS lookup itself cannot be trusted). I’m not going to say where this is, but let’s just say they are hosting the 2008 Olympics.

    Comment by Oppressed — 7/11/2007 @ 5:56 pm

  2. I’ve been using IPCop and its SSH and Squid to surf through. I am not picking up any DNS ‘leaks’ with a packet sniffer either. However, I would like to know if you could tell me:
    A: When my port forwarded traffic goes to localhost:9999 then gets forwarded through the shell to Squid on port 800, does Squid not handle all the DNS?
    B: If I use -D in my plink.exe batch file, I am able to use Socks in FF, but otherwise, I’m using an http proxy. Is one method preferred over another?

    My overall concern is unfiltered access to sites I need but also privacy. I don’t want anyone snooping on my DNS.

    I’m looking at IronKey and other Tor on a stick ideas and am wondering if you have any other suggestions. I’d like to be anonymous, so my ISP isn’t watching all I do either. Thanks.

    Comment by SB — 11/27/2007 @ 11:05 am

  3. (In response to SB’s post above)

    Answer to Question A: In this situation, Squid is performing the DNS lookups for you. Your computer would resolve ‘localhost’ without a DNS lookup; data for your HTTP traffic is sent over the port forwarding tunnel created by SSH, and Squid will attempt to fulfill your HTTP requests by performing its own DNS lookups originating from its location.

    Answer to Question B: Both methods accomplish the same amount of encryption and “hiding”, assuming you’ve configured Firefox like the article says (by going to about:config). With Squid, you would have an added layer of caching which may or may not be useful. In an asymmetric Internet connection like consumer-grade cable or DSL, the caching is of no practical use because download bandwidth is so much more than upload bandwidth.

    Comment by KC — 12/3/2007 @ 12:00 pm
