HOWTO: Secure Firefox and IM with PuTTY

There are times when you want to connect to the Internet through unknown and/or insecure networks such as the local Panera or other WiFi hotspot. If you aren’t careful, you might make it all too easy for someone to sniff your connection using Ettercap.

One of the best ways to secure your connection is to use a VPN, but that isn’t always practical. So here’s a way to securely connect to the net using only an SSH client and a remote box that you control/trust.

Requirements:

  1. PuTTY* loaded on your local machine
  2. Remote host running OpenSSH (e.g. Linux box at home)
  3. Firefox (obviously)
  4. Gaim for all your IM needs

Just follow these steps…


1. Create a new PuTTY session
Run PuTTY and create a new session to connect to the remote host that is running OpenSSH. Fill in the hostname and the port (usually 22), make sure SSH is checked, give it a session name and hit Save:

[Screenshot: PuTTY Session Config]

2. Configure a secure tunnel
Click on “Tunnels” on the left and set up dynamic forwarding for a local port (e.g. 7070). Under “Add new forwarded port” type in 7070 for the source port, leave the destination blank, and check Auto and Dynamic. Then hit the Add button. If you did it correctly, you’ll see D7070 listed in the Forwarded Ports box:

[Screenshot: PuTTY Tunnels Config]

That’s it for tunnels, as there is no need to create more than one. Remember to save your session profile in PuTTY so you don’t have to set up the tunnel next time.

3. Connect to the remote SSH box
Double click on the connection profile and type in your username and password when prompted.

4. Configure Firefox
Go to Tools, Options, General, and then click on Connection Settings…

[Screenshot: Firefox connections]

Check Manual Proxy Configuration, leave most of the fields blank, but fill in 127.0.0.1 for the SOCKS v5 host with a port of 7070 (or whatever you used in Step 2):

[Screenshot: Firefox connection settings]

5. Configure Gaim
Fire up Gaim and hit the Preferences button:

[Screenshot: Gaim]

Then select Network on the left and set up the Proxy Server. The Proxy Type should be SOCKS 5. The host is 127.0.0.1 and the port is 7070 (or whatever you chose in Step 2).

[Screenshot: Gaim]

There’s no need for a user or password. Then hit close.

6. Enjoy
That’s it. From now on, as long as you first log into the remote ssh host with PuTTY, your Firefox and IM traffic will be routed over a secure tunnel to the remote host and then out to the Net. Good stuff.
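What a SOCKS5 client such as Firefox sends to 127.0.0.1:7070 once it is configured as in steps 4 and 5, shown as an added example that is not part of the original HOWTO. It follows RFC 1928; the hostname and IP address are constructed, and the `dns_side` label is this example's own shorthand for which machine had to resolve the name (with `network.proxy.socks_remote_dns` set to true Firefox sends the hostname, otherwise it resolves locally and sends an IP).

```python
# Added example: SOCKS5 (RFC 1928) messages a client sends to the local tunnel port.
import ipaddress
import struct

VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

CLIENT_GREETING = bytes([VER, 1, 0])  # version 5, one method offered: 0 = no auth
SERVER_CHOICE = bytes([VER, 0])       # tunnel endpoint answers: "no auth" accepted


def build_connect(dest, port):
    """Build a CONNECT request; dest is a hostname or an IP literal."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        name = dest.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect(request):
    """Parse a CONNECT request and report which side had to resolve the name."""
    if len(request) < 5 or request[0] != VER or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = request[3], request[4:]
    if atyp == ATYP_DOMAIN:
        # Hostname travels inside the tunnel; the SSH host does the DNS lookup.
        size, body = body[0], body[1:]
        dns_side = "remote"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        # Client already holds an IP: it resolved the name on the local
        # network (or the user typed an IP literal).
        size = 4 if atyp == ATYP_IPV4 else 16
        dns_side = "local"
    else:
        raise ValueError("unknown address type")
    if len(body) != size + 2:
        raise ValueError("truncated or oversized request")
    addr = body[:size]
    if atyp == ATYP_DOMAIN:
        host = addr.decode("ascii")
    else:
        host = str(ipaddress.ip_address(addr))
    (port,) = struct.unpack("!H", body[size:])
    return {"host": host, "port": port, "dns_side": dns_side}


# Constructed sample requests for the same HTTPS destination.
REMOTE_DNS_REQUEST = build_connect("example.com", 443)   # hostname sent to proxy
LOCAL_DNS_REQUEST = build_connect("203.0.113.10", 443)   # IP resolved beforehand

if __name__ == "__main__":
    print("client ->", CLIENT_GREETING.hex(" "))
    print("server <-", SERVER_CHOICE.hex(" "))
    for req in (REMOTE_DNS_REQUEST, LOCAL_DNS_REQUEST):
        print("client ->", req.hex(" "), parse_connect(req))
```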

* Yes, PuTTY is available for Linux. It’s even in Portage!

Update (Email): Actually, the setup for Thunderbird to securely proxy your email traffic is pretty much the same as it is for Firefox.

And then type in 127.0.0.1 and your port number:

That’s it.

Update: Getting some linkage from Digg.

Corrections/Addendum:

  1. Note that this method will secure your connection between your remote location (e.g. WiFi hotspot) and the ssh host (e.g. Linux box at home). It is not secure from the ssh host to the Internet. For the most part, that’s OK as it will provide reasonable protection from people running packet sniffers at the hotspot. But please recognize that if your ssh host is on your cable connection at home, your ISP can still (obviously) easily sniff all your packets.
  2. Quite a few people have correctly pointed out that DNS queries will still be “leaked” to the untrusted network. So the names of any sites you visit will still get logged.

    Now if you don’t mind people knowing what sites you are connecting to, then there’s nothing to worry about. But if you are running the current version of Firefox and would like to protect that information, you can open the about:config page and change network.proxy.socks_remote_dns to true.

    You can do the same thing in Thunderbird if you would like.

    For a greater level of security on all your connections, you should consider running a full VPN (see also: IPCop + OpenVPN HOWTO).

  3. As Nate pointed out in the comments, if you have the command-line version of OpenSSH already installed on your computer, you don’t need to mess with PuTTY. Just run ssh -D 7070 user@host.example.com and that will set up your tunnel. I’m not an Apple user, but I think OS X has everything you need.
  4. There are portable versions of Firefox, Gaim, and Thunderbird, and PuTTY runs from a USB drive. So using this method (unlike using OpenVPN) there is no need to install anything on the computer you are using. Quite handy if you are borrowing someone’s computer or you are in a school computer lab.
  5. How do you know if it’s working? Personally, I used SmartSniff to look at the packets and make sure they looked encrypted and were on the right ports. Of course, any packet sniffer would do.

    The other method (and I tried this one too) is to get all set up and running with the tunnels. And then after it is apparently working, kill PuTTY and see if you lose the connection.

    Of the two, the packet sniffer is the better way to go.

  6. Apparently Opera only does SOCKS4. I didn’t personally try it, but this should work with SOCKS4 proxies as well as SOCKS5.
  7. SocksCap (non-commercial, home-use only) will let you run just about anything over a SOCKS5 proxy.
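The packet-sniffer check from item 5, combined with the DNS leak from item 2, as an added example that is not part of the original post. It assumes the sniffer's capture on the laptop has been reduced to `proto,src,sport,dst,dport` rows (a layout chosen for this example, not any tool's native export); all addresses are constructed, with 192.0.2.10 standing in for the SSH host.

```python
# Added example: flag captured flows that are not inside the SSH tunnel.
import csv
import io
import ipaddress

# Constructed sample capture taken on the laptop at the hotspot.
SAMPLE_CAPTURE = """\
tcp,10.0.0.23,51544,192.0.2.10,22
tcp,192.0.2.10,22,10.0.0.23,51544
tcp,127.0.0.1,51560,127.0.0.1,7070
udp,10.0.0.23,53012,10.0.0.1,53
tcp,10.0.0.23,51570,198.51.100.7,80
"""

# Constructed capture of a correctly tunnelled session.
CLEAN_CAPTURE = """\
tcp,10.0.0.23,51544,192.0.2.10,22
tcp,192.0.2.10,22,10.0.0.23,51544
tcp,127.0.0.1,51560,127.0.0.1,7070
"""


def audit_capture(text, ssh_host, ssh_port=22):
    """Return (kind, proto, flow) for every row that bypasses the tunnel."""
    ssh_ip = ipaddress.ip_address(ssh_host)
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        proto, src, sport, dst, dport = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sport, dport = int(sport), int(dport)
        if src_ip.is_loopback and dst_ip.is_loopback:
            continue  # application <-> local SOCKS port, never on the wire
        if (dst_ip, dport) == (ssh_ip, ssh_port):
            continue  # laptop -> SSH host: the encrypted tunnel
        if (src_ip, sport) == (ssh_ip, ssh_port):
            continue  # SSH host -> laptop: the encrypted tunnel
        # Anything left crossed the untrusted network in the clear.
        kind = "dns-leak" if 53 in (sport, dport) else "outside-tunnel"
        findings.append((kind, proto, f"{src}:{sport} -> {dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE, "192.0.2.10"):
        print(*finding)
```

Pass the port you actually use as `ssh_port` if sshd listens somewhere other than 22. Housekeeping traffic such as DHCP will also show up as `outside-tunnel` in a real capture and can be ignored.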

69 Responses to “HOWTO: Secure Firefox and IM with PuTTY”

  1. Nathan Says:

    Or, if you use linux, in a terminal type:

    ssh -D 7070 nathan@foo.bar.com   # This is the remote address

    And follow the rest of the tutorial.

  2. John Says:

    Heh. Good call. That’s easy enough. :)

  3. Austoon Daily » HOWTO: Secure Firefox and IM with PuTTY Says:

    [...] One of the best ways to secure your connection is to use a VPN, but that isn’t always practical. So here’s a way to securely connect to the net using only an SSH client and a remote box that you control/trust . [...]

  4. bhaskar Says:

    To add to what nathan suggested, on linux do

    ssh -qTfnN -D 7070 remotehost

    All the added options are for a ssh session that’s used for tunneling.

    -q :- be very quiet, we are acting only as a tunnel.
    -T :- Do not allocate a pseudo tty, we are only acting as a tunnel.
    -f :- move the ssh process to background, as we don’t want to interact with this ssh session directly.
    -N :- Do not execute remote command.
    -n :- redirect standard input to /dev/null.

    In addition on a slow line you can gain performance by enabling compression with the -C option.

  5. Pretentious nonsense » SSH tunneling Says:

    [...] I noticed a nice secure tunneling tutorial over at digg that uses putty. It might be useful to someone.   [...]

  6. Nathan W Says:

    if you type in ssh -fD 7070 bla@bla.com
    this will make the tunnel run as a background service, so you don’t have an empty terminal open

  7. HOWTO: Secure Firefox/IM/email from anywhere with PuTTY at Morad’s Bloggie Says:

    [...] Quick, step-by-step HOWTO to set up secure, encrypted tunnels for web browsing, instant messaging, and email from anywhere. No need to set up a VPN. Great for working from hotels and coffee shops! read more | digg story [...]

  8. Photar Says:

    You should also mention DNS leakage.

  9. joechang Says:

    If you’re on Windows, even easier is to download and use bitvise tunnelier. stays open and minimizes into the tray, and will even reattempt connection should you be dropped. as good as it gets for a background ssh tunneler for windows. google ‘download bitvise tunnelier’ .

  10. weregeek Says:

    Don’t forget to make sure that you don’t leak DNS queries:

    (quoted from metropipe.net)

    ONLY use Firefox 1.5.0.2, go to about:config and set network.proxy.socks_remote_dns to true. This method only protects Firefox from the problem.

  11. FireFox Hacker -- Firefox Hacks, Tweaks, Tutorials and more » Securing Firefox With Putty Says:

    [...] Howto Secure Firefox with Putty [...]

  12. analogAI Says:

    For a GUI-less version that does basically the same thing, you can use plink in the PuTTY package. On the windows platform, you can combine it with VBScript WshShell to bring up a GUI prompt for password.

    "plink.exe -ssh -2 -batch -v -C -N -L " & localHost & ":" & localTunnelPort & ":" & remoteHost & ":" & remoteTunnelPort & " -pw " & remoteGatewayPassword & " " & remoteGatewayUserName & "@" & remoteGateway & " > " & logName & " 2>&1"

  13. Random Guy Says:

    In Firefox and Thunderbird, you need to set the network.proxy.socks_remote_dns option to true. Otherwise you will have DNS leakage and DNS will not resolve when proxied into a private network. I don’t use the other apps, so I don’t know how they handle SOCKS v5 (or 4A) name resolution.

  14. Bog Says:

    Can you do this with VNC?

  15. Can U Bulee Dat?! » Blog Archive » HOWTO: Secure Firefox/IM/email from anywhere with PuTTY Says:

    [...] Quick, step-by-step HOWTO to set up secure, encrypted tunnels for web browsing, instant messaging, and email from anywhere. No need to set up a VPN. Great for working from hotels and coffee shops! read more | digg story [...]

  16. Code Thread » Cool stuff Says:

    [...] Came across this link on Digg. Talks about how to use PuTTY to tunnel connections over SSH to access the net through a trusted box rather than on an unsecured wireless network. Pretty easy step-by-step instructions with screenshots. [...]

  17. zean.no-ip.info » HOWTO: Secure Firefox and IM with PuTTY Says:

    [...] http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/   [...]

  18. web-ology.com » links for 2006-05-23 Says:

    [...] import this. » Blog Archive » HOWTO: Secure Firefox and IM with PuTTY (tags: putty security)   [...]

  19. Chrono Cr@cker Says:

    Very interesting article. Good read. Must read for users who access the net from many places.

    Mozilla Firefox has a lot of disadvantages though.

  20. All Dugg » Blog Archive » HOWTO: Secure Firefox/IM/email from anywhere with PuTTY Says:

    [...] Quick, step-by-step HOWTO to set up secure, encrypted tunnels for web browsing, instant messaging, and email from anywhere. No need to set up a VPN. Great for working from hotels and coffee shops! read more | digg story [...]

  21. anonymono Says:

    It does not work for me, what am I doing wrong? I have SUSE 10.1 with OpenSSH installed (/etc/init.d/sshd status returns “running”) and I have followed all the steps. Firefox tells me that it can’t connect to the proxy :-?

  22. sshlog » 20060523 Says:

    [...] HOWTO: Secure Firefox and IM with PuTTY - Use PuTTY to set up an SSH tunnel, then connect out through that tunnel. [...]

  23. El Pato Sánchez!!! » Archivo del weblog » HOWTO: Secure Firefox and IM with PuTTY Says:

    [...] http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/ [...]

  24. The Completely Evil Blog » Blog Archive » HOWTO: Create secure Firefox and IM sessions with PuTTY Says:

    [...] HOWTO: Secure Firefox and IM with PuTTY [...]

  25. duder Says:

    Hi-

    Checking it out with SmartSniff, I fully see all the packets. How can I be ensured of encryption? What did I do wrong?

  26. burpee Says:

    Or even better yet, just connect through ssh to your remote box and use elinks for web browsing and a text based instant messenger client for chatting.

  27. Do No 3vil » Blog Archive » How to surf securely in a wifi hotspot Says:

    [...] On a linux host you could to the following: ssh -qTfnN -D 7070 remotehost instead of using putty.  Thanks to thinkhole for this great article [...]

  28. Jules Says:

    A warning here:

    The most common problem with using public computers for secure access is NOT packet sniffing (which this protects against) - but rather KEYSTROKE CAPTURE - which this does NOTHING to protect.

    J.

  29. links for 2006-05-24 at protocol7 Says:

    [...] HOWTO: Secure Firefox and IM with PuTTY (tags: security firefox putty gaim SSH) [...]

  30. THE Blog » Blog Archive » HOWTO: Secure Firefox/IM/email from anywhere with PuTTY Says:

    [...] Source: http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/ [...]

  31. Crypto Resync Says:

    Secure Firefox and IM with PuTTY…

    Using public WiFi, while nice because it is free, is a sandbox for hackers to capture data that you might have otherwise thought was secure. Any black hat can use freely available tools that can sniff the data leaving your computer and capture that in…

  32. Anthony Says:

    I typically just ssh into my machine and browse with links or elinks.

    Much faster. But this is useful.

    Thanks!

  33. J3satan Says:

    Sounds like a cool idea but why not just use tor or torpark on a thumb drive to take care of your anonymity? You can use tor with gaim and the PGP plugin to encrypt aim traffic.

  34. John Says:

    J3:

    (1) For my purposes, I don’t really care about anonymity.

    (2) I tried Tor, and found it to be quite slow. Certainly slower than a non-Tor setup.

    That said, Tor may be a good solution for people, depending on the needs/problem to be addressed.

  35. Specfuckingtacular » Links of the Week Says:

    [...] How To: secure Firefox and IM with PuTTY (when connected to a public/unsafe network) [...]

  36. Unofficial DreamHost Blog Says:

    More Tips for Secure Communication…

    Previously I’ve written about how to use SFTP, SSH and SSL to secure your web surfing experience. One of the tips was to use PuTTY as your SSH client to create an encrypted connection to DreamHost’s servers.
    thinkholelabs now features a gre…

  37. Chris Dzombak » Blog Archive » SSH, Tunneling, and Dreamhost Says:

    [...] Resources for tunneling your traffic through your Dreamhost server using SSH. Here, here, here, and here. [...]

  38. Kirill Ponomarew (krion) blog mess » Daily del.icio.us bookmarks for 2006-05-25 Says:

    [...] Secure Firefox and IM with PuTTY (tags: browser firefox putty security ssh tunnel vpn) [...]

  39. Bilange’s Blog - What’s up? » Meebo: connexion sur MSN, via Internet Explorer/Firefox Says:

    [...] To connect to a Linux machine, most people use SSH, which is basically a secure connection over which you can do file transfers, terminal/console/shell, and more. This article shows how to configure Putty (an ssh program for Windows) to connect to a machine AND configure a proxy for locally run programs (like MSN), to redirect them to the SSH connection. [...]

  40. -TMA-1- » Blog Archive » links for 2006-05-27 Says:

    [...] HOWTO: Secure Firefox and IM with PuTTY (tags: Tech HOWTO SSH Security Putty) [...]

  41. Life, it is a Travesty… » links for 2006-05-24 Says:

    [...] import this. » Blog Archive » HOWTO: Secure Firefox and IM with PuTTY Very good tutrorial with comments that make sense. This is good for the paranoid among us. (tags: ssh putty vpn terminal telnet mail im) [...]

  42. fredyubuntu Says:

    the proxy doesn’t work with GAIM…I don’t know why…it says it can’t connect to it.

  43. nostrich.net » Blog Archive » OpenSSH on a Windows Box Says:

    [...] I read a great tip recently that told you how to securely connect to the Internet through an unknown or insecure network using SSH tunnelling, but it does require you to have access to a host running OpenSSH. Simple on Linux, not so simple on Windows. But it is possible, here’s how. [...]

  44. Vincent Says:

    wow, this is pretty cool. thx for the information

  45. Sacrosanct Security Solutions » Blog Archive » HOWTO: Secure Firefox/IM/email from anywhere with PuTTY Says:

    [...] read more | digg story [...]

  46. Dylan K Says:

    network.proxy.socks_remote_dns only works on plain proxies, once you start using SSH, it doesn’t work very well, because DNS uses UDP, and SSH can’t forward UDP… just try it for yourself. I’m using Firefox 1.5.0.4. I’ve tried this with PuTTY and with a few other programs, always the same results with Ethereal:
    http://img152.imageshack.us/img152/7194/dns5ib.jpg

    If anybody knows how to get around this (besides Privoxy)… let me know. :)

  47. Tristor Says:

    Instead of using hidden settings in Firefox/Thunderbird to keep from leaking your DNS queries, you can use Privoxy and set it up to connect to the SSH tunnel, and then from there set everything to use Privoxy. Privoxy will do your DNS queries through the tunnel.

  48. Tristor Says:

    ^^Dylan:

    There isn’t really any way around it other than using Privoxy or encapsulating your DNS queries in some fashion so they can be sent over the tunnel normally (which is what Privoxy does). But since Privoxy is free and easy to setup, I don’t see why there is any problem with using it.

  49. Adam Platti’s Blog » Blog Archive » Reasonably Secure Internet Access on Public WiFi Says:

    [...] I found some great info about how to surf the web at WiFi hotspots with some extra security.   You need a remote server somewhere running OpenSSH and an SSH client like PuTTy.    If you set it up (it’s easy), it will protect you against some jack ass at the internet cafe running Wireshark, or some other network protocol analyzer. [...]

  50. Security » HOWTO: Secure Firefox/IM/email from anywhere with PuTTY Says:

    [...] Quick, step-by-step HOWTO to set up secure, encrypted tunnels for web browsing, instant messaging, and email from anywhere. No need to set up a VPN. Great for working from hotels and coffee shops! read more | digg story [...]

  51. Alexey Says:

    With help of free client Hummingbird SOCKS V8.001 it’s easy to socksify any Windows program using PuTTY’s tunnel, including Opera and any other program, that don’t support socks proxy natively.

  52. ziegs2020.com | secure your shit Says:

    [...] No Related Posts a nice article on keeping your IMs and browsing private when you’re on wireless. via thinkhole « « gmail | [...]

  53. Code Thread :: Cool stuff Says:

    [...] Came across this link on Digg. Talks about how to use PuTTY to tunnel connections over SSH to access the net through a trusted box rather than on an unsecured wireless network. Pretty easy step-by-step instructions with screenshots. [...]

  54. groove10 Says:

    Why isn’t this an actual extension in Firefox.

    Something that would configure all the details and remain “embedded” in FF? A port-forward with an SSH connection is all that’s needed.

    Are there some licensing issues somewhere that I don’t know about?

    I would hope that this extension would be easy enough to use such that the more novice end users who are concerned about security would be able to easily set up a tunnel and encryption without having to download too many other programs or mess with the command-line.

    Just a thought. I’m not a programmer, otherwise I’d try to do it myself.

  55. Lars Says:

    Has anyone found a SIP client that can be run this way? I’ve been looking like mad for a socks enabled SIP client but can’t seem to find any…
    It would be great to be able to SSH tunnel to the PBX from any net.

  56. mmb » Blog Archive » links for 2007-02-16 Says:

    [...] how to set up a secure web proxy using putty and Firefox also change about:config network.proxy.socks_remote_dns (tags: howto web proxy ssh putty firefox) [...]

  57. Matt Van Dusen Says:

    @Tristor: …and once you’re done setting up Privoxy, PuTTY, Firefox, etc. on whatever remote computer you’re using, your time’s up…

    Personally, I don’t care if someone gets kicks from watching what web sites I’m visiting, or if they grab my data going over the line. Anything I need secured is already running 128-bit or 256-bit SSL (for web sites) or I conduct those activities by simply PuTTYing into the server (for mail/config).

  58. Firewall an der Schule - Apfeltalk Says:

    [...] permalink ssh -qTfnN -D 7070 remotehost there is some info on the topic in the comments here.. but without a server with shell access it unfortunately doesn’t help. [...]

  59. 2ge Says:

    I found freecap - it is something like sockscap for windows, you can socksify any windows program, opera has no socks support (no socks4 as you wrote).

  60. totally superfluous rambling » Blog Archive » WPA Can also be Cracked!! Says:

    [...] I’ll be trying to figure out how to use secure email protocols.  I’ve already tried to switch to using SCP instead of Dreamweaver or Filezilla to transfer files (and using Secure FTP when in Dreamweaver).  So it’s pretty much just a change in how I do things.  And just for my memory more than anything - here is a link to securing Firefox and IM. I’ll be looking into doing that. [...]

  61. Foxhop Says:

    Not only does this tunnel out for privacy, but it’s an awesome method of bypassing annoying firewalls and site blockers. : )

  62. fulanpeng Says:

    I set up the Firebox. I setup the ssh server on the server side and Putty on the client side. What should I do with the ssh server? Do I have to issue the command when I have logged into ssh server with the Putty?

    After I am able to log in to the ssh server with Putty, then I set up the Firebox. Now the Putty part is confusing. Do we have to log into the ssh server while we are using Firefox? Please help me out! Now my Firefox saying the proxy server is refusing connection.

  63. fulanpeng Says:

    I figured it out. Actually there are only 3 portions of the job:
    1, set up the ssh server
    2, set up the client, putty or ssh
    3, set up the browser.

    To set up the tunnel, it is done in the second step. As long as the user is able to log in remotely, the ssh server job is done. You do not need to issue a command on the server side to talk to the client (ssh or Putty). The tunnel is built by the client on the client’s machine. This is hard to understand. Usually, on the server side, the server has to do something to cooperate with the client.
    Sounds like Firefox won’t work with Socks4. We have to explicitly tell Firefox to use Socks5.

    Now my tunnel is working. The big problem is:
    which DNS the browser is using? When I input a wrong DNS on the TCP/IP property, browser won’t find the site. This seems that the browser is still using the local DNS. How do I know the browser is really using remote DNS. I have done the about:config part.

  64. fulanpeng Says:

    On the command window, you can fire this command. Then configure Firefox to listen to 127.0.0.1:7000

    plink.exe -D 7000 your_login@the_ssh_server -P 443 -N -C -pw "your_pass phrase" -i "the_private_key_file_you_created_by_putty_keygen"

    assuming you have already put the public key in your home/.ssh directory. Name it as authorized_keys.

  65. fulanpeng Says:

    I tried out FreeCap working with Putty ssh tunnel for Skype. Skype is extremely aggressive. It can penetrate any firewall without any help of DNS, local or remote. If you just tell Skype to use your Socks proxy, it won’t work. It will go beyond of your proxy and find some other port to reach outside. If you put Skype in your FreeCap, Skype cannot find any other port except the proxy you set up. This way, all of your Skype traffic will go through your Socks tunnel. Also you can drag Firefox into FreeCap. MS Internet Explorer won’t work with FreeCap and Putty Socks tunnel. It uses the local DNS and bypasses your tunnel.

    Now if you fire the command:
    plink.exe -D 7000 your_login@the_ssh_server -P 80 -N -C -pw "your_pass phrase" -i "the_private_key_file_you_created_by_putty_keygen",
    the man in the dark world will have hard time to read your traffic!

  66. S Says:

    I’ve used SSH tunnel with FF for a while, never knew about the DNS leakage. Kinda worried now. Anyway, I also wondered, why do you have to choose SOCKS(5)? Why not just use http proxy, use same proxy for all protocols? Is this leaking info too?

  67. Will Boyce Says:

    Hmm, I did all of the above (well, the necessary steps) as youtube is blocked from my new office, yet is a vital part of most news stories (especially on theregister.co.uk).. So, simple enough, ssh -D.. No joy! ssh hostname -L 8080:proxy:proxy_port works fine, but ssh hostname -D 8080 doesn’t work at all.. Firefox can connect to the proxy, but never loads anything. Anybody got any ideas about this odd behaviour?

  68. John Says:

    I have this working no problem. However, it will not work from my office. I can setup the SSH connection from just about any network, but when I try it at work, putty can’t connect to my server….. is there a setting that I can adjust? How can my office admins block ssh on the network?

  69. Putty, SSH, Tunneling (Proxy) by JM Says:

    [...] very helpful tutorial on how to use Putty to Tunnel your Firefox activities through an SSH connection — essentially, make it look like your machine is wherever your server [...]
