How do I keep my web access safe from sniffing?

Home » Internet

Summary: Your web access can be easily sniffed when you're in a public WiFi hotspot. Logins on web sites that don't use https are vulnerable to sniffing. We'll look at one technique to avoid this.

I read your article How can I keep my email safe from sniffing? about keeping your email and most importantly email passwords safe whenever you use a public WiFi hotspot. My problem is that I also have websites on my own server that I need to visit which require a user name and password. Unfortunately, they are not https encrypted which implies that those user names and passwords could be sniffed and stolen. Is there a similar solution to keep this type of web access safe?

Yes, indeed.

I'll warn you, though, this gets pretty geeky.

•

I have several websites on my servers, and some of them are definitely not for the public. A good example might be the MovableType administrative interface that I use to publish Ask Leo! and other sites. This, and my other administrative sites require a user name and password.

Unfortunately these are all unencrypted http, not https, connections. If I access those sites in a public place such as my local coffee house's free WiFi hotspot, someone else could sniff my traffic and extract the user name and password I use.

Now, I could run around and set up https for each of these sites, purchasing a certificate for each, or installing a "self signed" certificate on each. But since I've already done "SSH tunneling" for email, it wasn't much of a stretch to expand on that to encrypt the web traffic as well.

There are two steps:

Creating the tunnel
Setting up fake DNS

We'll look at both here.

Creating the tunnel

"There are two steps: Creating the tunnel [and] Setting up fake DNS"

As with the email tunnel discussed in that earlier article, you must have SSH (Secure SHell) access to your server. If you do not (and if you don't know, you probably don't), you can stop reading now. Check with your ISP if you like, to see if you can get it, but this technique relies on SSH being available on your server.

Start by getting the free SSH client and tools called PuTTY. Get the ZIP file that contains all the tools, because we'll be using more than just the PuTTY client.

One of the tools is called "plink". In a command shell, run the following:

plink -v -L 80:webserver:80 -2 you@webserver -N -pw yourpassword

Where:

-v: verbose - optional, but it will show you what plink is doing setting up the tunnel, and as long as the tunnel is active.
-L 80:webserver:80: defines a tunnel of port 80 on your local machine to go to port 80 on the webserver. Port 80 is the port used for http connections. You would replace "webserver" with the name or IP address of your web server. (For reasons we'll see shortly, IP address is actually preferred.)
-2: force ssh v2 protocol only. Optional, but slightly more secure. Use it unless your remote server doesn't support it.
you@webserver: your ssh login account name @ your web server.
-N: no shell. Normally plink will also open up an interactive shell. For our purposes here we don't need one.
-pw yourpassword: your password for your ssh login account name. You can also leave this off to be prompted instead.

Leave plink running once it connects.

You now have a tunnel. Go to your browser and enter http://localhost as the URL; you should see some activity on the plink line and you should get the default page that your server offers up.

And the communication between your machine and your server went over an encrypted SSH connection.

Now to get to specific sites you care about.

Setting up fake DNS

If the default website you just viewed is sufficient, then you're done. However it's more likely you actually have several websites defined on your server, only some of which need to be tunneled.

The tunnel we've just set up is only used when you attempt to view a web page from "localhost", meaning IP address 127.0.0.1. The result is we need to make your website "look like" it's at 127.0.0.1 by faking DNS.

Locate your "hosts" file; typically it's c:\windows\system32\drivers\etc\hosts. Edit hosts using notepad or some other text editor, and add the following line:

127.0.0.1 webserver

Where "webserver" is the domain hosted on your server that you want to tunnel to. It's common for that to be a subdomain; something like "admin.example.com", but you can tunnel to any domain.

This is where we run into a chicken and egg problem. If your hosts file fakes DNS to make "webserver" appear as if it's at 127.0.0.1, then the plink line used to establish the tunnel can't use "webserver" as the server it's attempting to tunnel to. The solution is to in plink use either use a different domain that resolves to the same server, or just use the IP address of your server.

If you have several domains on the same server that you want to tunnel to (as I do), then just add additional entries to the host file:

127.0.0.1 mt.example.com
127.0.0.1 admin.example.com

Only domains listed are tunneled, so if you need to tunnel both "example.com" and "www.example.com", you'll need to list both. Any domains not listed in the hosts file are not tunneled.

The steps, in summary

So next time you visit your local WiFi hotspot and need to access the sites you're concerned about, you:

Establish an SSH tunnel between your local machine and your server using plink.
Fake the DNS for each of the domains you wish to tunnel, either by editing your hosts file, or perhaps copying in a pre-edited version of the hosts file.
Surf away, securely!

Important: when you are done, CTRL+C to abort plink, and then don't forget to remove the fake DNS entries from your hosts file.

Related:

Ask Leo! - How can I keep my email safe from sniffing?
Ask Leo! - Can hackers see data going to and from my computer?
Ask Leo! - How do I create and use Public Keys with SSH?

Article 10767 | Posted October 1, 2006

•