Sunday, March 6, 2011

How to Browse Privately on Public Wi-Fi

If you're a mobile worker who likes to go online using public Wi-Fi services--in coffee shops and elsewhere--you probably don't realize how insanely reckless you're being.
Public Wi-Fi is the worst kind of Internet connection. Data isn't encrypted as it flies through the air; and as the recent Firesheep debacle showed, it's incredibly easy for others using the same network to grab your log-in details for sites such as Facebook.
One method of protecting yourself is to use a browser extension such as HTTPS Everywhere, which forces your browser to connect by default to a site's secure HTTPS server. Unfortunately, very few sites have one. Alternatively, you can pay for VPN services, but these can be quite slow.
In this tutorial, I'll explain how to create a secure setup that will stop anybody from snooping on your Wi-Fi-transmitted data, regardless of the type of Internet connection you use. It won't cost a penny, either, because we'll be using entirely free-of-charge software--though you will need an old PC to act as a server, and your Internet router must be able to work with a dynamic DNS service. (Most can--and even if yours can't, a firmware update might be able to give it that functionality.)
The technique I'll use involves creating a secure shell (SSH) server on the old computer at home or work, and then doing all of your Web browsing through that server via an encrypted tunnel across the Internet.
It's not a perfect solution because DNS look-ups occur via the public Wi-Fi connection, so somebody could theoretically find out what sites you've been visiting, but this result is unlikely.
The instructions cover four stages, the first three of which explain how to set everything up.

Setting Up the SSH Server

1. Start by downloading the standard desktop release of Ubuntu Linux (don't download the server version unless you're experienced with the Linux command line). I chose to install version 10.10 of Ubuntu. Install it on the old computer that you're going to use as a server.
[Image: Install the SSH server software on Ubuntu.]
There's no minimum specification for the old computer, but ideally it would have at least 1GB of RAM. It will be an Internet-facing machine, however, so remove any personal data--such as files contained in an old Windows installation--from it.
2. Once the Ubuntu installation is complete, get your new Ubuntu system online via ethernet or Wi-Fi to your home or work router, and ensure that it's fully updated (select System, Administration, Update Manager, and then click the Check button, followed by the Install Updates button).
3. When updating has finished, open a command-line prompt (go to Applications, Accessories, Terminal) and type the following: sudo apt-get install openssh-server. Once that installation is done, close the command-line window.
That's all you have to do to set up the Ubuntu machine. Henceforth, all you need to do before leaving the house to work remotely is to boot up the server and log in to your account to ensure that the machine gets an Internet connection.
There's no need to run any additional software, since everything runs in the background. If you don't mind the electricity bill, you could leave the machine booted up 24 hours a day, but check its power-saving settings (at System, Preferences, Power Management) to ensure that the system doesn't drift off into sleep mode.

Configuring Your Internet Router

1. At this stage, you'll need to create a static domain name for your server, and then configure your router to allow incoming connections, so you can always connect to it while you're out and about. Head over to Dyndns.com and create a free domain name (look in the lower-left portion of the Dyndns home page). You can choose just about anything for the DNS address--I created keirthomas.dyndns-office.com, for example.
In order to set up the domain name, you'll have to create a new account at Dyndns.com--but doing so is free. Be careful when registering your new domain: Dyndns.com tries very hard to sell you for-a-fee accounts and seeing the smaller links that set up the free stuff can be difficult.
[Image: Create a host name at dynamic DNS.]
2. You'll know when the Dyndns account is fully set up because you'll reach a screen that shows the host name alongside your router's public IP address.
Next, you must configure the dynamic DNS feature of your router so that it will always inform Dyndns of its public IP address.
The method for doing this varies from router to router, but generally you'll need to select Dyndns.com from a dropdown list within the configuration screen and then enter both your Dyndns username and your password, along with the host address that you created (I entered keirthomas.dyndns-office.com, for example). If prompted about setting up multiple hosts, be aware that there's no need to do this.
3. You'll also have to create a firewall rule on the router to enable incoming SSH traffic to pass through the firewall automatically to reach your new Ubuntu server. Again, the details of this process vary. Some routers refer to creating these rules as "setting up application sharing." If you've ever created a firewall rule for online gaming or file sharing, you'll know where to look in your router's configuration options because the SSH rule is essentially the same thing, except that this time you must allow port 22 to pass through.

Configuring Your Laptop

1. Most of the hard work is now done. On the laptop that you're going to use out in the wild, download and install PuTTY (a free, open-source app that will act as your SSH client). PuTTY doesn't have an installation routine, so you'll need to put the .exe file somewhere safe on your hard drive, such as in your Documents folder.
PuTTY does two things: It opens the secure tunnel to the Ubuntu server; and it runs a SOCKS proxy on your laptop that your Web browser can connect to in order to use the tunnel.
[Image: Set up an SSH tunnel using PuTTY.]
2. Start PuTTY and, in the tree view of configuration options on the left, click the SSH option under the Connection heading. In the new submenu that appears, select Tunnels. Under the Destination heading in the PuTTY dialog box, select the Dynamic radio button; and in the Source Port text field, enter 8080. Then click the Add button.
3. Back in the tree view of configuration options in PuTTY, click the Session heading at the top. In the Hostname (or IP Address) field, type the Dyndns domain that you created earlier (again, I would type keirthomas.dyndns-office.com). In the Saved Sessions text field, type a name so you can save your new configuration (something like SSH tunnel is fine). Then click the Save button.
4. Now you should configure your browser, which involves setting it to work with a proxy server. If you use Firefox, installing the FoxyProxy Basic add-on will enable you to switch quickly between using a proxy server and deactivating it when you're back at home. You can search for and install it by using the Add-Ons window of Firefox (go to Tools, Add-ons).
5. Once you've installed FoxyProxy Basic, select its entry in the Tools menu in Firefox, and select Options on the submenu. Then, in the FoxyProxy Basic configuration dialog box, click the Add New Proxy button.
6. In the dialog box that appears, confirm that Manual Proxy Configuration is selected. Then, in the Host or IP Address field, type localhost; and in the port field, type 8080. Add a check mark to the SOCKS proxy? checkbox. Leave everything else as is, and click OK. Close the FoxyProxy Basic dialog box.
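The DNS caveat from the introduction depends on which form of SOCKS request the browser hands to PuTTY's proxy on localhost:8080: a request carrying an IP address means the name was already resolved over the Wi-Fi link, while one carrying the hostname is resolved at the far end of the tunnel. The following is an added example, not part of the original article, that builds and classifies each request form; example.com and 192.0.2.10 are constructed sample values.

```python
import ipaddress
import struct

def socks4_connect(ip, port):
    """SOCKS4 CONNECT: carries only an IPv4 address, so the browser resolved the name."""
    return struct.pack(">BBH", 4, 1, port) + ipaddress.IPv4Address(ip).packed + b"\x00"

def socks4a_connect(host, port):
    """SOCKS4a CONNECT: dummy address 0.0.0.1, then the hostname for the far end to resolve."""
    return (struct.pack(">BBH", 4, 1, port) + b"\x00\x00\x00\x01\x00"
            + host.encode("ascii") + b"\x00")

def socks5_connect(port, host=None, ip=None):
    """SOCKS5 CONNECT (sent after the method greeting): ATYP 3 = hostname, ATYP 1 = IPv4."""
    if host is not None:
        name = host.encode("ascii")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = b"\x01" + ipaddress.IPv4Address(ip).packed
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)

def classify(request):
    """Return (protocol, target, port, where_dns_happened) for a CONNECT request."""
    if len(request) < 9:
        raise ValueError("request too short")
    if request[0] == 4:
        port, ip = struct.unpack(">H", request[2:4])[0], request[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:  # SOCKS4a marker address
            host = request[8:].split(b"\x00")[1].decode("ascii")
            return ("socks4a", host, port, "tunnel")
        return ("socks4", str(ipaddress.IPv4Address(ip)), port, "local")
    if request[0] == 5 and request[3] == 3:
        n = request[4]
        host = request[5:5 + n].decode("ascii")
        port = struct.unpack(">H", request[5 + n:7 + n])[0]
        return ("socks5", host, port, "tunnel")
    if request[0] == 5 and request[3] == 1:
        port = struct.unpack(">H", request[8:10])[0]
        return ("socks5", str(ipaddress.IPv4Address(request[4:8])), port, "local")
    raise ValueError("unsupported SOCKS request")

if __name__ == "__main__":
    for req in (socks4_connect("192.0.2.10", 80), socks4a_connect("example.com", 443),
                socks5_connect(443, host="example.com"), socks5_connect(443, ip="192.0.2.10")):
        print(classify(req))
```

In Firefox, the about:config preference network.proxy.socks_remote_dns controls whether the hostname form is sent to the SOCKS proxy.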

Open the Tunnel Via Your Laptop

Setup is now finished. In future, before you leave your house or office to work remotely, make sure that the Ubuntu computer is booted up and that you've logged in to it. Then follow these instructions when you reach your destination.
1. Log in to the public Wi-Fi service that you want to use.
2. Start PuTTY, and select the new entry that you created in the list of Saved Sessions. Click the Open button to start the secure tunnel connection.
The first time you do this, your system will inform you that the host key is not in the Registry. This is fine--just click Yes in the dialog box that appears to add the host key. This dialog box will not appear during future sessions.
[Image: To create the secure tunnel you'll need to log in via PuTTY.]
3. Every time you log in using PuTTY, a window will appear bearing the words Login As. Enter the username for the account that you created on your Ubuntu computer, and enter the password when prompted. You'll then log in to the new computer and be shown a command prompt, but you don't have to type anything there, and you can minimize the PuTTY window to get it out of the way. However, you must keep the PuTTY window open in order for the tunnel to work.
4. Start Firefox and select the proxy entry that you created earlier from the FoxyProxy Basic entry on the Tools menu.
And that's it!
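The host-key prompt in step 2 is the one point where the laptop can confirm it has reached the Ubuntu server rather than something else on the Wi-Fi network, by comparing the fingerprint in the dialog with one taken from the server beforehand. This added example (not from the original article) computes both fingerprint forms from a line of the server's /etc/ssh/ssh_host_rsa_key.pub; the sample key is a constructed filler blob, not a real key.

```python
import base64
import hashlib
import struct

def _ssh_string(data):
    """Length-prefixed field as used inside SSH public-key blobs."""
    return struct.pack(">I", len(data)) + data

# Constructed sample only: a well-formed "ssh-rsa" blob with filler bytes, not a real key.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + bytes(range(1, 129))))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@server"

def fingerprints(pubkey_line):
    """Return the MD5 (colon-hex) and SHA256 (base64) fingerprints of a public-key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob repeats the key type as its first field; a mismatch means a mangled line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "md5": md5, "sha256": "SHA256:" + sha256}

def prompt_matches(shown, pubkey_line):
    """True if the fingerprint shown in the client's prompt belongs to this server key."""
    fp = fingerprints(pubkey_line)
    shown = shown.strip()
    return shown.lower() == fp["md5"] or shown == fp["sha256"]

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_LINE)
    print(fp["type"], fp["md5"])
    print(fp["sha256"])
```

Older PuTTY builds show the MD5 colon-hex form in the prompt and current SSH clients show the SHA256 form, so the comparison accepts either.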
From this point on, you'll be browsing via your own secure tunnel. To confirm this, open another browser (such as Internet Explorer) and visit WhatsMyIp.com. This site will display the public IP address of the Wi-Fi service you're using in the coffee shop.
However, visiting WhatsMyIp with Firefox will show a different IP address--the one for your home or work router, which is feeding you the Websites via the secure tunnel. In other words, all of your Web data is coming to you via this IP address, through the secure tunnel. To anyone snooping on the connection, the data will consist of encrypted garbage.
When you've finished working remotely, you can close the PuTTY window, and switch Firefox back to a nonproxy connection by clicking FoxyProxy Basic, followed by Completely Disable FoxyProxy on the Tools menu of Firefox.

Source: http://www.pcworld.com