Skip to main content

Using Meerkat to secure wireless web browsing

A hot topic in the news today is Firesheep, a Firefox web browser extension that takes advantage of a security vulnerability in many popular websites like Twitter and Facebook and allows you to login to those sites as any other user on the network! This makes use of the practice of exchanging login information for web browser cookies that are then used to gain access, but which on open networks are subject to interception and reuse by other parties.

Our SSH tunnel manager Meerkat has always supported the ability to secure your web browsing on open networks. It does this with what's called a SOCKS proxy. The basic idea is you tell Mac OS X to use a proxy server, your web browser proxies all website requests through this server, and the server makes the actual requests for information to the website. The connection between your browser and the proxy server is encrypted via SSH, providing a workaround to network-based snooping.

Here's how to set it up:

Step 1: Add an SSH account to Meerkat

If you have an SSH account through your web hosting provider or someplace else, add the details to a new Meerkat account. [screenshot]

Step 2: Add a tunnel to Meerkat that uses this account

Be sure to check the Dynamic forwarding option and choose a high port (something in the 6000-9000 range is ideal) for the tunnel. [screenshot]

Step 3: Configure a SOCKS proxy in Network settings

In the System Preferences application, choose Network, then the AirPort connection, then Advanced... settings. Choose the Proxies tab, then SOCKS Proxy, then enter 127.0.0.1 as the hostname (this means the local computer, where the tunnel endpoint resides) and the port number from above. Choose OK, then Apply to apply the changes. [screenshot 1] [screenshot 2]

Step 4: Browse the web securely!

Just activate the tunnel in Meerkat. All web browser traffic will now go through the SSH account that you setup.

While these steps are a little involved, unfortunately web browser proxies aren't a simple procedure. One way that this can be automated is with Meerkat's free plugin for NetworkLocation, an application that can apply settings based on physical location changes. You can get the plugin in the NetworkLocation website's "Extras" section or from the sidebar on Meerkat's web page.

Have any questions about this? See the Meerkat support forums if you need a hand and we'll try to help out!

Happy -- and safe -- surfing!

Update: I've also heard tips from Meerkat users about setting their SOCKS tunnel to automatically start when using a particular web browser. Meerkat supports associating a tunnel with an app so that when the app stats, the tunnel is enabled and when it is quit, the tunnel is disabled. This is another great option to help with auto-configuration.

Trackback URL for this post:

http://codesorcery.net/trackback/367

Works by location too

Proxies are by network location, too, so it's easy to switch back and forth. I have a network location I call 'open wifi' for this. I also have iStat Menus, which has a network monitor status bar widget that lets me change network locations.

End result? mouse up to the upper right: 2 clicks on iStat Menus to change location, 2 clicks on Wifi to change network, right click on meerkat in the dock and enable tunnel. Boom, I'm safe.

Custom Commands of connect / disconnect

Hi,

I have been testing meerkat for proxy tunneling.

Would it be possible to specify a command / script on connection / disconnection of a profile. If so, something along the following could be run to automate the system proxy change. So on connect:-

networksetup -setsocksfirewallproxy AirPort 127.0.0.1 3333 off

and on disconnect:-

networksetup -setsocksfirewallproxystate Airport off

There are many other uses for this as well!

Just a thought. Would like to hear your feedback.

Harvey