Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How do I keep my web access safe from sniffing?

Question:

I read your article How can I
keep my email safe from sniffing?
about keeping your email and most
importantly email passwords safe whenever you use a public WiFi hotspot. My
problem is that I also have websites on my own server that I need to visit
which require a user name and password. Unfortunately, they are not https
encrypted which implies that those user names and passwords could be sniffed
and stolen. Is there a similar solution to keep this type of web access
safe?

Yes, indeed.

I'll warn you, though, this gets pretty geeky.

Become a Patron of Ask Leo! and go ad-free!

I have several websites on my servers, and some of them are definitely not
for the public. A good example might be the MovableType administrative
interface that I use to publish Ask Leo! and other sites. This, and my other
administrative sites require a user name and password.

Unfortunately these are all unencrypted http, not https, connections. If I
access those sites in a public place such as my local coffee house's free WiFi
hotspot, someone else could sniff my traffic and extract the user name and
password I use.

Now, I could run around and set up https for each of these sites, purchasing
a certificate for each, or installing a "self signed" certificate on each. But
since I've already done "SSH tunneling" for email, it wasn't much of a stretch
to expand on that to encrypt the web traffic as well.

There are two steps:

  • Creating the tunnel

  • Setting up fake DNS

We'll look at both here.

Creating the tunnel

"There are two steps: Creating the tunnel [and] Setting
up fake DNS"

As with the email tunnel discussed in that earlier article, you must have
SSH (Secure SHell) access to your server. If you do not (and if you don't know,
you probably don't), you can stop reading now. Check with your ISP if you like,
to see if you can get it, but this technique relies on SSH being available on
your server.

Start by getting the free SSH client and tools called PuTTY. Get the ZIP file that contains all the tools,
because we'll be using more than just the PuTTY client.

One of the tools is called "plink". In a command shell, run the
following:

plink -v -L 80:webserver:80 -2 you@webserver -N -pw
yourpassword

Where:

  • -v: verbose - optional, but it will show you what plink is
    doing setting up the tunnel, and as long as the tunnel is active.
  • -L 80:webserver:80: defines a tunnel of port 80 on your
    local machine to go to port 80 on the webserver. Port 80 is the port used for
    http connections. You would replace "webserver" with the name or IP address of
    your web server. (For reasons we'll see shortly, IP address is actually
    preferred.)
  • -2: force ssh v2 protocol only. Optional, but slightly
    more secure. Use it unless your remote server doesn't support it.
  • you@webserver: your ssh login account name @ your web
    server.
  • -N: no shell. Normally plink will also open up an
    interactive shell. For our purposes here we don't need one.
  • -pw yourpassword: your password for your ssh login account
    name. You can also leave this off to be prompted instead.

Leave plink running once it connects.

You now have a tunnel. Go to your browser and enter http://localhost as the URL; you should
see some activity on the plink line and you should get the default page that
your server offers up.

And the communication between your machine and your server went over an
encrypted SSH connection.

Now to get to specific sites you care about.

Setting up fake DNS

If the default website you just viewed is sufficient, then you're done.
However it's more likely you actually have several websites defined on your
server, only some of which need to be tunneled.

The tunnel we've just set up is only used when you attempt to view a web
page from "localhost", meaning IP address 127.0.0.1. The result is we need to
make your website "look like" it's at 127.0.0.1 by faking DNS.

Locate your "hosts" file; typically it's
c:\windows\system32\drivers\etc\hosts. Edit hosts using notepad or some other
text editor, and add the following line:

127.0.0.1 webserver

Where "webserver" is the domain hosted on your server that you want to
tunnel to. It's common for that to be a subdomain; something like
"admin.example.com", but you can tunnel to any domain.

This is where we run into a chicken and egg problem. If your hosts file
fakes DNS to make "webserver" appear as if it's at 127.0.0.1, then the plink
line used to establish the tunnel can't use "webserver" as the server it's
attempting to tunnel to. The solution is to in plink use either use a different
domain that resolves to the same server, or just use the IP address of your
server.

If you have several domains on the same server that you want to tunnel to
(as I do), then just add additional entries to the host file:

127.0.0.1 mt.example.com
127.0.0.1 admin.example.com

Only domains listed are tunneled, so if you need to tunnel both
"example.com" and "www.example.com", you'll need to list both. Any domains not
listed in the hosts file are not tunneled.

The steps, in summary

So next time you visit your local WiFi hotspot and need to access the sites
you're concerned about, you:

  • Establish an SSH tunnel between your local machine and your server using
    plink.

  • Fake the DNS for each of the domains you wish to tunnel, either by editing
    your hosts file, or perhaps copying in a pre-edited version of the hosts
    file.

  • Surf away, securely!

Important: when you are done, CTRL+C to abort plink, and then don't
forget to remove the fake DNS entries from your hosts file.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.