Thursday, January 6, 2011

Surfing the Web securely on Free Wifi Hotspots

Everyone likes free, especially free Wifi. We are all on devices that need an internet connection, and we are more than happy to connect to these free Wifi hotspots to get internet access. There is of course a big problem with all this. If your Wifi is not secure (most free Wifi hotspots are not secured by encryption), anyone using the same Wifi connection can snoop on the information exchanged between you (the browser) and the website that you are connecting to. This is OK if you are just surfing the web reading news articles and such, or if the website that you are using uses https (where the s in https stands for secure). However, we tend to use services like Facebook, Twitter, etc. that don't use https. There is a Firefox plugin, Firesheep, that can actually show you how trivial it is to hijack another person's Facebook / Twitter account if they happen to be logged into Facebook from the same coffee shop you are logged in from.

Obviously I still want to be able to use free hotspots in places like Starbucks. To be secure, I typically use the following setup on my Mac to keep my stuff away from snooping eyes. Here is a very short HOWTO on how to use an ssh tunnel to do secure web browsing on a Mac (this will work on Windows and Linux as well with small tweaks).


  • openssh (I installed openssh using mac ports: port install openssh)

  • Firefox add-on called QuickProxy

  • a shell account with ssh access (this could be your hosted account or if you are a geek perhaps a dd-wrt router at home)


  • Create an ssh tunnel to your server. If you have a private/public key pair set up, this will be quick and easy
    /opt/local/bin/ssh -D 9999 user@host

  • Now create a proxy configuration in Firefox -> Preferences -> Advanced -> Network -> Settings
    Click on Manual Proxy Configuration and set just the SOCKS host to localhost and the Port to 9999

  • Now install the QuickProxy add-on to be able to switch between the proxy being on and off.

  • To keep people from knowing where you are surfing, or to keep a malicious one from doing a DNS phish, change the following setting: type about:config in the Firefox address bar and then search for network.proxy.socks_remote_dns
    network.proxy.socks_remote_dns = true

  • When you are on an insecure Wifi hotspot, simply turn the proxy on in the status bar of Firefox. This will make all traffic go through the ssh tunnel created in step 1.

  • Go to to see what the server sees as your IP Address. You will notice that when the proxy is on, all traffic flows through the SSH tunnel (encrypted) and the IP address is different from when you connect directly.


  • Remember that only your browser is using the SOCKS proxy.
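Why the network.proxy.socks_remote_dns step matters, as an added example that is not part of the original post: it builds the SOCKS5 CONNECT request (RFC 1928) the browser sends into the tunnel with the setting on and off, and records which hostnames had to be looked up on the local network first. The function names, the CONSTRUCTED_DNS table and its address are assumptions made for this sketch.

```python
import ipaddress
import struct

SOCKS_VERSION, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# Constructed sample data: stands in for the hotspot's DNS server.
CONSTRUCTED_DNS = {"www.example.com": "192.0.2.10"}


def build_connect_request(host, port, remote_dns, local_resolver):
    """Return (request_bytes, hostnames_resolved_locally).

    remote_dns mirrors network.proxy.socks_remote_dns; local_resolver is a
    hypothetical stand-in for the operating system's DNS lookup.
    """
    leaked = []
    if remote_dns:
        # The hostname itself travels inside the encrypted tunnel.
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # The lookup happens on the open Wifi, outside the tunnel.
        leaked.append(host)
        ip = ipaddress.ip_address(local_resolver(host))
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0])
    return header + addr + struct.pack("!H", port), leaked


def parse_connect_request(data):
    """Decode what the ssh end of the tunnel receives: (kind, target, port)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        kind, target = "hostname", data[5:end].decode("ascii")
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        end = 4 + (4 if atyp == ATYP_IPV4 else 16)
        kind, target = "ip", str(ipaddress.ip_address(data[4:end]))
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("truncated or oversized request")
    return kind, target, struct.unpack("!H", data[end:])[0]
```

With remote_dns set to True the leaked list stays empty and the server end receives a hostname to resolve itself; with False the hostname is resolved on the hotspot before the tunnel is used, and only the resulting IP goes through it.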
