Hacker News new | ask | show | jobs
by tpahax0r 5679 days ago
SideStep basically automates ssh -D for you and sets up a local SOCKS proxy. However SOCKS proxies (and thus the current version of Sidestep) can only protect TCP traffic that supports SOCKS proxies. For example, you can't tunnel your DNS requests over a proxy (without tinkering with Firefox's about:config).

Also, since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile network (if you don't have a firewall).

If you want complete privacy where ALL of your IP traffic is tunneled out, OpenVPN (or other tunneling layer 3 solution) is the way to go.
2 comments
riobard 5679 days ago
Thanks for the explanation! There are a few things I don't understand fully, could you please talk a bit more?

“since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile network (if you don't have a firewall).”

I believe on OS X the SOCKS proxy is applied globally, unlike Windows where you have to do per-application settings. So aside from DNS queries, I guess other TCP connections should go through SOCKS? That should cover the major problem of FireSheep.

Also, since on Windows/OS X/iOS there is no default OpenVPN clients, I use PPTP/L2TP/IPSec-based VPN instead because they are available by default. Is there any advantage of OpenVPN over them?

link
tpahax0r 5679 days ago
For the purpose of defeating FireSheep, ssd -D works just fine.

OpenVPN in the configuration of the blog post utilizes 443/tcp, which is open at most places, while the ports required for PPTP/L2TP/IPSec could be closed.

link
draebek 5679 days ago
Worst than just "ports" AFAIK: last I checked PPTP required use of either GRE or its own protocol (I can't remember which)--so not TCP nor UDP, and thus more likely to be blocked or simply NATed incorrectly. I don't recall how L2TP works, but I bet it uses a different IP protocol as well. I'm not sure if it's common to use L2TP unless it's tunneled in IPsec these days. IPsec can run over UDP if configured correctly. (I always encountered the UDP transport in the context of NAT-T which has/had its own set of problems. For example, it used to be the case that many IPsec "servers" had a problem with more than a single NAT-T client behind the same NAT. Not sure if that's still the case as this stuff is no longer my job, thankfully.)
link
nodata 5679 days ago
If you want complete privacy where ALL of your IP traffic is tunneled out, OpenVPN (or other tunneling layer 3 solution) is the way to go.

If you don't have a static ip at home, OpenVPN with this configuration will mean loss of privacy to everyone on the internet.

link