Possibly Historical Document - Last Updated Wed Oct 12 18:11:44 2005

Secure Access - The "Internet Cafe" Problem

SSH provides secure end-to-end communication, but it does not automatically protect other traffic such as Web or email access. These unencrypted protocols are vulnerable to snooping on wireless LANs or untrusted network equipment, and to diversion through DNS manipulation. However, the port forwarding feature of SSH may be used to tunnel the access through the untrusted network to a more trusted one, such as TRIUMF's.

Proxy at TRIUMF

A Squid proxy is running on trshare.triumf.ca:3128. This may be used from offsite by SSH tunnelling (port forwarding); e.g. Linux OpenSSH:

$ ssh -L 3128:trshare.triumf.ca:3128 yourid@ibm00.triumf.ca
(PuTTY/XWin32 on Windows has an equivalent feature)

The Web browser may then be configured to use localhost:3128 as a proxy; e.g. for Mozilla:

This provides encryption between the laptop and TRIUMF, and thus protection against snooping for things like website logins and general surfing behaviour. (It is not a substitute for SSL where trust is an issue, e.g. establishing the authenticity of a bank website.)