Possibly Historical Document - Last Updated Wed Oct 12 18:11:44 2005
Secure Access -
The "Internet Cafe" Problem
SSH provides secure end-to-end communication, but it does not automatically
protect other traffic such as Web or email access. These unencrypted
protocols are vulnerable to snooping on wireless LANs or untrusted
network equipment, and to diversion through DNS manipulation. However,
the port forwarding feature of SSH may be used to tunnel the access through
the untrusted network to a more trusted one, such as TRIUMF's.
Proxy at TRIUMF
A Squid proxy is running on
trshare.triumf.ca:3128. This may be used from offsite by SSH tunnelling (port forwarding);
e.g. Linux OpenSSH:
(PuTTY/XWin32 on Windows has an equivalent feature)
The Web browser may then be configured to use localhost:3128 as
a proxy; e.g. for Mozilla:
This provides encryption between the laptop and TRIUMF, and thus
protection against snooping for things like website logins and
general surfing behaviour. (It is not a substitute for SSL where trust is an
issue, e.g. establishing the authenticity of a bank website.)
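An added example, not from the original page: the OpenSSH forward to the proxy above, with the listener pinned to loopback so other hosts on the untrusted LAN cannot use the tunnel, plus a check that a request goes through it. The login host `user@ssh-host.example` and the test URL are placeholders the page does not supply, and the `up`/`check` arguments and function names are this example's own.

```shell
#!/bin/sh
# Added example: SSH local forward to the Squid proxy named on the page.
SSH_LOGIN="${SSH_LOGIN:-user@ssh-host.example}"  # placeholder: page names no login host
PROXY_HOST="trshare.triumf.ca"                   # from the page
PROXY_PORT=3128                                  # from the page
LOCAL_BIND="127.0.0.1"                           # listen on loopback only

# Build the -L argument: bind_address:port:host:hostport
forward_spec() {
    printf '%s:%s:%s:%s\n' "$LOCAL_BIND" "$PROXY_PORT" "$PROXY_HOST" "$PROXY_PORT"
}

# Succeed only if the spec names loopback explicitly. An empty or '*' bind
# address listens on all interfaces; a spec with no bind address depends on
# the GatewayPorts setting, so it is rejected here as not explicit.
# (IPv4 and hostnames only; bracketed IPv6 forms are not handled.)
has_explicit_loopback_bind() {
    case "$1" in
        127.0.0.1:*:*:*|localhost:*:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Open the tunnel in the background without running a remote command.
start_tunnel() {
    spec=$(forward_spec)
    if ! has_explicit_loopback_bind "$spec"; then
        echo "refusing non-loopback bind: $spec" >&2
        return 1
    fi
    # ExitOnForwardFailure: exit rather than stay connected with no forward
    # (for example when local port 3128 is already taken).
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "$SSH_LOGIN"
}

# Fetch a page through the tunnel and print the HTTP status code.
# The URL is a placeholder; any plain-HTTP site will do.
check_proxy() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        -x "http://${LOCAL_BIND}:${PROXY_PORT}" "http://example.com/"
}

case "${1:-}" in
    up)    start_tunnel ;;
    check) check_proxy ;;
esac
```

Run it with `up` to open the tunnel and `check` to confirm the proxy answers on localhost:3128 before pointing the browser at it.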