DaemonForums  

#1
6th April 2010
Simon
Port Guard
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts
encrypt my downloads

I want to encrypt my downloads. Can you take a look at what I did?

At work, I can use a public (static) IP address for an OpenBSD box (SDSL).
At home, I have a dynamic IP address.

Code:
 AT WORK--------------------------------ssh_tunnel------------------AT Home
OpenBSD_Box_ssh_Server--------((Internet))-------Apple imac
So on my iMac I use:
Code:
ssh -D 1080 hello.atwork.info
The tunnel is OK. Then I add a SOCKS proxy: 127.0.0.1 port 1080.

On the OpenBSD box (only one NIC), sshd is running; my pf.conf:
Code:
set skip on lo
set block-policy drop
nat on egress from rl0:network -> egress
block in log on egress
pass in log inet proto tcp from any to any port 22
pass out
When I use Safari on the iMac and type http://whatismyip.org, I can see the IP address of hello.atwork.info, so it works. I launched a download on the iMac and tried "tcpdump -i rl0" on the OpenBSD box while my iMac was downloading:

Code:
00:52:02.269468 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 241921:243361(1440) ack 144 win 17280 <nop,nop,timestamp 3715967102 858590288> (DF) [tos 0x10]
00:52:02.476293 kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017 > hello.atwork.info.ssh: . ack 240481 win 65520 <nop,nop,timestamp 858590290 3715967101> (DF)
00:52:02.476328 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 243361:244801(1440) ack 144 win 17280 <nop,nop,timestamp 3715967102 858590290> (DF) [tos 0x10]
00:52:02.476335 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 244801:246241(1440) ack 144 win 17280 <nop,nop,timestamp 3715967102 858590290> (DF) [tos 0x10]
00:52:02.763498 ftp.proxad.net.www > hello.atwork.info.50031: . ack 1 win 109 <nop,nop,timestamp 4045426174 3421550309> (DF)
00:52:02.763518 hello.atwork.info.50031 > ftp.proxad.net.www: . ack 262089 win 0 <nop,nop,timestamp 3421550310 0> (DF)
00:52:02.765519 kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017 > hello.atwork.info.ssh: . ack 243361 win 65520 <nop,nop,timestamp 858590293 3715967102> (DF)
00:52:02.765568 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 246241:247681(1440) ack 144 win 17280 <nop,nop,timestamp 3715967103 858590293> (DF) [tos 0x10]
00:52:02.765576 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 247681:249121(1440) ack 144 win 17280 <nop,nop,timestamp 3715967103 858590293> (DF) [tos 0x10]
00:52:02.765586 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 249121:250561(1440) ack 144 win 17280 <nop,nop,timestamp 3715967103 858590293> (DF) [tos 0x10]
00:52:02.974385 kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017 > hello.atwork.info.ssh: . ack 246241 win 65520 <nop,nop,timestamp 858590295 3715967102> (DF)
00:52:02.974421 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 250561:252001(1440) ack 144 win 17280 <nop,nop,timestamp 3715967103 858590295> (DF) [tos 0x10]
00:52:02.974429 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 252001:253441(1440) ack 144 win 17280 <nop,nop,timestamp 3715967103 858590295> (DF) [tos 0x10]
^C
631 packets received by filter
0 packets dropped by kernel
I have some questions ;-)
On the iMac, is the traffic encrypted? Can't the ISP see what I download?
On the OpenBSD box, it seems to me that the traffic is not encrypted while my iMac is downloading? Can the ISP see what I download (from both sides)?

Can you advise me?
Or perhaps there is an easier solution to achieve my goal?

Thanks

Last edited by Carpetsmoker; 6th April 2010 at 08:21 PM. Reason: Add [code] tags for readability
#2
6th April 2010
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

The encryption ceases at the endpoint, your home system. The traffic would be encrypted between your work and home, but it couldn't possibly be encrypted after that point, as communications with the remote host (like whatismyip.org) would be just HTTP, not HTTPS.

There is no way to do what you ask unless the remote services you're accessing support encryption, and I'm not sure if HTTPS can be negotiated over a SOCKS proxy. OpenSSH does support other types of tunnels, though.
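As an added illustration (not code from the thread), this Python script groups tcpdump lines like the ones the OP captured on the OpenBSD box into per-peer legs and flags which legs are encrypted: the SSH leg to the home iMac is, while the leg from the box out to the download server (ftp.proxad.net, port www) is not, which is the cleartext traffic an observer on the box's uplink would see. The sample lines are constructed in the shape of the capture posted above; the gateway hostname hello.atwork.info is taken from the post, and the assumption that only SSH and HTTPS count as encrypted is mine.

```python
import re
from collections import defaultdict

# Sample input constructed for this example, in the shape of the OpenBSD tcpdump
# lines posted above: an SSH leg to the home machine and an HTTP leg to the server.
SAMPLE = """\
00:52:02.269468 hello.atwork.info.ssh > kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017: . 241921:243361(1440) ack 144 win 17280 (DF) [tos 0x10]
00:52:02.476293 kikoo-107-1-32-186.w90-43.abo.wanadoo.fr.50017 > hello.atwork.info.ssh: . ack 240481 win 65520 (DF)
00:52:02.763498 ftp.proxad.net.www > hello.atwork.info.50031: . ack 1 win 109 (DF)
00:52:02.763518 hello.atwork.info.50031 > ftp.proxad.net.www: . ack 262089 win 0 (DF)
631 packets received by filter
"""
# "HH:MM:SS.usec src.port > dst.port: flags [seq:end(len)] ..." (TCP lines only).
LINE_RE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): \S+ (?:\d+:\d+\((?P<len>\d+)\))?")

# Assumption: SSH and HTTPS are the only encrypted services in play; any other
# leg the gateway relays is readable by whoever sits on its uplink.
ENCRYPTED_SERVICES = {"ssh", "22", "https", "443"}


def split_endpoint(endpoint):
    """'hello.atwork.info.ssh' -> ('hello.atwork.info', 'ssh')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def service_port(a, b):
    """tcpdump resolves well-known ports to names; otherwise take the lower number."""
    names = [p for p in (a, b) if not p.isdigit()]
    return names[0] if names else min(a, b, key=int)


def classify_flows(capture, gateway):
    """Group packets seen on the gateway into (peer, service) legs with encryption status."""
    flows = defaultdict(lambda: {"encrypted": False, "packets": 0, "payload_bytes": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump summary lines and anything that is not TCP
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        peer = dst_host if src_host == gateway else src_host
        service = service_port(src_port, dst_port)
        leg = flows[(peer, service)]
        leg["encrypted"] = service in ENCRYPTED_SERVICES
        leg["packets"] += 1
        leg["payload_bytes"] += int(m["len"] or 0)  # payload only on data segments
    return dict(flows)


def cleartext_legs(capture, gateway):
    """The legs an observer on the gateway's uplink can read."""
    return sorted(k for k, v in classify_flows(capture, gateway).items() if not v["encrypted"])
```

To check a real capture, pass the saved tcpdump output and the box's hostname to `cleartext_legs`; every leg it returns is traffic the ISP at that side can read.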
#3
6th April 2010
Simon
Port Guard
Join Date: Jan 2010
Posts: 30
Thanked 0 Times in 0 Posts

Thanks.

I saw software like ipredator.se and anchorfree.com.
Is it not possible to build a thing like that, and so:
encrypt downloads and hide them from our ISP?
#4
6th April 2010
Nightweaver
Fdisk Soldier
Join Date: May 2008
Location: Belgrade, Serbia
Posts: 47
Thanked 5 Times in 4 Posts

Create your own proxy server and connect to it through Stunnel. So:

You <--> Proxy <--> Internet

Everything that goes between you and your proxy will stay encrypted via Stunnel. That is the traffic your ISP sees.
__________________
If it moves, crypt it. Unless it's static - then you should double-crypt it.
#5
6th April 2010
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

Even with services like ipredator, the tunneled traffic is encrypted between your system and theirs, so your own provider can't easily (if at all) determine what you're downloading, but theirs can.

They make the connections on your behalf, unencrypted on their end, and someone can still eavesdrop on or tamper with the contents en route to the destination.

Encrypt "content", not the communication channel.
#6
7th April 2010
wesley
Real Name: Wesley
Fdisk Soldier
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Re to Nightweaver

Quote:
Originally Posted by Nightweaver View Post
Create your own proxy server and connect to it through Stunnel. So:

You <--> Proxy <--> Internet

Everything that goes between you and your proxy will stay encrypted via Stunnel. That is the traffic your ISP sees.
Your traffic from you to the proxy will be encrypted, but from your proxy to the internet, nothing will be encrypted...