The SSH protocol is normally used to log in remotely to computers. In a pinch, however, it can also serve as an excellent privacy tool by providing the same encryption and security protections as a VPN service. Here’s how to use SSH to encrypt your Web browsing session.
VPN vs. SSH
First, though, we should make clear that encrypting Web traffic is not what SSH was designed to do. Nor is it especially easy or user-friendly to configure SSH in this way. If simplicity is important, you’re better off subscribing to a VPN service to keep your browsing private.
That said, SSH has some advantages over VPNs. For one, SSH services tend to be cheaper than VPNs. There are even a fair number of sites that offer free SSH accounts to the public. Companies and universities also often allow employees and students to create SSH accounts on their servers for free.
In addition, SSH can be advantageous because it works in situations where VPN services are intentionally blocked. Since encrypting Web traffic via SSH tunnels is less common than using VPNs, and because SSH has other important uses in administering servers, many service providers do not block it even if they restrict other privacy tools.
Creating an SSH SOCKS Proxy
To use SSH to encrypt your Web traffic and hide your real location, you use a technique called an SSH SOCKS proxy. Prerequisites include:
- An SSH account on a server somewhere. Any SSH server should do. You just need to know the server address, your login username and your password. (SSH accounts that use keys to log in are beyond the scope of this tutorial.)
- An SSH client on your computer. If you use Linux, it’s very likely that the command-line SSH tool, “ssh”, is already installed. From Windows, you can use a free client like PuTTY.
- Firefox as your Web browser. You can use other browsers, too, but in this tutorial we’ll only cover Firefox.
With prerequisites in place, follow these steps to set up a SOCKS proxy:
1. Log in to your SSH server, specifying port 9999 as the bind address, which is the local port where your SSH client will listen for SOCKS connections. (If you don’t know what this means, don’t worry. It’s not really important as long as you can follow the steps.) From the command line on Linux, you would log in with a command like this:
ssh -D 9999 firstname.lastname@example.org
If you are using a graphical front-end to connect to your SSH server, that’s fine, too. Just make sure to set port 9999 as the bind address before logging in. In most clients, you can configure the bind address using the preferences dialogue.
2. Configure Firefox to use a SOCKS proxy. First, go to Edit>Preferences (on some Firefox versions, use Tools>Options instead) to open the configuration tool. Next, click the Advanced tab, then Network. Then click the Settings button next to the line that says “Configure how Firefox connects to the Internet.” In the window that pops up, change from No proxy to Manual proxy configuration. In the SOCKS Host section, enter localhost as the server and 9999 as the port. (You could actually use any port number, as long as it is the same as the bind address you used when logging in to your SSH server.)
With all this in place, save your settings and close the configuration windows in Firefox. Then browse away. All of your Web traffic in Firefox will be piped through your SSH connection, so it is encrypted between your computer and the SSH server. As a bonus, your physical location and public IP address will appear to sites on the Internet to be those of your SSH server, not your actual computer.
When you no longer wish to browse anonymously, open the Firefox network settings up again and switch back to No proxy.
Some Finer Points
Bear in mind that using a SOCKS proxy in Firefox protects only traffic inside that browser. Other online activity, like torrents or chats, won’t use the proxy unless you also configure the specific apps in question to do so.
Also be aware that an SSH SOCKS proxy can still leave you vulnerable to DNS leaks. Fortunately, there’s an easy fix for this in Firefox: type about:config in the address bar, find the line for network.proxy.socks_remote_dns and change its value to true. That will cause Firefox to send DNS queries through the secure SSH tunnel.