Spiped + SSH = Secure Proxy (opens in new tab)

(newlyancient.com)

20 pointsSlyShy12y ago22 comments

22 comments

20 comments · 9 top-level

dfc12y ago· 5 in thread

Why use the -f switch:

  -f Use fast/weak handshaking: This reduces the CPU time spent in the
     initial connection setup, at the expense of losing perfect forward
     secrecy.

morgante12y ago

Good catch. I'd been using the -f flag while troubleshooting (to speed up the initial connection), but have removed it now.

D9u12y ago

Maybe I'm missing something here...

On my FreeBSD and Linux systems, the ssh -f parameter sends the process to the background, and the -N prevents remote command execution.

cperciva12y ago

He's talking about the -f option to spiped.

cperciva12y ago

Maybe he wants perfect forward secrecy?

EDIT: I read the question backwards.

dfc12y ago

I thought adding `-f` meant that you lost PFS?

1 more reply

oijaf88812y ago· 4 in thread

I don't understand what advantage this has over just doing: ssh -D8080 username@server.name

Also does spiped natively act as a socks proxy? I was under the impression all it did was handle an encrypted stream of data from one socket to another.

morgante12y ago

> I don't understand what advantage this has over just doing: ssh -D8080 username@server.name

I used to do precisely that, but I think spiped has two major advantages:

1. It is more resilient on a flaky connection.

2. I trust the security of its codebase more than SSH, both due to its smaller footprint and cperciva's reputation.

dfc12y ago

As for why not the simple `ssh -D` the author states:

  In my experience, the spiped tunnel is highly reliable and
  recovers more gracefully than a standard SSH tunnel.

cobbal12y ago

From the article:

> In my experience, the spiped tunnel is highly reliable and recovers more gracefully than a standard SSH tunnel.

I've never had an issue with ssh -D though

cperciva12y ago

does spiped natively act as a socks proxy

No, it manages an arbitrary number of streams of encrypted data, but all it does is push bits (and encrypt/decrypt, of course).

lawl12y ago· 1 in thread

Are there any advantages over something like sshuttle? [0]

Doing sshuttle --dns 0/0 seems more convinient especially since a regular sshd on my box is all I need, no additional software. And it instantly tunnels all my traffic, no need to configure socks proxies. It also avoids TCP-over-TCP which it seems like you're doing?

[0] https://github.com/apenwarr/sshuttle

elementai12y ago

Probably the most convenient tunnelling tool I've ever used.

When paranoia strikes me really hard I run Tails liveCD in VirtualBox, it automagically routes everything through TOR and virtually nothing goes to hdd, except probably swapping to disk.

D9u12y ago· 1 in thread

From the link to the OpenSSL vulnerability;

  Unfortunately, there's nothing users can do to protect themselves

Um, how about a VPN, or ssh with dynamic forwarding?

I would do something like;

ssh -C -D 8080 -fN user@server.tld

Then it's as simple as setting your web connected applications to use the localhost proxy on port 8080.

morgante12y ago

> Um, how about a VPN, or ssh with dynamic forwarding?

That's exactly what the goal of this is. Except it avoids using SSH over the public network, since spiped is more reliable and also (I think) more trustworthy. One takeaway for me from the heartbleed bug is to place less trust in large, general-purpose C libraries. Compared to SSH, spiped is a comparatively much smaller codebase, maintained by the excellent cperciva.

peterwwillis12y ago

I know Colin likes to keep commenting that the simplicity of spiped makes it inherently more secure than more complex alternatives. I haven't evaluated the code, nor done a study to see if the number of lines of code always correlates to number of security holes, or if the complexity of the operations compared to the number of lines is related to the number of security holes, and what the bounds of that are. But I just took a brief look at one file and saw this:

  /* Generate a 32-byte connection nonce. */
  if (crypto_entropy_read(H->nonce_local, 32))
           goto err1;

  /* Send our nonce. */
  if ((H->write_cookie = network_write(s, H->nonce_local, 32, 32, 
       callback_nonce_write, H)) == NULL)
           goto err1;

  /* Read the other party's nonce. */
  if ((H->read_cookie = network_read(s, H->nonce_remote, 32, 32,
       callback_nonce_read, H)) == NULL)
           goto err2;

The gotos themselves aren't harmful (even though I don't get why people still use gotos). What strikes me as really funny about this code is its over-simplicity is what caused a huge crypto bug to be missed in Apple's iOS 7 recently. Take a look at the above code and then this security hole[1], and tell me if you can't spot a potential problem.

[1] http://www.wired.com/2014/02/gotofail/

azth12y ago

> As an American living in a Middle Eastern monarchy, multiple government agencies are likely monitoring my internet traffic

Ironically, living in the democracy of the United States would have yielded a similar situation (except remove "likely").

khrf12y ago

> In System Preferences, configure your network to connect to a SOCKS proxy at localhost:8089. Now all your internet activity is securely routed through your server.

That's a big surprise. all your internet activity?!?! Even when I use curl/wget/IRC/netcat? Skype, xmpp, git, email client? As I understand SOCKS proxy will be used by web-browser only, am I wrong?

rakoo12y ago

Just a heads up: he seems to be running ssh as root [0]. My mom always told me not to run ssh as root, but maybe things change with Docker since it's running in a virtualized OS.

[0] https://github.com/morgante/spiped-docker/blob/master/Docker...

morgante12y ago

Looks like my server is having some issues. The post is also on GitHub.

https://github.com/morgante/spiped-docker/blob/master/readme...

j / k navigate · click thread line to collapse

22 comments

20 comments · 9 top-level

dfc12y ago· 5 in thread

Why use the -f switch:

  -f Use fast/weak handshaking: This reduces the CPU time spent in the
     initial connection setup, at the expense of losing perfect forward
     secrecy.

morgante12y ago

Good catch. I'd been using the -f flag while troubleshooting (to speed up the initial connection), but have removed it now.

D9u12y ago

Maybe I'm missing something here...

On my FreeBSD and Linux systems, the ssh -f parameter sends the process to the background, and the -N prevents remote command execution.

cperciva12y ago

He's talking about the -f option to spiped.

cperciva12y ago

Maybe he wants perfect forward secrecy?

EDIT: I read the question backwards.

dfc12y ago

I thought adding `-f` meant that you lost PFS?

1 more reply

oijaf88812y ago· 4 in thread

I don't understand what advantage this has over just doing: ssh -D8080 username@server.name

Also does spiped natively act as a socks proxy? I was under the impression all it did was handle an encrypted stream of data from one socket to another.

morgante12y ago

> I don't understand what advantage this has over just doing: ssh -D8080 username@server.name

I used to do precisely that, but I think spiped has two major advantages:

1. It is more resilient on a flaky connection.

2. I trust the security of its codebase more than SSH, both due to its smaller footprint and cperciva's reputation.

dfc12y ago

As for why not the simple `ssh -D` the author states:

  In my experience, the spiped tunnel is highly reliable and
  recovers more gracefully than a standard SSH tunnel.

cobbal12y ago

From the article:

> In my experience, the spiped tunnel is highly reliable and recovers more gracefully than a standard SSH tunnel.

I've never had an issue with ssh -D though

cperciva12y ago

does spiped natively act as a socks proxy

No, it manages an arbitrary number of streams of encrypted data, but all it does is push bits (and encrypt/decrypt, of course).

lawl12y ago· 1 in thread

Are there any advantages over something like sshuttle? [0]

[0] https://github.com/apenwarr/sshuttle

elementai12y ago

Probably the most convenient tunnelling tool I've ever used.

When paranoia strikes me really hard I run Tails liveCD in VirtualBox, it automagically routes everything through TOR and virtually nothing goes to hdd, except probably swapping to disk.

D9u12y ago· 1 in thread

From the link to the OpenSSL vulnerability;

  Unfortunately, there's nothing users can do to protect themselves

Um, how about a VPN, or ssh with dynamic forwarding?

I would do something like;

ssh -C -D 8080 -fN user@server.tld

Then it's as simple as setting your web connected applications to use the localhost proxy on port 8080.

morgante12y ago

> Um, how about a VPN, or ssh with dynamic forwarding?

peterwwillis12y ago

  /* Generate a 32-byte connection nonce. */
  if (crypto_entropy_read(H->nonce_local, 32))
           goto err1;

  /* Send our nonce. */
  if ((H->write_cookie = network_write(s, H->nonce_local, 32, 32, 
       callback_nonce_write, H)) == NULL)
           goto err1;

  /* Read the other party's nonce. */
  if ((H->read_cookie = network_read(s, H->nonce_remote, 32, 32,
       callback_nonce_read, H)) == NULL)
           goto err2;

[1] http://www.wired.com/2014/02/gotofail/

azth12y ago

> As an American living in a Middle Eastern monarchy, multiple government agencies are likely monitoring my internet traffic

Ironically, living in the democracy of the United States would have yielded a similar situation (except remove "likely").

khrf12y ago

> In System Preferences, configure your network to connect to a SOCKS proxy at localhost:8089. Now all your internet activity is securely routed through your server.

That's a big surprise. all your internet activity?!?! Even when I use curl/wget/IRC/netcat? Skype, xmpp, git, email client? As I understand SOCKS proxy will be used by web-browser only, am I wrong?

rakoo12y ago

Just a heads up: he seems to be running ssh as root [0]. My mom always told me not to run ssh as root, but maybe things change with Docker since it's running in a virtualized OS.

[0] https://github.com/morgante/spiped-docker/blob/master/Docker...

morgante12y ago

Looks like my server is having some issues. The post is also on GitHub.

https://github.com/morgante/spiped-docker/blob/master/readme...

j / k navigate · click thread line to collapse