Secure Public Wifi Browsing / CyberCafes


Nick Reese

Dec 4, 2010, 1:01:29 PM
to the technomads
Hey all, I wanted to know what you all had up your sleeves with regard
to internet security.

Living the technomad lifestyle I think it is something that needs to
be addressed.

Yesterday there was an awesome discussion on Hacker News on using
Amazon's EC2 service to set up an inexpensive VPN.

While that discussion is pretty advanced it does seem like a brilliant
idea to use OpenVPN to secure all your internet traffic from prying

Along the same lines there are also several VPN providers that look

I am currently leaning towards VyprVpn as it is flat rate for
unlimited. $19.99/mo.

What do you use to protect yourselves?

Jack Bennett

Dec 4, 2010, 3:26:49 PM
On Sat, Dec 4, 2010 at 1:01 PM, Nick Reese <> wrote:
> Hey all, I wanted to know what you all had up your sleeves with regard
> to internet security.

Is your usage of VPN a response to the recent release of Firesheep,
and the relative lack of built-in SSL security on sites like Facebook?

I ask because it's likely that while technically savvy audiences may
know about this, not everyone even knows that there's a potential
problem for those who use open wifi networks.

Thanks for the tips re: possible VPN services - it's been on my radar
as a situation to get handled in the near future :)

Best wishes,

jack bennett |
Get my personal growth tips at:
Follow me on twitter at:

Leonard Lin

Dec 4, 2010, 4:03:45 PM
This is mentioned in the thread, but when on insecure wifi, usually I
use SOCKS proxying via SSH over a VPN.

There are a few reasons for that:
* Less brittle connection, the SSH tunnel will be maintained even when
there's extended connection problems
* More secure: when the tunnel is broken, it will stop sending data, vs
most VPN clients, which will simply send your data unencrypted if the
tunnel goes down
* Access to the local network: a VPN disables bonjour and other local
net resources whereas using a SOCKS proxy doesn't

If you're on a Mac, setting up using a SOCKS proxy is simple. Simply
create a 'Network Location' in the Network System Preferences and change
the Wifi to using a SOCKS proxy (localhost 1080). When you switch your
network location you will globally switch most Mac apps to require a
proxy (works w/ web browsers, Adium, Thunderbird, anything that respects
system level proxy settings)

And then using a tool or terminal, you can initialize the proxy tunnel
like so (alias as preferred):

ssh -N -p 22 -c 3des -D 1080 [ssh account/server]

I wrote a little doc on this a few years ago:

Nick Taylor

Dec 4, 2010, 4:04:10 PM

> What do you use to protect yourselves?

I've started using Perfect Privacy - Openvpn.

I'm using it under Ubuntu - which doesn't (I don't think) have the
simple setup that Windows has, so needed to get the Perfect Privacy
people to help me set it up. They also offered PPtP - an alternative to
OpenVPN... which is (apparently) easier to set up, but slightly less
secure (still more than enough for casual use though)

It's marginally slower than a naked connection, but this is more than
compensated for by the way I can simply route around messages that say
"not available in your territory" - and added peace of mind that I'm not
being spied on. It's slower, but I can still stream videos - and here in
NZ, that was always an iffy proposition to start with.

I chose Perfect Privacy because it's run by activists etc - which seemed
to me a little more trustworthy than a company that could quite easily
be bought by another company etc etc.


Brink of Complexity

Dec 4, 2010, 6:54:28 PM
Great info, Leonard :)

Eric and I also use SSH tunnels for security.  The port is configurable by the -D flag that you send to the ssh command, and the other flags listed are optional.

So, I usually initiate my proxy-able SSH session with only that flag, and leave off the others:

ssh -D 3344 lo...@host.tld.

sshd runs on port 22 by default, so unless you've configured the remote server you're tunnelling through to use something else, you don't need the -p.

The -N means "no command". If you leave that off, you'll get an ordinary ssh shell.  I usually want one anyway, both for working with data (and IRC screening) on the server I'm tunnelling through, and to clearly see when/if the connection drops.

The -c 3des flag is completely unnecessary, since 3des is the default encryption type for ssh protocol version 1, and you'll probably be connecting with version 2 anyway.  The default for version 2, without this flag is, in order of attempted use: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.

Eric advises using FoxyProxy Firefox add-on to enable the SOCKS proxy for browser sessions once the tunnel is open, both because it works across platforms, and because it has an option to perform DNS lookups on the remote end of the tunnel, thus securing against DNS-leakage-pwning (after any initial DNS request that might be required to open your tunnel in the first place, anyway).

- Brink
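
(Added example, not part of the post above.) The remote-DNS option mentioned for the SOCKS proxy comes down to one byte in the SOCKS5 CONNECT request: the address type says whether the client hands the proxy a hostname or an IP address it already resolved locally. The Python sketch below builds both forms per RFC 1928 and classifies a request; the hostname, the address and the `CONSTRUCTED_DNS` table are constructed sample values.

```python
import ipaddress
import struct

# Constructed stand-in for the local resolver (192.0.2.0/24 is a documentation range).
CONSTRUCTED_DNS = {"example.org": "192.0.2.10"}

def socks5_connect(host, port, remote_dns):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        addr = b"\x03" + bytes([len(name)]) + name  # ATYP=3: domain name
    else:
        # A real client would query the local resolver here; that query is
        # what crosses the untrusted network outside the tunnel.
        addr = b"\x01" + ipaddress.IPv4Address(CONSTRUCTED_DNS[host]).packed
    return head + addr + struct.pack("!H", port)

def classify(request):
    """Parse a CONNECT request and report which side resolved the name."""
    if len(request) < 5 or request[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == 3:                      # length-prefixed hostname
        start, size = 5, request[4]
    elif atyp in (1, 4):               # raw IPv4 or IPv6 address
        start, size = 4, (4 if atyp == 1 else 16)
    else:
        raise ValueError("unknown address type")
    if len(request) != start + size + 2:
        raise ValueError("truncated or oversized request")
    body = request[start:start + size]
    port = struct.unpack("!H", request[-2:])[0]
    if atyp == 3:
        return {"target": body.decode("ascii"), "port": port,
                "dns_resolved_by": "proxy"}
    return {"target": str(ipaddress.ip_address(body)), "port": port,
            "dns_resolved_by": "client"}

if __name__ == "__main__":
    for remote in (True, False):
        print(classify(socks5_connect("example.org", 443, remote)))
```

curl exposes the same choice as `--socks5-hostname` (hostname sent to the proxy) versus `--socks5` (name resolved locally first).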



Brink of Complexity

Dec 4, 2010, 7:09:49 PM
For US travel, Eric and I have been carrying with us a mobile 4G hotspot from Clear, eliminating quite a lot of our need to use cafe wifi in most cities and some towns.  The Clear network has been popping up brilliantly and quickly across the US, and I expect their coverage to be near-total by the end of next year.  The mobile 4G service is offered for about $40/mo.  Clear also offers nationwide 3G hotspots, which do 4G when available and 3G otherwise... but of course, we can just start a hotspot on a phone for that (slow, and can't use the phone as a phone at the same time). 

Running our own hotspot allows us to completely control our own network, so we use it even when other networks are available.

- Brink
