Tweet
so, in another thread there was a discussion about the easiest way to give a person the ability to browse the web or check email with some degree of crypto or security, even if this person has limited technical skills or limited freedom on their computer.
i just knocked together the following set of instructions for a fast, easy way to surf the web without traffic being monitored by anyone who is watching the network. this method does not rely on using any well-known or established proxy service (many of which send data in the clear, and all of which are easily recognized as a proxy service which could potentially indicate what the privacy-conscious person is up to)
here it is, a fast rundown of setting up your own private proxy and connecting to it from any random computer.
for this process to work, all you need is a computer and an internet connection which you control. (you will need to have one port exposed to the world from this computer. a home computer sitting behind a consumer firewall or router device will work fine as long as you understand rudimentary port forwarding)
step 0 - acquiring necessary tools
i've put up a zip file containing all necessary tools, although you're free to download them from other locations if you desire faster speeds or don't trust me to have not meddled with the binaries. ;-)
my zip file contains three tools...
WinSSL 1.7
OpenSSL 0.9.7a
Privoxy 3.0.3
... it also contains a handful of associated .dll files which are necessary in running the above tools.
step 1 - creating an SSL key file
the rsa_keygen.bat file will call OpenSSL which will walk you through creating a .pem key file. you can answer the questions this process asks with any data you like. i tend to just use the letter X a lot. (my name: XXXXXXX, my country: XX, my email address: XXXX@XXXXX.XXX, etc)
the end result is an RSA key file named new.pem. you will use this key file on your home computer when setting up the SSL server.
step 2 - setting up a web surfing proxy
install Privoxy on your home computer using the included setup file. all the defaults are fine, for the most part. fuss with things if you like, but you're not using Privoxy for any of its advanced capabilities (at least not at the moment... but it is a great tool that i encourage people to check out more fully)
now you have a personal web browsing proxy running on your home computer. it accepts connections from the localhost on port 8118 (that's the default port). if you wanted to, you could configure 127.0.0.1:8118 as your web proxy in whatever browser you're using at home. try this, perhaps, and surf the web if possible to see that Privoxy is working fine. you will see the onscreen log and receive web pages normally if everything is functional.
step 3 - setting up the SSL server
on your home computer, run wrap.exe (it requires that libeay32.dll and ssleay32.dll either be in your system directory or in the same path as wrap.exe in order to operate)
upon first opening, WinSSL will announce to you that it has no certificate file and no services defined.
first, we will set the certificate location. open the "configuration" window and type the name of the new keyfile we just generated in step two.
OK this window, then quit and restart WinSSL. it will now load the RSA certificate data on launch, but will still complain that no services are defined.
open the "Services" window. here we will specify the connection details
click to "add" a new service and give it a useful name. (in these images you can see i chose the name of "web proxy") leave the service type set to SSL Tunnel. leave the "listen host" box blank (this is for machines with more than one ethernet card and therefore more than one IP address. you can, if desired, set WinSSL to listen only on one of your adapters. leaving it blank will listen on all of them. on a typical home PC with only one IP address at any given time this makes no difference.)
if you want to be as inconspicuous as possible, configure this service to listen on either port 80 or port 443.
the "remote" details for this tunnel will be the local machine where you're sitting (and where you've just installed Privoxy)... 127.0.0.1 on port 8118.
be certain to mark the checkbox "use SSL for listening"
when you hit "OK" the ssl tool will show a new entry in the on-screen log. it should show this newly-defined service as having started and as presently listening for connections
step 4 - make your SSL server accessible from the public internet
go into your router or firewall configuration and make sure port 80 or 443 (or whatever port you'd like to use... anyone already running a webserver would have to have chosen a different one in step three when they were setting up their SSL server) is open and forwarding to the computer where WinSSL and Privoxy is running.
consult your firewall or router documentation for details on how to do this.
step 5 - connect to your web proxy from a remote site
now, you or anyone else can surf the web using you as a proxy. no special settings or authentication needed... they just have to run WinSSL on their computer
to make things as easy as possible for someone, do the following... create a new directory on your computer. copy wrap.exe, libeay32.dll, and ssleay32.dll into this directory. fire up this instance of wrap.exe. it will start without a configuration file to load. (no .ini file will be there)
specify a new service in this instance of WinSSL. make it an SSL tunnel that listens on 127.0.0.1, port 8118. set the remote host to the external IP of your home network. set the port to either 80 or 443 (or whatever you specified above) and check the box for "use SSL for remote"
once you OK this window, quit WinSSL. you now have wrap.exe and wrap.ini configured in a way that anyone else can use quickly and easily. you could put this on a USB drive or into a zip file (with those two .dll files) and it will be a one-step process for another person to launch the SSL tunnel on their computer.
if this specially prepared SSL tunnel is running on a computer, all one then has to do is set the web browser to use 127.0.0.1:8118 as a proxy server for its connection. then, all HTTP traffic is routed through the SSL tunnel (which may be operating on port 80 or 443) and back to your house where Privoxy spits it out to the web. this doesn't provide full end-to-end encryption (since traffic beween your home and the destination web sites is in the clear) but it has a very good chance of not raising any flags on, say, a company LAN where web surfing is monitored. all they would see is a fair bit of "web like" traffic (which is totally encrypted and unreadable) to a single IP address.
the only way i see this potentially being an issue is if the client machine leaks DNS data. some browsers may attempt to do a DNS resolve of hostnames at the local machine. however, a secure and privacy-conscious browser like Mozilla will pass all traffic (DNS lookups included) to the proxy.
i just knocked together the following set of instructions for a fast, easy way to surf the web without traffic being monitored by anyone who is watching the network. this method does not rely on using any well-known or established proxy service (many of which send data in the clear, and all of which are easily recognized as a proxy service which could potentially indicate what the privacy-conscious person is up to)
here it is, a fast rundown of setting up your own private proxy and connecting to it from any random computer.
for this process to work, all you need is a computer and an internet connection which you control. (you will need to have one port exposed to the world from this computer. a home computer sitting behind a consumer firewall or router device will work fine as long as you understand rudimentary port forwarding)
step 0 - acquiring necessary tools
i've put up a zip file containing all necessary tools, although you're free to download them from other locations if you desire faster speeds or don't trust me to have not meddled with the binaries. ;-)
my zip file contains three tools...
WinSSL 1.7
OpenSSL 0.9.7a
Privoxy 3.0.3
... it also contains a handful of associated .dll files which are necessary in running the above tools.
step 1 - creating an SSL key file
the rsa_keygen.bat file will call OpenSSL which will walk you through creating a .pem key file. you can answer the questions this process asks with any data you like. i tend to just use the letter X a lot. (my name: XXXXXXX, my country: XX, my email address: XXXX@XXXXX.XXX, etc)
the end result is an RSA key file named new.pem. you will use this key file on your home computer when setting up the SSL server.
step 2 - setting up a web surfing proxy
install Privoxy on your home computer using the included setup file. all the defaults are fine, for the most part. fuss with things if you like, but you're not using Privoxy for any of its advanced capabilities (at least not at the moment... but it is a great tool that i encourage people to check out more fully)
now you have a personal web browsing proxy running on your home computer. it accepts connections from the localhost on port 8118 (that's the default port). if you wanted to, you could configure 127.0.0.1:8118 as your web proxy in whatever browser you're using at home. try this, perhaps, and surf the web if possible to see that Privoxy is working fine. you will see the onscreen log and receive web pages normally if everything is functional.
step 3 - setting up the SSL server
on your home computer, run wrap.exe (it requires that libeay32.dll and ssleay32.dll either be in your system directory or in the same path as wrap.exe in order to operate)
upon first opening, WinSSL will announce to you that it has no certificate file and no services defined.
first, we will set the certificate location. open the "configuration" window and type the name of the new keyfile we just generated in step two.
OK this window, then quit and restart WinSSL. it will now load the RSA certificate data on launch, but will still complain that no services are defined.
open the "Services" window. here we will specify the connection details
click to "add" a new service and give it a useful name. (in these images you can see i chose the name of "web proxy") leave the service type set to SSL Tunnel. leave the "listen host" box blank (this is for machines with more than one ethernet card and therefore more than one IP address. you can, if desired, set WinSSL to listen only on one of your adapters. leaving it blank will listen on all of them. on a typical home PC with only one IP address at any given time this makes no difference.)
if you want to be as inconspicuous as possible, configure this service to listen on either port 80 or port 443.
the "remote" details for this tunnel will be the local machine where you're sitting (and where you've just installed Privoxy)... 127.0.0.1 on port 8118.
be certain to mark the checkbox "use SSL for listening"
when you hit "OK" the ssl tool will show a new entry in the on-screen log. it should show this newly-defined service as having started and as presently listening for connections
step 4 - make your SSL server accessible from the public internet
go into your router or firewall configuration and make sure port 80 or 443 (or whatever port you'd like to use... anyone already running a webserver would have to have chosen a different one in step three when they were setting up their SSL server) is open and forwarding to the computer where WinSSL and Privoxy is running.
consult your firewall or router documentation for details on how to do this.
step 5 - connect to your web proxy from a remote site
now, you or anyone else can surf the web using you as a proxy. no special settings or authentication needed... they just have to run WinSSL on their computer
to make things as easy as possible for someone, do the following... create a new directory on your computer. copy wrap.exe, libeay32.dll, and ssleay32.dll into this directory. fire up this instance of wrap.exe. it will start without a configuration file to load. (no .ini file will be there)
specify a new service in this instance of WinSSL. make it an SSL tunnel that listens on 127.0.0.1, port 8118. set the remote host to the external IP of your home network. set the port to either 80 or 443 (or whatever you specified above) and check the box for "use SSL for remote"
once you OK this window, quit WinSSL. you now have wrap.exe and wrap.ini configured in a way that anyone else can use quickly and easily. you could put this on a USB drive or into a zip file (with those two .dll files) and it will be a one-step process for another person to launch the SSL tunnel on their computer.
if this specially prepared SSL tunnel is running on a computer, all one then has to do is set the web browser to use 127.0.0.1:8118 as a proxy server for its connection. then, all HTTP traffic is routed through the SSL tunnel (which may be operating on port 80 or 443) and back to your house where Privoxy spits it out to the web. this doesn't provide full end-to-end encryption (since traffic beween your home and the destination web sites is in the clear) but it has a very good chance of not raising any flags on, say, a company LAN where web surfing is monitored. all they would see is a fair bit of "web like" traffic (which is totally encrypted and unreadable) to a single IP address.
the only way i see this potentially being an issue is if the client machine leaks DNS data. some browsers may attempt to do a DNS resolve of hostnames at the local machine. however, a secure and privacy-conscious browser like Mozilla will pass all traffic (DNS lookups included) to the proxy.
Comment