Monday, March 30, 2009

Encrypt Everything

Nowadays, most people involved with computer security know that they should use encrypted protocols. With the rapid development of open wireless networks, the systematic use of encryption is becoming increasingly critical. How many people still use FTP or POP3 on the Internet? Too many...


Use Encrypted Equivalent Protocol

Most clear-text protocols on top of TCP have an encrypted counterpart. Here are a few examples:
  • telnet -> SSH
  • FTP, kermit -> SCP/SFTP over SSH, or FTPS over SSL
  • POP3/IMAP/SMTP -> POP3S/IMAPS/SMTPS, SMTP + TLS, etc.
  • Webmail over HTTP -> HTTPS
Additionally, although service providers may offer encrypted protocols, they do not always make them available by default, because encryption does add processing overhead. Webmail providers, for example, will typically default to an HTTP-only page. It is up to end users to explicitly request an HTTPS page when accessing the service.


Add your own SSL encryption

For the TCP protocols, you can always use an SSL tunnel such as stunnel. You can use stunnel in different ways:
  • Install it on a client which does not support SSL to communicate with an SSL-enabled server.
  • Install it on a server which does not support SSL to communicate with SSL-enabled clients
  • Install it on both the client and the server to encrypt any TCP traffic
If your system administrator tells you he doesn't want to touch that critical HTTP server to enable HTTPS, let him know he can install stunnel to accept encrypted traffic on port 443 and forward it, decrypted, to the local HTTP port 80. That way you get an HTTPS server without needing to reconfigure the existing HTTP server.
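As an added example (not code from the original post), the shell functions below write minimal stunnel configurations for the two cases just described: a server-side HTTPS front end that forwards to the untouched HTTP server on port 80, and a client-side tunnel that lets a clear-text mail client reach a TLS-only IMAP server. The PEM path, CA bundle path, hostnames and ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate minimal stunnel
# configurations for the two deployments described above.
#   server mode: accept TLS on 443, forward plaintext to the local HTTP port 80
#   client mode: accept plaintext on a loopback port, forward over TLS to a
#                remote TLS-enabled server (e.g. IMAPS on 993)
# Paths and hostnames are assumptions for illustration.

# Server-side front end: TLS terminates in stunnel, the web server stays as is.
# $1 = PEM file holding the certificate and private key (assumed path)
stunnel_server_conf() {
    cat <<EOF
; stunnel in server mode: HTTPS front for an HTTP-only server
cert = $1
; drop privileges after binding the privileged port
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel-https.pid

[https]
accept = 443
connect = 127.0.0.1:80
EOF
}

# Client-side tunnel: a mail client that cannot speak TLS connects to
# 127.0.0.1:$2 in the clear; stunnel carries the session over TLS to $1.
# $1 = remote host:port (assumed, e.g. mail.example.net:993)
# $2 = local listening port
# $3 = CA bundle used to verify the server certificate (assumed path)
stunnel_client_conf() {
    cat <<EOF
; stunnel in client mode: wrap a clear-text client in TLS
client = yes
; verify the server certificate against a CA bundle; without this the
; tunnel is encrypted but the peer is not authenticated
verify = 2
CAfile = $3
pid = /var/run/stunnel-client.pid

[imaps]
; bind only to loopback so other hosts on the (possibly open) network
; cannot use the unencrypted side of the tunnel
accept = 127.0.0.1:$2
connect = $1
EOF
}

# Sanity check on a generated client config file: the clear-text side
# must listen on loopback only, never on all interfaces.
conf_listens_on_loopback() {
    grep -q '^accept = 127\.0\.0\.1:' "$1"
}

# Usage (assumed paths): write both files, then point stunnel at them.
#   stunnel_server_conf /etc/stunnel/www.pem > /etc/stunnel/https.conf
#   stunnel_client_conf mail.example.net:993 1143 /etc/ssl/certs/ca-certificates.crt > /etc/stunnel/imap.conf
#   stunnel /etc/stunnel/https.conf
#   stunnel /etc/stunnel/imap.conf
```

The server-side file is the "don't touch the HTTP server" case from the text: stunnel owns port 443 and speaks plaintext to port 80 on loopback only. The client-side file adds the check the text implies but does not spell out: with `client = yes` alone the connection is encrypted but not authenticated, so `verify = 2` plus a CA bundle is what makes the tunnel resistant to interception.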


Use an SSH Tunnel

If using SSL encryption with stunnel is not possible in your environment, you can use an SSH tunnel. Using SSH port redirection (the -L option on Unix), you can redirect any remote port to a local port through an SSH tunnel. For example, ssh login@your-domain.net -L8000:127.0.0.1:80 allows you to browse your-domain.net through SSH by using the address http://localhost:8000/.

You can also use an intermediate machine for your SSH encryption. ssh login@intermediate.net -L8000:192.168.1.10:80 would encrypt the traffic between your client and intermediate.net. In this case, the traffic between intermediate.net and 192.168.1.10 would not be encrypted.
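The following is an added example (not from the original post) that wraps the two ssh commands above in a small script: it builds the forward with a few options a practitioner usually wants (no remote shell, background process, fail if the forward cannot be set up, listen on loopback only), checks the local port through the tunnel, and flags the case where the last leg from the intermediate host is in the clear. The user names, hosts and ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): open an SSH local port forward
# in the background, confirm it answers, and document the clear-text last leg.
# User names, hosts and ports are assumptions for illustration.

# Build the ssh argument list for a local forward.
# $1 = user@host to authenticate to
# $2 = local listening port
# $3 = host:port as seen from the SSH server: 127.0.0.1:80 for the server
#      itself, or another address such as 192.168.1.10:80, in which case the
#      SSH server acts as intermediate and that last leg is not encrypted
tunnel_args() {
    # -N: no remote shell, only the forward     -f: go to background after auth
    # ExitOnForwardFailure=yes: fail instead of silently running without the forward
    # 127.0.0.1:$2 binds the listening side to loopback, so other hosts on an
    # open wireless network cannot ride your tunnel
    printf '%s' "-N -f -o ExitOnForwardFailure=yes -L 127.0.0.1:$2:$3 $1"
}

# Report whether the final hop of the forward stays inside the SSH server.
# Traffic to the server's own loopback never leaves it; any other address
# crosses a network in the clear after the SSH session ends.
last_leg_encrypted() {
    case "$1" in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Start the tunnel and fetch through the local port; the HTTP request
# travels inside the SSH session up to the SSH server.
open_tunnel() {
    if ! last_leg_encrypted "$3"; then
        echo "note: $3 is reached from the SSH server in clear text" >&2
    fi
    # word splitting of the argument string is intended here
    ssh $(tunnel_args "$1" "$2" "$3") || return 1
    curl -s -o /dev/null -w '%{http_code}\n' "http://127.0.0.1:$2/"
}

# Usage (assumed hosts):
#   open_tunnel login@your-domain.net 8000 127.0.0.1:80      # then browse http://127.0.0.1:8000/
#   open_tunnel login@intermediate.net 8000 192.168.1.10:80  # last leg in the clear
#   pkill -f 'ssh -N -f -o ExitOnForwardFailure=yes -L 127.0.0.1:8000'   # tear down
```

The explicit 127.0.0.1 bind on the -L option matters on the open wireless networks the post opens with: without it, an ssh client configured with GatewayPorts would expose the plaintext end of the tunnel to everyone on the local network.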


Use Tor

Tor is becoming a popular way to encrypt traffic. There is a plugin for Firefox to enable/disable Tor with one click, a proxy to redirect any browser through Tor, etc. Although it is a very young project, this might be the most user-friendly solution, especially on Windows. The downside is that it significantly increases latency, so using Tor might slow down your web browsing.


- Julien

1 comment:

VincentP said...

Hello Julien,

Thanks for your clear summary.

I came across this article looking for a way to use SSH through the Zscaler proxy (working with people outside the company).

I am logged in to Zscaler in my browser, and then from the console I try a "ssh clients_host", having in .ssh/config a "ProxyCommand" that used to work with our previous proxy.
I get "Tunnel established" in the log, but no login popping up then.

Any explanation?

Thanks