Law in the Internet Society

Secure Proxy Browsing

In this project you will be setting up a secure connection between your computer and the mainframe computers at Columbia, then you will be instructing your web browser to route your web traffic through this secure connection. This will accomplish two things. First, you will block other users on your network, or the ISP on your local internet connection, from snooping on your network traffic. This means that other coffee shop customers sitting near you cannot hijack your connection to various web sites and that no one between your computer and the Columbia servers will be able to tell what sites you are browsing. Second, by sending your web traffic through the Columbia mainframe you will be mixing it with the web traffic of others at the University, making it substantially more difficult to determine whose traffic is whose.

Step 1: Connect to Columbia

In this step you are going to create a secure connection or "tunnel" to the Columbia Unix cluster. You can use this same general procedure with any other machines to which you may have access, whether that is a box you leave at home, a web hosting account to run a web site, or anyone else who gives you ssh access. All you need is an SSH client program.

Windows 10 / OS X (Mac) / Linux users

If you use the Windows 10, OS X or Linux operating systems, you are in luck! A standard ssh client is already installed on your machine. On Windows 10 press the "windows" key or just click the start menu search box, then type "cmd" and press enter. On Linux machines you should be able to find a program called "terminal" or "command line" in your standard application menu. On OS X you can find the terminal program in your Applications directory under "Utilities". The terminal program is a general purpose text environment for running any number of different programs and commands, of which ssh is only one. While a text-based environment may not suit all tasks, you will see in this case how it enables you to accomplish some tasks very simply that would otherwise require multiple programs and steps.

Once you have opened the terminal application, simply enter the command "ssh -D 7070 uni@cunix.columbia.edu", where "uni" is your own UNI, e.g. abc1234. When you hit enter it will try to connect to the Columbia CUNIX cluster. Assuming your network connection is working, the next thing you see will be a message asking if you wish to accept the host key for the CUNIX machine. Hit enter to accept it and then you will be asked for your Columbia UNI and password. Log in normally and it should complete setting up the tunnel and return you to a blinking cursor with no further chatter. Now you are logged in to the CUNIX machines. From here you could run other programs on the CUNIX machines, but that would be for another lesson. For this exercise, simply leave your terminal window open and move on to step two.

Note for Windows 10 users

The OpenSSH Client in Windows 10 was added in 2018. If for any reason your machine has not been updated since that time, here are instructions to download the application from Microsoft.

Android Users

The following method for secure proxy browsing on Android mobile devices requires (1) an SSH client with port forwarding (tunneling) capabilities, and (2) the Firefox browser named "Firefox Nightly". There are several free SSH clients available on Android, many of which can be found on the free, open-source Android app repository F-Droid and the Google Play Store. While it may not be the only SSH client, ConnectBot has worked well. Also, Firefox Nightly is currently the only version of Firefox that allows users to adjust advanced settings by typing "about:config" into the browser search bar.

ConnectBot Instructions: Download and open the ConnectBot app. Press the "+" symbol to create a new "host." Type "UNI@cunix.columbia.edu" (without quotes) then press the "+" symbol again in the upper right corner. This will take you back to the main "Hosts" screen. Next, long press on the newly created host and press "Edit port forwards." Select "Dynamic (SOCKS)" as the "Type" and change the "Source port" to "7070," then press "Create Port Forward." Navigate back to the "Hosts" page and click on your newly created host. You will be prompted to enter your UNI password and should then be connected. Next, go to "Step 2" below and read the instructions for "Firefox Nightly."

Step 2: Tell your browser to use the secure tunnel

As part of connecting to CUNIX in step one, we told ssh to take an address or "port" on your local machine and forward it to the CUNIX machine that you logged into. In particular we forwarded port "7070". This created a "SOCKS proxy" between your machine's port 7070 and the Columbia computer. We now want to tell your web browser to send all its requests for websites through the proxy port. The particular way to do this depends on which browser you are using.

As a first step for all browsers visit https://duckduckgo.com/?q=what+is+my+ip+address and write down the IP address associated with your browsing. Later, when you are using the proxy, you can return to that page and observe that your apparent IP address has changed.

Firefox

In Firefox, open your "Preferences" window. That should either be under the "Edit" or the "Tools" menu. In the Preferences window, click on "Advanced" at the very top then on the "Network" tab underneath it. The first item there is "Connection: configure how Firefox connects to the web", which is what you want to do. Click on the "Settings" button right next to that text.

You should now have a new popup window named "Configure Proxies to Access the Internet". You are almost there. Click on the "manual proxy configuration" option and then enter the following settings. For "SOCKS Host" enter "localhost" and for "Port" right next to it enter "7070".

You're done. You can close those configuration windows and you should be ready to check your IP address again with https://duckduckgo.com/?q=what+is+my+ip+address. If the apparent IP address known to the server has changed, you are proxying your web traffic. If not, something has gone wrong. Take a look at the proxy settings again. Make sure that manual settings box is selected and check that your ssh connection is still running in either PuTTY or the terminal.

When you are back to a network you trust and wish to stop proxying your traffic, simply return to the same configuration menu in Firefox and change "Manual proxy configuration" back to "no proxy configuration". Otherwise Firefox will continue trying to access the web through your proxy even after you are no longer connected, which will lead to an inability to access any websites.

If you find this process too cumbersome for frequent use, you can consider third party browser extensions like FoxyProxy to shortcut the process.

Chrome

Chrome has no capability to set proxy settings natively, so you need to rely on third party plugins to make any proxy connection without having to change your system-wide network settings. Thankfully, there is a free software plugin called proxy-switchy that you can use. Download and install that then give it the following settings:

* Protocol: Socks5
* Host: 127.0.0.1
* Port: 7070

Internet Explorer and Safari

Both of these browsers are so tightly embedded in the operating system that the only way to use a proxy with them is to change the system-wide network settings. If you wish to do that the settings to use should be:

* Protocol: Socks5
* Host: 127.0.0.1
* Port: 7070

but I offer no guarantees.

Firefox is the simplest browser to use when proxying web traffic. If you are not already using it, you could consider downloading and using it specifically for proxied connections. That way you can simply leave the proxy settings in Firefox on all the time and use whatever other browser you wish for non-proxied web activity.

Firefox Nightly (For Android Users)

(Steps copied from developer Tyler Burton - Step 5)

In order to make Firefox [Nightly] connect via the SSH tunnel, you'll need to modify some settings. Once you are finished the browser will only work if the SSH tunnel is connected.

In the Firefox [Nightly] address bar type "about:config" with no quotes. In the page that loads search and modify the following values (ignore all quotes):

(search for) "network.proxy.proxy_over_tls" --> Change to true

(search for) "network.proxy.socks" --> Change to "127.0.0.1"

(search for) "network.proxy.socks_port" --> Change to the SSH Tunnel Local Port set above (7070)

(search for) "network.proxy.socks_remote_dns" --> Change to true

(search for) "network.proxy.socks_version" --> Change to 5

(search for) "network.proxy.type" --> Change to 1
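
To check that a Firefox profile really carries the settings described in the Firefox and Firefox Nightly sections, including the remote-DNS setting that keeps hostname lookups inside the tunnel, the following added example (not part of the original page or of the copied steps) audits a profile's prefs.js against the values listed above. It assumes prefs.js records only values changed from their defaults, one per `user_pref("name", value);` line, and that SOCKS v5 is Firefox's default; the function names and the sample profile are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit a Firefox prefs.js for the
# SOCKS-tunnel settings listed above. The sample profile below is constructed.

# Print the value prefs.js stores for one pref (empty if the file does not set it).
pref_value() {  # $1 = prefs file, $2 = pref name
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots literally
    sed -n "s/^user_pref(\"$name\", *\(.*\));[[:space:]]*\$/\1/p" "$1" |
        tail -n 1 | tr -d '"'
}

# Compare one pref against its allowed values and count mismatches.
expect() {  # $1 = file, $2 = pref, $3 = allowed values (ERE), $4 = risk if wrong
    got=$(pref_value "$1" "$2")
    if printf '%s\n' "$got" | grep -Eqx "$3"; then
        echo "ok    $2 = ${got:-<default>}"
    else
        echo "FAIL  $2 = ${got:-<not set>} ($4)"
        PROBLEMS=$((PROBLEMS + 1))
    fi
}

# Returns 0 when every setting matches this page, 1 otherwise; count in $PROBLEMS.
audit_prefs() {  # $1 = path to prefs.js
    PROBLEMS=0
    expect "$1" network.proxy.type '1' 'manual proxy is off, traffic goes direct'
    expect "$1" network.proxy.socks '(127\.0\.0\.1|localhost)' 'not the local tunnel end'
    expect "$1" network.proxy.socks_port '7070' 'does not match ssh -D 7070'
    # Assumption: 5 is the default, so the line is absent unless it was changed.
    expect "$1" network.proxy.socks_version '(5)?' 'page specifies SOCKS v5'
    expect "$1" network.proxy.socks_remote_dns 'true' \
        'not forced on: DNS lookups may bypass the tunnel and reveal site names'
    [ "$PROBLEMS" -eq 0 ]
}

# Constructed sample: proxy configured by hand, remote DNS never switched on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 7070);
user_pref("network.proxy.type", 1);
EOF
audit_prefs "$SAMPLE" || echo "=> $PROBLEMS setting(s) to fix"
```

Run it against a copy of your own profile's prefs.js by calling `audit_prefs /path/to/prefs.js`; close Firefox first so the file reflects the current settings.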

Step 3: Proof

Once you have successfully proxied your web connection through the CUNIX machines you are ready to demonstrate your success here. While your browser is still proxied simply add a comment to this page saying that you are finished. The comment will look no different to you but the logs for this website, like the logs of every website, will record your IP address. If you are successfully using your new proxy all we will see is a connection from one of the CUNIX machines. Otherwise we will see exactly where else you are connecting from.


finished -- KjSalameh - 21 Nov 2020

Finished -- JakeGlendenning - 22 Nov 2020

Finished -- JeremyLee - 22 Nov 2020

Finished

-- JoseMartinez - 24 Nov 2020

I'm using OS X and after entering the command and proceeding to accept the host key, it shows the following: "myuni@cunix.columbia.edu's password: [a key symbol]" And then I entered my uni password but it provides: "Permission denied, please try again."

I am using another VPN now and will that affect this setting?

-- YingLiu - 25 Nov 2020

Same "permission denied" error on Step 1 as YingLiu above, except I'm on Windows and not using another VPN. I've contacted CUIT to check whether there's something wrong with my UNI pw/configuration. UPDATE: CUIT referred me to the instructions on this page, which did not resolve the "permission denied" issue.

-- BenWeissler - 25 Nov 2020

finished

-- ElaineHuang - 25 Nov 2020

Finished

-- AlisonRobins - 25 Nov 2020

-- EstherStefanini - 25 Nov 2020

Permission keeps getting denied :(

-- EstherStefanini - 25 Nov 2020

Finished - I think my previous attempt was unsuccessful. I switched to firefox, and I believe it is working now.

-- ElaineHuang - 25 Nov 2020

Finished

-- JohnClayton - 25 Nov 2020

Finished

-- JessieChao - 30 Nov 2020

Finished

-- JessieChao - 30 Nov 2020

Finished -- WanTingHuang - 30 Nov 2020

Finished

-- JohnJMartin93 - 02 Dec 2020

Finished (contacted CUIT to have them set up a Unix account for my UNI)

-- BenWeissler - 03 Dec 2020

Finished

-- MaikoHayakawa - 08 Dec 2020

I'm a transfer and it seems like I did not have a CUNIX account set up for me. I've requested CUIT do so but still awaiting action.

-- CharlesRice - 09 Dec 2020

Permission still denied. I have sent an email as well

-- MilanPree - 10 Dec 2020

It worked!

-- LouisEnriquezSarano - 11 Dec 2020

Finished!

-- LiasBorshan - 14 Dec 2020

@esther how did you overcome the permission denied response? I keep getting permission denied too

-- JulieLi - 16 Dec 2020

 


r70 - 16 Dec 2020 - 00:18:19 - JulieLi
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.