Kiran Jonnalagadda (jace) wrote,
Kiran Jonnalagadda

  • Music:

How to beat a transparent proxy

Today I discovered that Touchtel is running a transparent HTTP proxy that is potentially logging everything I read. It freaked me out enough that I installed Squid at, set it to serve only localhost, then created an SSH tunnel between my localhost:3128 and’s localhost:3128. As a bonus side-effect, all my wireless HTTP traffic is also encrypted now.

If you didn’t understand what I just said, here is the non-geek version:

I’ve discovered that Touchtel has computers that are making a copy of all the Web pages I see—for the stated purpose of giving that copy to anyone else who wants to see the same page, making it faster for them—but that can be easily subverted to keep a tab on me or any other user. Since they have no business doing this, and I have no means to stop them, I’ve created an encrypted link from my computer to a server beyond their control.

As a bonus side-effect, since the encrypted link runs uninterrupted from my computer to the remote server, it also protects me on my wireless network. I run an open wireless network that anyone can use to connect to the Internet, and that anyone can also potentially use to read the web pages of other users.

Update: Here’s how you can do it too. You will need:

1. The SSH command-line client. Linux users will already have this. Windows users can get it here.
2. A shell account on a remote server like at If you know anyone giving away free shell accounts, please leave a comment.
3. A proxy server that allows connections from your remote server. Look in the directory for one.

Once you have these, simply issue this command: ssh -N -p 22 -C -c blowfish -L 3128/proxy-server/8080

Where is your login to the shell account, 3128 is the port on your computer, proxy-server is the name or IP address of the proxy server, and 8080 is the proxy server’s port number.

If you don’t have an authentication key, you’ll be prompted for a password. You should use an authentication key if you want to start a tunnel automatically when you login or connect to the Net. Use ssh-keygen -t dsa with a blank pass-phrase and copy ~/.ssh/ on your computer to ~/.ssh/authorized_keys2 on the remote side. I’m not sure where is located under Windows.

Finally, in your browser’s preferences, set the proxy server to localhost, port 3128, and you’re ready to go.

If you use PPP or PPPOE and want to start the tunnel automatically when you connect (Linux/BSD only), edit /etc/ppp/ip-up.local and add the above SSH command. Debian users should put the line in a new file in /etc/ppp/ip-up.d/ and mark it executable.
  • Post a new comment


    Comments allowed for friends only

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened