
Spiped + SSH = Secure Proxy - SlyShy
http://newlyancient.com/2014/04/09/spiped-ssh-secure-proxy
======
peterwwillis
I know Colin likes to keep commenting that the simplicity of spiped makes it
inherently more secure than more complex alternatives. I haven't evaluated the
code, nor done a study to see if the number of lines of code always correlates
to number of security holes, or if the complexity of the operations compared
to the number of lines is related to the number of security holes, and what
the bounds of that are. But I just took a brief look at one file and saw this:

      /* Generate a 32-byte connection nonce. */
      if (crypto_entropy_read(H->nonce_local, 32))
               goto err1;

      /* Send our nonce. */
      if ((H->write_cookie = network_write(s, H->nonce_local, 32, 32,
           callback_nonce_write, H)) == NULL)
               goto err1;

      /* Read the other party's nonce. */
      if ((H->read_cookie = network_read(s, H->nonce_remote, 32, 32,
           callback_nonce_read, H)) == NULL)
               goto err2;

The gotos themselves aren't harmful (even though I don't get why people still
use gotos). What strikes me as really funny about this code is that its
over-simplicity is what caused a huge crypto bug to be missed in Apple's iOS 7
recently. Take a look at the above code and then this security hole[1], and
tell me if you can't spot a potential problem.

[1] http://www.wired.com/2014/02/gotofail/
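As an added illustration (it is neither spiped's code nor the commenter's), the two handshake shapes below use constructed step_* stand-ins for the nonce, network and verification calls; the first is written fail-closed, the second has the duplicated-goto shape of the linked iOS 7 bug, so a skipped verification step is reported as success:

```c
#include <stdio.h>

/* Constructed stand-ins (assumption: 0 = success, -1 = failure). fail_at
 * selects which step is made to fail; 0 means every step succeeds. */
static int step_gen_nonce(int fail)   { return fail ? -1 : 0; }
static int step_send_nonce(int fail)  { return fail ? -1 : 0; }
static int step_read_nonce(int fail)  { return fail ? -1 : 0; }
static int step_verify_peer(int fail) { return fail ? -1 : 0; }

/* Fail-closed goto cleanup: rc starts as failure and becomes 0 only on the
 * line after the last check, so a check that is skipped by accident still
 * leaves the function reporting failure. */
int handshake_fail_closed(int fail_at)
{
    int rc = -1;

    if (step_gen_nonce(fail_at == 1))   goto err;
    if (step_send_nonce(fail_at == 2))  goto err;
    if (step_read_nonce(fail_at == 3))  goto err;
    if (step_verify_peer(fail_at == 4)) goto err;
    rc = 0; /* reachable only after every check has passed */
err:
    return rc;
}

/* Fail-open shape: what gets returned is the status of the last step that
 * actually ran. The duplicated goto jumps to cleanup while err is still 0,
 * so peer verification never executes and the caller sees success. */
int handshake_fail_open(int fail_at)
{
    int err = 0;

    if ((err = step_gen_nonce(fail_at == 1)) != 0) goto cleanup;
    if ((err = step_send_nonce(fail_at == 2)) != 0) goto cleanup;
    if ((err = step_read_nonce(fail_at == 3)) != 0) goto cleanup;
    goto cleanup; /* stray duplicated line: the next check is dead code */
    if ((err = step_verify_peer(fail_at == 4)) != 0) goto cleanup;
cleanup:
    return err;
}

int main(void)
{
    printf("fail-closed, bad peer: %d\n", handshake_fail_closed(4)); /* -1 */
    printf("fail-open,   bad peer: %d\n", handshake_fail_open(4));   /* 0 */
    return 0;
}
```

Compilers can also help here: clang's -Wunreachable-code reports the dead `if` that follows the stray goto.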

------
azth
> As an American living in a Middle Eastern monarchy, multiple government
> agencies are likely monitoring my internet traffic

Ironically, living in the democracy of the United States would have yielded a
similar situation (except remove "likely").

------
lawl
Are there any advantages over something like sshuttle? [0]

Doing sshuttle --dns 0/0 seems more convenient, especially since a regular sshd
on my box is all I need, no additional software. And it instantly tunnels
_all_ my traffic, no need to configure socks proxies. It also avoids
TCP-over-TCP, which it seems like you're doing?

[0] https://github.com/apenwarr/sshuttle

~~~
elementai
Probably the most convenient tunnelling tool I've ever used.

When paranoia strikes me really hard I run the Tails live CD in VirtualBox; it
automagically routes everything through Tor and virtually nothing goes to the
hdd, except probably swapping to disk.

------
khrf
> In System Preferences, configure your network to connect to a SOCKS proxy at
> localhost:8089. Now all your internet activity is securely routed through
> your server.

That's a big surprise. _all your internet activity_?!?! Even when I use
curl/wget/IRC/netcat? Skype, xmpp, git, email client? As I understand it, the
SOCKS proxy will be used by the web browser only, am I wrong?

------
rakoo
Just a heads up: he seems to be running ssh as root [0]. My mom always told me
not to run ssh as root, but maybe things change with Docker since it's running
in a virtualized OS.

[0] https://github.com/morgante/spiped-docker/blob/master/Dockerfile

------
D9u
From the link to the OpenSSL vulnerability:

      Unfortunately, there's nothing users can do to protect themselves

Um, how about a VPN, or ssh with dynamic forwarding?

I would do something like:

    ssh -C -D 8080 -fN user@server.tld

Then it's as simple as setting your web connected applications to use the
localhost proxy on port 8080.

~~~
morgante
> Um, how about a VPN, or ssh with dynamic forwarding?

That's exactly what the goal of this is. Except it avoids using SSH over the
public network, since spiped is more reliable and also (I think) more
trustworthy. One takeaway for me from the heartbleed bug is to place less
trust in large, general-purpose C libraries. Compared to SSH, spiped is a
comparatively much smaller codebase, maintained by the excellent cperciva.

------
morgante
Looks like my server is having some issues. The post is also on GitHub.

https://github.com/morgante/spiped-docker/blob/master/readme.md

------
oijaf888
I don't understand what advantage this has over just doing: ssh -D8080
username@server.name

Also does spiped natively act as a socks proxy? I was under the impression all
it did was handle an encrypted stream of data from one socket to another.

~~~
morgante
> I don't understand what advantage this has over just doing: ssh -D8080
> username@server.name

I used to do precisely that, but I think spiped has two major advantages:

1. It is more resilient on a flaky connection.

2. I trust the security of its codebase more than SSH, both due to its
smaller footprint and cperciva's reputation.

------
dfc
Why use the -f switch:

      -f Use fast/weak handshaking: This reduces the CPU time spent in the
         initial connection setup, at the expense of losing perfect forward
         secrecy.

~~~
D9u
Maybe I'm missing something here...

On my FreeBSD and Linux systems, the ssh -f parameter sends the process to the
background, and the -N prevents remote command execution.

~~~
cperciva
He's talking about the -f option to spiped.

