

Protect yourself from FireSheep with Amazon EC2 + OpenVPN for $0.50 a month - packetwerks
http://www.stratumsecurity.com/blog/2010/12/03/shearing-firesheep-with-the-cloud/

======
ronnier
I use my LinkSys router loaded with a Linux firmware to do this at no
additional cost.

I wrote up how I did it,

<http://ronnie.me/articles/rdp_over_ssh_with_a_linksys_router>

~~~
chopsueyar
When I read the original article, I thought "Why can't every consumer have
this who has home broadband?"

I'm sure Comcast would not like it, and then there's the dynamic IP issue.

~~~
ronnier
I use the router to solve the dynamic IP issue. It updates to
<http://www.dyndns.com> when my IP address changes.

~~~
tpahax0r
That is a great option for people who have a dd-wrt/tomato/etc. compatible
wireless device.

The goal of the post was for folks who don't already have a solution setup and
to get people familiar with EC2 now that it has a Free Tier and see some of
the "not so obvious" things we can do with it.

~~~
chopsueyar
The goal of the post was to drive traffic to the blog, and then to the main
consultancy site.

Otherwise, the goal of the post was to generate discussion in places such as
HN.

Also, you are referencing the parent comment in response to RDP protocol
tunneling only, fyi.

...and your account was created an hour after the original comment.

Just seems strange to create an account and then tell us the goal of the
article.

------
prosa
It's worth noting that the quoted "$0.50 a month" only applies for the first
year, after which it will cost $0.02 an hour or ~$15 a month.

~~~
MicahWedemeyer
Seems like a perfect use case for EC2 on demand. Only run the VPN node when
you are on an open wireless network and need the VPN security. Shut it down
otherwise.

That would make it harder to run, but it would greatly reduce the cost. I'd
pay $0.02 for an hour's worth of security while stopping off at a coffee shop.

~~~
kayoone
Couldn't attackers then grab your EC2 dashboard cookie and possibly compromise
your EC2 instance?

I mean, if you need to log in there first via an insecure session, it's not
really that much safer.

~~~
trueluk
Your AWS dashboard would be compromised if you waited until you were on the
open wireless network to run the EC2 instance, but attackers would not be able
to compromise the EC2 instance. Once the instance has been created you can't
change the Key Pair. You also can only download the private key associated
with the Key Pair once, which is right when you create it. But of course, an
attacker could stop or terminate your instance if he gained access to your AWS
dashboard.

~~~
scraplab
Not true: the dashboard runs entirely on SSL - which is still encrypted on an
open wifi network. Compromising SSL isn't out of the question though, but
highly unlikely.

------
slay2k
Ah, so easy! Only 28 steps filled with remote Linux shell commands,
certificate creation, and downloaded software! I'm sure that's exactly what
his wife wanted to hear when she asked how to avoid being Firesheeped.

Whatever happened to good old ssh -ND ? Wouldn't that solve 90% of most casual
hotspot users' problems ? And I'd be wary suggesting even that one-liner to
someone who isn't a techie, which I'm assuming his wife isn't since she asked
the question.

~~~
spindritf
> Whatever happened to good old ssh -ND ?

YouTube doesn't work.

Also, it's not a one-liner on a Windows client. OpenVPN is really, really easy
to use once someone set it up for you. Two clicks and you're connected.

~~~
wfm_123
Works for me.

ssh as a SOCKS proxy, Firefox uses it, Flash uses it.

about:config set network.proxy.socks_remote_dns to true.

------
trueluk
I normally just do my tunneling with ssh -D. Is there an advantage of using
SSH VPN instead of SSH as a SOCKS proxy?

~~~
riobard
I was wondering the same thing. The post went through all the steps to setup
SSH VPN while SSH tunneling works pretty well and requires almost-zero config
on the server…

OTOH I saw the value of using PPTP or L2TP-based VPN. It is supported on most
systems by default. I set up one for iPhone because you cannot do SSH
tunneling on it. On non-*nix systems there is usually no SSH installed by
default. I opened my PPTP/L2TP VPN for friends running Windows.

It's also slightly easier to connect to PPTP/L2TP VPN with a single click on
the menubar of OS X without installing any additional software.

Otherwise I stick with SSH tunneling with SOCKS proxy.

Could someone explain the benefits of SSH VPN please?

~~~
tpahax0r
SideStep basically automates ssh -D for you and sets up a local SOCKS proxy.
However SOCKS proxies (and thus the current version of Sidestep) can only
protect TCP traffic that supports SOCKS proxies. For example, you can't tunnel
your DNS requests over a proxy (without tinkering with Firefox's
about:config).

Also, since ssh -D is not a true VPN tunnel, your machine is exposed to the
hostile network (if you don't have a firewall).

If you want complete privacy where ALL of your IP traffic is tunneled out,
OpenVPN (or other tunneling layer 3 solution) is the way to go.

~~~
riobard
Thanks for the explanation! There are a few things I don't understand fully,
could you please talk a bit more?

“since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile
network (if you don't have a firewall).”

I believe on OS X the SOCKS proxy is applied globally, unlike Windows where
you have to do per-application settings. So aside from DNS queries, I guess
other TCP connections should go through SOCKS? That should cover the major
problem of FireSheep.

Also, since on Windows/OS X/iOS there is no default OpenVPN clients, I use
PPTP/L2TP/IPSec-based VPN instead because they are available by default. Is
there any advantage of OpenVPN over them?

~~~
tpahax0r
For the purpose of defeating FireSheep, ssh -D works just fine.

OpenVPN in the configuration of the blog post utilizes 443/tcp, which is open
at most places, while the ports required for PPTP/L2TP/IPSec could be closed.

~~~
draebek
Worse than just "ports" AFAIK: last I checked PPTP required use of either GRE
or its own protocol (I can't remember which)--so not TCP nor UDP, and thus
more likely to be blocked or simply NATed incorrectly. I don't recall how L2TP
works, but I bet it uses a different IP protocol as well. I'm not sure if it's
common to use L2TP unless it's tunneled in IPsec these days. IPsec can run
over UDP if configured correctly. (I always encountered the UDP transport in
the context of NAT-T which has/had its own set of problems. For example, it
used to be the case that many IPsec "servers" had a problem with more than a
single NAT-T client behind the same NAT. Not sure if that's still the case as
this stuff is no longer my job, thankfully.)
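tpahax0r's point above, that the blog post's OpenVPN listens on 443/tcp and so gets out of networks where the ports PPTP/L2TP/IPsec need are closed, and the earlier point that only a layer-3 tunnel carries all IP traffic (DNS included) rather than just what a SOCKS-aware application sends, as an added example. This is not the blog post's 28 steps nor any commenter's code: it emits a minimal OpenVPN 2.x server config bound to 443/tcp, the matching client config, and the forwarding/NAT rules the EC2 instance needs to route client traffic. It assumes the CA, server/client certificates, DH parameters and ta.key already exist in OpenVPN's config directory under the names shown; the hostname, resolver address and interface name are placeholders.

```shell
#!/bin/sh
# Added example, not the blog post's own steps: OpenVPN over 443/tcp on an
# EC2 instance, pushing a default route and DNS to the client so that ALL of
# the client's IP traffic leaves through the tunnel. File names, hostnames,
# the resolver address and the interface name are assumptions/placeholders.

VPN_SUBNET="10.8.0.0"
VPN_MASK="255.255.255.0"
PUSH_DNS="${PUSH_DNS:-8.8.8.8}"     # assumed: any resolver reachable from EC2
OUT_IF="${OUT_IF:-eth0}"            # assumed: the instance's public interface

# Server side. Every line is a stock OpenVPN 2.x directive:
#  - port 443 / proto tcp: looks like HTTPS to a hotspot firewall, unlike
#    PPTP (GRE + 1723/tcp) or L2TP/IPsec (ESP, 500/udp, 4500/udp).
#  - redirect-gateway: client gets a default route via the tunnel, so every
#    application is covered, not only those configured for a SOCKS proxy.
#  - dhcp-option DNS: name lookups also stay off the hotspot.
#  - tls-auth: packets without the shared HMAC key are dropped before the TLS
#    handshake, which cuts down what an unauthenticated peer can poke at.
#  - user/group: drop root after the tun device and keys are set up.
openvpn_server_conf() {
    cat <<EOF
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server $VPN_SUBNET $VPN_MASK
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $PUSH_DNS"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Client side; $1 is the instance's public DNS name. remote-cert-tls server
# refuses to talk to a peer that presents a client certificate from the same
# CA while impersonating the server.
openvpn_client_conf() {
    cat <<EOF
client
dev tun
proto tcp
remote $1 443
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
persist-key
persist-tun
verb 3
EOF
}

# Kernel forwarding plus source NAT for the tunnel subnet. Without these the
# VPN connects but nothing reaches the internet. The EC2 security group must
# also allow inbound 443/tcp. Printed rather than executed so the rules can
# be reviewed first; run the output as root to apply.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $VPN_SUBNET/24 -o $OUT_IF -j MASQUERADE
iptables -A FORWARD -i tun0 -o $OUT_IF -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

case "${1:-}" in
    server) openvpn_server_conf ;;
    client) openvpn_client_conf "${2:-ec2-host.example.com}" ;;
    nat)    nat_rules ;;
esac
```

Run with `server`, `client <public-dns-name>` or `nat` and redirect the output to `/etc/openvpn/server.conf`, the client's `.ovpn` file, or a root shell respectively. Because the tunnel is TCP-over-TCP, throughput under packet loss is worse than OpenVPN's default UDP mode; the trade-off is that 443/tcp is rarely blocked.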

------
trotsky
Better choice than a lot of the VPN services out there. The free services
should be presumed to have some sort of ulterior motive to get a look at your
traffic (including, potentially, much more nefarious ones than a firesheep
user). Even premium services should be considered carefully, you have little
way of knowing what amount of tracking or inspection of your packets is going
on - and such concentrators make an excellent target for hackers.

~~~
chopsueyar
Do you think Amazon has root access to anything you virtualize on their cloud?

~~~
trotsky
Yeah, obviously AWS has access to your traffic and host data if they choose to
inspect it, but I wasn't trying to suggest it was a perfect secrecy situation
(nor that that's needed). I'm inclined to trust amzn here over most providers,
they have a bigger reputation to protect than most VPN hosts, and their scale
and focus makes provider level intrusion or consumer focused tracking less
likely.

------
epo
Just curious, if you already have decent hosting couldn't you just implement
this by installing openvpn on your existing virtual machine (or whatever)? Is
there anything which specifically requires EC2?

~~~
chopsueyar
I guess you just have to be careful of bandwidth overage. Don't use it with
Netflix too much.

~~~
rmc
The same caveat about bandwidth usage applies to EC2. You have to pay (twice
in & out) for EC2 traffic.

------
jey
How to start a SOCKS proxy on localhost:12345 proxying through your account
foo on bar.example.com:

    ssh -D 12345 -N -f foo@bar.example.com

~~~
jjcm
Tip: you can group the flags together like so:

    ssh -fND 12345 foo@bar.example.com

Also, the -f flag will cause it to fail if you don't have passwordless auth
set up. If you don't have it set to use private/public key pairs, just tunnel
like so:

    ssh -ND 12345 foo@bar.example.com

~~~
jey
Nah, -f will prompt for password before backgrounding the process.

------
m0shen
Why not just set up something like pfSense ( <http://www.pfsense.org/> ) at
home with OpenVPN configured?

------
noodle
This sounds like a pretty viable business idea, actually. In the past, I've
looked for a simple VPN service provider to help secure non-techie friends'
laptop work at a Starbucks or whatever. Couldn't find anything decent. Seems
like people might be willing to pay some $ for this if it were turned into
something commercialized.

~~~
crocowhile
AlwaysVPN is what I use.

~~~
tpahax0r
Looking at the cost, the EC2 setup is a lot cheaper.

~~~
crocowhile
Depends on usage. I bought $5 or $10 worth of GB traffic a few years ago and I
have most of it still left to be used. Even just 1 GB is plenty for the
occasional browsing at Starbucks or at the airport.

------
ary
28 steps, and he didn't think to create a new AMI to share with the world.

~~~
deno
With default Ubuntu configuration you just have to enable/install OpenVPN
server (1) (server), generate one user certificate (2) (server) and configure
NetworkManager profile (3) (client).

All the other steps are just intro to using Linux and/or Amazon EC2
infrastructure or such technicalities as copying files or (unnecessary)
configuring time zone.

------
badmash69
Apologies in advance for being off-topic, but am I the only one who hates
people hunched over their laptops while hogging Starbucks' chairs for hours?
I work in a downtown location and it's impossible to have your coffee at
Starbucks as there is no place to sit. I really wish Starbucks could charge
for seating ;-)

------
dhess
I just found out a few weeks ago that my ISP, Sonic.net, offers an IPsec VPN
endpoint to all of its customers, with no additional fees. I highly recommend
them if you're in the SF Bay Area.

Note that while their help page suggests that you use the Cisco client
software to connect to their VPN endpoint, the service works just fine with
Mac OS X's built-in Cisco IPsec client, as well as with the IPsec client in
iOS. Dunno about other platforms, but Sonic.net provides the Cisco client for
Windows and GNU/Linux, at least.

<http://www.sonic.net/features/vpn/>

------
david_shaw
To anyone who desires this level of security but doesn't want to have to go
through the trouble of a VPN, using SSH tunnels works just as effectively.

Assuming you have access to a remote Linux/BSD box, you can (from Linux) `ssh
-D 1025 remote.host.address` then proxy your browser's SOCKS proxy to
localhost:1025.

On Windows, using PuTTY, one can simply go into the Tunnel menu, hit the
"Dynamic" radio button, type in 1025 and click "add" to achieve the same
effect.

~~~
tpahax0r
SideStep does all of this for you. You can forgo the whole OpenVPN section
(Steps 12 through 22) if you just want to use SideStep.
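The `ssh -D` SOCKS tunnel that jey, jjcm and david_shaw describe above, with the Firefox `network.proxy.socks_remote_dns` preference wfm_123 mentions and one check a practitioner would want, as an added example. This is not code from the blog post or from any commenter: it wraps the `ssh -fND` command, writes the Firefox prefs that send DNS lookups through the proxy too, and verifies from `ss -ltn` output that the proxy is listening on loopback only, since a SOCKS port bound to all interfaces would let everyone else on the hotspot relay traffic through your server. The host `foo@bar.example.com`, port 12345 and the sample `ss` line are placeholders/constructed.

```shell
#!/bin/sh
# Added example (not from the original post or thread): wraps the `ssh -fND`
# SOCKS tunnel, writes the Firefox prefs for proxying DNS, and checks that
# the proxy is bound to loopback only. Host, user and port are placeholders.

SOCKS_PORT="${SOCKS_PORT:-12345}"
SSH_TARGET="${SSH_TARGET:-foo@bar.example.com}"   # assumed placeholder

# Build the ssh command line. -N: no remote command; -D: dynamic SOCKS
# forward, explicitly on 127.0.0.1 (and no -g), so nothing else on the
# hotspot can use the proxy; -f: background after authentication, so a
# password prompt still appears first. ExitOnForwardFailure makes ssh exit
# instead of silently leaving you without a proxy when the port is taken;
# ServerAliveInterval notices a dead hotspot link instead of hanging.
socks_tunnel_cmd() {
    printf 'ssh -fND 127.0.0.1:%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 %s\n' \
        "$1" "$2"
}

# Firefox prefs (user.js in the profile directory) that push every request,
# DNS lookups included, through the SOCKS proxy. Without socks_remote_dns
# Firefox resolves names via the hotspot's resolver, which still reveals
# every site you visit even though the page content is tunneled.
firefox_socks_prefs() {
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $1);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Read `ss -ltn` output on stdin and succeed only if the SOCKS port is
# listening on a loopback address. A listener on 0.0.0.0 or [::] means anyone
# on the open wifi can use your SOCKS proxy; no listener at all means the
# tunnel never came up (e.g. the port was already in use).
socks_bound_locally() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    found = 1
                    if ($i !~ /^(127\.[0-9.]+|\[::1\]):/) bad = 1
                }
            }
        }
        END { if (found && !bad) exit 0; exit 1 }'
}

# Constructed sample of `ss -ltn` output used by the offline "check" mode.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:12345 0.0.0.0:*'

case "${1:-}" in
    start)
        eval "$(socks_tunnel_cmd "$SOCKS_PORT" "$SSH_TARGET")"
        ss -ltn | socks_bound_locally "$SOCKS_PORT" \
            && echo "SOCKS proxy up on 127.0.0.1:$SOCKS_PORT"
        ;;
    prefs) firefox_socks_prefs "$SOCKS_PORT" ;;
    check) printf '%s\n' "$SAMPLE_SS" | socks_bound_locally "$SOCKS_PORT" \
            && echo "sample listener is loopback-only" ;;
esac
```

`./socks.sh start` brings the tunnel up and confirms the bind address; `./socks.sh prefs >> ~/.mozilla/firefox/<profile>/user.js` (path assumed, Firefox must be closed) configures the browser. Applications that ignore the SOCKS setting, and anything the OS does on its own, still talk to the hotspot directly; that is the gap tpahax0r's layer-3 VPN argument is about.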

------
mfringel
This looks like a great way to get started with EC2, VPN or no. I've been
thinking about it, but one thing still puzzles me. You choose an AMI, but does
Amazon effectively create an EBS instance for you and populate it with a copy
of the AMI?

I don't see any mention of an EBS instance being created, so I'm not quite
sure how you can write to the filesystem at all. I'm sure I'm missing
something here, but I'm not quite sure what. Thoughts?

~~~
rmc
You don't need an EBS to run an instance on EC2.

You can just run the instance as normal. It has a root filesystem, you can
write to it etc. However if you stop the instance, then all your changes are
lost. The EBS is only needed if you actually need disk space.

~~~
arst
Micros (which are what you get on the free tier) are only available as EBS-
backed instances.

~~~
deno
It's worth noting that 20GB EBS space is provided with free tier. Though all
default Ubuntu AMIs use 25GB EBS by default AFAIK.

------
jorgem
What's a good solution for iPhone/iPad over wireless?

~~~
chopsueyar
iPad has VPN built in, not sure about iPhone.

~~~
riobard
It's the same: L2TP/IPSec, PPTP, Cisco IPSec.

It's annoying though because it is unable to auto-reconnect to the VPN after it
locks for a few minutes.

------
Florin_Andrei
I keep a server up-n-running 24/7 anyway, doing lots of things (file server,
UPnP, the whole nine yards), it's on cable Internet with a dynamic DNS. So I
installed OpenVPN on it and all my laptops automatically connect to it when
they boot up. The server also runs a proxy.

So I've a secure proxy available any time, from anywhere.

~~~
ShabbyDoo
How's your latency? An advantage of connecting to an EC2 instance seems to be
that you're getting your traffic onto the backbone without eating a "last
mile" roundtrip to your house.

EC2 scenario:

coffee shop -> backbone -> EC2 -> backbone -> remote site (probably hosted
somewhere close to your EC2 instance, especially if a CDN is in use)

Home scenario:

coffee shop -> backbone -> cable provider -> home -> cable provider ->
backbone -> remote server

------
marklabedz
Good timing - I just had this thought "in the shower" a day or two ago. I
wouldn't utilize a VPN enough to make some of the more traditional providers
cost-effective, so something along these lines is probably Just Right.

------
andre
28 steps??

