Encrypted Browsing in Windows using OpenSSH

Are you looking for a way to make browsing from your Windows PC more private on a network you do not control? You might want to give OpenSSH a try. The SSH tunnel described here encrypts everything between your PC and your own SSH server, which is the part of the path that crosses the untrusted network (a public hotspot, for example). Traffic between the SSH server and the website still travels as ordinary HTTP, so this is not the same guarantee as HTTPS, but it is far better than transmitting your information "in the clear" past every router and sniffer along the way.

This is the first practical application of running an OpenSSH server on a Windows XP Home computer. A detailed tutorial on how to install the SSH server in Windows is available here: “Installing SSH Server in Windows XP Home.”

OpenSSH is an open source implementation of the SSH protocol. It authenticates the two endpoints and encrypts everything sent between them using strong, negotiated encryption algorithms. Ordinary network traffic from a Windows computer is not encrypted unless the application protocol itself provides encryption, so the data can be read, and often altered, by anyone on the path as it travels across the network.

One of the most common forms of network communication is web browsing. Browsing is a conversation between a client (you, using your Windows PC) and a server (the host of the website files that your browser downloads).

That conversation is governed by HTTP (Hypertext Transfer Protocol), which sends every request and response in clear text: the URLs you visit, your cookies, the form fields you submit, and the pages that come back. Anyone who can see the packets, with nothing more than a packet sniffer on a hop along the route, can read them, so the confidentiality of the session depends entirely on who else is on that path.

The other common protocol is HTTPS (HTTP over TLS/SSL), which encrypts the whole exchange. HTTPS, however, has to be offered by the website: the site operator must obtain a certificate from a certification authority and configure the web server to use it. As a Windows user you install nothing, but you also cannot switch HTTPS on for a site that does not provide it.

In practice, many sites only use HTTPS on the pages that ask for a credit card number or a password, such as the checkout and login pages of shopping websites; the rest of the session, and most other websites, go over plain HTTP.

This tutorial deals with using an OpenSSH (Secure Shell) server to protect your browsing in Windows XP. This is not HTTPS encryption: the browser still speaks plain HTTP, but it does so inside an encrypted SSH tunnel (an SSH dynamic port forward, which the browser sees as a SOCKS proxy), so nothing between your PC and the SSH server can read it.

{mospagebreak title=Basic Requirements and Starting SSH}

The following are the basic requirements and the scope of this tutorial:

  • Installation of a fully running OpenSSH server in your local area network.
  • Browsers
  • PuTTY SSH client (you will be downloading this; see later sections).
  • A wireless network.

Detailed installation of SSH server is covered in the article linked to in the previous section. 

Any browser will work, but we will be using Internet Explorer in this tutorial.

Browsing encryption is most helpful when you are using a wireless Internet connection away from home, as at an airport or a hotspot. Eavesdropping is easy in that scenario: you are sending your traffic through a third party's wireless router (in an Internet café or a coffee house offering wireless Internet, for example), usually over an open or shared-key wireless network, where anyone within radio range can capture the frames without touching the router at all.

Once your data passes through eavesdropping equipment, malicious users of that equipment can observe what you do, and they can steal any username and password that a site sends in clear text, along with session cookies that let them act as you without knowing the password.

With the tunnel in place, PuTTY (the SSH client) encrypts the data before it leaves your computer, so by the time those packets reach that kind of equipment they are unreadable. They are decrypted only at your SSH server, which then talks to the website on your behalf.

{mospagebreak title=How does OpenSSH work and how do you begin?}

You will be using the OpenSSH server as a proxy. A proxy is a middle man in the communications network: instead of talking to the website directly, your browser hands each request to the proxy, which fetches it and returns the answer. With SSH this is done with a dynamic port forward: PuTTY opens a SOCKS proxy port on your own computer, carries everything sent to that port through the encrypted SSH connection, and the SSH server makes the real connections to the websites. If your data is unencrypted and you are sending it in clear text, the communication is between you and the website and everything in between is a potential listener. See diagram.

Without using a proxy server:

Your Computer -> <router or eavesdropping equipment, in a café or run by company IT personnel, for example, reads the plain HTTP> -> To the website server

Using the OpenSSH server as a proxy:

Your Computer (browser -> PuTTY encrypts) -> < router or any eavesdropping equipment sees only SSH > -> OpenSSH server (decrypts) -> to the website server (plain HTTP from here on)

Your browser is what needs to be configured, so that it sends everything to PuTTY's local proxy port first rather than to the outside world directly.

Once you have installed the OpenSSH server, make sure that its associated Windows service is fully operational. On the SSH server, go to Start -> Control Panel -> Administrative Tools -> Services and look for the OpenSSH server service. Double click it and make sure that the service status is “Started.”

If you have at least two computers within your LAN (with a client computer that is using a wireless connection), you can conduct a test setup. See screenshot:

Okay, if it is started, go to your client computer (the one that will use the SSH proxy). You need to open an SSH tunnel using PuTTY: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Download this to your desktop. Double click it and then configure the following:

IMPORTANT NOTE: Only click “Open” in the Putty configuration in Step 5.

Step 1: In the “SSH” category:

  • Under protocol options, check “Enable Compression.” This compresses the data before it is encrypted, which helps on slow connections.
  • Under “Preferred SSH protocol version,” select “2 only.” (SSH protocol version 1 has known weaknesses and should not be negotiated at all.)

Step 2: Find “Tunnels” in the SSH category. Under “Source Port,” enter an unused port number above 1024 (I am using port 7200). Leave “Destination” blank, select the “Dynamic” radio button, and click “Add”; the list of forwarded ports should now show “D7200.” This makes PuTTY listen on port 7200 of your own computer as a SOCKS proxy, and everything the browser sends to that port is carried inside the encrypted SSH connection.

Step 3: Once this is done, go to “Session” (at the top of the category list), and configure the following:

  • Under “Host Name,” fill in the IP address of your SSH server.
  • Under “Port,” enter the port number used by your SSH server (in my case the SSH server listens on port 22; you can find the port in the Port line of the server's sshd_config file).
  • For the connection type, select “SSH.”

For example, in my test client computer, the local IP address used is 192.168.2.101 while the IP address of the server is 192.168.2.100.

Step 4: On your SSH server, go to Control Panel and double click Windows Firewall. Go to the Exceptions tab, click “Add Port,” enter the port number your SSH server listens on (port 22 in my case) with TCP selected, and give it any name. Then click OK. This allows inbound connections to port 22 through the Windows firewall.

Step 5: Now that you have already opened port 22 and configured putty to use SSH, click “Open” on Putty. This will initiate the connection to SSH server.

Putty will now ask for this information:

Login as: use your Windows username, the one you used during the configuration of the OpenSSH server.

The first time you connect, PuTTY shows a “PuTTY Security Alert” with the server's host key fingerprint and asks whether to trust it. Do not just click “Yes”: compare the fingerprint with the one on the server (for example by running ssh-keygen -l against the server's host key public file; the file's path depends on your OpenSSH installation). The host key is what lets PuTTY detect a man-in-the-middle on later connections, and accepting an unverified key on an untrusted network defeats the purpose of the tunnel. Once it matches, click “Yes” and PuTTY caches the key; if the alert ever appears again for the same server, stop and find out why.

Password: use your Windows password, the one you used in the OpenSSH configuration.

If no errors are displayed after you type your password, you have successfully connected. Leave this PuTTY window open; the tunnel lives only as long as the SSH session does.

{mospagebreak title=Testing OpenSSH Server Proxy Installation}

Once the tunnel is up and PuTTY is listening on the port you chose, we are ready to use it and divert all browser communications to that port. So let's use Internet Explorer 8 (other browsers are similar):

Configuration for Internet Explorer 8.0

Navigate to Tools -> Internet Options -> Connections and click “LAN settings.” Uncheck “Automatically detect settings,” check “Use a proxy server for your LAN,” and then click “Advanced.” Configure the following: leave the HTTP, Secure and FTP fields empty, and in the Socks field enter localhost with the port you chose in Step 2 (7200 in my case). Leave “Use the same proxy server for all protocols” unchecked, so that only the Socks entry is used.

After that, click OK three times to close all windows. Restart Internet Explorer (or press F5) and you are browsing through the OpenSSH server. If you are not using IE, the configuration is basically the same in all browsers: select a manual proxy configuration, type “localhost” for the proxy address, choose the SOCKS type and enter the port number. One caveat: with SOCKS version 4 the browser resolves host names itself, so the DNS lookups for every site you visit still leave your computer in the clear. Browsers that support SOCKS5 with remote DNS resolution (Firefox's “Proxy DNS when using SOCKS v5” option, for example) send the host name through the tunnel instead; PuTTY's dynamic forward accepts SOCKS4, SOCKS4a and SOCKS5.
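To see what actually crosses the local proxy port, and to confirm the tunnel from Steps 1 to 5 from a script instead of a browser, here is an added example in Python (it is not part of the original tutorial). It builds the CONNECT requests a SOCKS4, SOCKS4a and SOCKS5 client sends to PuTTY's listener, reports whether a request carries a host name or an already-resolved address (the DNS caveat above), explains the SOCKS5 reply codes, and performs a SOCKS5 CONNECT through localhost:7200 to check that the SSH server can reach a target. The proxy address and port 7200 are the assumptions from Step 2; the address 203.0.113.10 and the host example.com are constructed sample values.

```python
"""SOCKS requests as a browser sends them to PuTTY's dynamic forward (localhost:7200).

Added example, not code from the original tutorial. Assumes PuTTY is listening on
localhost:7200 (Step 2) and the SSH session from Step 5 is open when check_tunnel() runs.
"""
import socket
import struct

SOCKS4_VERSION = 4
SOCKS5_VERSION = 5
CONNECT = 1

# SOCKS5 REP codes (RFC 1928); useful when the SSH server cannot reach a site.
SOCKS5_REPLY = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def socks4_connect(ipv4: str, port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: the browser resolves the name itself and sends the IPv4 address.
    That local lookup is a DNS query that leaves the client machine in the clear."""
    return struct.pack("!BBH4s", SOCKS4_VERSION, CONNECT, port, socket.inet_aton(ipv4)) + user_id + b"\x00"


def socks4a_connect(hostname: str, port: int, user_id: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: address 0.0.0.x signals 'host name follows', so the name is
    resolved at the far end of the SSH connection instead of on the client."""
    return (struct.pack("!BBH4s", SOCKS4_VERSION, CONNECT, port, b"\x00\x00\x00\x01")
            + user_id + b"\x00" + hostname.encode("idna") + b"\x00")


def socks5_greeting() -> bytes:
    """Version identifier: one authentication method offered, 0x00 = no authentication."""
    return bytes([SOCKS5_VERSION, 1, 0x00])


def socks5_connect(hostname: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): no local DNS lookup at all."""
    name = hostname.encode("idna")
    return bytes([SOCKS5_VERSION, CONNECT, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)


def carries_hostname(request: bytes) -> bool:
    """True if the browser handed the proxy a host name (resolved inside the tunnel),
    False if it sent an already-resolved IPv4 address (DNS lookup leaked)."""
    if request[0] == SOCKS4_VERSION:
        ip = request[4:8]
        return ip[:3] == b"\x00\x00\x00" and ip[3] != 0   # SOCKS4a marker address
    if request[0] == SOCKS5_VERSION:
        return request[3] == 0x03
    raise ValueError("not a SOCKS4/SOCKS5 request")


def describe_reply(reply: bytes) -> str:
    """Human-readable meaning of a SOCKS5 reply (VER REP RSV ATYP BND.ADDR BND.PORT)."""
    if len(reply) < 2 or reply[0] != SOCKS5_VERSION:
        return "not a SOCKS5 reply"
    return SOCKS5_REPLY.get(reply[1], f"unknown reply code {reply[1]:#04x}")


def check_tunnel(target_host: str, target_port: int = 80,
                 proxy=("localhost", 7200), timeout: float = 5.0) -> bool:
    """Do a SOCKS5 CONNECT through PuTTY's listener; True means the SSH server reached
    the target. Needs the session from Step 5 to be open (proxy address is assumed)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(socks5_greeting())
        if s.recv(2) != bytes([SOCKS5_VERSION, 0x00]):   # server must accept "no auth"
            return False
        s.sendall(socks5_connect(target_host, target_port))
        reply = s.recv(262)   # longest possible reply: 4 header bytes + 1 + 255 name + 2 port
        return describe_reply(reply) == "succeeded"


if __name__ == "__main__":
    # Shows the on-the-wire difference between a leaking and a non-leaking request.
    for name, req in (("SOCKS4", socks4_connect("203.0.113.10", 80)),
                      ("SOCKS4a", socks4a_connect("example.com", 80)),
                      ("SOCKS5", socks5_connect("example.com", 80))):
        print(f"{name:8} hostname in request: {carries_hostname(req)}  {req.hex()}")
    print("tunnel reaches example.com:80:", check_tunnel("example.com"))
```

Run it on the client while the PuTTY session is open; if `check_tunnel` returns False, the reply code from `describe_reply` tells you whether PuTTY refused the request or the SSH server could not reach the site.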

To confirm the encryption, run eavesdropping software such as Wireshark on the client (or on another machine on the same wireless network) while you browse. Filter on the SSH server's address: all of the client's traffic should be TCP to port 22 of the SSH server, and apart from the “SSH-2.0-...” identification strings at the start of the session nothing in the packet bytes is readable. Compare this with a capture taken before the proxy was enabled, where Wireshark dissects the HTTP requests and shows the URLs and form fields in clear text. This is what you will see:

On the right, you will see that the packets are now carried inside SSH and Wireshark can no longer dissect them as HTTP.
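As an added example (not from the original tutorial), the following Python function performs the same check programmatically over packets captured on the client: everything the client sends should be TCP to the SSH server's port, with nothing readable beyond the SSH identification string. It flags the three things a practitioner would look for in that capture: plaintext HTTP that bypassed the proxy setting, DNS queries leaving in the clear, and an SSH protocol 1 session. The packet records are constructed by hand for this example (a real run would feed rows exported from Wireshark); the addresses are the 192.168.2.x ones used in the tutorial, plus a constructed web server address.

```python
"""Audit a client-side capture for traffic that escaped the SSH tunnel.

Added example, not from the original tutorial. The sample packets are constructed,
not a real Wireshark export.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    """One packet as seen from the client, with the fields Wireshark would show."""
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    dport: int
    payload: bytes  # application-layer bytes


# Anything that still looks like an HTTP request on the wire has bypassed the proxy.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def audit_capture(packets: List[Packet], client_ip: str, ssh_server: str,
                  ssh_port: int = 22) -> List[Tuple[int, str]]:
    """Return (packet index, finding) pairs for client traffic that is not inside the tunnel.

    Expected picture when the setup works: every packet from the client goes to
    ssh_server:ssh_port, and only the identification string ("SSH-2.0-...") is readable.
    """
    findings = []
    for i, p in enumerate(packets):
        if p.src != client_ip:
            continue  # replies and other hosts' traffic are not the client's doing
        if p.proto == "TCP" and p.dst == ssh_server and p.dport == ssh_port:
            # PuTTY announces "SSH-1.5-..." when it fell back to protocol 1.
            if p.payload.startswith(b"SSH-1."):
                findings.append((i, "SSH protocol 1 session; set PuTTY to '2 only'"))
            continue  # inside the tunnel
        if p.proto == "UDP" and p.dport == 53:
            findings.append((i, "DNS query sent in the clear: the browser resolves names "
                                "locally (SOCKS4); use SOCKS5/4a with remote DNS"))
        elif p.proto == "TCP" and p.payload.startswith(HTTP_METHODS):
            findings.append((i, f"plaintext HTTP to {p.dst}:{p.dport}: proxy setting not applied"))
        elif p.proto == "TCP":
            findings.append((i, f"TCP to {p.dst}:{p.dport} outside the tunnel "
                                "(another application, or a proxy exception)"))
    return findings


# Constructed sample capture: client 192.168.2.101, SSH server 192.168.2.100,
# LAN router acting as DNS resolver 192.168.2.1, and an arbitrary web server.
SAMPLE_CAPTURE = [
    Packet("192.168.2.101", "192.168.2.100", "TCP", 22, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    Packet("192.168.2.100", "192.168.2.101", "TCP", 1057, b"SSH-2.0-OpenSSH\r\n"),
    Packet("192.168.2.101", "192.168.2.100", "TCP", 22, b"\x6a\x9f\x1c\x42\x07\xd3"),  # stand-in ciphertext
    Packet("192.168.2.101", "192.168.2.1", "UDP", 53, b"\x12\x34\x01\x00\x00\x01"),      # DNS query header
    Packet("192.168.2.101", "203.0.113.10", "TCP", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def audit_sample() -> List[Tuple[int, str]]:
    """Audit the constructed capture above; expected: one DNS and one plaintext HTTP finding."""
    return audit_capture(SAMPLE_CAPTURE, client_ip="192.168.2.101", ssh_server="192.168.2.100")


if __name__ == "__main__":
    for index, finding in audit_sample():
        print(f"packet {index}: {finding}")
```

In the sample, the SSH banner and the encrypted packet pass, the reply from the server is ignored, and the two packets a misconfigured browser would still emit (a local DNS lookup and a direct HTTP request) are reported with their index so you can jump to them in the capture.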

Overall tip: the IP address illustrated here is a local address, which is fine for testing on your LAN. In the hotspot scenario this tutorial is really about, you will be outside your LAN, so PuTTY must connect to your SSH server's external (public) IP address. Go to http://www.whatismyip.com/ from the server's network to learn that address, forward TCP port 22 on your home router to the server's LAN address (192.168.2.100 in my case), and make sure your ISP allows inbound connections. Be aware that an SSH server reachable from the Internet will be found and subjected to password-guessing attempts within days, so the Windows account you log in with needs a strong password (or, better, key-based authentication with password login disabled in sshd_config), and the server should be kept patched.
