I don't understand what advantage this has over just doing:
ssh -D8080 username@server.name
Also does spiped natively act as a socks proxy? I was under the impression all it did was handle an encrypted stream of data from one socket to another.
Are there any advantages over something like sshuttle? [0]
Doing sshuttle --dns 0/0 seems more convinient especially since a regular sshd on my box is all I need, no additional software. And it instantly tunnels all my traffic, no need to configure socks proxies. It also avoids TCP-over-TCP which it seems like you're doing?
Probably the most convenient tunnelling tool I've ever used.
When paranoia strikes me really hard I run Tails liveCD in VirtualBox, it automagically routes everything through TOR and virtually nothing goes to hdd, except probably swapping to disk.
> Um, how about a VPN, or ssh with dynamic forwarding?
That's exactly what the goal of this is. Except it avoids using SSH over the public network, since spiped is more reliable and also (I think) more trustworthy. One takeaway for me from the heartbleed bug is to place less trust in large, general-purpose C libraries. Compared to SSH, spiped is a comparatively much smaller codebase, maintained by the excellent cperciva.
I know Colin likes to keep commenting that the simplicity of spiped makes it inherently more secure than more complex alternatives. I haven't evaluated the code, nor done a study to see if the number of lines of code always correlates to number of security holes, or if the complexity of the operations compared to the number of lines is related to the number of security holes, and what the bounds of that are. But I just took a brief look at one file and saw this:
/* Generate a 32-byte connection nonce. */
if (crypto_entropy_read(H->nonce_local, 32))
goto err1;
/* Send our nonce. */
if ((H->write_cookie = network_write(s, H->nonce_local, 32, 32,
callback_nonce_write, H)) == NULL)
goto err1;
/* Read the other party's nonce. */
if ((H->read_cookie = network_read(s, H->nonce_remote, 32, 32,
callback_nonce_read, H)) == NULL)
goto err2;
The gotos themselves aren't harmful (even though I don't get why people still use gotos). What strikes me as really funny about this code is its over-simplicity is what caused a huge crypto bug to be missed in Apple's iOS 7 recently. Take a look at the above code and then this security hole[1], and tell me if you can't spot a potential problem.
Just a heads up: he seems to be running ssh as root [0]. My mom always told me not to run ssh as root, but maybe things change with Docker since it's running in a virtualized OS.
> In System Preferences, configure your network to connect to a SOCKS proxy at localhost:8089. Now all your internet activity is securely routed through your server.
That's a big surprise. all your internet activity?!?! Even when I use curl/wget/IRC/netcat? Skype, xmpp, git, email client? As I understand SOCKS proxy will be used by web-browser only, am I wrong?
23 comments
[ 4.3 ms ] story [ 57.1 ms ] thread?
Also does spiped natively act as a socks proxy? I was under the impression all it did was handle an encrypted stream of data from one socket to another.
No, it manages an arbitrary number of streams of encrypted data, but all it does is push bits (and encrypt/decrypt, of course).
I used to do precisely that, but I think spiped has two major advantages:
1. It is more resilient on a flaky connection.
2. I trust the security of its codebase more than SSH, both due to its smaller footprint and cperciva's reputation.
> In my experience, the spiped tunnel is highly reliable and recovers more gracefully than a standard SSH tunnel.
I've never had an issue with ssh -D though
EDIT: I read the question backwards.
On my FreeBSD and Linux systems, the ssh -f parameter sends the process to the background, and the -N prevents remote command execution.
Doing sshuttle --dns 0/0 seems more convinient especially since a regular sshd on my box is all I need, no additional software. And it instantly tunnels all my traffic, no need to configure socks proxies. It also avoids TCP-over-TCP which it seems like you're doing?
[0] https://github.com/apenwarr/sshuttle
When paranoia strikes me really hard I run Tails liveCD in VirtualBox, it automagically routes everything through TOR and virtually nothing goes to hdd, except probably swapping to disk.
https://github.com/morgante/spiped-docker/blob/master/readme...
I would do something like;
ssh -C -D 8080 -fN user@server.tld
Then it's as simple as setting your web connected applications to use the localhost proxy on port 8080.
That's exactly what the goal of this is. Except it avoids using SSH over the public network, since spiped is more reliable and also (I think) more trustworthy. One takeaway for me from the heartbleed bug is to place less trust in large, general-purpose C libraries. Compared to SSH, spiped is a comparatively much smaller codebase, maintained by the excellent cperciva.
[1] http://www.wired.com/2014/02/gotofail/
Ironically, living in the democracy of the United States would have yielded a similar situation (except remove "likely").
[0] https://github.com/morgante/spiped-docker/blob/master/Docker...
That's a big surprise. all your internet activity?!?! Even when I use curl/wget/IRC/netcat? Skype, xmpp, git, email client? As I understand SOCKS proxy will be used by web-browser only, am I wrong?