23 comments

[ 4.3 ms ] story [ 57.1 ms ] thread
I don't understand what advantage this has over just doing: ssh -D8080 username@server.name

Also does spiped natively act as a socks proxy? I was under the impression all it did was handle an encrypted stream of data from one socket to another.

does spiped natively act as a socks proxy

No, it manages an arbitrary number of streams of encrypted data, but all it does is push bits (and encrypt/decrypt, of course).

> I don't understand what advantage this has over just doing: ssh -D8080 username@server.name

I used to do precisely that, but I think spiped has two major advantages:

1. It is more resilient on a flaky connection.

2. I trust the security of its codebase more than SSH, both due to its smaller footprint and cperciva's reputation.

From the article:

> In my experience, the spiped tunnel is highly reliable and recovers more gracefully than a standard SSH tunnel.

I've never had an issue with ssh -D though

As for why not the simple `ssh -D` the author states:

  In my experience, the spiped tunnel is highly reliable and
  recovers more gracefully than a standard SSH tunnel.
Why use the -f switch:

  -f Use fast/weak handshaking: This reduces the CPU time spent in the
     initial connection setup, at the expense of losing perfect forward
     secrecy.
Maybe he wants perfect forward secrecy?

EDIT: I read the question backwards.

I thought adding `-f` meant that you lost PFS?
Oops, I read the question backwards. In that case, maybe because he wants higher performance? ;-)
Wouldn't -C (compression) help to speed an ssh connection?
Good catch. I'd been using the -f flag while troubleshooting (to speed up the initial connection), but have removed it now.
Maybe I'm missing something here...

On my FreeBSD and Linux systems, the ssh -f parameter sends the process to the background, and the -N prevents remote command execution.

He's talking about the -f option to spiped.
Are there any advantages over something like sshuttle? [0]

Doing sshuttle --dns 0/0 seems more convinient especially since a regular sshd on my box is all I need, no additional software. And it instantly tunnels all my traffic, no need to configure socks proxies. It also avoids TCP-over-TCP which it seems like you're doing?

[0] https://github.com/apenwarr/sshuttle

Probably the most convenient tunnelling tool I've ever used.

When paranoia strikes me really hard I run Tails liveCD in VirtualBox, it automagically routes everything through TOR and virtually nothing goes to hdd, except probably swapping to disk.

From the link to the OpenSSL vulnerability;

  Unfortunately, there's nothing users can do to protect themselves
Um, how about a VPN, or ssh with dynamic forwarding?

I would do something like;

ssh -C -D 8080 -fN user@server.tld

Then it's as simple as setting your web connected applications to use the localhost proxy on port 8080.

> Um, how about a VPN, or ssh with dynamic forwarding?

That's exactly what the goal of this is. Except it avoids using SSH over the public network, since spiped is more reliable and also (I think) more trustworthy. One takeaway for me from the heartbleed bug is to place less trust in large, general-purpose C libraries. Compared to SSH, spiped is a comparatively much smaller codebase, maintained by the excellent cperciva.

I know Colin likes to keep commenting that the simplicity of spiped makes it inherently more secure than more complex alternatives. I haven't evaluated the code, nor done a study to see if the number of lines of code always correlates to number of security holes, or if the complexity of the operations compared to the number of lines is related to the number of security holes, and what the bounds of that are. But I just took a brief look at one file and saw this:

  /* Generate a 32-byte connection nonce. */
  if (crypto_entropy_read(H->nonce_local, 32))
           goto err1;

  /* Send our nonce. */
  if ((H->write_cookie = network_write(s, H->nonce_local, 32, 32, 
       callback_nonce_write, H)) == NULL)
           goto err1;

  /* Read the other party's nonce. */
  if ((H->read_cookie = network_read(s, H->nonce_remote, 32, 32,
       callback_nonce_read, H)) == NULL)
           goto err2;
The gotos themselves aren't harmful (even though I don't get why people still use gotos). What strikes me as really funny about this code is its over-simplicity is what caused a huge crypto bug to be missed in Apple's iOS 7 recently. Take a look at the above code and then this security hole[1], and tell me if you can't spot a potential problem.

[1] http://www.wired.com/2014/02/gotofail/

> As an American living in a Middle Eastern monarchy, multiple government agencies are likely monitoring my internet traffic

Ironically, living in the democracy of the United States would have yielded a similar situation (except remove "likely").

> In System Preferences, configure your network to connect to a SOCKS proxy at localhost:8089. Now all your internet activity is securely routed through your server.

That's a big surprise. all your internet activity?!?! Even when I use curl/wget/IRC/netcat? Skype, xmpp, git, email client? As I understand SOCKS proxy will be used by web-browser only, am I wrong?