2005-12-22

Secure Tunnels

A big thing in the computer security spotlight right now is secure communications between a trusted network (your home, your office), and a remote system (your laptop, your laptop using a Starbucks free wi-fi access point).

I hope this won't surprise any of you out there, but when you check your Hotmail over an unsecured wi-fi connection, everybody around you can potentially read your mail. Your wireless network card is basically a big radio transceiver, sending and receiving ones and zeroes. And malicious people can pretty much use their own computers as a sort of police scanner, literally eavesdropping on conversations they shouldn't be listening to.

Encrypting your traffic with IPsec or an SSH tunnel is one way to protect yourself. Eavesdroppers can still peek in on your ones and zeroes, but they won't have any kind of meaning to someone who isn't on either end of the connection. Hence the term "SSH tunnel". It's plaintext on your client, and it's plaintext on the remote system, but it's totally gibberish at every point in between.

I don't see the problem with VPNs. VPNs are easy. Remember kids, you can't spell "SSH tunnel" without "ssh -TNL". But tunneling is apparently not enough for some people, because SSH tunnels aren't a true VPN so much as they are a secure port forwarding mechanism, which is true. You aren't connecting securely to "imap://your.isp:143/". You're connecting insecurely to "imap://localhost:1143", which SSH then intercepts and redirects to your.isp:143 via some intermediate system of your choosing over port 22.
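As an added example (not from the original post), here is the "ssh -TNL" setup just described, wrapped in a small shell function. It assumes a placeholder jump host named jump.example.org and the same your.isp:143 / localhost:1143 pair as above; the one caveat it enforces is that the plaintext listener on the laptop must stay bound to loopback, since binding it to all interfaces (or passing -g) would let everyone else on that free wi-fi use the tunnel.

```shell
#!/bin/sh
# Builds the ssh -TNL command line for a local port forward and refuses
# a bind address that would expose the plaintext leg to the local LAN.
# Host names and ports are placeholders, not real infrastructure.

# usage: tunnel_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT JUMP_HOST [BIND_ADDR]
tunnel_cmd() {
    local_port=$1; remote_host=$2; remote_port=$3; jump_host=$4
    bind_addr=${5:-127.0.0.1}

    # The listener on the client side is cleartext. Anything other than
    # loopback (or the -g flag) makes it reachable from the coffee-shop
    # network, which is exactly what the tunnel was meant to prevent.
    case "$bind_addr" in
        127.0.0.1|localhost|::1) ;;
        *) echo "refusing non-loopback bind address: $bind_addr" >&2; return 1 ;;
    esac

    # -T: no pty, -N: no remote command, -L: local forward.
    # ExitOnForwardFailure=yes makes ssh exit rather than silently run with
    # no forward; StrictHostKeyChecking=yes rejects an unknown or changed
    # jump-host key instead of prompting, so a spoofed jump host cannot be
    # accepted by reflex.
    printf 'ssh -T -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -L %s:%s:%s:%s %s\n' \
        "$bind_addr" "$local_port" "$remote_host" "$remote_port" "$jump_host"
}

# Example: run the output of this, then point the mail client at
# imap://localhost:1143 instead of imap://your.isp:143.
tunnel_cmd 1143 your.isp 143 jump.example.org
```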

It's all quite complicated under the hood, even if you just use "ssh -TNL" to set it all up. This is why I'm excited to hear about the new features in OpenSSH 4.3, which is promising to establish "true" VPN connectivity, whatever that may mean. Kevin Devin is excited too, or so he says over at In the Trenches, where he points to Steve Gibson's recent review of a turn-key VPN application called Hamachi.

I'm just going to stick with SSH tunnels until OpenSSH 4.3 comes out, thankyouverymuch. It should be interesting.
