
Encrypting my Internet Traffic
shmoolie
Junior Member
Join Date: May 2002
Status: Offline
Jan 27, 2006, 09:05 PM
 
I'm concerned that the guy in charge of IT here can use tools to see what sites I visit and even pull account names and passwords via packet sniffing software. How can I encrypt my internet traffic from him? I have complete admin access on my Mac - OS X 10.4.4.

Note: I'm only concerned with blocking or spoofing or encrypting my traffic. I already know how to remove local traces (cookies, history, caches, etc.) on my Mac.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jan 27, 2006, 09:21 PM
 
Are you asking how to keep the network administrator on a work network from watching what you do? There may be ways, but it really is NOT YOUR NETWORK. I have serious ethical concerns about even pointing someone toward ways to screw around with other people's networks.

Really, are you worried about them grabbing account info or about them noticing that you're surfing instead of working? Most sites that require a login for anything serious use SSL security, so there's a session-level encrypted link between the computer you're using and the distant end; your IT guys CANNOT see that data.

Glenn -----OTR/L, MOT, Tx
     
shmoolie  (op)
Junior Member
Join Date: May 2002
Status: Offline
Jan 27, 2006, 09:23 PM
 
Originally Posted by ghporter
Are you asking how to keep the network administrator on a work network from watching what you do? There may be ways, but it really is NOT YOUR NETWORK. I have serious ethical concerns about even pointing someone toward ways to screw around with other people's networks.

Really, are you worried about them grabbing account info or about them noticing that you're surfing instead of working?
Well, you don't have to answer if you have concerns. The internet policy here is very liberal and we are allowed to use it for personal use. In fact I'm using my own personal laptop here. I'm concerned that he may be grabbing account info. And I'm not asking for help in screwing other people's networks. I'm asking if there's something I can install on MY computer here to mask my internet traffic info.
( Last edited by shmoolie; Jan 27, 2006 at 09:30 PM. )
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Status: Offline
Jan 27, 2006, 09:35 PM
 
If the sites you're logging into use SSL/HTTPS, then he can't steal your account info.

If the sites you're logging into use straight HTTP with plaintext passwords, they're functionally retarded and anyone upstream of you or the site can see your password.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jan 28, 2006, 12:02 PM
 
What mduell said; it's clearer than what I said. If I came off as hostile, I'm sorry, but I have been asked on many occasions to help foil the perfectly legitimate IT policies of more than a few workplaces. Recently I was asked by a high school student how he could get around the admin restrictions on the iBook the school issued him so he could install a chat program, and obviously do something other than school work at school. This tends to make one behave like everyone's motives are suspicious.

As Mark said, (restating my stuff) any site you log into that handles important information should have at least the login session encrypted by SSL and/or HTTPS protocols (I've seen a few that not only use BOTH but also require a plugin to allow authentication). If it's just a news site, for example, then you're not doing much more than saying "hey, it's me" so you may or may not have any security there.

The bottom line is that if it's cool with your company for you to surf via their network, and you've been paying at least a little attention to basic Internet security, you should be immune to anyone in your IT department sniffing anything important and useful from watching your traffic.

Glenn -----OTR/L, MOT, Tx
     
legacyb4
Mac Elite
Join Date: May 2001
Location: Vancouver
Status: Offline
Jan 28, 2006, 12:36 PM
 
Encryption requires that the sender and the recipient be involved in the process in order for it to work.

In the case of web surfing or webmail, that means that the remote server offers some method of encrypting traffic (SSL/TLS). However, while this encrypts the data being passed, it won't prevent your destination host from being logged on the network's DNS server and/or the firewall.

If you are sending e-mail and your mail server doesn't offer encrypted SMTP/POP/IMAP on the server, then consider using S/MIME or PGP to encrypt the contents of your actual mail message. This does require that the recipient of your messages also be configured similarly so they can decrypt the message.

If you are really paranoid about that, then a VPN to a remote destination (i.e. home router/server) then routing traffic through the remote network onwards to the Internet is your safest bet.

I'm not saying that you *should* try to circumvent your network's policy, but if you believe you are allowed to conduct the actions that you intend, then these are the basic ways to protect yourself.
Macbook (Black) C2D/250GB/3GB | G5/1.6 250GBx2/2.0GB
Free Mobile Ringtone & Games Uploader | Flickr | Twitter
     
shmoolie  (op)
Junior Member
Join Date: May 2002
Status: Offline
Jan 31, 2006, 12:22 AM
 
I think I'm asking a simple question but I'm getting answers that go off on tangents. I'm asking if there is any way for me to block/encrypt/mask from someone who has access to view the raw data as it streams. I guess it would have to be at a packet level, right? I am an IT administrator and have full privileges to do this but I am not familiar enough with the routing side to know if this is even possible. I simply want someone not to be able to read any traffic coming from my computer via web surfing.

The purpose of this is that I am working as a full-time contractor with my own laptop and I have to log on to other clients' websites during the day and I don't want the guy in charge here snooping and getting my client names.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jan 31, 2006, 12:30 PM
 
As legacyb4 says, you need the distant end to cooperate if you want to encrypt your traffic in both directions. Otherwise, anyone with access to the raw data will indeed be able to see everything. Of course if you use a VPN, that handles the "cooperation" issue. This means your other clients must have a VPN server running on their sites.

Really, that's not only the most secure way, it's the simplest way too. A VPN establishes an encrypted connection between YOUR COMPUTER, however it's connected, and the distant end. Many companies do this so their workers can log into private resources remotely.

Does that help?

Glenn -----OTR/L, MOT, Tx
     
shmoolie  (op)
Junior Member
Join Date: May 2002
Status: Offline
Jan 31, 2006, 01:34 PM
 
Originally Posted by ghporter
As legacyb4 says, you need the distant end to cooperate if you want to encrypt your traffic in both directions. Otherwise, anyone with access to the raw data will indeed be able to see everything. Of course if you use a VPN, that handles the "cooperation" issue. This means your other clients must have a VPN server running on their sites.
Using a VPN is not going to be possible.

So you're saying that there is no other way to make the packets coming from my computer when I am on the web show up as unreadable to anyone else here? Example: say I'm going to www.macnn.com and I want the packet info to show up so that no one can see where I'm going. There's no software I can install on my laptop (other than VPN software) that would mask that and would not require the other site to cooperate?
     
f1000
Professional Poster
Join Date: Jan 2003
Status: Offline
Jan 31, 2006, 01:42 PM
 
Originally Posted by shmoolie
The purpose of this is that I am working as a full-time contractor with my own laptop and I have to log on to other clients' websites during the day and I don't want the guy in charge here snooping and getting my client names.
When I'm traveling, I conduct my secure transactions over my GSM EDGE phone. As far as I know, using GSM is more secure than utilizing unsecured public Wi-Fi or Ethernet networks. I do my email, banking/trading, and anything else that might send a password or sensitive financial information over my cellphone. I realize that GSM+Bluetooth isn't entirely secure, but I am picking the lesser of two evils.

Look into EV-DO, UMTS, and EDGE.
     
Tomchu
Mac Elite
Join Date: Sep 2005
Status: Offline
Jan 31, 2006, 02:24 PM
 
This is possible, and decently easy. If you have a Mac at home on a broadband connection, you've got all you need. OS X comes with both Apache and SSH installed. It's possible if you have a Windows machine at home as well, but you'll need to download and install the Win32 versions of Apache and OpenSSH.

Mac-at-home instructions:

Start by editing the /etc/httpd/httpd.conf file. Enable the mod_proxy module (uncomment the two lines for LoadModule and AddModule). Paste this code somewhere in the config file:

<IfModule mod_proxy.c>
ProxyRequests On

<Directory proxy:*>
Order deny,allow
Deny from all
Allow from YOUR_WORK_IP_ADDRESS
</Directory>
</IfModule>

Also find the line that reads "Port 80". Change this to "Port 8080".

Save this. Start Apache (System Preferences -> Sharing -> Personal Web Sharing). You now have a proxy running on your Mac. :-)

Next up is SSH. Check off "Remote Login" in the Sharing panel. That's it.

Write down these IPs:
- Your home Mac's IP address. If it's in the form 192.X.X.X, then you are behind a router of sorts, and this is your LAN IP. Forward ports 22 and 8080 from the outside to your Mac now.
- If the above applies, also go to whatismyip.com and write that down. This is your WAN IP address.
- While at work, also go to whatismyip.com and write THAT down (this is what you would put in place of YOUR_WORK_IP_ADDRESS above).

Mac-at-work instructions:

When connected to your workplace's network, just fire up a Terminal, and type the following:

If behind a router at home:
ssh username@WAN_IP -L 8080:LAN_IP:8080

If not behind a router at home:
ssh username@WAN_IP -L 8080:WAN_IP:8080

The 'username' is your Mac OS X short username on your *home* Mac. Since this is the first time you're connecting to the SSH server from your computer, you will be asked about adding it to the known hosts list. Just type 'yes', and hit return. It'll then ask you for a password -- this is the password you use for your home Mac, for the corresponding username that you just typed in.

If all works out, then you've just established an encrypted "SSH tunnel" to your home Mac. :-)

Now all you have to do is go into the Network preference pane, click Proxies, check off Web Proxy, and type "localhost" into the Server field, and 8080 into the Port field. Click apply. Open Safari. Go to whatismyip.com. You should see it reporting your home WAN IP.

The illustration of how this works looks like the following:

Work computer + Safari --> (connects to self as proxy server on port 8080) --> SSH takes local connections on port 8080 --> SSH forwards local connections on 8080 to "local" connections on SSH server at your home, over an encrypted tunnel --> Computer at home is running an Apache proxy server on port 8080, accepts connection from the SSH tunnel --> Fetches site you requested, sends it all back to your work computer.

It's a bit of a complex topic, but I'm sure others here can explain it better.

Anyway, once all of that is set up, all you need to do from now on is to run that ssh command whenever you go into work, and check off Web Proxy in the Proxies tab. Uncheck it when you leave. If you want to quit the SSH tunnel session running in your Terminal, just type "exit", but remember that that will also kill the proxy connection.
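A check worth running on the home Mac before forwarding port 8080 from the outside, as an added example that is not part of Tomchu's post: it parses the <Directory proxy:*> block above and reports whether "ProxyRequests On" would answer to anyone besides the work address, which is what separates a private tunnel endpoint from an open proxy. The addresses in it are constructed placeholders, and it models only the Apache 1.3 Order/Deny/Allow forms "all", single IPs and CIDR ranges.

```python
# Added example (not the original poster's code): audit the <Directory proxy:*>
# block of an Apache 1.3 httpd.conf and say whether "ProxyRequests On" would serve
# anyone besides the work address. Models Apache 1.3 Order/Deny/Allow for "all",
# single IPs and CIDR ranges only; all addresses below are constructed TEST-NET values.
import ipaddress
import re

def parse_proxy_block(conf: str) -> dict:
    proxy_on = re.search(r"^\s*ProxyRequests\s+On\b", conf, re.M | re.I) is not None
    rules = {"order": "deny,allow", "deny": [], "allow": []}  # Apache 1.3 default Order
    m = re.search(r"<Directory\s+proxy:\*>(.*?)</Directory>", conf, re.S | re.I)
    if m:
        for line in m.group(1).splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0].lower() == "order":
                rules["order"] = parts[1].lower()
            elif len(parts) >= 3 and parts[1].lower() == "from" and parts[0].lower() in ("deny", "allow"):
                rules[parts[0].lower()].extend(parts[2:])
    return {"proxy_on": proxy_on, "rules": rules}

def _matches(spec: str, client_ip: str) -> bool:
    if spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostname or partial-IP spec: not modelled here

def is_allowed(rules: dict, client_ip: str) -> bool:
    # Apache 1.3 Order semantics applied to one client address.
    denied = any(_matches(s, client_ip) for s in rules["deny"])
    allowed = any(_matches(s, client_ip) for s in rules["allow"])
    if rules["order"] == "allow,deny":
        return allowed and not denied  # default deny; a matching Deny wins
    return allowed or not denied       # deny,allow: default allow; a matching Allow wins

def audit(conf: str, work_ip: str, probe_ip: str = "203.0.113.77") -> dict:
    # probe_ip stands in for an arbitrary Internet client (constructed address).
    info = parse_proxy_block(conf)
    return {
        "proxy_on": info["proxy_on"],
        "work_ip_allowed": is_allowed(info["rules"], work_ip),
        "open_proxy": info["proxy_on"] and is_allowed(info["rules"], probe_ip),
    }

# The block from the post, with a constructed work address filled in.
RESTRICTED_CONF = """<IfModule mod_proxy.c>
ProxyRequests On
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from 198.51.100.10
</Directory>
</IfModule>
"""
# Same block with "Deny from all" forgotten: Order deny,allow defaults to allow, so it is open.
OPEN_CONF = RESTRICTED_CONF.replace("Deny from all\n", "")
```

Run `audit(open("/etc/httpd/httpd.conf").read(), "<your work IP>")` on the home Mac; an `open_proxy` of True means anyone who can reach port 8080 can relay through your connection.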
     
f1000
Professional Poster
Join Date: Jan 2003
Status: Offline
Jan 31, 2006, 02:49 PM
 
Hmm, that's a pretty nifty idea Tom.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jan 31, 2006, 07:36 PM
 
Tomchu's suggestion is great. This both encrypts your traffic AND proxies the traffic so that it goes to the intended destination in the clear. I hadn't thought of this because you said VPN wasn't a player and SSH tunneling is a form of VPN.

No, that's not true; I never even thought of SSH tunneling. It IS a form of a VPN, sort of, but I just plain didn't think of it.

Now it seems that all you have to do is some setup and make your home computer accessible from the outside, and with Tom's steps you should be in business. Literally!

Glenn -----OTR/L, MOT, Tx
     
shmoolie  (op)
Junior Member
Join Date: May 2002
Status: Offline
Feb 1, 2006, 05:43 PM
 
Originally Posted by Tomchu
This is possible, and decently easy. If you have a Mac at home on a broadband connection, you've got all you've need. OS X comes with both Apache and SSH installed. It's possible if you have a Windows machine at home as well, but you'll need to download and install the Win32 versions of Apache and OpenSSH.
Excellent advice! This is what I was looking for when I posted here. I'm going to give this a try.

Thanks.
     