<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>[blog.rayfoo] &#187; wifi</title>
	<atom:link href="http://blog.rayfoo.info/tag/wifi/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.rayfoo.info</link>
	<description>Infosec, DFIR, tech geekery, thoughts and whatnot</description>
	<lastBuildDate>Wed, 25 Jan 2012 00:36:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>SecureMe so far&#8230;</title>
		<link>http://blog.rayfoo.info/2010/02/secureme-so-far</link>
		<comments>http://blog.rayfoo.info/2010/02/secureme-so-far#comments</comments>
		<pubDate>Sun, 21 Feb 2010 09:16:07 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Everything]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Downloads]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[Google Chrome]]></category>
		<category><![CDATA[OpenVPN]]></category>
		<category><![CDATA[proxy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[wifi]]></category>

		<guid isPermaLink="false">http://blog.rayfoo.info/?p=436</guid>
		<description><![CDATA[Have been using my VPN + proxy + dns resolver combination (or the so-called SecureMe project) for a while to date, and it has served me pretty well so far. I primarily use this at public wifi hotspots like Wireless@SG, where the network is not trusted.  Of course this could be extended to apply in [...]]]></description>
			<content:encoded><![CDATA[<p>Have been using my VPN + proxy + dns resolver combination (or the so-called <a href="http://blog.rayfoo.info/tag/secureme">SecureMe</a> project) for a while to date, and it has served me pretty well so far. I primarily use this at public wifi hotspots like <a href="http://en.wikipedia.org/wiki/Wireless@SG">Wireless@SG</a>, where the network is not trusted.  Of course this could be extended to apply in networks which aren't necessarily private or trusted, which works very well for people running in paranoia mode (like me).</p>
<p>A short review on the different parts of this system so far...</p>
<p><span id="more-436"></span></p>
<h2>1. Automatic starting</h2>
<p>The <a href="http://en.wikipedia.org/wiki/OpenVPN">OpenVPN</a> client installed can be made to autostart and run as a background service, (re-)connecting to the VPN automatically whenever there's network connectivity to the OpenVPN server.  Coupled with automatic configuration of the client's DNS resolver list this allows for automatic protection/privacy of the DNS queries sent out.  The automatic configuration of the DNS resolver can be disabled too if need be.</p>
<h2>2. Ease of use</h2>
<p>Connecting to the proxy afterward is a "simple" proxy configuration change in the browser of choice.  This can be conveniently done (and undone) with extensions like <a href="https://chrome.google.com/extensions/detail/caehdcpeofiiigpdhbabniblemipncjj">Proxy Switchy!</a> for Google Chrome, or <a href="http://foxyproxy.mozdev.org/">FoxyProxy</a> for Firefox.</p>
<h2>3. Initial setup efforts needed</h2>
<p>All this is working nice and dandy for me now, with little inconvenience involved in activating SecureMe. Now one of the problems faced in making this user-friendly/"idiot-proof" would be the high setup efforts needed (really plenty of hoops to jump through, especially for the not-so-technically-inclined user).  One way would be to come up with some sort of "portable" package that has been preconfigured as much as possible, or an installer that helps you to do most of the work.</p>
<h2>4. DNS requests leakage</h2>
<p>Another issue is the small possibility of DNS request leaks.  For example, the behaviour of the OpenVPN client in Linux is to add the DNS resolver at the top of the resolver list (/etc/resolv.conf), but if the DNS query is deemed to take "too long", the request goes out to the next DNS resolver in the list, which usually is the DNS resolver for the public wifi hotspot.  Though this won't cause things to break, it does allow some queries to go out in the open network.  One of the ways I know of to solve this would be to configure a SOCKS proxy, so that it would be possible for browsers like Firefox to <a href="http://kb.mozillazine.org/Network.proxy.socks_remote_dns">send all DNS queries to the SOCKS proxy</a>.</p>
<h2>Conclusion:</h2>
<p>This seems to be working well so far, with Linode's rare downtime the past months.  More work could be done to make this simpler for others to set up, but I guess I will only do this sparingly in my free time.  No one seems to be geeky/interested enough to want to have this available to them for free so far, heh.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.rayfoo.info/2010/02/secureme-so-far/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Project: SecureMe</title>
		<link>http://blog.rayfoo.info/2009/11/project-secureme</link>
		<comments>http://blog.rayfoo.info/2009/11/project-secureme#comments</comments>
		<pubDate>Fri, 20 Nov 2009 18:33:46 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Everything]]></category>
		<category><![CDATA[Downloads]]></category>
		<category><![CDATA[project]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[wifi]]></category>

		<guid isPermaLink="false">http://blog.rayfoo.info/?p=369</guid>
		<description><![CDATA[Will start to write some posts on how to get things up and running with the project that I mentioned last week, thanks for the wait. In order for everyone to be on the same page, let's call this project "SecureMe", hopefully this would increase the basic protection you'd get when surfing from a public [...]]]></description>
			<content:encoded><![CDATA[<p>Will start to write some posts on how to get things up and running with the project that I <a href="http://blog.rayfoo.info/2009/11/15/new-project-coming-up">mentioned</a> last week, thanks for the wait.</p>
<p>In order for everyone to be on the same page, let's call this project "SecureMe", hopefully this would increase the basic protection you'd get when surfing from a public hotspot.</p>
<p>I can't (and won't) guarantee that you will be 100% safe from all those bad guys out there, but with this it would make it a lot harder for any Tom, Dick or Harry to sit down in the same cafe/MacDonalds/BK/your-favourite-hangout-place and start looking into your Facebook account and whatnot.</p>
<p>If your machine has been compromised with a virus/malware/adware/botnet, all bets are off.  This would require a cleanup before you can trust what your machine does (unfortunately).</p>
<p>This is a simple VPN tunnel + HTTP proxy + DNS resolver, so that your traffic will not be modified, or listened to by the fellows mentioned above.  As such, no anti-virus screening/protections for now.  One thing that might help is that I'm using OpenDNS to help resolve the DNS queries, and it automatically comes with a certain amount of protection against phishing sites <img src='http://blog.rayfoo.info/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>You won't be totally anonymous with this service: I won't hesitate to turn over information if you have been found to be using this service to do nefarious deeds against other people/servers, or if you use it to access stuff that's illegal anyway.</p>
<p>I'll be using this project to learn, so I will need to keep some logs for my own analysis and accountability (see above).  But I will not use this to infringe on your privacy (duh!), not as if I'd want to anyway. <img src='http://blog.rayfoo.info/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p>Lastly, though this is workable, it's not perfect yet.  I'll be changing things here and there from time to time if needed to improve this service, so no promises that you won't ever have to change anything ok?  It's a free(/donor) service anyway, so no one has to be obliged, ok? <img src='http://blog.rayfoo.info/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Hope this helps you whoever you are, and pleaseeee do give me feedback ok?  Have fun!</p>
<p>PS: Signups are still available for now, for those who wish to help trial this free service <img src='http://blog.rayfoo.info/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://blog.rayfoo.info/2009/11/project-secureme/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New project coming up</title>
		<link>http://blog.rayfoo.info/2009/11/new-project-coming-up</link>
		<comments>http://blog.rayfoo.info/2009/11/new-project-coming-up#comments</comments>
		<pubDate>Sun, 15 Nov 2009 14:48:56 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Everything]]></category>
		<category><![CDATA[project]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[wifi]]></category>

		<guid isPermaLink="false">http://blog.rayfoo.info/?p=348</guid>
		<description><![CDATA[Going to provide a trial run of a free (/donor-ware) service for people pretty soon, which is targeted at those who have to access the internet via public wifi hotspots. Using a combination of easily available/open-source/free tools, it would provide pretty good basic protection against network sniffers/attackers for these folks. Why free/donor-ware?  I'm not looking [...]]]></description>
			<content:encoded><![CDATA[<p>Going to provide a trial run of a free (/donor-ware) service for people pretty soon, which is targeted at those who have to access the internet via public wifi hotspots.</p>
<p>Using a combination of easily available/open-source/free tools, it would provide pretty good basic protection against network sniffers/attackers for these folks.</p>
<p>Why free/donor-ware?  I'm not looking to earn big bucks (if at all) out of this, probably just enough to cover the running costs would be nice.  And this project would be more of a learning experience for me rather than a business opportunity.</p>
<p>More details to be released soon, thanks to those who've responded to my initial call for trial helpers!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.rayfoo.info/2009/11/new-project-coming-up/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Changing internal network IP address range</title>
		<link>http://blog.rayfoo.info/2009/10/changing-internal-network-ip-address-range</link>
		<comments>http://blog.rayfoo.info/2009/10/changing-internal-network-ip-address-range#comments</comments>
		<pubDate>Tue, 13 Oct 2009 18:20:59 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Everything]]></category>
		<category><![CDATA[CSRF]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[DHCP]]></category>
		<category><![CDATA[GNUCITIZEN]]></category>
		<category><![CDATA[migration]]></category>
		<category><![CDATA[router]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[thoughts]]></category>
		<category><![CDATA[wifi]]></category>

		<guid isPermaLink="false">http://blog.rayfoo.info/?p=258</guid>
		<description><![CDATA[Finally gotten my lazy busy ass down to implementing some of those stuff that I've always wanted to (like they say: eat your own dog food). For tonight it was the changing and limiting of the DHCP address range served by my router to be a non-standard one (i.e. not in the 192.168.1.0/24 range), as [...]]]></description>
			<content:encoded><![CDATA[<p>Finally gotten my <del datetime="2009-10-13T18:10:47+00:00">lazy</del> busy ass down to implementing some of those stuff that I've always wanted to (like they say: eat your own dog food).</p>
<p>For tonight it was the changing and limiting of the DHCP address range served by my router to be a non-standard one (i.e. not in the 192.168.1.0/24 range), as one of the defences against <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF</a> attacks against the router.</p>
<p>The change turned out not to be as smooth as I thought it would be, even though I had very few devices in the network as compared to an office one.  Would keep this in mind as I think about/recommend this to others.</p>
<p>Additional reading on the topic of CSRFing home routers, for those who're interested:<br />
<a href="http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/">GNUCITIZEN: BT HOME FLUB: PWNIN THE BT HOME HUB</a><br />
<a href="http://www.gnucitizen.org/blog/router-hacking-challenge/">GNUCITIZEN: ROUTER HACKING CHALLENGE</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.rayfoo.info/2009/10/changing-internal-network-ip-address-range/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

