Open source software security

Chrome Clobbers Local Proxy

4 February 2011
In today's age of open wifi hotspots and untrusted guest networks it is nice to have a way to protect your communications from snooping eyes. Luckily, it is quite easy to jump on any network connection and still maintain security (even if the connection is over an untrusted or unencrypted network). The solution is to use a Secure Shell (SSH) server and tunnel all of your traffic over SSH. This allows you to connect to any network, then send all your communications over an encrypted connection to an endpoint on a trusted network and then on to your destination. The easiest way to set up such a tunnel on Linux is to use the command line SSH client program with the '-D' flag like so:
$ ssh -D 8080 user@target.ssh.server
This sets up a local proxy that forwards connections to the target server over SSH. Once you have established a connection, you can change your browser proxy settings so that it uses the SOCKS proxy 'localhost' on port 8080 (as specified in the -D flag during the connection). This allows you to surf the web while protecting all communication between your machine and the SSH server.

Sadly, Google Chrome has some issues with this setup. You can easily set Chrome to use your proxy settings by opening your Preferences, then clicking the 'Under the Hood' tab and then the 'Change proxy settings' button. This opens a new dialogue window where you can select 'Manual proxy configuration' and input your SOCKS host and port. The problem is that changing this setting will unexpectedly update your Gnome network configuration settings. If you check your ~/.gconf/system/proxy/%gconf.xml file after updating Chrome, you'll see that your Gnome proxy settings have changed. This will cause any other client program on your machine (Thunderbird, Firefox, Pidgin, etc.) that is configured to use your system proxy settings to use the localhost SOCKS proxy. This is optimal if you're using the proxy for all your services, but it becomes problematic if you later change locations, end the SSH connection, or attempt to use a client in a situation where you don't want to use the proxy.

It is quite easy to fix this issue simply by resetting your Gnome network settings. In the Gnome menu, click 'System' -> 'Preferences' -> 'Network Proxy' to open the Gnome Network Proxy Preferences. You can then "reset" your settings by clicking the 'Direct internet connection' radio button. A more effective use of the proxy is probably to set up a 'New Location' in the Network Proxy Preferences to use the local SOCKS proxy. A new location called 'untrusted net' or similar makes it easy to change all your system settings at once, to ensure private connections.

Being aware, however, that Chrome alters this setting is extremely useful for troubleshooting networking issues after using an SSH proxy (for instance, connection failure messages in your IM client). Using a proxy will also slow your connections so you may want to use it selectively (say for web browsing, but not for an email client that connects over an encrypted channel).
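
One way to automate the troubleshooting check described above, as an added example that is not part of the original post: it parses the Gnome proxy file and reports whether the system-wide SOCKS setting points at a port nothing is listening on. The sample XML is constructed, its layout is an assumption about GConf's XML backend, and the function names are hypothetical.

```python
"""Added example: spot a leftover Gnome SOCKS proxy setting with no tunnel behind it."""
import socket
import xml.etree.ElementTree as ET

# Constructed sample of ~/.gconf/system/proxy/%gconf.xml after Chrome's proxy
# dialog was used (layout assumed from GConf's XML backend; mtimes are made up).
SAMPLE_GCONF = """<?xml version="1.0"?>
<gconf>
  <entry name="socks_port" mtime="1296800000" type="int" value="8080"/>
  <entry name="socks_host" mtime="1296800000" type="string">
    <stringvalue>localhost</stringvalue>
  </entry>
  <entry name="mode" mtime="1296800000" type="string">
    <stringvalue>manual</stringvalue>
  </entry>
</gconf>
"""

def read_proxy_settings(xml_text):
    """Return {name: value} for every entry in a GConf directory file."""
    settings = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        value = entry.get("value")          # ints and bools are stored as attributes
        if value is None:                   # strings are stored in a child element
            value = (entry.findtext("stringvalue") or "").strip()
        settings[entry.get("name")] = value
    return settings

def port_is_open(host, port, timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(xml_text, probe=port_is_open):
    """Classify the settings as 'no-socks-proxy', 'proxy-ok' or 'stale-proxy'."""
    s = read_proxy_settings(xml_text)
    if s.get("mode", "none") != "manual" or not s.get("socks_host"):
        return "no-socks-proxy"
    port = int(s.get("socks_port") or 0)
    # A manual SOCKS proxy with no listener means every client that follows the
    # system settings will fail to connect until the proxy is reset to direct.
    return "proxy-ok" if port and probe(s["socks_host"], port) else "stale-proxy"

if __name__ == "__main__":
    print(audit(SAMPLE_GCONF))
```

A 'stale-proxy' result means the SSH tunnel is gone but the system settings still point at it, which is the state that produces the connection failures mentioned above.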