HOW TO: Securely access your webmail using SSH tunnels
I came across a number of situations where I needed to access my business e-mail from an insecure environment. I am talking about conferences, exhibitions, as well as airports and open WLAN hotspots. The majority of free e-mail providers, such as Google GMail and Yahoo!, have options to log in over an https connection using secure sockets layer (SSL) or transport layer security (TLS). However, in my case, a couple of business mailboxes can only be accessed via a webmail interface that doesn't offer any kind of encryption. The solution is pretty simple - create your own SSH tunnel.
SSH Tunnel Manager is a free Mac OS X application that lets you set up, with a few clicks, a secure connection from your computer to your mail server. We are trying to create this kind of interaction:
When using a public network, the main potential security risk is that your interactions can be sniffed by an attacker. In this case, we will create an encrypted connection from our notebook, over a public WLAN network, to a remote server. This should be a trusted server where you have an SSH account. I am emphasizing that it must be a trusted server because the connection from that point to the mail server isn't encrypted. Using an SSH tunnel in this scenario isn't a foolproof, 100% secure solution, but it takes care of the most problematic part of the transfer - getting your traffic safely across the insecure public wireless network.
Step 1: Download and setup the software
SSH Tunnel Manager can be downloaded from Tynsoe.org. The current stable version is 1.0.3. I came across a number of bugs while trying to get the best out of this software, but if you are using it for the purpose this article is about, you don't have to worry about them.

In the connection setup part of the screen you need to fill in a profile name, as well as the SSH username and the address of the trusted server. This username hasn't got anything to do with your e-mail username; we are just setting up a tunnel over which you will access your webmail. The next important thing is to set up a local port, the address of your webmail server and the remote port (usually port 80, as this is the default port for a web server). After setting up these things, just hit "Apply".
Step 2: Start the tunnel
If the following window doesn't pop up automatically, close and reopen SSH Tunnel Manager. Choose your tunnel profile (I have three of them) and hit Start.

If this is the first time you are connecting with SSH to the remote server, the software will alert you that you need to accept the remote host key. Just type in "yes". If you have already connected to the server before (usually with some kind of Secure FTP client or an SSH command line utility), you will just need to enter your password. If everything is OK, the previous window will refresh with a green dot just in front of your profile name.

Step 3: Access the webmail
Now you can access your webmail over a local address and port number.

The point of this SSH tunnel is that when you access http://localhost:2222, the request travels encrypted to the trusted server, which then connects to http://e-mail.nonstopmac.com on your behalf. By doing this you are bypassing any potential attackers that are sniffing the public network your notebook is connected to.
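The same three steps can be scripted with the stock OpenSSH client instead of SSH Tunnel Manager. The script below is an added example, not code from the article or from SSH Tunnel Manager; the host names, the username and the port are placeholders you would replace with your own. It builds the local forward from the same three values the article asks for (local port, webmail address, remote port), binds the listening port to 127.0.0.1 only so that other users of the hotspot cannot reach your tunnel, and makes ssh fail loudly if the forward cannot be set up instead of silently leaving you without it.

```shell
#!/bin/sh
# Added example: open the article's webmail tunnel from the command line.
# All names below are placeholders (assumptions), not values from the article.
LOCAL_PORT=2222
WEBMAIL_HOST=mail.example.invalid     # address of the unencrypted webmail server
WEBMAIL_PORT=80                       # remote port; 80 is the default for a web server
TRUSTED_HOST=trusted.example.invalid  # the server you trust and have an SSH account on
SSH_USER=alice                        # your SSH login there, not your e-mail username

# Build the -L specification. Binding explicitly to 127.0.0.1 keeps the listener
# off the wireless interface; only programs on this notebook can use the tunnel.
forward_spec() {
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# Accept only an unprivileged, in-range local port (1024-65535, digits only).
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Start the tunnel in the background.
#   -N  no remote command, we only want the port forward
#   -f  go to the background once authentication (and host-key check) is done
#   -C  compress the tunnelled traffic
#   ExitOnForwardFailure=yes  abort instead of running without the forward
start_tunnel() {
    valid_local_port "$LOCAL_PORT" || { echo "bad local port: $LOCAL_PORT" >&2; return 1; }
    ssh -f -N -C \
        -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$LOCAL_PORT" "$WEBMAIL_HOST" "$WEBMAIL_PORT")" \
        "$SSH_USER@$TRUSTED_HOST"
}

# Step 3 check: is something answering on the local end of the tunnel?
verify_tunnel() {
    curl -sS --max-time 5 -o /dev/null "http://127.0.0.1:$LOCAL_PORT/"
}

# Only act when invoked with --run, so the functions above can also be sourced.
if [ "${1:-}" = "--run" ]; then
    start_tunnel && verify_tunnel && echo "Tunnel up: browse to http://127.0.0.1:$LOCAL_PORT/"
fi
```

Run it as `sh tunnel.sh --run`; the first connection will still prompt you to accept the trusted server's host key, exactly as the article describes for step 2. Note that nothing here changes the article's caveat: the hop from the trusted server to the webmail server remains plain http.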

Comments
Simple and to the point, my fave articles.
Posted by: XIII | May 29, 2006 11:22 PM
For Windows I found a very simple and secure encryption solution called "iPig" (http://www.iopus.com/ipig). Does anybody know if a similar tool exists for the Mac?
Posted by: Frank Groete | May 30, 2006 10:36 AM
You can buy a SSL certificate (trusted by 99% of all OS/browsers) for less than $50,00. Saves you the trouble of getting to know SSH.
The Webmail-via-SSH option is nice for freaks who want to show off. Implementing it alone costs more than $50,00 in labour (don't forget the maintenance on the SSH server etc.)
Posted by: Willem | May 30, 2006 02:10 PM
@Willem - buying an SSL certificate is OK, but in the majority of cases (especially SOHO businesses) mail servers are located co-hosted on hosting providers and you don't have any access on setting up SSL certificates there.
Posted by: Berislav | May 30, 2006 05:05 PM
@Berislav - In that case the hosting provider sucks, and it's time to move to a different provider. Even the basic ISPs in Holland provide https (webmail), secure smtp and secure pop3 for their users.
And if you are suspicious of eavesdropping / corporate espionage etc. you shouldn't host your mail etc. at a hosting provider who doesn't know the term security.
Posted by: Willem | May 30, 2006 08:47 PM
You can do this from the command line using ssh, no software to download.
For example
ssh -f -N -C -L 2222:dns-name-of-mail-server-here:80
Which I believe will do the same thing as the example in this article.
In my case I have multiple tunnels set up with a single ssh command, and authentication via keys, with my keys loaded using sshkeychain.
Posted by: Chad Stewart | May 31, 2006 02:28 AM
I forgot, you must include the name of the trusted server:
ssh -f -N -C -L 2222:dns-name-of-mail-server-here:80 Name-of-Trusted-Server
Posted by: Chad Stewart | May 31, 2006 02:30 AM
personalVPN is an easily installed SSL VPN for $39.99 a year http://www.witopia.net
Posted by: VPN Lover | September 10, 2006 08:47 AM
WiTopia's personalVPN is an easily installed SSL VPN for Windows, Mac or Linux for $39.99 a year, available here: http://www.witopia.net
Posted by: VPN Guy | September 10, 2006 08:50 AM
Thanks for all comments.
JACK - http://www.chinabboss.com
Posted by: JACK | March 3, 2007 04:35 AM
Nice work!
Posted by: David Mendez | May 17, 2007 10:43 PM
Thanks, you have a good website.
JACK - www.made-in-china.com/showroom/sgtoothbrush
Posted by: JACK | July 23, 2007 03:05 AM