
Router sniffing addresses even though I'm using an openSSH SOCKS proxy

Mears

I have most of my applications set up to use a SOCKS proxy server that I run on my local computer. The SSH connection is to a server on a completely separate network reachable across the internet. I know that my apps are relying on the SOCKS proxy server, but my understanding is that the tunnel I create to the server should be an encrypted channel. However, my router keeps track of recent web sites visited and it's identifying sites I browse even though I'm using the secure tunnel. Does this make sense? I would expect all traffic to just look like SSH communication to the router.
 
Originally posted by: spidey07
So you think the URLs are encrypted?

I think the router should only see encrypted packets being sent to the offsite server where they are decrypted and forwarded to the appropriate website. i.e. the router should only see outbound data to the server I'm tunneling through. The only thing I can think of is that the router is monitoring inbound traffic to update that table.
 
Originally posted by: spidey07
Look deeper into layer 5.

Of what protocol? It still isn't going to answer my connection. I'm expecting the only connection from my computer to be the encrypted one to the server I am SSH'd to. There are people that use this technique to bypass corporate firewalls, so if my router is seeing my page visits, something doesn't seem right.
 
Originally posted by: Mears
Originally posted by: spidey07
Look deeper into layer 5.

Of what protocol? It still isn't going to answer my connection. I'm expecting the only connection from my computer to be the encrypted one to the server I am SSH'd to. There are people that use this technique to bypass corporate firewalls, so if my router is seeing my page visits, something doesn't seem right.

Everything seems right.

I'm the guy you are trying to bypass.
 
I have most of my applications set up to use a SOCKS proxy server that I run on my local computer. The SSH connection is to a server on a completely separate network reachable across the internet. I know that my apps are relying on the SOCKS proxy server, but my understanding is that the tunnel I create to the server should be an encrypted channel. However, my router keeps track of recent web sites visited and it's identifying sites I browse even though I'm using the secure tunnel. Does this make sense? I would expect all traffic to just look like SSH communication to the router.

If the router can see the URLs then the browsing isn't going through the SSH SOCKS proxy, break out a packet sniffer and verify that.
 
Originally posted by: spidey07
Originally posted by: Mears
Originally posted by: spidey07
Look deeper into layer 5.

Of what protocol? It still isn't going to answer my connection. I'm expecting the only connection from my computer to be the encrypted one to the server I am SSH'd to. There are people that use this technique to bypass corporate firewalls, so if my router is seeing my page visits, something doesn't seem right.

Everything seems right.

I'm the guy you are trying to bypass.

You're awful insightful. Actually, I'm trying to get this set up at home so I can encrypt traffic when I'm at wireless hotspots, but you probably already knew that.
 
Originally posted by: Nothinman
I have most of my applications set up to use a SOCKS proxy server that I run on my local computer. The SSH connection is to a server on a completely separate network reachable across the internet. I know that my apps are relying on the SOCKS proxy server, but my understanding is that the tunnel I create to the server should be an encrypted channel. However, my router keeps track of recent web sites visited and it's identifying sites I browse even though I'm using the secure tunnel. Does this make sense? I would expect all traffic to just look like SSH communication to the router.

If the router can see the URLs then the browsing isn't going through the SSH SOCKS proxy, break out a packet sniffer and verify that.

I know that the proxy server is being used because if I kill it, I can't browse. If I sniff packets using wireshark, DNS requests are in the clear and everything else is encrypted.
 
I think what spidey07 is alluding to, in his own wonderful way 🙂 is that DNS requests are still in the clear when using SSH Tunneling\Socks Proxy. Thus, your router knows exactly what pages you are requesting. I believe you can set up your SOCKS Proxy, however, to force the DNS lookups to occur on the remote end, rather than locally, which prevents your router or local machine from caching them.

After some googling, it appears that Firefox itself can force the DNS Lookups to be done remotely when using a SOCKS5 Proxy - see:

http://outflux.net/blog/archives/2006/12/07/paranoid-browsing-with-squid/

Please note, I am not an expert on this, just a very good googler (is that a word??)

Tim
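
Added example, not part of the original posts: the local-versus-remote DNS difference described above is visible in the SOCKS5 CONNECT request (RFC 1928) that the application hands to the local `ssh -D` listener. The function names and the sample destinations (`example.com`, `192.0.2.10`) are constructed for illustration.

```python
import ipaddress
import struct

# SOCKS5 address types (RFC 1928, section 4)
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def build_connect(dest: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request; an IP literal goes as an address, anything else as a name."""
    try:
        ip = ipaddress.ip_address(dest)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        name = dest.encode("ascii")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([0x05, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)

def classify_request(req: bytes) -> dict:
    """Parse a SOCKS5 request and report which side had to resolve the name."""
    if len(req) < 5 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        # Hostname is carried inside the tunnel; the far end does the lookup.
        addr_len, resolver = 1 + body[0], "remote"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        # Only an IP reaches the proxy: if the user asked for a hostname,
        # the lookup already happened locally, in the clear.
        addr_len, resolver = (4 if atyp == ATYP_IPV4 else 16), "local"
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    if len(body) < addr_len + 2:
        raise ValueError("truncated request")
    if atyp == ATYP_DOMAIN:
        host = body[1:addr_len].decode("ascii", "replace")
    else:
        host = str(ipaddress.ip_address(body[:addr_len]))
    (port,) = struct.unpack("!H", body[addr_len:addr_len + 2])
    return {"host": host, "port": port, "resolved_by": resolver}

# Constructed samples of what an application sends to the local listener.
REMOTE_DNS = build_connect("example.com", 443)   # name travels inside the SSH tunnel
LOCAL_DNS = build_connect("192.0.2.10", 443)     # app resolved the name before asking the proxy

if __name__ == "__main__":
    for label, req in (("remote DNS", REMOTE_DNS), ("local DNS", LOCAL_DNS)):
        print(label, req.hex(), classify_request(req))
```

Running the classifier over requests captured on loopback, between the application and the SOCKS listener, shows whether that application is one that leaks lookups to the local resolver.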
 
If the information that is needed to maneuver the Internet is encrypted, how should the Internet work?

If the Internet's traffic system can unencrypt your specific traffic, then where is the security?
 
I think what spidey07 is alluding to, in his own wonderful way is that DNS requests are still in the clear when using SSH Tunneling\Socks Proxy. Thus, your router knows exactly what pages you are requesting.

Actually it should know the hosts but not the specific pages within that host.

After some googling, it appears that Firefox itself can force the DNS Lookups to be done remotely when using a SOCKS5 Proxy - see:

Or use a full SSH VPN and pick a DNS server on the other side of the tunnel.
 