I know Colin likes to keep commenting that the simplicity of spiped makes it inherently more secure than more complex alternatives. I haven't evaluated the code, nor done a study to see if the number of lines of code always correlates to number of security holes, or if the complexity of the operations compared to the number of lines is related to the number of security holes, and what the bounds of that are. But I just took a brief look at one file and saw this:<p><pre><code>  /* Generate a 32-byte connection nonce. */
  if (crypto_entropy_read(H->nonce_local, 32))
          goto err1;
  /* Send our nonce. */
  if ((H->write_cookie = network_write(s, H->nonce_local, 32, 32,
      callback_nonce_write, H)) == NULL)
          goto err1;
  /* Read the other party's nonce. */
  if ((H->read_cookie = network_read(s, H->nonce_remote, 32, 32,
      callback_nonce_read, H)) == NULL)
          goto err2;
</code></pre>
The gotos themselves aren't harmful (even though I don't get why people still use gotos). What strikes me as really funny about this code is its over-simplicity is what caused a huge crypto bug to be missed in Apple's iOS 7 recently. Take a look at the above code and then this security hole[1], and tell me if you can't spot a potential problem.<p>[1] <a href="http://www.wired.com/2014/02/gotofail/" rel="nofollow">http://www.wired.com/2014/02/gotofail/</a>
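
Added example (not part of the comment above, and not code from spiped or Apple): the failure mode in the linked goto fail write-up, where a duplicated unbraced `goto` skips the final check while the error variable still holds success, shown next to a hardened form. The function names and the stub checks are hypothetical.

```c
#include <stdio.h>

/* Hypothetical stand-ins for handshake checks: 0 on success, -1 on failure. */
static int check_hash(int ok) { return ok ? 0 : -1; }
static int check_signature(int ok) { return ok ? 0 : -1; }

/* Flawed: the duplicated goto is unconditional, so check_signature() never
 * runs and err still holds the 0 left by the successful hash check. */
int verify_flawed(int hash_ok, int sig_ok)
{
	int err;

	if ((err = check_hash(hash_ok)) != 0)
		goto fail;
		goto fail;	/* duplicated line: always taken */
	if ((err = check_signature(sig_ok)) != 0)
		goto fail;
fail:
	return err;
}

/* Hardened: braces on every branch, and err starts as failure so only the
 * path that passes every check can return success. */
int verify_hardened(int hash_ok, int sig_ok)
{
	int err = -1;

	if (check_hash(hash_ok) != 0) {
		goto fail;
	}
	if (check_signature(sig_ok) != 0) {
		goto fail;
	}
	err = 0;
fail:
	return err;
}

int main(void)
{
	/* Constructed input: the hash is valid, the signature is not. */
	printf("flawed:   %d\n", verify_flawed(1, 0));
	printf("hardened: %d\n", verify_hardened(1, 0));
	return 0;
}
```

GCC's `-Wmisleading-indentation` (part of `-Wall`) and Clang's `-Wunreachable-code` both flag the flawed function at compile time.
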
> As an American living in a Middle Eastern monarchy, multiple government agencies are likely monitoring my internet traffic<p>Ironically, living in the democracy of the United States would have yielded a similar situation (except remove "likely").
Are there any advantages over something like sshuttle? [0]<p>Doing sshuttle --dns 0/0 seems more convenient, especially since a regular sshd on my box is all I need, no additional software. And it instantly tunnels <i>all</i> my traffic, no need to configure SOCKS proxies. It also avoids TCP-over-TCP, which it seems like you're doing?<p>[0] <a href="https://github.com/apenwarr/sshuttle" rel="nofollow">https://github.com/apenwarr/sshuttle</a>
> In System Preferences, configure your network to connect to a SOCKS proxy at localhost:8089. Now all your internet activity is securely routed through your server.<p>That's a big surprise. <i>all your internet activity</i>?!?! Even when I use curl/wget/IRC/netcat? Skype, xmpp, git, email client? As I understand it, the SOCKS proxy will be used by the web browser only, am I wrong?
Just a heads up: he seems to be running ssh as root [0]. My mom always told me not to run ssh as root, but maybe things change with Docker since it's running in a virtualized OS.<p>[0] <a href="https://github.com/morgante/spiped-docker/blob/master/Dockerfile" rel="nofollow">https://github.com/morgante/spiped-docker/blob/master/Docker...</a>
From the link to the OpenSSL vulnerability:<p><pre><code>  Unfortunately, there's nothing users can do to protect themselves
</code></pre>
Um, how about a VPN, or ssh with dynamic forwarding?<p>I would do something like:<p><pre><code>  ssh -C -D 8080 -fN user@server.tld
</code></pre>
Then it's as simple as setting your web-connected applications to use the localhost proxy on port 8080.
Looks like my server is having some issues. The post is also on GitHub.<p><a href="https://github.com/morgante/spiped-docker/blob/master/readme.md" rel="nofollow">https://github.com/morgante/spiped-docker/blob/master/readme...</a>
I don't understand what advantage this has over just doing:<p><pre><code>  ssh -D8080 username@server.name
</code></pre>
Also, does spiped natively act as a SOCKS proxy? I was under the impression all it did was handle an encrypted stream of data from one socket to another.
Why use the -f switch:<p><pre><code>  -f  Use fast/weak handshaking: This reduces the CPU time spent in the
      initial connection setup, at the expense of losing perfect forward
      secrecy.</code></pre>