Bitcoin Forum
Author Topic: Forum HTTPS problems  (Read 1167 times)
Jay_Pal
January 11, 2015, 08:23:20 PM
 #21

Your browser or any other client software which passes the requests via the proxy first tries to resolve the hostname via the DNS specified on your network interface; the DNS requests are NOT passed via the SSH tunnel. A misconfigured VPN server can suffer the same: although the DNS requests are passed via the VPN interface and are encrypted, if the DNS server is run by an untrusted party such as your ISP, the resolved IPs cannot be trusted, as they may be transparent proxies which log requests.
Another thing to keep in mind when browsing via an SSH tunnel is Flash: connections made by the Flash plugin are NOT passed via the SSH tunnel but via the actual direct internet connection, which may compromise your anonymity. The same applies to Java applets and other browser plugins which are able to create remote sockets which bypass the proxy settings in your browser.
They would need to break SSL to read your Gmail/Facebook etc. or get a CA to sign a valid certificate, but for non-encrypted traffic they can run transparent proxies which log data and a rogue DNS server which returns the IPs of their transparent proxies. Since DNS mostly works over UDP, the source IP can be spoofed.

I see... The unencrypted traffic doesn't bother me, and I guess they don't do that, they just log the data.
It's all the rest that bothers me (banking accounts, email, facebook, etc), so I guess I can say that I am somehow safe.
Thanks anyway for enlightening me!

In theory, of course, it applies that they would have to break SSL or get a CA to sign a valid certificate. However, if you use a compromised DNS, they can direct your traffic to their own server and proxy Facebook for you with a self-signed certificate. Your browser would then notice that the certificate has changed, and if you don't pay attention to it you will be MITMed. I have encountered such behaviour in a military network where absolutely every web request you made showed the "Get me out of here" Firefox warning, so to browse the internet you had to add every page as an exception. What's worse is disabling HTTPS altogether. OkCupid.com, for example, does not have HTTPS and those assholes silently change the protocol for you. So for example you go to https://okcupid.com and it will immediately become http://okcupid.com

I think the snoopers can disable HTTPS for you similarly to how OkCupid has done it. You will have to pay close attention to your address bar.
But if you create an SSH tunnel to a trusted machine (a home server, for example) and point your browser (or other software like bitcoind) to your local proxy tunnel, you are already encrypting all and no compromised DNS servers, isn't that right?
Or does the DNS spoof take place earlier than the tunneling?

Oh great... my only hope then, is if they're not that bright!!!
Thank you for the explanation!

theymos
January 12, 2015, 12:42:24 AM
 #22

This topic is weird because it seems to have some SSL problem. I logged in to the forums from this link and later discovered that it didn't actually use https although it should have used it. Is it a security threat? Other bitcointalk topics seem to be OK but this one is different. Is it some bug in Firefox?

The problem was that the ICQ/YIM "user online" images were gotten from unencrypted sources. I've known about this for some time, but seeing your comment reminded me, and I fixed it. That's why it went away.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
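
The post above traces the broken HTTPS indicator to images fetched over plain HTTP from an HTTPS page. As an added example (not part of the thread and not the forum's own code), this Python scanner lists such mixed-content subresources in a page's HTML; the hosts, URLs and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches automatically. "passive" loads
# break the padlock; "active" loads let a network attacker rewrite the page.
SUBRESOURCES = {
    ("img", "src"): "passive", ("video", "src"): "passive",
    ("audio", "src"): "passive", ("script", "src"): "active",
    ("iframe", "src"): "active", ("embed", "src"): "active",
    ("object", "data"): "active",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        checks = [(a, k) for (t, a), k in SUBRESOURCES.items() if t == tag]
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            checks.append(("href", "active"))
        for attr, kind in checks:
            value = (attrs.get(attr) or "").strip()
            # Resolve relative and protocol-relative URLs against the page URL.
            absolute = urljoin(self.page_url, value)
            if value and urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample (hypothetical hosts): a post with a messenger status icon.
SAMPLE_PAGE = """
<link rel="stylesheet" href="/Themes/default/style.css">
<img src="http://status.im-provider.example/online?user=12345" alt="online">
<img src="//static.forum.example/avatar.png">
<script src="http://cdn.example/widget.js"></script>
<a href="http://example.com/">links are navigation, not mixed content</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://forum.example/index.php?topic=1", SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Only the status image and the script are reported: the stylesheet and avatar resolve to HTTPS against the page URL, and the plain `<a>` link is navigation rather than a subresource.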