Secure Chat using privoxy and ssh

by Marion Bates <mbates at>

Note: I have tested this with the "real" AOL Instant Messenger client under Mac OS X. It may work with other clients but they must support HTTP as a proxy option.

  1. On your UML, install privoxy:
    	cd /pub/mirrors/redhat/.../RPMS/
    	(sudo) rpm -Uvh privoxy-3.0.0-8.i386.rpm 
  2. In /etc/privoxy/config, change line 671:
    	toggle 1
    	toggle 0

    Save and exit.

  3. Restart privoxy:
    	/etc/init.d/privoxy restart
  4. Run netstat -anp | less and look for this line:
    	tcp        0      0*               LISTEN      2039/privoxy        
  5. Save the following into an executable shell script on your local machine (the machine on which you'll be using AIM):
    	# Create ssh tunnel to http proxy for encrypted AIM chat
    	ssh -g -L 1080:localhost:8118 -N
  6. Open AIM client. Edit preferences -> Connection. Check the box that says "Connect Using Proxy Server" and set the options accordingly:
    	Port: 1080
    	Name: localhost
    	Protocol: HTTP
    	Password: (leave blank)

    Do NOT check the "use proxy to resolve host names" box. Save changes.

  7. Start up the ssh tunnel (./name-of-script). Enter the password for your uml account. Minimize or hide that terminal window, but leave it open.
  8. Start AIM and connect. Should seem totally normal, perhaps a tad slower than usual.
  9. Test:
    	sudo tcpdump -i en0 -s 1500 -X 'host your-local-host' > dump.txt
    	(send an IM or two)
    	(ctrl-c the tcpdump session)
    	less dump.txt

    Look for your IM content. It should NOT be visible -- you should only see ssh ciphertext.

  10. For bonus points, set up your web browser to use localhost port 1080 as its proxy. Now your web content is encrypted too. :)


AIM seems more prone to unexpected disconnects after doing this. Could be unrelated (client bug, bad internet link, etc.) and I don't see anything relevant in privoxy's logs when it happens. However, when it does, I usually have to quit and relaunch AIM to get it to reconnect. YMMV.

Also, keep in mind that this only encrypts the AIM traffic between your local machine and your UML. The connection between your UML and the AIM server(s) is still clear-text.

Thanks to Bill Stearns for telling me how to make this be like 37 fewer steps than it originally was. :)