1

I am wondering about the security of tunneling services such as ngrok or pinggy.io (which I believe works via ngrok, but doesn't require downloading, just an SSH connection). I don't know and haven't read much about networking and don't really know where to start. Presumably many connect to Github via SSH... etc... but it's not like they personally know the people at Github. How does it work, what are the risks, what risks might be associated with using pinggy.io?

A pinggy.io tunnel is instantiated by running the command ssh -p 443 -R0:localhost:80 [email protected].

Is it more secure to tunnel to a virtualized local development environment, such as via virtualbox/libvirt/vagrant/docker? But then do you run the command on the host machine so that you can specify a URL to a single site in the environment, or from the virtual machine via SSH, but then you can't specify the URL to a single site? (I haven't tried Docker but I guess in that case you could do it from the Docker env with a single site.)

EDIT: Do these services pose any risk/vulnerability such as granting access to the host server/computer? or only intercepting the data being transferred via HTTP/HTTPS, like the web pages/traffic?

Improve this question

1 Answer 1

Reset to default
1

Ngrok and Pinggy.io are two different and independent tunneling tools. The difference you are concerned about is how they connect to their servers. Ngrok uses TCP / TLS to connect to their servers, and Pinggy uses the SSH protocol, which also uses TCP and TLS to connect to their servers.

Both the services forward traffic from their server to some local port of your computer. For example the -R0:localhost:80 suggests that traffic from Pinggy url will be forwarded to your localhost:80

The security concern is who can read this traffic. Technically both ngrok and pinggy can read this traffic since they are handling the HTTPS on their servers or clients. However, you can use the TLS tunnel feature (https://pinggy.io/docs/tls_tunnels/) to get end-to-end encrypted tunnels. It is a bit tricky to setup since you basically need to run one HTTPS server with your own domain and certificates. Ngrok or Pinggy will just give you the connectivity.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

What is the 0 in -R0? I can't find it in the docs
Thank you for replying, by the way; although I still don't quite understand. Is reading the traffic the extent of the security risk?
0 in -R0 is just the port at Pinggy's end. You can put anything in place of 0. Pinggy will ignore it and forward traffic from your tunnel's domain.
inherent risk of exposing one port to the internet is there. An application will be listening on that port, and the security of the application determines the security of the setup to a large extent. Suppose you open a tunnel to port 80 where nginx is running. Then nginx is responsible for handling all traffic securely. Other than that ssh tunnels are well known to be secure so other than the forwarded port nothing else should be affected. And since traffic is moving through the tunnel, that service provider can view / modify traffic unless you are using end-toend encrypted TLS tunnels

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.