A personal VPN won’t save you from the Internet, but it doesn’t hurt
By ANDY IHNATKO September 9, 2011 10:12PM
Updated: September 9, 2011 10:25PM
I’m guessing that most of you are in the Purgatory zone on the subject of “using public Internet connections safely.” You’re at least aware that using an open public WiFi access point is risky, and you know you Ought To Figure Something Out About That some day. But you have yet to take those necessary steps toward Salvation.
Let’s see if we can’t fix that today. First, I slap the Fear of God into you and then I recommend that you try out one of two great personal VPN services. We should have you out of here in plenty of time to catch the Sunday brunch buffet at the Indian restaurant down the street.
The standard harangue on this topic boils down to three points:
1) You should be concerned about any kind of shared Internet connection. The unsecured and unencrypted free WiFi at the local coffeeshop is just the most obvious example. But even the in-room broadband service at a hotel shouldn’t be trusted. The basic principle is that if you don’t physically have control of the full chain of hardware that gets you onto the Internet, from your computer all the way to the final router that’s connected to a subscription broadband pipeline, then you should think of this connection as public Internet service and secure your communications appropriately.
Granted, the $18 a day Internet connection in your $350 a night hotel room seems like the very least-public kind of Internet imaginable. But anything can happen with those electrons after they flow out of your PC and drop through the little hole in the wall. For all you know, the whole hotel network might be managed by a Windows machine that hasn’t received a security update since “Seinfeld” went off the air. Has this machine acquired a piece of malicious software at some point?
2) The tools for sniffing the unencrypted traffic on a public Internet connection are widely available, easy to use, sophisticated, and they bag dramatic results. You start off with the whimsical apps that do nothing but sniff the stream for image URLs being loaded by other people on the network and build a live slideshow. Yes, the Moleskine notebook, the Pelikan fountain pen, and the copy of the Penguin Classics edition of Jane Austen’s “Mansfield Park” say “I stand among the modern-age New Romantics” but the pictures that flitted on the screen of your network sniffer after he opened his Dell say “I really dig Smurf porn.” And then you move on to automated scripts that live on the service router that constantly grab login credentials and anything in the unencrypted text stream that greps like it’s an account number of some kind.
Just as importantly:
3) Networking, and network security in particular, was never, ever meant to be understood by civilians. Not even by civilian nerds. Your understanding of “when it’s safe to use a public Internet connection” is a lash-up of deadly oversimplifications, I promise you.
You think you’re fine and that you’ve taken all the proper precautions, but a true professional can look at your setup and tell you that although your email client is configured to encrypt your login password, the actual text of your messages is being sent in the clear. She can also tell you that your traffic is moving through a router with a known vulnerability, that your browser isn’t equipped to warn you when a seemingly secure website is using suspicious security certificates, and that of the three available WiFi hotspots that are identifying themselves as “Free Hotel Lobby WiFi,” only one has any association with the fine men and women of Marriott International Inc.
And incidentally, the phrase “a true network security professional” doesn’t mean that the “Education” section of this person’s resume mentions two months at an IT night school. It means that the “Previous work experience” section lists at least one and ideally three entries marked “[Redacted by NSA directive.]”
If you’re not that person, then assume that you know nothing and that anything you thought you knew is highly suspect. Yes, make sure that your client apps are set up to use SSL, and you should absolutely keep a wary eye on the address bar of your browser to make sure that all of your online shopping happens through secure (https://) webpages. But above and beyond what you already know, you need to accept that you don’t have the knowledge or experience required to know when a system is no longer working properly or when the Bad People have perfected a new trick or discovered a new vulnerability that nullifies all of your best practices. You can’t certify that there are no weak points and no failures along any of the uncountable steps in this chain of trust between your computer and whatever’s at the other end of that pipeline.
Making the case
And that’s why you need to secure your Internet connection. It’s way more important than replacing the incandescent lightbulbs in your house with compact fluorescents.
Fortunately, you’re not responsible for securing and cleaning up the entire Internet. I mean, good God, just think of all the Pine-Sol you’d need for that.
No, all you have to do is secure the last end of it ... the bit that leads to your notebook there at the Starbucks. The basic technique for this is called “secure tunneling.” Normally, your path to the Internet starts at your notebook, hops across that horrible open WiFi at your local coffeeshop where it can be examined by absolutely anybody, arrives at the coffeeshop’s WiFi router and goes out to the main highway of the Internet itself.
With secure tunneling, your notebook uses the horrible open WiFi only to forge a secure, private link between itself and another computer that you can trust. Imagine a thick steel pipeline laid across a high-crime district, only it’s made out of bulletproof encryption. Your data pops out safely at the other end of the tunnel, where the trusted computer shoots it onto the Internet through its own secure router. For all intents and purposes, you’re accessing the Internet from the secure network at the other end of the tunnel, not from the coffee shop WiFi. In fact, the websites you visit will only see the network address of the second computer, not the address of the machine you’re actually typing on.
Software on both machines establishes and maintains the tunnel automatically. You might have to click a button to fire up the secure tunnel but after that it works like any other Internet connection.
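The tunnel arrangement just described leaves a visible footprint in your laptop’s routing table, and that is the quickest way to confirm the software really did what the button says. The following Python check is an added illustration, not code from the column or from either VPN vendor; it assumes Linux `ip route` output, a constructed sample table, and a hypothetical list of tunnel interface-name prefixes.

```python
import ipaddress

# Assumption: tunnel interfaces carry these name prefixes (OpenVPN tun/tap,
# macOS utun, PPTP/L2TP ppp, WireGuard wg).
TUNNEL_PREFIXES = ("tun", "tap", "utun", "ppp", "wg")
# Probe for "where does ordinary traffic go?"; 203.0.113.0/24 is a documentation net, never routed.
PROBE_IP = "203.0.113.10"

def parse_ip_route(text):
    """Turn `ip route` output into (network, next_hop, interface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), via, dev))
    return routes

def route_for(routes, ip):
    """Longest-prefix match: the route the kernel would actually use for `ip`."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def uses_tunnel(route):
    return route is not None and route[2] is not None and route[2].startswith(TUNNEL_PREFIXES)

def check_full_tunnel(ip_route_text, vpn_server_ip):
    """default_via_tunnel: ordinary traffic enters the pipe.  server_via_physical:
    the encrypted packets to the VPN server still leave over the WiFi (if they
    were routed into the tunnel too, nothing would flow).  ok: both hold."""
    routes = parse_ip_route(ip_route_text)
    to_server = route_for(routes, vpn_server_ip)
    result = {"default_via_tunnel": uses_tunnel(route_for(routes, PROBE_IP)),
              "server_via_physical": to_server is not None and not uses_tunnel(to_server)}
    result["ok"] = result["default_via_tunnel"] and result["server_via_physical"]
    return result

# Constructed sample of the table an OpenVPN-style client leaves behind: the two
# /1 routes out-prefix the real default, so all Internet traffic enters tun0,
# while the /32 host route keeps the encrypted stream to the VPN server on wlan0.
VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
198.51.100.7 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    print(check_full_tunnel(VPN_UP, "198.51.100.7"))  # ok: True
```

On a real machine, feed it the live output of `ip route` and the address your VPN client reports for its server; a result with `default_via_tunnel` false means the light is blue but your traffic is still walking across the coffee shop WiFi in the clear.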
There are plenty of ways of establishing a secure tunnel, but the only practical solution for securing your personal Internet connections is to subscribe to a personal VPN service. Anonymizer.com and WiTopia.net are the two worth knowing about and they both work along much the same lines. You sign up for an annual subscription to the service, you download and run an installer that configures your laptop for Virtual Private Networking (which is a set of industry-standard protocols for extending a local network across the Internet) and adds a couple of tools that make the secure connection dirt-simple to open and close. Then you can establish a secure connection to the Internet through the company’s servers in just a second. It doesn’t matter what WiFi network you’re using or if you’re connecting across Ethernet. With the VPN enabled, your computer asks for a connection to the Internet and the VPN invisibly delivers it.
By their nature, personal VPNs actually deliver two privacy features. They allow you to use public Internet securely, but they also mask your computer’s IP (Internet Protocol, a numeric label assigned to every device on a network) address. This denies the websites you visit access to a valuable piece of personally-identifiable information.
Have you ever been creeped out by a localized web ad that said something like “Woman in URBANA, IL, KIND OF ACROSS THE STREET FROM THE BECKMAN INSTITUTE, I THINK discovers secret to younger skin”? The ad identified your location from your home Internet connection’s IP address. Tracking sites can often use that address to identify you specifically.
Suffice to say that when I’m surfing via a VPN and a cheery pop-up spokesmonkey says “Homeowners like you in LISBON, PORTUGAL are saving thousands by refinancing ... find out how!” I just smile and smile.
Anonymizer might have a slight edge in this category. As the service’s name implies, they consider online anonymity to be a banner feature rather than a side-effect, and claim to have implemented additional custom measures to make your machine harder to identify. I’m not sure how successful those measures can be. IP addresses are just one way that a webpage or an ad profiler can identify you. To achieve total anonymity, you would need to flush your browser and Adobe Flash caches at the end of each browser session and even that level of diligence won’t necessarily prevent jerkwad marketers from identifying you.
Both of these services have been around for a good while ... more than long enough to have established good reputations that they’re now highly-motivated to protect. I recommend each of them highly, but they have individual strengths.
Anonymizer vs. WiTopia
Anonymizer beats out WiTopia for its thrillingly simple setup. Download an app, launch it, plug in the username and password you chose when you signed up on the website and that’s it: You’ve got an active, private connection to the Internet. It went so quickly and with such little fuss that I instinctively grumbled and started retracing my steps; I assumed that the installer hadn’t actually done anything or that the instructions had left out another page full of steps.
Nope! With Anonymizer, there’s nothing to set or tweak. Just an icon in your System tray or Mac OS Dock that glows reassuringly blue (to confirm the secure connection) or red (to warn you that you’ve turned it off or that it isn’t working for some reason).
Anonymizer Universal works with both Macs and PCs, and there’s even a dirt-simple installer that lets your iPhone or iPad connect securely. Mobile broadband networks are generally considered to be safe. But you can never be too sure, and besides, you’ll want protection for your WiFi activity.
Anonymizer has no custom settings at all, apart from a simple checkbox option for having Anonymizer launch and connect automatically at startup. That defines the major difference between the two services. I could recommend Anonymizer to anyone and be filled with serene confidence that they’ll get it up and running without any problems.
WiTopia is more complicated. Setting it up isn’t challenging by any definition, but the experience isn’t even close to the utter bunny-headed simplicity of Anonymizer.
At the same time, WiTopia’s relative complexity is its strength. You can actually tweak it. I mentioned before that the websites and services you visit through a VPN see the IP address of the service’s VPN server, not the IP address of your actual laptop. WiTopia has servers all over the world. Would you like to watch a wonderful documentary about P.G. Wodehouse that aired on BBC2 recently? Too bad. The show can be streamed from the BBC’s website, but the service blocks streaming to non-UK IP addresses.
It’s no problem if you’re using WiTopia. You can just disconnect from your US VPN server and select one that’s based in London. Presto!
The tweakability also becomes an asset when A) things go wrong and B) you know what you’re doing. Anonymizer will work in almost every scenario that the casual user might encounter. But every public Internet signal is like a baby with a full diaper. You never know what you’re going to encounter until you get in there.
If the WiFi at your Barcelona hotel is blocking all VPN tools, or is just flaking out for some reason, WiTopia at least offers you some options. You can try using an alternative VPN protocol, or see if you can open a VPN connection on unblocked ports.
The techie nature of WiTopia also comes into play in situation C) -- when you’d like to use VPN on a random device. Anonymizer specifically supports Mac, Windows, and iOS (iPhone and iPad). WiTopia will work with just about anything that natively supports VPN. So, all of the above, plus Linux, Android, Windows Mobile or what have you.
I should also point out a potentially troubling item in Anonymizer’s Support FAQ: The service doesn’t support peer-to-peer or other file-sharing programs and “access to the Anonymizer Universal servers may be limited or stopped if your usage at a site or port is excessive.”
In truth, based on conversations with the company, Anonymizer is simply saying “We’re not going to let you use our service to anonymously and illegally download hundreds of gigabytes of pirated music and movies.” If you experience problems using Anonymizer with a peer-to-peer file sharing service, they’re not going to do anything to help you out.
WiTopia’s support pages say something similar, though the language is a little friendlier and more transparent. It doesn’t matter which service you use: if you connect to the site IllegalCopiesOfAllOfTheRawDigitalFootageOfAllOfTheStarWarsMovies.com through the VPN and torrent about 200 gigabytes of movie files a day for a week, the service will A) become aware of this fact and B) hand you your hat and coat.
Which brings up another issue: trust. The whole point of signing up for these services is to make sure that your online business is PRIVATE. Doesn’t it seem . . . odd . . . that you’re achieving this by redirecting all of your traffic through a computer you know nothing about?
Well, yeah. I suppose. But that’s life in the NFL. For what it’s worth, both services have what I consider to be satisfactory privacy policies. They promise not to ever collect personally-identifiable information about you and your Internet habits. Furthermore, they don’t have the wherewithal to track your habits in the first place. WiTopia refers to a somewhat amorphous wake of data that their users leave behind and which can only serve to alert the staff that somebody somewhere is somehow doing something that’s very wrong. Finding out the who, where, what and when is then a matter of laborious forensics rather than simply pulling up some usage logs.
Even when they make exceptions for purposes of maintenance and troubleshooting, they say that all data that was maintained is immediately destroyed.
They also acknowledge that if someone with a badge in one hand and a stack of signed, sealed, and stamped legal paperwork in the other knocks on their front door (presumably with an elbow), they’ll happily hand over any data demanded by law enforcement. However, if their data-retention policies can be taken at face value, it’s unclear that WiTopia or Anonymizer would even have any useful data of your Internet habits. On that basis, I certainly trust these VPN services over many home broadband ISPs, who can store tracking data forever and often will hand it over to private companies looking for pigeons to sue, let alone members of the law enforcement communities, just after they ask nicely.
Nonetheless: WiTopia and Anonymizer’s intolerance for illegal activity is clearly stated. And, I think you’ll agree, their policies are appropriate for the kind of service they deliver. Many people are up to awful business on the Internet -- you understand that I’m not talking about downloading an episode from a “Who’s The Boss?” DVD set here -- and it’s a bit much to expect Anonymizer or WiTopia to be an active or even a passive participant in an ongoing crime.
The other difference between the two services is price. Anonymizer offers their Universal service for $79 a year, with an initial two-week free trial. WiTopia’s basic personal VPN service is just $39 a year, and $69 buys you the Pro package, which adds OpenVPN (and all the tweakability that comes with it) and that nice popup menu for quickly switching between WiTopia VPN servers from different countries.
It does look as though the lines separating them will narrow in the coming months. WiTopia says that they’re working on a new client app that makes the service easier to install and manage, and Anonymizer tells me that they’ll soon start beta-testing of an OpenVPN version of their service. OpenVPN is an alternative VPN platform, already supported by WiTopia, that would deliver customization features that Anonymizer currently lacks.
Not so fast
So, you subscribe to one of these services and you’re perfectly safe, right?
Oh, my word, no. All a personal VPN service can do is protect you from eavesdroppers when you’re on public Internet connections. It’s still very easy for you to cheerfully click on an online game and unwittingly download and install a keylogger that captures your passwords and credit-card numbers. But hey! At least when that piece of malware transmits your financial account information, you can have faith that it will all be sent to a European crime syndicate securely. And it’s still possible to click a link that you think takes you to your online banking site, but which in truth lands you on a phishing page. And so it goes.
Anonymizer.com and WiTopia.com work great and they’ll allow you to use a public Internet connection without worrying too much about bad consequences. But they can’t negate my Third Point about network security: Always assume that you know nothing, and that anything you do on the Internet will inevitably end in tears. Because that’s probably closest to the truth.