February 18, 2008 9:18 PM PST

Defending against insecure hotel networks with a VPN

by Michael Horowitz

My point last month, when I wrote that Ethernet connections in a hotel room are not secure, was that wired Internet connections in a hotel are no more secure than wireless connections. The issue I described involved a technically savvy guest reconfiguring the network to place their computer logically between you and the outside world. Thus positioned, they might as well be watching over your shoulder.

A few days ago Leo Notenboom cited two additional reasons why wired hotel connections can't be trusted: hotel employees can snoop and, if the rooms are connected with a hub, even a nontechie person in another room can easily snoop on your Internet connection (see "Can hotels sniff my internet traffic?").

There are two approaches for dealing with this, a good one and a bad one.

The bad one involves dealing separately with each Internet application. For Web browsing, this means only viewing sensitive pages through an encrypted HTTPS connection. For e-mail using client software such as Thunderbird (as opposed to Web mail), it means a nontrivial reconfiguration of the e-mail environment, which may not even be possible, since not all e-mail providers offer encryption. Even then, instant messaging, FTP, and other applications have to be dealt with individually. What a mess.

The good approach is to use a VPN, or virtual private network, to encrypt everything.

Virtual private networks

Often VPNs are spoken of in terms of corporate employees connecting back to their corporate LAN. But there are also VPNs for the rest of us. A handful of companies rent out VPNs to anyone, and they're not very expensive.

These rented VPNs provide a secure, encrypted pathway (techies use the term "tunnel") between you and the company renting the VPN. For example, if the VPN company is in Cleveland, your computer makes a secure connection to Cleveland. Everything traveling between you and Cleveland is encrypted. No matter who does what in a hotel, all they can get from you is a useless encrypted bunch of bits.

When your Web pages, e-mail messages, instant messages and whatnot get to Cleveland, they are decrypted and dumped onto the Internet just like everything else. The encryption is only between you and Cleveland, not end to end.

Put another way, someone staying at a hotel in California looking at my personal Web site, michaelhorowitz.com, in Texas would send an encrypted request for a Web page to the VPN company in Cleveland, where the request is decrypted and forwarded to Texas. My Web site responds and sends a Web page back to Cleveland (as far as my Web site knows, the request came from Cleveland) where the VPN company encrypts it and sends it to the hotel in California.

This does slow things down a bit, but with a broadband connection the trade-off is certainly worth it and probably not noticeable.

To use the VPN service, you first connect to the Internet, then start up the VPN software. At this point you are safe, secure and happy. When you are done, first shut down the VPN software, then disconnect from the Internet.

Where to rent

Two companies that rent VPNs are WiTopia and HotSpotVPN. Both offer two types of VPNs, PPTP and SSL. The pros and cons of each type of VPN are not something I'm ready to get into. Suffice it to say that a PPTP VPN is usually cheaper, probably won't require software to be installed, and is not as secure when compared to an SSL-based VPN.

The HotSpotVPN-1 service is based on PPTP, while the HotSpotVPN-2 is based on SSL. HotSpotVPN-1 is roughly $9 per month, and HotSpotVPN-2 ranges from roughly $11 to $14 per month depending on the strength of the encryption. According to Steve Gibson, the cheapest encryption strength is sufficient. In both cases, yearly charges are 10 times the monthly charge. HotSpotVPN-1 is also available by the day or week.

WiTopia calls their rented VPN service PersonalVPN. The SSL-based version of PersonalVPN is only $40 a year (the equivalent service from HotSpot is $110 to $140 per year). WiTopia does not offer the PPTP version by itself; instead, they currently throw it in for free when you purchase/rent the SSL-based product.

HotSpot also throws in a PPTP-based VPN when you order their SSL-based product. Both companies point out that Apple's iPhone supports PPTP-based VPNs.

Using a VPN is a small annoyance, but security and convenience will forever be at odds.


For more on this see More about VPNs: Price and Trust from March 14, 2008.

See a summary of all my Defensive Computing postings.

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by jg0097 February 22, 2008 7:48 PM PST
I spend a lot of time in hotels and airports and wouldn't be without a VPN. A good Google search will reveal all anyone needs to know regarding how to tap into the wireless or sniff the network. It doesn't take a "hacker" to hack these days. I prefer an SSL-based VPN as being more compatible with all applications. I've tried a few of the offerings out there but have settled on Surfbouncer as my VPN of choice.

SurfBouncer
by mhinnewyork February 23, 2008 11:37 AM PST
I have used both HotspotVPN and Witopia and would be wary of SurfBouncer.

For one, a Google search shows the few pages of hits are all at eBay. This appears to be an attempt to rig the Google search. I didn't find any reviews of the service in the first few pages of Google results. Their own web site has no links to independent reviews of the service.

They are using the domain hotspotvpn.org which seems shady since they compete with hotspotvpn.com.

Finally, nowhere on their website does it say anything about the company or the people behind it. There is no About Us page. Not even a mailing address. I know nothing about the people or company behind HotSpotVPN either. I have spoken to people at Witopia though and got good vibes.

Michael Horowitz
by bbelnap February 23, 2008 1:35 PM PST
I like the idea of using a VPN service, especially since WiFi is provided with my apartment and I don't want my landlord virtually snooping around. But which of the two is a better service? I like Witopia's price because I could afford to buy an account for each of my computers. How does HotspotVPN justify the higher price?

Also, I can't find any information on either as to the information they keep about my surfing habits, marketing data, etc. Why should I trust either of these companies more than my landlord, a hotel, or Starbucks?
by anonymous surfing March 11, 2008 12:38 PM PDT
Surfing the Web Anonymously - Questions to Ask

When you surf the web it is possible to learn information about you even when you don't want to advertise who you are. This is true even if your system contains no virus or malware software. Specifically information that is easily available online includes your IP address, your country (and often more location information based on IP address), what computer system you are on, what browser you use, your browser history, and other information. It gets worse. People can get your computer's name and even find out your name if your machine supports programs like finger or identd. Also, cookies can track your habits as you move from machine to machine.

How do people get this basic information about you?

When you visit another web site, information about you can be retrieved. Basically, information is intercepted and used by others to track your Internet activities.

How do you stop this from happening?

First of all, it is possible to surf the web anonymously and thereby stop leaving a trail for others to find. Note that this is not fool-proof, but it makes it much harder for people to know who you are. There are products called anonymous vpn service that help protect you. The anonymous vpn replaces your Internet address for its own. This has the effect of changing your IP address and making it much harder for people to track you.


How do I get an anonymous vpn?

There are many vendors who sell anonymous vpn service. There are also free proxy servers available to you. Two such products are vpnprivacy.com and Vpn Privacy. VPN Privacy (http://vpnprivacy.com) offers pptp vpn service for anonymous and secure access to the web. It provides anonymous surfing at their site for low cost price. There are many others, but here are two that are frequently used.

Another interesting product, given the recent news about the Google search engine filtering its findings for the Chinese government, is Anonymizer (http://www.anonymizer.com). This company, among others, recently (Feb 1st, 2006) pressed that it "is developing a new anti-censorship solution that will enable Chinese citizens to safely access the entire Internet filter-free" (http://www.anonymizer.com/consumer/media/press_releases/02012006.html).

Does an anonymous vpn make you 100% safe?

No. Still, you are much better off if you use such technology.

What other things should I be concerned about when trying to keep my private information private?

Three other items come to mind when trying to keep your information private. First, you can use an encrypted connection to hide your surfing. This article does not go into detail on this, but search the web and you will find a lot of information on this. Secondly, delete cookies after each session. Third, you can configure your browser to remove JavaScript, Java, and active content. This actually leads to limitations, so you need to think about the cost/benefit of this course of action.


Anything else?

Wishing you happy and safe surfing!
by blacklogic1 May 1, 2008 8:42 PM PDT
You can also use VPN service from Blacklogic VPN
http://blacklogic.com/anonymous-surfing.php
by November 13, 2008 1:41 AM PST
I use www.thenetgate.org from yousab ltd great service!
by velbon December 16, 2008 11:27 AM PST
I use vpn service (http://world-secure-channel.com/). It's a great service!
by reliablehosting.com March 27, 2009 10:51 AM PDT
http://www.strongvpn.com Accounts in USA, UK and NL
Easily switch from one country to another.
by borg_tribble May 20, 2009 3:11 PM PDT
I open an SSH connection (using PuTTY) to my home Linux server, and tunnel everything over it. It's the same setup I use at work to keep my personal Internet activity segregated from my work.

Depending on how the hotel has their service set up, you can do this and surf, check email, use your IM clients, or whatever, without ever seeing their Terms of Service web page.

About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.
