More about VPNs: Price and Trust
Last month I wrote about using a rented VPN (Virtual Private Network) service to provide encryption for everything you do on the Internet (see Defending against insecure hotel networks with a VPN). The need for a VPN on a wireless WiFi network is pretty obvious, but, as I wrote, it is equally important for anyone who travels, as there are a number of ways to be spied on when you use a wired connection in a hotel room. I mentioned two companies that rent VPN service, Witopia and HotSpotVPN.
A reader left an interesting follow-up comment:
"I like the idea of using a VPN service, especially since WiFi is provided with my apartment and I don't want my landlord virtually snooping around. But which of the two is a better service? I like Witopia's price because I could afford to buy an account for each of my computers. How does HotspotVPN justify the higher price. Also, I can't find any information on either as to the information they keep about my surfing habits, marketing data, etc. Why should I trust either of these companies more than my landlord, a hotel, or Starbucks?"
I ran this question by each company and their responses are below. First, some background on pricing and services.
Both companies offer an SSL based VPN for a yearly fee.
The Witopia service is called PersonalVPN, the HotSpotVPN service is called HotSpotVPN-2. Witopia charges $40/year and uses 128 bit encryption using the Blowfish cipher. HotSpotVPN charges $109 for similar 128 bit Blowfish encryption and more for higher grades of encryption.
In his Security Now podcast, Steve Gibson said the lowest level of encryption from HotSpotVPN is sufficient. On this subject, Witopia's website says "Depending on other factors, higher levels of encryption may simply bog down your processor without providing the security you might think."
Both companies also offer PPTP based VPN service, thrown in when you purchase their SSL based VPN. I'm no expert on the technical differences between the two types of VPNs, but SSL is more secure whereas PPTP can often be used without installing software. Both companies note that PPTP is the only type of VPN supported on an Apple iPhone.
HotSpotVPN offers a stand-alone PPTP based VPN service, Witopia does not. Being techies, they gave it the imaginative name HotSpotVPN-1. Quoting their website: "HotSpotVPN-1 is perfect for the infrequent traveler because it is available in 1,3, and 7 day increments for only $3.88, $5.88, and $6.88 respectively." On a yearly basis, HotSpotVPN-1 is $89.
Witopia
Addressing the reader comment, Bill Bullock, President of Witopia, says:
"These are good and fair questions. I can't comment too much on HotspotVPN's pricing model, but as far as we know, WiTopia's PPTP + openVPN SSL bundle is technically identical to HotspotVPN's PPTP and openVPN SSL bundle...at least as far as the protocols offered. I hear they offer a fine service and have a loyal following. It may just be a difference in strategic approach to the market.
We believe the personal VPN market will experience huge growth as people become increasingly concerned about security and privacy online. The move to mobility is also key here as although it isn't a bad idea to use a VPN at home for privacy, when you connect at hotspots or "networks not your own" a VPN is a necessity. Although the need is clear, there is a learning curve as there was with anti-virus and firewalls.
When we were at UUNET, we gained a "religious zeal" for building massively scalable and repeatable UNIX-based architectures that can take a beating. We built personalVPN to scale easily, inexpensively, and be rock-solid reliable as you would expect from UNIX systems.
So, with a huge potential market, the technical ability to scale to the moon while keeping costs low and service level high, we thought a really aggressive price was the best way to capture market share. The folks buying VPNs now are likely the technical ones in their family or circle of friends so they understand the value of a VPN service and will help us spread the word if we treat them right and the price is fair. It's already happening.
As far as trust, that is a valid point. You need to trust your VPN provider. Not only their philosophy, but their technical prowess. There are a lot of new entrants in the market now with "sketchy" approaches, and many others seem to be single-server shops that may unknowingly make errors compromising your data as they try to scale. I would hope that any established VPN company that has a track record and has been covered positively on the Internet by customers and the press is a safe bet. What needs to be understood, is that our livelihood depends on keeping you safe and honoring your privacy. If we ever compromised that, unwillingly or with bad intent, I would imagine word would get out pretty fast. I can say that here at WiTopia, we take it very very seriously."
HotSpotVPN
Glynn Taylor, President of WiFiConsulting, the company behind HotSpotVPN, says:
"Our higher price reflects that you will get two vpn's for the price of one. You will get an openVPN VPN and a PPTP VPN for your iPhone or whatever you want to run it on. Also we have a boatload of bandwidth that is intelligently biased towards VOIP. I think we also offer higher encryption than most."
Do Something
Serious techies take another approach altogether. They have computers running all the time that run VPN server software. For a secure Internet connection, they phone home (so to speak) and surf the Internet from the wired connection at their home base, be it a home, office or a rented server.
Whichever approach/company you use, the time really has come for VPNs to be added to the list of standard defensive software for everyone using the Internet.
Update. March 15, 2008: For more on this see A VPN debate: WiTopia and HotSpotVPN
Note: Witopia is witopia.net. Witopia.com seems to be owned by a person rather than a company and there is no such website. All prices are rounded off.
See a summary of all my Defensive Computing postings.
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure. 



Trust is one of the most important things in the security business. Our privacy policy consists of some strong simple statements that we have stood by for five years. We pledge that we will not sell, share, trade, disclose or rent any of your information to others. We also state that we will not record, sniff, scan or view any HotSpotVPN user's Internet traffic. Beware any VPN vendor that will use your information for other purposes.
Price: We have many more features than any of our competitors and this leads to higher costs in our infrastructure. It also leads to the most safe flexible and usable VPN service available. We use the service ourselves so we built it with everything we wanted it to have.
TunnelGuardian: HotSpotVPN is more than just a VPN. We have software running in our infrastructure that will proactively block malware and optionally block all on-line advertisements from getting to the client's computer. In low bandwidth situations the ad-blocking speeds up the surfing experience. Most importantly on-line ads served through reputable ad agencies can be used to load Trojans and viruses onto a computer. Ad blocking prevents this attack vector from being used against our users.
Most Flexible: With HotSpotVPN2 you have a choice of ports to use and you can switch from tcp to udp protocols. We default to tcp on port 443 so if a browser on a https session works, the vpn will work. You can also change to the udp protocol which provides much better voip streaming video and audio than tcp.
Our servers are spread out across the country so you can choose the servers closest to you to minimize latency. If you are in Europe you would use our east coast servers, in Asia, our west coast servers. It makes a big difference. I have used the service from China, New Zealand and Europe over the last year and this is very important.
Bandwidth: Our goal is to provide quality service to our users without having to throttle their bandwidth down to annoying levels. We have succeeded in this and are actually adding another 1.2 Gigabits during the next change control window (about a week from now).
Thank you.
GT
Glynn said:
We pledge that we will not sell, share, trade, disclose or rent any of your information to others. We also state that we will not record, sniff, scan or view any HotSpotVPN user's Internet traffic. Beware any VPN vendor that will use your information for other purposes.
Reply:
Same with WiTopia as governed by our privacy policy. We absolutely do not record or monitor customers' data, sites visited, etc. and also certainly do not share customer information with any third party. Again, we take the privacy aspect of the service deadly serious.
Glynn said:
Price: We have many more features than any of our competitors and this leads to higher costs in our infrastructure. It also leads to the most safe flexible and usable VPN service available. We use the service ourselves so we built it with everything we wanted it to have.
Reply:
Yes. We use our own service too. :) I think words like "most" may be misunderstood. I don't believe any VPN provider (or any network service) can accurately claim "most usable," "most safe," "most flexible." We have comprehensive security and usability features in place. Some simply keep "bad guys" off the service, thwart attacks, and enforce solid security policy, and some are convenience such as providing zero-config SMTP relays, certificate regenerators, etc. This gets into network design elements and "secret sauce" that would likely be quite boring to most people. Again, I would sincerely hope both services have serious networking expertise behind them.
Glynn said:
TunnelGuardian: HotSpotVPN is more than just a VPN. We have software running in our infrastructure that will proactively block malware and optionally block all on-line advertisements from getting to the client's computer. In low bandwidth situations the ad-blocking speeds up the surfing experience. Most importantly on-line ads served through reputable ad agencies can be used to load Trojans and viruses onto a computer. Ad blocking prevents this attack vector from being used against our users.
Reply:
I have a legitimate question on TunnelGuardian, but HSVPN may have a great answer. Don't know. It sounds like a neat feature if you think ads are slowing your connection.
Here's the question:
To deliver the TunnelGuardian service, wouldn't HotspotVPN have to inspect the html code before encrypting it to block malware, on-line ads, etc.? Wouldn't the traffic have to be scanned?
Glynn said:
Most Flexible: With HotSpotVPN2 you have a choice of ports to use and you can switch from tcp to udp protocols. We default to tcp on port 443 so if a browser on a https session works, the vpn will work. You can also change to the udp protocol which provides much better voip streaming video and audio than tcp.
Reply:
ok. again with the "most" stuff. :) We will soon allow customers to "customize" on the client side and choose different ports, etc. We optimized a standard configuration/bundle which would suit the needs of most everyone before we allowed customization. This ensures easier support, scaling, and allows us to offer a lower price to more people.
WiTopia's openVPN SSL service is optimized for video and VoIP (using udp) and we designed the PPTP to be more "scrappy" using tcp as its error-correcting ability is superior if there are network irregularities.
Glynn said:
Our servers are spread out across the country so you can choose the servers closest to you to minimize latency. If you are in Europe you would use our east coast servers, in Asia, our west coast servers. It makes a big difference. I have used the service from China, New Zealand and Europe over the last year and this is very important.
Reply:
We do agree moving gateways closer to customers is a factor of performance so we have several spec'ed out to be deployed over the next quarter. Although, there are other factors... and from personal and customer experiences from all over the world, I'm not sure this matters as much as even we once thought. Improvements in routing, capacity, peering points etc. on the Internet have lessened the need for geographical proximity. Still, we'll be doing our rollout too. Purchasing shiny new gear.
Glynn said:
Bandwidth: Our goal is to provide quality service to our users without having to throttle their bandwidth down to annoying levels. We have succeeded in this and are actually adding another 1.2 Gigabits during the next change control window (about a week from now).
Reply:
So I don't crash CNET's servers with my response, I'll just conclude with, we don't throttle any bandwidth whatsoever. Our only policy is if usage falls completely outside reasonable customer norms, e.g., you try to run a phone company over it, we have the right to be "unpleasant." Haven't had to do it yet!
- by mhinnewyork March 16, 2008 8:31 AM PDT
I have used both HotspotVPN and WiTopia and would be wary of SurfBouncer.
For one, a Google search shows the few pages of hits are all at eBay. This appears to be an attempt to rig the Google search. I didn't find any reviews of the service in the first few pages of Google results. Their own web site has no links to independent reviews of the service.
They are using the domain hotspotvpn.org which seems shady since they compete with hotspotvpn.com.
Finally, nowhere on their website does it say anything about the company or the people behind it. There is no About Us page. Not even a mailing address. I know nothing about the people or company behind HotSpotVPN either. I have spoken to people at Witopia though and got good vibes.
Michael Horowitz