Safe Hotspotting With For-Hire VPNs

When I travel, I'm a one-man show without an IT organization behind me to support my connectivity. That's particularly frightening at Wi-Fi hotspots, where enterprise users can be secure using their company's virtual private network (VPN).

One solution for the rest of us is to use service-by-service encryption, such as using SSL (Secure Sockets Layer) for retrieving e-mail messages, but VPNs are better because capture and encrypt all incoming and outgoing data. Combined with a firewall and an anti-virus program, a VPN-equipped laptop can be virtually impregnable.

Fortunately, while VPNs have previously been the domain of enterprises, publicly available VPNs that you can use for a reasonably low monthly fee are now available for individual travelers. Two in particular, HotSpotVPN and WiTopia's personal VPN provide different approaches, but both deliver strong security.

The Two Contenders

HotSpotVPN.com was founded a few years ago to offer a VPN-for-hire for mobile people who don't have enterprise VPN and IT support. Priced at $8.88 per month or a prepaid year at $88.80, the PPTP (Point-to-Point Tunneling Protocol) service works with any operating system that has a PPTP client built in or on which one will run. Windows XP and Mac OS X 10.2 and later both have built-in support for this standard.PPTP has a password weakness problem in which poorly chosen passphrases composed of words found in a dictionary can be cracked with relative ease. HotSpotVPN doesn't allow passwords to be chosen, but rather assigns strong passwords that sidestep this weakness.

In the last couple of weeks, HotSpotVPN received some competition at the same time as it quietly revised its own offerings. WiTopia.net, a division of outsourced IT provider Full Mesh Networks, announced two separate services. One handles WPA Enterprise authentication, which I'll be testing alongside other similar services in the near future. The other, personalVPN, is a low-fee VPN service that competes directly with HotSpotVPN.

Instead of PPTP, WiTopia's personalVPN uses SSL to handle the transport for traffic passing over a network. Specifically, personalVPN relies on OpenVPN, an open-source SSL VPN system, for the client side of the transaction. This will ultimately allow the company to support virtually all platforms, not just Windows XP, which is the only platform the service supports today. The service costs $79 per year with no monthly rates.

An SSL VPN is functionally no different from one based on PPTP or IPsec. There has been a lot of accidental and intentional obfuscation around SSL use in VPNs partly because early systems were designed to secure applications on arbitrary computers. The OpenVPN approach, like many commercial ones, is designed to extend a network through tunneled encryption.

SSL-based VPN systems have two key advantages over PPTP and IPsec. First, many forms of encryption are available for the tunnel, not just the ones designed for those two protocols. Second, SSL transactions can often be tunneled through port 443, the secure Web port, when a VPN connection might not be allowed.Coincidentally -- if such coincidences exist -- HotSpotVPN took the opportunity in the last week to bring their newest offering live: an OpenVPN-based SSL option that they price based on encryption level.

HotSpotVPN's SSL offering will be $10.88 per month for Blowfish encryption (128 bits), $11.88 for AES-192 (192 bits), and $13.88 for AES-256 (256 bits). Annual rates are ten times those amounts. The last of those standards is considered government grade, and is de facto required for financial and medical security. WiTopia confirmed that they are starting with just the 128-bit Blowfish offering to provide the fastest performance.

HotSpotVPN's SSL subscribers also receive a free PPTP subscription as a fallback. PPTP service will continue to be available for short terms (1, 3, and 7 days) for infrequent travelers, and for 6 or 12 month terms.

Putting It To The Test

I recently tested both personalVPN and HotSpotVPN. As one might imagine, the two services operate almost identically given their identical client software.

PersonalVPN requires as part of the sign-up process that you download their version of the OpenVPN software from their Web site, and follow their directions to create a certificate signing request (a CSR). The CSR is pasted into a secure Web page form they direct you to. The company reviews these requests manually and then e-mails you a certificate file (a CRT) which you import into OpenVPN. The CSR and CRT are protected by password-based encryption, which means the transaction conducted over e-mail is still secured and the private key you generated as part of the CSR is password protected in a strong fashion, too.HotSpotVPN has chosen to generate certificate information themselves: once you sign up for service and connect to their secure Web site, the client software you download has the certificate installed and is ready to go. Because this occurs on a secure Web site, there's no danger of a compromise of this information, either.

However, HotSpotVPN, when it sends you your credentials, does so via open e-mail. This doesn't actually open you up to fraud -- anybody who intercepts that information still can't access your user information. However, it could potentially allow somebody who stole that information to use your account for their own protection. This isn't a serious flaw, but it's still one worth noting.

In testing on two separate computers to avoid configuration problems, I found that, except for that extra out-of-band step used with personalVPN, OpenVPN performed identically on both systems. An icon in the System Tray activates the service: right-click it and choose Connect.

I didn't like the fact that both services show too much of the guts of the system for the average user in a status window -- the average user only needs to know whether the connection works or not.

Also slightly problematic is that making changes to default settings requires editing a configuration file. It's not complicated, but I would rather not have to tell a user "if you're using VoIP, then right-click the System Tray icon, select Edit Config, find the line that says 'proto tcp' and change that to 'proto udp'."This can surely be fixed through small improvements to the GUI that I imagine both companies would be eager to see from the OpenVPN project. Since it is open source, they also can contribute improvements back to the project.

Both companies expect to have a Mac OS X version of the client software ready in the near future.

One potential weakness that both HotspotVPN and personalVPN share (and which is unavoidable for this type of service), relates to the nature of VPNs. With a corporate VPN, the protection is end-to-end, starting at the mobile device and ending inside the corporate firewall.

However, with both these services, the VPN security terminates at a server operated by the vendors. Once your data leaves the co-lo server, it moves out into the open Internet. In truth, this is pretty much the same as, say, occurs for home users and shouldn't be problem. But it's worth knowing.

Which service is better? When comparing apples to apples, it's hard to say. Both companies have robust infrastructure and years of dealing with the routine hassles of NOC management. For the absolute simplest approach with the broadest security options, HotSpotVPN.com comes out on top. On pure cost, personalVPN is the winner.0