Michael Horowitz

What your mother never told you about VPNs

September 10, 2009 6:07 PM EDT

When you are using a public wireless network, there are two approaches to ensuring that data coming and going from your computer is encrypted.

One approach involves securing each individual application. For web browsing, this means only using secure HTTPS pages. For reading email, it means using secure protocols such as POPS or APOP rather than normal POP.

The downsides to this are both human and technical.

On a technical level, some applications cannot be run securely. It may be, for example, that your favorite Instant Messaging program always sends everything in plain text. On a human level, it's a pain to configure applications to run securely and then to always be aware of which applications are secure and which are not.

A better approach is a Virtual Private Network (VPN) which creates a secure, encrypted connection used by all data coming into and out of your computer. Whether the data is a web page, an email message, an IM or an FTP file transfer, the VPN encrypts it - without making any changes to the applications themselves.

I'm writing this because I fear that many people are unaware of the VPN option. Anyone reading Jay Lee's HelpLine column in the Houston Chronicle wouldn't know about it.

In part this may be due to a misconception that VPNs are only for large companies. In fact, a number of companies market VPNs to consumers.

There is, however, a difference between corporate and consumer VPNs.

Corporate VPNs create an encrypted pathway (tunnel being the official term) between a traveling employee and their home office. Consumer VPNs create an encrypted path between the computer or smartphone and servers run by the VPN company.

With a corporate VPN, data is encrypted until the point it hits the home office. With a consumer VPN, data is encrypted until it hits the servers of the VPN company at which point it is decrypted and sent out on the Internet to its eventual destination. The purpose of a consumer VPN is to encrypt everything traveling over the air. The purpose of a corporate VPN is to encrypt data end-to-end.

In the September 3rd edition of the Security Now podcast, Steve Gibson was asked about the free HotspotShield.com VPN service. 

He wouldn't recommend the service, saying "...they're monitoring the websites you visit, and they are changing in some fashion the content of the pages you download to insert their own ads."

The VPN service that Leo Laporte and Steve Gibson like is HotSpotVPN. HotSpotVPN offers two services: HotSpotVPN-1 is a PPTP VPN, HotSpotVPN-2 is an SSL VPN. The services are sold by the day, week, month or year.

The VPN service that I have used, and feel comfortable recommending, is from Witopia. They also offer both an SSL and a PPTP option, both of which are sold on a yearly basis.

If you travel rarely, and can live with just webmail when traveling, then you may not need a VPN.

But be aware that some webmail systems only encrypt the page where you enter the userid/password. The pages where you read and write messages are not encrypted. Yahoo falls into this category.  

Yahoo offers free "classic" and "new" webmail systems. Neither says anything about encrypting web pages with HTTPS. Even upgrading to Yahoo's Mail Plus doesn't seem to offer an option to encrypt all pages. No surprise then that the Privacy page at Yahoo Security says nothing about encrypting webmail pages.

Gmail defaults to encrypting only the login page, but offers an option (Settings -> Browser Connection) to encrypt all pages.

Earthlink customers are fortunate: their webmail system serves up all pages using HTTPS.
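
To see which category a webmail service falls into, record the requests from one session and audit the list. The Python below is an added example, not part of the original column: the record layout is an assumption, and the hostname, paths and cookie names in the sample session are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: one webmail session, in request order. The layout
# (url / sent_cookies / set_cookie) is an assumed format for this example.
SAMPLE_SESSION = [
    {"url": "https://mail.example.test/login", "sent_cookies": [],
     "set_cookie": ["sid=a1b2c3; Path=/; HttpOnly"]},
    {"url": "http://mail.example.test/inbox", "sent_cookies": ["sid"],
     "set_cookie": []},
    {"url": "http://mail.example.test/compose", "sent_cookies": ["sid"],
     "set_cookie": ["prefs=compact; Path=/"]},
]

def parse_set_cookie(header):
    """Return (cookie_name, has_secure_flag) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, "secure" in attrs

def audit_session(entries):
    """Report which pages and cookies of a session travelled unencrypted."""
    plaintext, exposed, missing_secure = [], set(), set()
    for entry in entries:
        encrypted = urlsplit(entry["url"]).scheme.lower() == "https"
        if not encrypted:
            plaintext.append(entry["url"])
            # Cookies sent with a plain-HTTP request are readable on the air.
            exposed.update(entry["sent_cookies"])
        for header in entry["set_cookie"]:
            name, secure = parse_set_cookie(header)
            if not secure:
                # Without Secure, the browser also sends it over HTTP later.
                missing_secure.add(name)
            if not encrypted:
                exposed.add(name)
    if not plaintext:
        verdict = "all pages encrypted"
    elif len(plaintext) == len(entries):
        verdict = "nothing encrypted"
    else:
        verdict = "partly encrypted"
    return {"verdict": verdict, "plaintext_urls": plaintext,
            "exposed_cookies": sorted(exposed),
            "missing_secure_flag": sorted(missing_secure)}

if __name__ == "__main__":
    for key, value in audit_session(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

A "partly encrypted" verdict with the session cookie listed under `exposed_cookies` is the login-only pattern described above: the password is protected, but the session that follows it is not.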

If you can get through the techie lingo that comes hand-in-hand with the service, having a VPN is great security while traveling.