Using a public Wi-Fi spot without a VPN is like shouting everything across the room in plain English—anyone who wants to listen in, can. Using a VPN is more like shouting in a made-up language that only you and your twin sibling understand. A VPN will encrypt anything you send from your laptop to the Wi-Fi router, so that nobody else in the coffee shop, student center, or hotel can see what you're doing.
If you work for a large company, odds are your IT department has already got you using a VPN when you're traveling or working away from the office. If you're everyone else—a freelancer, a student, a small business owner with one or two computers and no real "back-end" system—then many of those VPN solutions are out of your reach. Either they're too complicated to set up without computer skillz or they're too expensive.
Luckily, there are cheap VPN programs you can install on your laptop that are more or less self-contained: you install the app, then launch it when you log on to a Wi-Fi network, and everything you do online from that point forward will be encrypted. There's also a hardware-based solution—a USB drive that you can plug into any computer for a quick VPN environment.
A couple of things to note:
So with those caveats, here are some options you can consider. The first two programs listed below install the same as any other app, but I haven't tested the other three. If you've tried any of these and can share an opinion, please join in the comments below.
AnchorFree's Hotspot Shield
Free, but ad-supported. While browsing, you'll see ads appear occasionally at the top of the browser window. It's great if you infrequently need it, but annoying if you find yourself in a Starbucks once a week.
Witopia's PersonalVPN
$40 per year
HotSpotVPN
$9 per month (listed as a temporary price reduction as of October 2008)
iPig
Free with a 10MB cap / $30 for 30GB of data transfer
PublicVPN
$70 per year, or $7 per month
About that hardware solution: IronKey is a USB flash drive that offers a few extra features you can't get with the software above. It encrypts any files you store on it, and it comes with its own VPN software that runs automatically when you plug it into a Windows PC. It comes with the Firefox browser included, so you can surf the web through the IronKey no matter what PC you're using. It costs $80 for a 1 GB drive with a 1-year VPN subscription.
And finally, Consumerist reader Ein2015, who provided an invaluable service by vetting this article before I posted it, pointed out that there's an awesome open source VPN solution called OpenVPN. It's cross-platform and free, so if you're feeling techy and want to set up your own virtual private network using your home computers, you might check it out.
(Many, many thanks to Ein2015!)
(Photo: Getty Images and stevecadman)
VPN all you want. The fact is, if you are sitting on an open wireless network dozens of other computers are probabaly also connected and in turn connected to you unless you have your computer protected properly. When I was younger I used to sit at starbucks and pick out people whos computers I could practice "security auditing" on. VPN is a good solution, but it will only protect your data in transit. If somone decides to load a decent key logger on your system, then they have you data eitherway. My point is, no single solution will ever be enough.
]]>@mariospants: All you are doing right then is connecting to the internet. What if the guy next to you decides you look like a good mark and then drops a virus on your computer? now a week or a month down the road, you think you secure on your home network and type in your CC info, now he has it.
]]>My router is not WRT compatible but I have pocket pcs I wouldn't mind running. Or what about vpn or tunneling through a NAS? I have been looking at the buffalo linkstation or Mybook world edition
My logic is I trust my home connection and somewhat "free"
]]>Regarding VPN's, what you are describing is called split tunneling. If it's on, anything non-office related goes out through the internet UNENCRYPTED. If it's enabled, all traffic goes through the VPN tunnel.
In cases with the Cisco VPN, you can enable the option to Enable Local LAN access and you can then access your local printers.
Anyhow, This whole VPN thing is silly because you NEED something to VPN to. And, chances are if you are using work VPN and split tunneling is disabled, they are probably keeping logs of everything you access. Read the fine print of their acceptable use policy...
]]>It should be pointed out that everything discussed here is not limited to laptops, it also applies to any device you carry that connects to the Internet over WiFi. This means you, iPhone! When I get around to buying an iPhone, setting up a secure tunnel will be one of the first things I do, but I keep reading that Apple does not make it easy or seamless especially when switching between 3G and WiFi.
If you don't use a VPN, at least find out how your email provider supports SSL so that your emails can at least be encrypted. People treat email so lightly, but there are so very many personal details in your emails. So...down at the local coffee shop you got an email receipt from Amazon for a big-screen TV and then 5 minutes later you got an email receipt from Southwest about your vacation between December 15 and 30? If you are using email in plaintext, then great, you just told any hacker in the room that your new TV will be unprotected during that time...
]]>I wasn't paying attention and read on the homepage of lifehacker. I read the second sentence and thought: wtf... yes, you are lifehacker!
]]>https://secure.logmein.com/products/hamachi/vpn.asp
-249-
]]>LogMeIn FREE is, well, FREE and enrypted so any remote surfing you do is much safer than the open air at your favorite hotspot.
Did I mention that it was FREE?
]]>L2TP is pretty tricky to get working unless you have public IPs on both sides. the reality probably is that the helpdesk people didn't want to deal with it.
]]>Of course then you have to make sure it's not a publicly-accessible proxy or then you might have more problems... :)
]]>I'm running OS X 10.5, though... so you might want to look at some tutorials for 10.3. The important part to remember is that you have checked the important protocols. I'm not at my laptop right now, but feel free to send me a site message and I'll walk you through it later on.
]]>When you're connected via ethernet to a cable modem, you really don't have to worry about people spying on your traffic (disclaimer: FISA stuff not included). But even when you're on your own home network, just using WEP makes you vulnerable to sniffing... as WEP is insanely easy to crack.
Thus, when on a laptop, VPN is a very good idea... even when keeping it simple. It's an added layer of protection that can easily be forgotten, so it should be left on (so if you forget, it's still on). Having to ask yourself "is this security issue enough to warrant using a VPN?" will only make you more at risk.
]]>https://www.relakks.com/?cid=gb
Relakks is the only one I know of that contractually obligates themselves NOT to look at or store logs of your data as it moves through their network. Plus, they are based out of Sweden, and run by the pirate party. woot.
Keep in mind, using any of these solutions (including Relakks), that your data is only secure up until the point where it leaves the internet from your VPN providers connection. It may protect your data from being sniffed from the people around you, but that doesn't the VPN provider from snooping in on it. The only way to transfer data home or back to your office safely is by encrypting the connection end-to-end.
]]>WPA and especially WPA2 better security... but hotels usually don't use that because it's easier to just have WEP.
]]>you also could use RDP to a home computer...
]]>@Ein2015: It's just that I hear so much about wireless security "issues" and aside from the sniffing aspect the vulnerabilities exist equally if you're on a wireless network or just surfing from home on a cable modem. In other words - if you keep it simple - nothing to freak out about.
]]>Hope that makes sense. :)
]]>However, instead of forwarding the whole Firefox window over a remote X session, I set up a proxy on the remote computer, and used that.
If you trust the local computer, then it would be faster to only use a proxy and keep the browser running locally.
]]>With that said, there are a LOT of good uses for old computers... VPN, storage, web server, media center, etc! :)
]]>The article is targeted to error on the side of caution.
]]>I used Witopia and so far have been very happy with it (just started using it about 2 months ago).
]]>This should also be helpful for everybody... with pictures! :D [forums.bit-tech.net]
]]>If you need help setting it up, reply here and I'll be happy to walk you through it. :)
]]>Don't forget that TrueCrypt will not encrypt your traffic, just your hard drive.
]]>This is my favorite solution to this particular problem, and I've been doing this for years at home. It's obviously more difficult to set up than a paid service, and it is theoretically possible your ISP might get annoyed about it depending on how aggressively they interpret their TOS (this is largely just for fair warning in my experience, but it is possible.)
]]>For example, I use SSH to connect to my linux box. All traffic between me and the linux box is encrypted. If you trust linux box's connection (for example: it could be at your house or at a secured hosting environment), and you have a *nix laptop, you should be able to use X-forwarding... so you can run Firefox on that linux box and see the results on your screen... totally encrypted between the two.
If you have windows, X-forwarding is a bit more difficult to do and may cost money... but anybody who is interested should send me a message and I'll see what information I can provide. :)
If I remember correctly, you should be able to remote desktop through SSH as well, regardless of operating systems. I can look for more information on this as well if necessary.
Hope this helps!
]]>This is why I wrote they weren't really an end-all in privacy, because technically you're letting another party deal with encrypting your traffic. But it's better than nothing.
]]>@putch: Well and great advice, but I'm already running a firewall, not accessing sites that require personal information and Windows + dlls and apps that require access to the Internet are either updated to latest or disabled (i.e. no IM). So, can anybody access my system via Wifi or not?
]]>@courtarro: I disabled my IM client as soon as it installed itself without my permission and my advice still stands, right? I recommend NOT entering anything with a username and password and avoiding online shopping.
]]>No connection is secure unless it offers a certificate authenticating who you are actually connecting to. Sad part is, anyone can spoof that and you are never actually secure. The only way to be safe is to check with the people who work there and find out which connection is legit. The danger on a public network is minimal, it's a little harder to get your data. They like you to connect directly to them as though they are a router.
]]>@post_break: Well, I hope whoever I'm connecting to right now likes burritos because that's what they're getting.
However, any intruder who's around can send packets to your computer, and if your OS (*ahem*Windows*ahem) or some program running on your computer handles them incorrectly, then there could be problems.
Generally, turn off any servers that you don't need for a particular reason; on Windows, the only server you'd need on most laptops is file sharing, and it's a good idea to turn it off when you're not using it. Also, Windows computers should use a software firewall to add one more level of protection against your OS's doing something stupid when an unexpected packet comes in.
]]>that was a creepy, helpful and all-around awesome post
]]>@mariospants: It is true, in the same way that you cannot be injured in any way (outside the potential vulnerability related to specific tissues and organs).
A machine with no applications has no attack surface... it's also about as useful as glowing stone tablet except with limited battery life. The point of hooking it up to a network is to use an application to reach out across it. In fact, the software used to implement network connectivity is, in fact, a kind of application in and of itself.
Security is always a balance of usability and protection.
]]>http://www.grc.com/securitynow.htm
I personally use Hamachi to secure my VNC and RDP traffic and a VPN account with SwissVPN for when I'm in hostile territory.
]]>This post is geared toward people who don't know what VPN or SSH means, who don't want to know, and who won't or can't bother with anything more complicated than the sort of installation they're already used to.
]]>If you don't look at your SSL certificate closely you can have your username and password stolen easily.
Just because it says SSL or [] does not mean it is secure in any way.
Remember that just because a network is open doesnt mean that its fair game. Who knows who is on the other end, it could be me.
]]>For example, 100% of apple macs with dashboard widgets make periodic or on-demand connections over http-on-plain-tcp (not https, not ssh tunnelable, ...) requests to joe random server.
The dashboard widgets are really safari, javascript and all, so a local host that chooses to spoof the response faster than the actual server is subject to a javascript payload attack (through no user action). Yahoo widgets for Windows and google desktop widgets have similar issues.
The ___only___ easy to manage, safe way to access a public hotspot of any kind is to use a VPN client and immediately connect to the VPN. The downside is that almost no vpn client, including Cisco's, does the right thing and installs a 100% drop policy for non-VPNed packets prior to establishing the tunnel. Part of this is that there is no good way to do it; most hotspots require some sort of host spoofing http-to-https redirect to get you to the hotspot authentication page. While this is happening, if you get unlucky, you are fucked.
Pretty much all network communication at this point should use SSL with certificate validation (and proper enforcement for any autonomous agent, including things like th dashboard widgets, email, ...). No one should ever use pop-on-plain-tcp again, no plain http, etc. Ever.
But this isn't practical, so "hurry up and get on the vpn" is about as close as you can get. Running vpnless or attempting to craft hyour own via ssh is hopelessly naive.
]]>Just a question for you uber geeks: after a little researching, I could find no real way (outside of the potential vulnerability related to specific applications) for an intruder to enter into your system while you are hooked up to a shared wifi network. Is this true?
]]>@mercnet: The same people would've gone there for "VPN" without the explanation of the article; it doesn't mean that it's necessarily a difficult concept to grasp, convey, or implement (though it very well may be... hence my wondering about the level of SSH versus the level of the article).
]]>Sadly, I turn off my router when I'm not home, so this isn't a viable solution. I can't shell out the funds for an Ironkey either. My solution is to not keep any personal information on my laptop, and to not sign-on to vital services (financial websites, email to a lesser extent) while surfing in the public view. As for files? One of my goals is to start experimenting with TrueCrypt.
]]>well, if all you're doing is surfing consumerist while at Starbucks - and not entering any sensitive information such as a username and password - the easiest advice is not to do anything in public you wouldn't do if a stranger was looking over your shoulder.
]]>Would SSH tunnelling be a viable option? Or is that too tech-y for this overview?
]]>