Computerworld - It's a truth universally acknowledged that public Wi-Fi hotspots aren't secure, but they're so convenient that most of us use them anyway. That's why there was something of a panic last year when Eric Butler showed everyone how easy it is to hijack Facebook, Twitter and PayPal accounts on open Wi-Fi networks via his FireSheep Firefox add-on.
Of course, not everything you do in an open Wi-Fi environment can be picked up by digital eavesdropping. Secure HTTPS servers are great, but it's likely that your e-mail account and many social networking sites don't use HTTPS servers, or maybe just use them for logging in. Or worse, have you submit your user name and password from an HTTP page to get to an HTTPS server. {There is at least one add-on for Firefox that offers HTTPS protection, but only for certain sites.}
In the end, online transactions are only as secure as their most open link, and the most open link of all is the gap between the laptop and the wireless access point. The technology that can really close that link is a tunneling virtual private network (VPN). VPNs establish a secure tunnel between your device and the first server you connect to.
Theoretically, if you're employed at a company that uses a VPN, you could use that corporate VPN to secure your coffee-shop connection -- but most companies frown on such use of their resources. So the obvious choice is to rent a connection from a personal VPN provider.
Personal VPN services have been marketing themselves as hotspot security measures for almost a decade. Once you get past the initial learning hump, it's a relatively simple and inexpensive way to lock down your communications. I looked at three of the more established players: HotSpotVPN, StrongVPN and WiTopia.
The first step is to understand what these providers offer. For a fee, personal VPN providers provide an end-to-end secure connection to one of their servers, which can be located in a variety of places. Personal VPN providers offer some choice of servers, so you can pick those nearest to you for better response time, but some charge extra for wider choice. In addition to security, this can provide you with anonymous browsing and a virtual regional presence (so that if you're abroad, you can appear to be logging on in the United States and retain access to regionally restricted sites like Hulu or Netflix On Demand).
The personal VPN providers reviewed here offer two basic flavors of VPN. The most basic (and slightly cheaper) is built into the operating systems of practically every computing device: point-to-point tunneling protocol (PPTP). VPN providers give you settings for their servers to plug into your operating system. It's robust enough for most people, but is blocked in certain regions and by certain service providers. It also requires mucking around in your operating system for configuration and selection of a separate network device, which might not be feasible if you're on the road using a company laptop for some personal surfing.
A more robust and recent development is an SSL-based technology from OpenVPN, which uses client software to manage connections. This works on Windows, Mac and various Linux and Unix platforms.
Once configured, these services all work the same way: You turn on the OpenVPN client software when you're ready to connect to a public hotspot and make sure the OpenVPN software isn't showing a red (not connected) or yellow (attempting to sync up) color. If it's green, you're connected to a VPN server that's either owned or leased by your VPN provider, and can enter passwords in a public Wi-Fi hotspot with confidence.
To evaluate the three services in this roundup, I signed up for each and used online documentation and technical support resources to configure and set up connections on three identical netbooks. The servers I picked for each were geographically as close to the test location as I could find: New York City.
All the services provided the degree of privacy required (they effectively blocked information from a nearby machine running FireSheep), and so to differentiate between them, I looked at these key factors:
Setup: Configuring PPTP sets up a new network connection, a process that's as hard or easy as your operating system makes it. The personal VPN provider gives you a user name, password and server address, and you set up the network connection accordingly.
An installation of OpenVPN requires a key and certification files, which are copied to a configuration folder. The OpenVPN client software is off-the-shelf, but each vendor has a slightly different approach to configuration. WiTopia and HotSpotVPN include key and certification details in a customized installer download; StrongVPN required more tinkering.
All three services I tested offer both PPTP and OpenVPN options. For the purposes of this review, I used OpenVPN because it was easier to implement, more flexible and easier to remove afterwards.
Ease of server selection: A VPN connection tunnels through the local access point to a specific VPN server: With personal VPNs, you pick the server nearest to your access point. This will, of course, vary if you travel. Each personal VPN provider has different servers. At the very least, you'll want easy access to a pick list of servers.
Pricing: It's not simply a question of what costs less. It's a question of paying for what you'll use. WiTopia provides buffet-style pricing: access to all its servers worldwide for an annual prix fixe. At the other end of the spectrum, HotSpotVPN provides day rates and weekly rates, while Strong VPN bundles servers into packages based on location.
Performance: Using a fourth netbook as a control, I timed connection and load times at various times for common sites, including Facebook, YouTube, and several news sites and e-mail providers. Several loads included long videos to test buffering time. To eliminate latency, I set up a dedicated 802.11n access point and ran identical tests serially on each netbook.
As expected, the control was more responsive in stopwatch testing than the machines using VPN services, but except for video buffering, not noticeably so. Server load responses are notoriously hard to evaluate in this kind of test, but StrongVPN's servers seemed to show the least latency when buffering and streaming videos.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
