Monday, October 29, 2007

WiTopia personalVPN

We all know that it's trivial to intercept unencrypted 802.11 wireless communications.

Happily most cafe net sessions are too boring to interest the average hacker, but there are always kids with too much time on their hands. So I'd been thinking for a while I needed a personal VPN solution.

A personal VPN also comes in handy if you ever have to deal with an overly aggressive "webwasher" type environment: the encrypted traffic goes to a remote proxy, so if the proxy's address isn't blocked (big if), and if the right ports are open (bigger if), then you can bypass the "washing". Note the trade-off: the filtering proxy can no longer read your traffic, but the VPN provider now can.

I decided to do a 30 day trial of WiTopia personalVPN. I paid the $40 for the one year subscription; I have 30 days to get my money back. I picked them because TidBITS recommended them as an OS X friendly solution. Their web site is improving quickly; a week ago it was pretty confusing. There are basically two products you get when you sign up for the personal VPN:
  • PPTP VPN: This is built into OS X, though in 10.4 it works through the peculiar "Internet Connect" application rather than the Network preferences (where I looked for it). Easy to use, requires no additional software. This style of VPN is disdained by experts for known security issues: its MS-CHAPv2 authentication exchange can be captured and attacked offline by dictionary, and the MPPE (RC4) session keys are derived from the same password hash, so the tunnel is only as strong as your password. But of course it only has to be better than nothing -- which is what everyone else at the hotspot is using. It's the old "park next to the better bicycle" theory.
  • SSL VPN: This requires a client installation (an OpenVPN-based client, per their description below).
The SSL VPN is their core product; the PPTP is a bit of a freebie. This is what they say about it (the writing could use some work: they run IPsec and SSL VPNs together, and I think they left out a sentence somewhere):
... With the widely praised openVPN™ software at its core, our service deploys a 128 bit encrypted SSL VPN using the powerful and efficient Blowfish™ cipher. Depending on other factors, higher levels of encryption may simply bog down your processor without providing the security you might think. Versus an SSL VPN, PPTP based VPNs have their limitations and have been shown to have vulnerabilities. IPsec VPNs are superior to PPTP but suffer from tremendous complexity that can affect reliability and security. [jf - this is where they need to say they took a 3rd approach -- SSL VPN]... 
Lastly, we set up our own Secure Certificate Authority and "sign" your unique public key during setup. The private key is never released and resides on our secure systems. These must match before the service will activate and no one can ever see your data without possessing both keys. This adds a step in the setup process, and was additional work on our part, but is superior to static or shared key approaches. Beware of any VPN service that skips it. [jf: The certificate security means WiTopia has to create a custom install for each customer. So if you want to use SSL VPN on OS X and XP you have a problem.] ... 
personalVPN™ is not just a VPN service. It's an Internet privacy solution. Beyond encrypting all your data to our gateway, we exchange your IP address for one of ours. To everyone on the Internet you are an anonymous user whose traffic originates in our data center....
So far I'm sticking with the PPTP solution. It took only a minute to set up on OS X, though I had to run Help to figure out how to do it. I haven't tried the SSL VPN because I don't like installing this type of software if I can help it. It runs too close to the hardware (an OpenVPN client installs a tun/tap virtual network driver) and is often flaky.
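To make the certificate step in WiTopia's description concrete, here is an added example (my own illustration, not WiTopia's setup code) of what a private CA issuing one certificate per client looks like, and of the connect-time check that refuses a certificate the CA did not sign. It uses the openssl command line; the names "Example VPN CA", "Rogue CA" and "alice", the key sizes and the lifetimes are assumptions.

```shell
#!/bin/sh
# Added example (not WiTopia's code): a throwaway private CA that issues one
# certificate per client, plus a connect-time check that only accepts
# certificates it issued. "Example VPN CA", "Rogue CA" and "alice" are
# assumed names; the 365-day lifetimes and RSA-2048 keys are assumptions too.
set -eu

# Server side: create a self-signed CA certificate and the CA private key.
# The CA key stays here; clients only ever receive ca.crt.
make_ca() {  # $1 = directory, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" 2>/dev/null
}

# Client side: generate a key pair and a certificate signing request (CSR).
# Only the CSR (which carries the public key) goes to the CA; the client's
# private key never leaves the laptop.
make_client_csr() {  # $1 = directory, $2 = client common name
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
}

# Server side: sign the CSR with the CA key, producing the per-client certificate.
sign_client() {  # $1 = directory, $2 = client common name
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# Connect-time check: does the presented certificate chain to our CA?
# Exit status 0 = accept, non-zero = reject.
verify_client() {  # $1 = path to ca.crt, $2 = path to client certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo: our CA issues alice a certificate, and it verifies.
WORK=$(mktemp -d)
make_ca "$WORK" "Example VPN CA"
make_client_csr "$WORK" alice
sign_client "$WORK" alice
verify_client "$WORK/ca.crt" "$WORK/alice.crt" && echo "alice (our CA): accepted"

# A certificate with the same name issued by someone else's CA must be rejected:
# having a key pair is not enough, it has to be signed by the service's own CA.
OTHER=$(mktemp -d)
make_ca "$OTHER" "Rogue CA"
make_client_csr "$OTHER" alice
sign_client "$OTHER" alice
if verify_client "$WORK/ca.crt" "$OTHER/alice.crt"; then
    echo "alice (rogue CA): accepted -- this would be a bug"
else
    echo "alice (rogue CA): rejected"
fi
```

In OpenVPN terms the gateway performs this check via its `ca` directive, and the client presents its own certificate and key with the `cert` and `key` directives. Those are ordinary files, so whether a customer can use them from a second machine (the OS X plus XP case above) depends on how the provider packages and licenses them, not on anything inherent in the certificate.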

2 comments:

Unknown said...

Hi. Having been hacked scores of times by a . . . disgruntled "ex" who is also a computer jockey--he sailed through two cascaded Linksys routers, both of which were configured manually--I've been interested in some kind of VPN solution.

I have questions about what you say. Why is SSL the main deal whereas PPTP is a "freebie"? Does one's router need to be able to handle VPN connections? How much does it slow your system down? What do you mean about having software "so close" to your OS, and that it's flaky?

Nathaniel

us vpn said...

I would prefer SSL since it's more secure and it can safely handle business needs.