Safe WiFi Access

In the last few weeks there has been a huge brouhaha in the cruising community about the dangers of using open WiFi hotspots, and rightly so. This has never been a particularly safe practice, but the release of Firesheep—a plug-in for the Firefox browser that allows literally any idiot, no matter how technically inept, to hijack other people’s internet sessions—has upped the risk of using unsecured WiFi dramatically.

The release of Firesheep also jarred me out of my complacency—with my technical background I have long known that we were taking a risk but, like most people, I had not got around to doing anything about it—and sent me on a search for a secure solution that would allow us to foil internet eavesdroppers while continuing to use open-access WiFi hotspots. It turns out that there is a reasonably simple solution.

The Solution

It’s called a virtual private network (VPN), and it consists of two parts: a piece of software on your computer that encrypts all of your internet data as it leaves your computer and decrypts incoming data; and a server that receives your encrypted data, decrypts it, and sends it on to the intended recipient, and likewise encrypts the data intended for you before sending it back.

The result is that the nasty little 14 year old electronic vandal using Firesheep, or even the sophisticated hacker, sees nothing but unintelligible gobbledygook when he or she listens in on your WiFi data. I’m no computer security expert, but this is industrial-strength, proven technology that is, as I understand it, pretty bomb-proof.
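As an added illustration (not code from this article, and not how WiTopia or any particular service is built), here is a stdlib-only Python model of the two parts just described: the client software that encrypts each packet before it leaves the laptop, the open WiFi where an eavesdropper records everything, and the VPN server that decrypts and forwards to the real destination. The cipher is a toy built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standing in for the TLS/OpenVPN cryptography a real service uses; the host name, request, cookie value and tunnel key are constructed for the demo.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12   # per-packet random nonce
TAG_LEN = 32     # HMAC-SHA256 tag


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter), truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_keys(shared_secret: bytes):
    """Separate encryption and MAC keys from the one secret agreed at VPN login."""
    enc_key = hmac.new(shared_secret, b"tunnel-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"tunnel-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one packet: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_packet(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    """Verify the tag before decrypting; anything modified in transit is rejected."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet rejected: truncated")
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("packet rejected: bad tag (tampered or wrong key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample: a plain-HTTP request carrying a session cookie, the kind of
# thing that is readable to anyone on open WiFi when no VPN is in use.
SAMPLE_DESTINATION = "mail.example"
SAMPLE_REQUEST = (b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n"
                  b"Cookie: session=CONSTRUCTED123\r\n\r\n")


def client_send(enc_key, mac_key, destination: str, payload: bytes) -> bytes:
    """Laptop side: wrap destination + payload into one encrypted tunnel packet."""
    return seal(enc_key, mac_key, destination.encode() + b"\n" + payload)


def server_receive(enc_key, mac_key, packet: bytes):
    """VPN server side: decrypt and hand (destination, payload) on to the internet."""
    dest, payload = open_packet(enc_key, mac_key, packet).split(b"\n", 1)
    return dest.decode(), payload


def run_demo():
    enc_key, mac_key = derive_keys(secrets.token_bytes(32))
    packet = client_send(enc_key, mac_key, SAMPLE_DESTINATION, SAMPLE_REQUEST)
    sniffed = bytes(packet)            # everything the WiFi eavesdropper gets to see
    forwarded = server_receive(enc_key, mac_key, packet)
    corrupted = bytearray(sniffed)     # flip one ciphertext byte in transit
    corrupted[NONCE_LEN] ^= 0x01
    try:
        server_receive(enc_key, mac_key, bytes(corrupted))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "cookie_visible_on_wifi": b"session=CONSTRUCTED123" in sniffed,
        "forwarded": forwarded,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the model makes visible that the prose does not: a modified packet is dropped rather than decrypted into garbage, and the VPN server itself hands the request on in the clear. The tunnel hides your traffic from the hotspot, not from the VPN operator or from anything beyond its server; only HTTPS inside the tunnel does that.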

Which VPN Is Best?

My answer to which VPN is best? Beats the heck out of me. Jeff Siegel over at Active Captain (a far more tech savvy guy than I am) has identified nearly one hundred different VPN vendors and is in the process of performing an exhaustive evaluation of them. If you join Active Captain (it’s free) you can keep up with Jeff’s efforts.

However, we could not wait. So I did what I usually do when picking software: did a Google search, looked at the websites of the top half dozen vendors listed, and selected the vendor whose site had a tone I liked. Total time, one hour.

Sounds pretty hit-or-miss, I know, but on the other hand I ran a company for many years where our success depended to a large extent on the software companies that I picked to partner with, so based on that experience I don’t pick really bad software often.

And The Winner Is

We ended up with WiTopia and are using their Personal VPN—SSL (OpenVPN) service for $59.99/year. I don’t recommend their Personal VPN—PPTP service, even though it is $20.00/year cheaper.

Takes Some Work

Setting up was relatively straightforward once I figured out how to get the VPN and our firewall software to play nicely together. Having said that, getting our relatively complex system, comprising three computers behind a WiFi-enabled hub plus an iPad, all secure took me a couple of hours and three sessions with WiTopia support. A single computer connecting to WiFi should be simpler, but be prepared for some messing around.

Summary

[Updates September 2013] We have now been using the WiTopia VPN for two years and are happy with it. It is a great relief to know that our internet traffic is secure, no matter where we are or how we are transmitting it.

By the way, a VPN is a good idea for anyone who uses unsecured WiFi hotspots, not just cruisers. Also, you are not safe without a VPN just because the hotspot asks for a password.

Disclosure

We paid the same price as anyone else for our three copies of WiTopia’s VPN and we will not receive any compensation if you buy their products.


  • Jeffrey Siegel December 4, 2010, 5:05 pm

    WiTopia is one of three that I currently like although they’re not my favorite. There’s another that provides some additional features, has a little better tech support (I had some issues that I didn’t like in an interaction with WiTopia support), and is able to offer discounts to ActiveCaptain users making it less expensive. I’m doing testing on them and one other VPN before releasing the results.

    • John December 5, 2010, 10:48 am

      Hi Jeff,

      Thanks for the comment. I will be really interested to hear which VPN you pick.

      We will probably stick with WiTopia since it is working well for us. Better the devil you know… And their support has really been very good indeed. Also, so far, many of the problems you hear about with VPNs like slow speed and no Skype use, don’t seem to apply to WiTopia.

      When you make a choice, we and our readers would be interested to hear, via a comment here, who the winner is.

  • Matt Marsh December 5, 2010, 12:40 am

    A VPN, or a similar encrypted connection to a known safe point, is a Very Good Idea for anyone who uses WiFi. An open connection is about as private as yelling across a crowded bar; with a good VPN, you’re still yelling across the bar but at least you’re yelling in a language only one other person speaks.

    I might also add: Force end-to-end encryption for all sites that support it (e.g. use HTTPS-Everywhere, https://www.eff.org/https-everywhere ). Make a point of asking the access point owner why it’s not using WPA2 encryption (virtually all WiFi hardware built in the last five years supports it) – even if everyone knows the point’s WPA2 password, they can’t decrypt each other’s data.

    Your answer to this issue, John, is exactly what I had hoped would happen when Firesheep came out: people are getting enough of a jolt that they’re putting more thought into online security. (If nothing else, at least people don’t give me quizzical looks anymore regarding the “jumble of junk”- the PGP signature- on my emails.)

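Matt’s “force end-to-end encryption for all sites that support it” is what the HTTPS-Everywhere extension does in the browser. As an added example (mine, not Matt’s and not the EFF’s code), here is the same mechanism in miniature in Python’s standard library: a constructed list of hosts known to serve HTTPS, a rewrite that upgrades http:// links for those hosts, and a urllib redirect handler that refuses to follow a redirect that would move an HTTPS request back onto plain HTTP. The host names are constructed for the demo.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for an HTTPS-Everywhere ruleset: hosts known to serve HTTPS.
HTTPS_HOSTS = {"mail.example", "www.example.com"}


def upgrade_url(url: str) -> str:
    """Rewrite http:// to https:// for hosts in the ruleset; leave other URLs unchanged."""
    p = urlsplit(url)
    if p.scheme != "http" or p.hostname not in HTTPS_HOSTS:
        return url
    # An explicit :80 belongs to plain HTTP; the upgraded request goes to the HTTPS port.
    netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def is_downgrade(from_url: str, to_url: str) -> bool:
    """True when a redirect would leave HTTPS for anything that is not HTTPS."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https"


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects, except one that would move an HTTPS request onto plain HTTP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise urllib.error.HTTPError(
                req.full_url, code, "refused https->http downgrade to " + newurl, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    return urllib.request.build_opener(NoDowngradeRedirectHandler())


def fetch(url: str):
    """Network use: upgrade the URL if the ruleset allows, then open it with downgrade refusal."""
    return build_opener().open(upgrade_url(url))


def decide_redirect(from_url: str, to_url: str, code: int = 302):
    """Offline view of the handler's decision: the URL it would follow, or None if refused."""
    req = urllib.request.Request(from_url)
    try:
        return NoDowngradeRedirectHandler().redirect_request(
            req, None, code, "Found", {}, to_url).full_url
    except urllib.error.HTTPError:
        return None


if __name__ == "__main__":
    print(upgrade_url("http://mail.example/inbox"))
    print(decide_redirect("https://mail.example/", "http://mail.example/login"))
```

The refusal matters because a site that serves its login page over HTTPS but bounces you to http:// afterwards puts the session cookie back in the clear on the WiFi, which is precisely what a VPN or HTTPS is supposed to prevent.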
    • John December 5, 2010, 10:55 am

      Hi Matt,

      Great comment, as always. I love the yelling across the crowded bar analogy.

      While I like the idea of getting hot spot owners to use WPA2, I think that it is very unlikely that they will, since many non-tech users have problems setting up a WPA client and this in turn puts a big support burden on the hot spot owner’s staff. No marina operator wants to spend large chunks of time playing software support tech, particularly without getting paid for it.

      Like you, I now see the release of Firesheep as a good thing since it jolted me out of my laziness to do the right thing.

      • Robert December 5, 2010, 12:59 pm

        Nice post, John…and also Matt (I also love the “yelling across the bar” analogy). I would personally like to see more HTTPS everywhere, but using a VPN is a great start….and probably is the quick 99% solution until more web hosting organizations get with it. I agree with John about the WPA(2) at hot spots not likely to take hold even though it’s a good idea…though my reasons are different – it’s just too darned easy to crack. I think better to not count on the marina and stay self-reliant. Which is a very cruising/venturing like mentality, don’t you think? :)

        As I have been watching this Firesheep thing unfold, while at first rolling my eyes, I have come to agree with you that maybe it is a good thing. Although I personally disagree that Firesheep represents any threat that wasn’t pre-existing**, I see value that it has brought to the surface the discussion of securing one’s traffic through a WiFi system. I really like that boaters/cruisers are now asking some more questions and are seemingly ready to take action.

        Go HTTPS :)

        Cheers,
        Robert

        ** Yes, I do understand that some people strongly believe that it is somehow now much easier for a 14 yr old to hijack your Facebook session (or others) because it is now a Firefox plug-in. I just happen to disagree that it is any more trivial now than it was a few months ago…or years really. I could wax philosophical and give examples and my reasons, but it isn’t really relevant to the “what to do now” topic and is likely to bore everyone on my favorite blog silly :)

        • John December 6, 2010, 9:47 am

          Hi Robert and Matt,

          I agree, universal HTTPS is something we should all be pushing for. But my guess is that it is going to be a while before we see that. Also, the average user has a hard time determining whether or not a site is using HTTPS properly to secure the entire interaction from end to end.

          Like Robert says, I like the VPN because once I have it running and have made a simple IP address test I know that all my traffic is secure from that point on: web surfing, eMail, Skype, etc. I don’t have to worry that someone else has done something dumb and left a loop hole.

  • Ann Bainbridge December 6, 2010, 9:21 am

    This is really great info. Like you, I have been really uncomfortable using unsecured WiFi but chose to just run the risk and not think about it. I haven’t looked into these commercial VPN services yet, but am wondering about any negative performance impact involved with routing all my traffic through their server(s). Wondering whether user and/or server physical location would/could be a problem and whether this should be looked at when determining which VPN service to purchase?

    Thanks
    Ann B.

    • John December 6, 2010, 9:39 am

      Hi Ann,

      So far we have not seen any noticeable degradation of speed from using WiTopia. My guess is that if you were using a really fast cable modem at home, you might notice a slight slow down when using the WiTopia VPN. However, on a public hot spot, which tends to be slow anyway, it does not seem to be a problem, at least with WiTopia.

      Yes, the server location is important. WiTopia has a bunch of them all over the world. The other advantage of this is that you can use their VPN to appear to be somewhere you are not to access content that is geographically restricted, like some sports events.

  • Jeffrey Siegel December 6, 2010, 10:33 am

    I’m testing a variety of VPNs. The quality ones show no decrease in speed for WiFi connections that we use on a boat. John’s right – a fast cable modem connection at home might show a loss.

    If you think about it, your WiFi connection onboard is pretty slow (maybe 1 Mbps – 1.5 Mbps on a great connection). A good VPN is right on a high-speed backbone connection. What I’m finding is that with particular types of traffic, some VPNs actually increase the speed, especially video. Some VPNs grab a buffer of video faster than they can transmit it to you. In that extra time, they compress it further and ship it over the network to your computer. The result is that you can watch some videos with lower bandwidth. It’s difficult to test it precisely but I’ve seen as much as a 20% increase in YouTube speed with a VPN. Not all VPNs have this.

    Some VPNs have ad blockers that block the data on the VPN’s site, providing even more bandwidth savings.

    That said, there are some VPNs who inject advertising and throttle your speed in an attempt to keep their service free and/or inexpensive. It all comes down to making sure you know what you’re getting, and it’s difficult because a lot of VPNs hide this info (immediately rejecting them in my mind as a quality VPN).

    For what it’s worth, ActiveCaptain.com cut over to https for every page on our site (hundreds plus some complex code-based ones). It took about 4 days and cost $100 for extra IP’s and multiple certificates. Even without a VPN, traffic and especially login info is now well hidden. If there are sites where you log onto, write to them and ask them to convert. I’ve been doing that on forums that I use – the more requests they get, the quicker they’ll implement it.

  • Patrick December 6, 2010, 1:14 pm

    Glad to hear the cruising community is finally getting the picture. As a retired techie who specialized in mobile access to corporate systems, I have often tried to convince people they were at risk and needed VPN protection, frequently to no avail. By the way, it should be noted that the risk is not just access via wireless, but also on “public” wired systems, hotels etc., as well.

    I have used HotSpotVPN’s VPN-2 service since 2004 with great results. It is a bit more expensive than some of the others but offers three encryption levels and supports nearly every type of device. Their AES VPN-2 service includes both OpenVPN and PPTP VPN for iPhone etc. In other words, two accounts in one.

    I have no affiliation with HotSpotVPN. I’m just a satisfied customer who’s always been serious about online security. As always, YMMV.

    Patrick
    S/V Silhouette, Cabo Rico 38, #43,

    • John December 6, 2010, 6:16 pm

      Hi Patrick,

      Thanks for the pointer. There is nothing more useful than information from a long term satisfied customer.

  • Chris December 7, 2010, 11:46 am

    REDUCING RISK WHILE USING THE INTERNET

    A VPN, necessary, but not sufficient.

    For us, good security comes from layers and discipline. That said, there is no such thing as perfect security, we simply lower the risk to acceptable levels. We want to thwart the nosy and the lazy petty thief — if a pro or a government is after us, we need to hire a consultant. The mantra is basically: Protect the port, protect the channel, protect the handshake, protect the content, protect the protections and don’t be lazy. I have avoided jargon as much as possible.

    PROTECT THE PORT
    – We don’t use public machines for anything identifiable to us. We expect them to have been compromised. When using our own machine, we sit with our back to a wall; we stay aware of who is around us. We don’t leave our machine unattended, ever–ever. We have a good firewall and malware suite loaded and in use — ours stops traffic when it encounters a dubious security situation and requires us to explicitly allow the traffic to continue. We password protect the computer and set the sleep/lockdown time to as short as we can stand. We have a screen privacy cover that narrows the in-focus field of view for crowded hotspots.

    PROTECT THE CHANNEL
    – We use WPA security where available and pick our spots for that availability — but we realize a poorly managed WPA environment may provide false comfort, WPA keys/passwords can be compromised by rank amateurs in less than 100 hours. Fake WIFI free hotspots will use WPA to add legitimacy. We pick a spot that changes WPA keys/passwords daily if possible (very rare). If they don’t, we assume we are running wide open. For this reason, we use a Virtual Private Network (VPN). While VPN services’ credentials are hard to find, so is evidence any cruiser has been compromised by a well-known, well advertised service. [We are aware that some countries, even democracies, block VPN usage.] We use tethering from a cell phone for the small slice of content we really need to protect if a VPN is too troublesome. We use smartphone banking/etc. apps if they work where we are — they usually come with loss protections.

    PROTECT THE HANDSHAKE
    – We use “https://” for anything we can’t afford to lose. The encryption used by https will foil the intrusive amateur. We make sure the address bar of our browser highlights the connection type with color or a pop up. Many services will shift you seamlessly to http if https traffic bogs down. At least one blogging service we have seen does this. If we lose https when we need it, we shut off the connection immediately. We set our firewall to “block traffic when https connection is lost.” When we use a laptop with a built-in WIFI capability, we keep the link manager on the desktop so we can hit disconnect immediately. We prefer to use WIFI cards or USB cables where we can yank the connection, because the software switches are often slower.

    PROTECT THE CONTENT
    – Obviously, for transactions with banks etc, we are stuck with their security framework — we use every protection they offer/recommend, our ability to recover lost assets may depend on proving we did. For emails and such, if we don’t want people to see it, we encrypt it. We use 256AES and put the content that matters in an encrypted attachment. The best encryption app is the one our correspondents will use. When sending encrypted content to an infrequent correspondent, we use a self-extracting encryption app (it will create an encrypted file “yourcontent.exe”) and send the password via SMS or SMS to email, or better yet we make that arrangement ahead of time. An “end-around” we have used for friends and family with limited computer tolerance is to post what would be email content to a (different) blog via a service using https, we password protect the post, and send them the changeable portion of the permalink to the post (they already have the fixed portion and the password). Also, an aside, there are email services with very sophisticated compression schemes that offer some encryption-like protection against casual snooping. But a criminal who has signed up for that service, has the de-compression key…

    PROTECT THE PROTECTIONS
    – We lock up our computer when it’s not being used. With physical access, I can crack a laptop with a well crafted eight character password in about as many minutes (The software to do this can be downloaded from multiple sources.) We password protect our computer. We password protect our passwords. We put them in password “vault” protected by a master password and a digital key. We keep the key on several thumb drives. We require both the master password and the key to access the other passwords. We create serious passwords of 24-32 or more characters of near random content. We put a serious master password on the browser. So far, I don’t know of any browser that effectively integrates security keys without a browser “extension” from essentially uncredentialed providers. We do not trust browser extensions that provide “improved security.”

    “It’s a jungle out there kiddies,” but you aren’t up against the fastest lions, you just have to make sure you aren’t the slowest gazelle.

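Chris’s “protect the protections” section describes a password vault that needs both a master password and a digital key kept on thumb drives, filled with passwords of 24–32 or more near-random characters. As an added example (mine, not Chris’s and not any particular vault product), here is the core of that design in Python’s standard library: passwords drawn from the OS random source, and a vault key derived from the master password with PBKDF2 and then bound to the key-file bytes with HMAC, so that a wrong password or a missing key file both fail to unlock. The iteration count and the “vault-unlock-check” label are my choices, not anything from the comment.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PBKDF2_ROUNDS = 600_000  # assumption: slows offline guessing of the master password


def generate_password(length: int = 32) -> str:
    """Near-random password from the OS CSPRNG; 24 characters is the floor Chris suggests."""
    if length < 24:
        raise ValueError("use at least 24 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing-resistance of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def make_key_file() -> bytes:
    """The 'digital key' to copy onto several thumb drives: 32 random bytes."""
    return secrets.token_bytes(32)


def derive_vault_key(master_password: str, key_file: bytes, salt: bytes) -> bytes:
    """Vault key = HMAC(key_file, PBKDF2(master_password)); both secrets are required."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS, dklen=32)
    return hmac.new(key_file, pw_key, hashlib.sha256).digest()


def _check_value(key: bytes) -> bytes:
    return hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()


def create_vault(master_password: str, key_file: bytes) -> dict:
    """Store a fresh salt and a verifier derived from the key; never the key itself."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, key_file, salt)
    return {"salt": salt, "check": _check_value(key)}


def unlock(vault: dict, master_password: str, key_file: bytes) -> bool:
    """True only when the derived key matches the stored verifier (constant-time compare)."""
    key = derive_vault_key(master_password, key_file, vault["salt"])
    return hmac.compare_digest(_check_value(key), vault["check"])


if __name__ == "__main__":
    key_file = make_key_file()
    vault = create_vault("correct-master-password", key_file)
    print(generate_password(32), round(entropy_bits(32), 1), "bits")
    print(unlock(vault, "correct-master-password", key_file),
          unlock(vault, "correct-master-password", make_key_file()))
```

The split between the two factors is the point: someone who copies the vault file and guesses the master password still gets nothing without the bytes on the thumb drive, and a lost thumb drive is useless without the password.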
    • Robert December 7, 2010, 12:29 pm

      Another very simple precaution…don’t access the network using an account that has administrative privileges. That’s the default setting for most operating systems. Good practice is, for your normal every day operations, create and use another user account without those privileges. I see a surprisingly high number of people using the original user account that they used to set up their computer.

      Robert

      • John December 7, 2010, 1:08 pm

        Hi Robert and Chris,

        Thanks for sharing some interesting points. However, much of this is way too complicated for the average cruiser. For an example, I would estimate that less than 20% of Windows users even understand user accounts and how to configure them. Further, I would guess that less than 5% of cruisers could even understand your recommendations, never mind implement them. (I spent many years in software support, so these estimates are informed ones.)

        A key point to keep in mind in all of this is that, even people like me who have been truly lax about security for many years, even though I know better, have not been hacked.

        And in most cases, I think, you are taking far more risk of fraud when you hand your credit card to a clerk in a store than you would be taking with unsafe internet practices. (In fact in 20 years of cruising the only financial fraud I have experienced was from the example above.)

        I’m not saying that we should not get more careful, of course we should. But if we tech types set the bar too high for safety, most cruisers will simply throw up their hands and do nothing.

        I think a VPN like WiTopia is a good and practical step that most any cruiser can take that will make them pretty safe. Perfect, no, but probably good enough.

        • Robert December 7, 2010, 2:10 pm

          Hi John,

          More complicated than my Furuno manual? I guess you could say that not many really understand how to use their radar properly either, which is probably true :)

          I really don’t disagree with you about the chances of getting hacked. Unless you are incredibly unlucky or someone is targeting you specifically, the chances are close to nil. And although I am in the security and software development field (i.e. paid to be paranoid), I have never worked in the software user support area so I fully respect your estimates.

          Robert

          • John December 7, 2010, 2:46 pm

            Looks like we techies are all on the same page, great stuff.

            Are you kidding? Anyone who can understand a Furuno manual could probably re-write Windows and make it better and 100% secure! :-)

  • Jeffrey Siegel December 7, 2010, 12:12 pm

    Chris brings up a lot of valid points. It’s important to balance the practical threats against the theoretical ones though. If we all truly evaluated the theoretical threats facing us in our boating adventures, no one would ever untie their lines – we’d scare ourselves to death. There is a risk to just breathing the air and each of us needs to evaluate what risks we’re willing to live with, electronic or otherwise.

    • John December 7, 2010, 1:13 pm

      Hi Jeff,

      I agree entirely, nicely said.

  • Chris December 7, 2010, 12:37 pm

    Jeff, thanks. While the text of my comments might sound complicated, as a matter of practice they become second nature (and to a significant degree automated) pretty quickly. I come from the security community and the first word in security is “Awareness.” Most folks are unaware of the risks they face in the internet domain. As the capabilities it offers expand, so do the threats to privacy and security. Social networking is a good example. Eye-ball nav through the tropics is much riskier/harder than staying safe on the internet–once one is aware.

  • Mike January 10, 2011, 4:42 pm

    Isn’t it possible to run a VPN system on your home based computer using public domain software, and log into that via the internet from abroad using VPN, with the home computer acting as a server and accessing the Internet? Seem to remember reading something about it somewhere. Of course, it does mean leaving a computer on at home.

    • Robert January 10, 2011, 10:12 pm

      Absolutely! :)

      I know I need to duck if I say this…things will get thrown at me…but it isn’t that hard. Plenty of How-Tos around to build your own dedicated VPN system and you will learn a lot by doing it yourself…just like anything else on a boat (or life, for that matter), you learn by doing. I don’t believe 24/7 hardware/software is as much a concern as a reliable internet connection, unless you have a business class connection – which in most areas, tends to be pricey.

      So yes, you can. How much work it takes will be dependent on your background. Whether you should depends on why you are doing this versus a VPN service. Depending on your purpose for having a VPN system, it may not be cost effective. On the other hand, you might be like me and do it just because you can :)

      But for a practical note: I believe Jeff set something up with some providers…but I’ll let him chime in on details.

      Robert

  • Jeffrey Siegel January 10, 2011, 5:04 pm

    Absolutely – setting up your own VPN is an excellent way to provide WiFi protection – certainly better than anything else you can get anywhere else.

    Except…

    The server has to be up and running 24/7. That doesn’t really work well if you’re on an extended cruise. There is always server maintenance and computer malfunctions that occur and someone needs to be around to keep it all going. If you have that, it’s a great way to obtain the capabilities.

    That’s exactly what corporations do for their employees – their IT departments will create their own VPN to securely encrypt traffic when their employees are mobile.

    Cruising, generally, forces you to give up those corporate benefits.

    Thankfully!

  • Chris January 10, 2011, 5:05 pm

    This is why it’s good to have a geek niece or nephew! :)

  • karen February 27, 2012, 10:53 am

    This may be a stupid question but if using an aircard or tethered phone should you/can you still use a VPN? I had loaded WiTopia on my computer after reading Jeff’s post on Active Captain but it didn’t load correctly which I didn’t realize. I then had some other computer problems so I removed the WiTopia to see if that was the problem. Problems now solved and I am using a Verizon aircard. Should I reload WiTopia and use that along with Aircard?

    Thanks for the help to a newbie.

    • John February 27, 2012, 11:15 am

      Hi Karen,

      As I understand it, it is very difficult for the average hacker to listen in on your data stream when you are using a mobile (cell) phone or Aircard. I can’t be certain of this, but I can tell you that we don’t bother with the VPN when using a tethered phone.

  • Jeffrey Siegel February 27, 2012, 12:00 pm

    Karen, you can use a VPN across a cellular connection but you really don’t need to. A VPN shines with open WiFi. You really don’t need to connect across a VPN when you enter a password for WiFi, especially if it’s WPA encrypted (which is the standard today). Open WiFi that needs no password is when you should be careful.

    VPNs protect the data stream that gets to the internet. Cellular signals are pretty protected by themselves, otherwise we’d be easily able to listen in on other people’s calls. Notice how that went away the moment analog cellular technology went away. When you connect to an open, non-password WiFi site, however, your data stream is in the open on all non-https connections. It is a very simple thing to listen in on the traffic from the next boat in your vicinity unless you protect the stream with a VPN.

    • John February 27, 2012, 12:05 pm

      Hi Jeff,

      Thanks for the confirmation.

      • karen February 27, 2012, 1:27 pm

        Thanks for the clarification. Now I just need to get VPN working correctly for when I have to use a Hot Spot.

        karen

