Defending against insecure hotel networks with a VPN

Use a virtual private network to protect yourself when connecting to the Internet from your hotel room.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

My point last month, when I wrote that Ethernet connections in a hotel room are not secure, was that wired Internet connections in a hotel are no more secure than wireless connections. The issue I described involved a technically savvy guest reconfiguring the network to place their computer logically between you and the outside world. Thus positioned, they might as well be watching over your shoulder.

A few days ago, Leo Notenboom cited two additional reasons why wired hotel connections can't be trusted: hotel employees can snoop and, if the rooms are connected with a hub, even a nontechnical person in another room can easily snoop on your Internet connection (see "Can hotels sniff my internet traffic?").

There are two approaches for dealing with this, a good one and a bad one.

The bad one involves dealing separately with each Internet application. For Web browsing, this means only viewing sensitive pages through an encrypted HTTPS connection. For e-mail using client software such as Thunderbird (as opposed to Web mail), it means a nontrivial reconfiguration of the e-mail environment, which may not even be possible, since not all e-mail providers offer encryption. Even then, instant messaging, FTP, and other applications have to be dealt with individually. What a mess.

The good approach is to use a VPN, or virtual private network, to encrypt everything.

Virtual private networks

Often VPNs are spoken of in terms of corporate employees connecting back to their corporate LAN. But there are also VPNs for the rest of us. A handful of companies rent out VPNs to anyone, and they're not very expensive.

These rented VPNs provide a secure, encrypted pathway (techies use the term "tunnel") between you and the company renting the VPN. For example, if the VPN company is in Cleveland, your computer makes a secure connection to Cleveland. Everything traveling between you and Cleveland is encrypted. No matter who does what in a hotel, all they can get from you is a useless encrypted bunch of bits.

When your Web pages, e-mail messages, instant messages and whatnot get to Cleveland, they are decrypted and dumped onto the Internet just like everything else. The encryption is only between you and Cleveland, not end to end.

Put another way, someone staying at a hotel in California looking at my personal Web site, michaelhorowitz.com, in Texas would send an encrypted request for a Web page to the VPN company in Cleveland, where the request is decrypted and forwarded to Texas. My Web site responds and sends a Web page back to Cleveland (as far as my Web site knows, the request came from Cleveland) where the VPN company encrypts it and sends it to the hotel in California.
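To make the hop-by-hop picture concrete, here is a small Python model of the three vantage points in the example above (the hotel, the VPN company's exit, and the Web site), added here and not part of the original column. The addresses are constructed, and the cipher (an HMAC-SHA256 keystream with an HMAC tag) is a stand-in for whatever a real VPN product uses; the point is what each observer sees, not the cipher itself.

```python
import hmac
import hashlib
import os
from typing import Optional

# Constructed addresses for the three hops in the column's example.
HOTEL_IP, VPN_IP, SITE_IP = "10.0.0.23", "203.0.113.5", "198.51.100.7"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for the tunnel's real cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def tunnel_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only you and the VPN company hold key."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def tunnel_decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject anything the hotel altered in transit, then strip the tunnel layer."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def browse(request: bytes, key: Optional[bytes]) -> dict:
    """What each vantage point observes for one Web request.
    key=None models a bare hotel connection; a key models the rented VPN tunnel."""
    seen = {}
    if key is None:
        # Anyone positioned in the hotel sees the real destination and the plaintext.
        seen["hotel_sees"] = (HOTEL_IP, SITE_IP, request)
        seen["site_sees"] = (HOTEL_IP, request)
    else:
        blob = tunnel_encrypt(key, request)
        # The hotel sees only a connection to the VPN company and a blob of ciphertext.
        seen["hotel_sees"] = (HOTEL_IP, VPN_IP, blob)
        plain = tunnel_decrypt(key, blob)
        # Decrypted at the VPN exit: the protection is not end to end.
        seen["vpn_exit_sees"] = plain
        # The site sees the request arrive from the VPN company, in the clear.
        seen["site_sees"] = (VPN_IP, plain)
    return seen
```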

This does slow things down a bit, but with a broadband connection the trade-off is certainly worth it and probably not noticeable.

To use the VPN service, you first connect to the Internet, then start up the VPN software. At this point you are safe, secure and happy. When you are done, first shut down the VPN software, then disconnect from the Internet.

Where to rent

Two companies that rent VPNs are WiTopia and HotSpotVPN. Both offer two types of VPNs, PPTP and SSL. The pros and cons of each type of VPN are not something I'm ready to get into. Suffice it to say that a PPTP VPN is usually cheaper, probably won't require software to be installed, and is not as secure as an SSL-based VPN.

The HotSpotVPN-1 service is based on PPTP, while HotSpotVPN-2 is based on SSL. HotSpotVPN-1 is roughly $9 per month, and HotSpotVPN-2 ranges from roughly $11 to $14 per month depending on the strength of the encryption. According to Steve Gibson, the cheapest encryption strength is sufficient. In both cases, yearly charges are 10 times the monthly charge. HotSpotVPN-1 is also available by the day or week.

WiTopia calls their rented VPN service PersonalVPN. The SSL-based version of PersonalVPN is only $40 a year (the equivalent service from HotSpot is $110 to $140 per year). WiTopia does not offer the PPTP version by itself; instead, they currently throw it in for free when you purchase/rent the SSL-based product.

HotSpot also throws in a PPTP-based VPN when you order their SSL-based product. Both companies point out that Apple's iPhone supports PPTP-based VPNs.

Using a VPN is a small annoyance, but security and convenience will forever be at odds.

For more on this, see More about VPNs: Price and Trust from March 14, 2008.
See a summary of all my Defensive Computing postings.