FlyerTalk Forums


Uh Clem Dec 15, 2012 11:14 am

Do I need a VPN for added security?
 
When I use my laptop on the road I click on “Public Network” when I log onto the internet at hotels and at the airport. I’ve been subscribing to Witopia VPN service for added security. Is having a personal VPN necessary? Do I need additional security if I have a firewall and set up the network as “Public”? I notice that using a VPN slows down my internet connection a bit.

Braindrain Dec 15, 2012 12:59 pm

The firewall does nothing other than protect your computer from intrusion. For public networks, people can install "sniffers" and snatch your information if it isn't encrypted. A VPN does exactly that - encrypt the traffic so they don't know what it is.

Is it absolutely necessary? No, as long as you don't log in to anything while on a public network. If you check gmail, banks, etc - yes, I'd say it's necessary. Will your ID get compromised the 1st time you don't use VPN? Probably not, but you'll be kicking yourself if it does.

I'm absolutely paranoid on public wifi networks. For a wired network at a hotel, it's a little better but I still make a point of taking precautions.

Uh Clem Dec 15, 2012 2:17 pm


Originally Posted by Braindrain (Post 19862690)
The firewall does nothing other than protect your computer from intrusion. For public networks, people can install "sniffers" and snatch your information if it isn't encrypted. A VPN does exactly that - encrypt the traffic so they don't know what it is.

Is it absolutely necessary? No, as long as you don't log in to anything while on a public network. If you check gmail, banks, etc - yes, I'd say it's necessary. Will your ID get compromised the 1st time you don't use VPN? Probably not, but you'll be kicking yourself if it does.

I'm absolutely paranoid on public wifi networks. For a wired network at a hotel, it's a little better but I still make a point of taking precautions.

Great info. Thanks!

gfunkdave Dec 15, 2012 4:37 pm


Originally Posted by Braindrain (Post 19862690)
Is it absolutely necessary? No, as long as you don't log in to anything while on a public network. If you check gmail, banks, etc - yes, I'd say it's necessary. Will your ID get compromised the 1st time you don't use VPN? Probably not, but you'll be kicking yourself if it does.

I'm absolutely paranoid on public wifi networks. For a wired network at a hotel, it's a little better but I still make a point of taking precautions.

Nonsense. Logins (and generally the entire session) for most "secure" applications are encrypted by default. There's a setting in Gmail to encrypt everything (settings -> browser connection -> always use https), as well as on Facebook. Every bank worthy of the name encrypts the entire session by default. I've never seen one that didn't.

Nobody can get any useful information from an SSL/TLS encrypted connection, which is what your browser gives you.

Where a VPN for public networks comes in handy is sites like FlyerTalk that aren't encrypted: someone could sniff your session cookies and log in as you on their computer without knowing your password. Or they could just sniff your password. VPN would also come in handy in hiding your browsing habits. Surfing in the clear will let any network administrator see which sites you're visiting.

Furthermore, even with a VPN, you're just shifting the "insecure" bit to your VPN provider. They decrypt all your non-https sessions and could do all the nasty things that I outlined above. So choose one wisely.

Uh Clem Dec 15, 2012 5:22 pm


Originally Posted by gfunkdave (Post 19863828)
Nonsense. Logins (and generally the entire session) for most "secure" applications are encrypted by default. There's a setting in Gmail to encrypt everything (settings -> browser connection -> always use https), as well as on Facebook. Every bank worthy of the name encrypts the entire session by default. I've never seen one that didn't.

Nobody can get any useful information from an SSL/TLS encrypted connection, which is what your browser gives you.

Where a VPN for public networks comes in handy is sites like FlyerTalk that aren't encrypted: someone could sniff your session cookies and log in as you on their computer without knowing your password. Or they could just sniff your password. VPN would also come in handy in hiding your browsing habits. Surfing in the clear will let any network administrator see which sites you're visiting.

Furthermore, even with a VPN, you're just shifting the "insecure" bit to your VPN provider. They decrypt all your non-https sessions and could do all the nasty things that I outlined above. So choose one wisely.

Thanks for the additional info.

Braindrain Dec 15, 2012 8:05 pm


Originally Posted by gfunkdave (Post 19863828)
Nonsense. Logins (and generally the entire session) for most "secure" applications are encrypted by default. There's a setting in Gmail to encrypt everything (settings -> browser connection -> always use https), as well as on Facebook. Every bank worthy of the name encrypts the entire session by default. I've never seen one that didn't.

This is true if the entire session is encrypted. As you mentioned, you've got to enable this in gmail or whatever other site. Unless people know about it, only the login is encrypted but people can steal the cookies and log in as you.
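The cookie exposure discussed in the two posts above (a session cookie that travels over plain http even though the login itself used https) can be checked from a site's response headers. This is an added example, not part of any poster's message; the URLs, cookie names and header values are constructed, and `audit_response` is a hypothetical helper name.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def audit_response(url, headers):
    """Return (cookie, issue) findings for one response.

    url     -- the URL that produced the response
    headers -- list of (name, value) response header pairs
    """
    scheme = urlsplit(url).scheme.lower()
    findings = []
    has_hsts = False
    for name, value in headers:
        key = name.lower()
        if key == "strict-transport-security":
            has_hsts = True
        elif key == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cookie_name, morsel in jar.items():
                if scheme != "https":
                    # Cookie is issued in cleartext: visible on a shared network.
                    findings.append((cookie_name, "set-over-cleartext"))
                elif not morsel["secure"]:
                    # Issued over TLS, but the browser will also attach it
                    # to any later plain-http request to the same site.
                    findings.append((cookie_name, "missing-secure-flag"))
    # Browsers only honour HSTS when it arrives over https.
    if scheme == "https" and not has_hsts:
        findings.append(("*", "no-hsts"))
    return findings

# Constructed sample responses (not captured from any real site).
FORUM_HTTP = ("http://forum.example/login",
              [("Set-Cookie", "sessionid=constructed-1; Path=/")])
LOGIN_ONLY_TLS = ("https://mail.example/login",
                  [("Set-Cookie", "sid=constructed-2; Path=/")])
FULL_TLS = ("https://bank.example/login",
            [("Strict-Transport-Security", "max-age=31536000"),
             ("Set-Cookie", "sid=constructed-3; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for url, hdrs in (FORUM_HTTP, LOGIN_ONLY_TLS, FULL_TLS):
        print(url, audit_response(url, hdrs))
```

An empty result means the session cookie never leaves TLS, which is the "entire session is encrypted" case; any finding marks traffic that only a VPN or a site-side fix would protect on a shared network.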

boberonicus Dec 16, 2012 12:59 am


Originally Posted by Braindrain (Post 19864630)
you've got to enable this in gmail or whatever other site.

No you don't, it's the default for gmail. It's also the default for every banking web site, and most any other web site where security is an issue. Heck, even twitter is https.

Diplomatico Dec 18, 2012 2:28 am

VPN is also good for sites like Hulu where the videos are only available CONUS.

Overkill or not, for the $5/month or so that I pay it's worth the additional peace of mind.

star_world Dec 18, 2012 6:19 am


Originally Posted by Braindrain (Post 19864630)
This is true if the entire session is encrypted. As you mentioned, you've got to enable this in gmail or whatever other site. Unless people know about it, only the login is encrypted but people can steal the cookies and log in as you.

The use of SSL is much, much more widespread than that. And to look at this from a different angle - if it was as easy to capture cookies and login details like this from mainstream websites they just wouldn't be useable. Look at the vast numbers of people that log in every day from Starbucks, McDonalds, airports around the world, etc. all without encryption on the wireless link. How many of these people regularly use VPNs?

Best practices for the last 5-10 years have involved putting the security into the web application, primarily using SSL for anything even remotely sensitive, precisely because you can't depend on the security of the network link.

From a personal perspective, I have no hesitation about logging into my online banking, credit card accounts, webmail, etc. and using business applications such as Outlook and Salesforce from any public WiFi hotspot. The only thing I use a VPN for is to get around geographical restrictions for certain sites, as mentioned above.

kshanew Dec 18, 2012 6:25 am

Where is "on the road" for you? If traveling to countries that actively monitor and/or restrict traffic it can be very worthwhile.

gfunkdave Dec 18, 2012 7:21 am


Originally Posted by star_world (Post 19878383)
The use of SSL is much, much more widespread than that. And to look at this from a different angle - if it was as easy to capture cookies and login details like this from mainstream websites they just wouldn't be useable. Look at the vast numbers of people that log in every day from Starbucks, McDonalds, airports around the world, etc. all without encryption on the wireless link. How many of these people regularly use VPNs?

Sure, SSL is widespread. I was talking about unencrypted sites like FlyerTalk.

SSL is not the same thing as encryption on the wireless link. SSL (actually most modern browsers use TLS now) encrypts traffic from the web browser to the web server. Wireless encryption just encrypts the wireless network itself.

dtsm Dec 18, 2012 8:27 am

I've been using witopia for several years now. Whenever I shop or do on-line banking, I turn on VPN. From home, office and particularly when on the road... better safe than sorry.

And of course when overseas, it's great when watching home websites that block non-domestic ISPs.

The one place it does slow things down is torrents or usenet downloads. :p

gfunkdave Dec 18, 2012 10:38 am

But remember that your VPN provider can see all non-SSL/TLS traffic you send. So, you'd better ensure that they are trustworthy.

thegasguru Dec 18, 2012 11:31 am


Originally Posted by gfunkdave (Post 19879892)
But remember that your VPN provider can see all non-SSL/TLS traffic you send. So, you'd better ensure that they are trustworthy.

Agreed. However, Witopia has been around for years, and I've always had prompt, knowledgeable customer service from them. Given that ANY interaction between ANY two entities is theoretically subject to some form of eavesdropping, I think Witopia is as reliable a VPN as there is. And at least when I'm using Witopia, I'm only allowing them to eavesdrop on me.

Plus...it lets me get around the sites that are blocked at work by the IT dept.
:eek::eek::eek:

gfunkdave Dec 18, 2012 12:04 pm


Originally Posted by thegasguru (Post 19880271)
Agreed. However, Witopia has been around for years, and I've always had prompt, knowledgeable customer service from them. Given that ANY interaction between ANY two entities is theoretically subject to some form of eavesdropping, I think Witopia is as reliable a VPN as there is. And at least when I'm using Witopia, I'm only allowing them to eavesdrop on me.

Plus...it lets me get around the sites that are blocked at work by the IT dept.
:eek::eek::eek:

I'm sure they're fine; I'm just raising the point.

Heh, I almost got fired from my summer internship at Dell many moons ago for circumventing the firewall. :)

