Best Internet-based VPN for security
 

I'd like to make use of a VPN to provide security when using a PDA or laptop over unencrypted WiFi, or when using any Internet connection abroad.

I'm looking for something that will support the whole deal - Web browsing, streaming media, VoIP.

Encryption sufficiently strong to foil government security services preferred. ;)

I don't have a dedicated computer at home (or a dedicated home, for that matter), so running my own VPN and connecting through that is not an option.

What services are you looking to connect? A VPN typically ties you into a corporate network. Are you looking to connect back to your network at home? Or just encrypt your connections across the WiFi/Hotel network? Not sure if I've heard of an offering just to encrypt traffic across a WiFi/Hotel network and then send it over the Internet to its final solution.

Just looking for something to encrypt the connection between my device and some spot in the US.

Primarily concerned about the security of WiFi/public hotspots. Encrypting those from my device to the terminus somewhere in the US would secure the traffic against attackers eavesdropping over the air, or who may have set up the hotspot for malicious purposes.

Although they aren't designed for the purpose you have in mind, anonymizing proxies should work fairly well. I haven't looked into them in years, but anonymizer.com used to be one, and if you just google for anonymous proxy services you should find an assortment.

Keep in mind that you need to trust whoever's at the other end of the connection, or you're wasting your time. Frankly, you're probably better off just focusing on using secure services (i.e. SSL/HTTPS instead of plain text logins, SSH instead of telnet, etc).

Bob

It sounds like what you want to do is tunneling. All traffic between you and the other end of the tunnel is encrypted. From that point, it then goes out the tunnel server as if the request were coming from that server. Responses are encrypted and forwarded across the tunnel back to you. The advantages include being able to do more than web browse (Skype, FTP Telnet, etc). Disadvantages can include a complex setup and usually, you expect these tunnels to end at a corporation.

But not always. There ARE private companies that will allow you to tunnel through them (sually for a monthly fee), and there are also groups of privacy advocates who run public tunneling servers. In fact, these groups run a master tunnel server which assigns your tunnel (on a per session basis) to a "volunteer" tunnel server someone is running on a home or university network. The master server assists in directing your client to the volunteer server, the tunnel is built between your client and the volunteer server, and then it as if all your connections were coming from that server. The next time you initiate a session, it will likely be some other volunteer server at another location.

First, you can read a primer on it here:

http://www.rsf.org/article.php3?id_article=15037#6

Here's a commercial service based in VA USA:
http://www.http-tunnel.com/html/

Here's a lower cost (Donations) one:
http://www.htthost.com/

This is another interesting one that seems to have features for both:
http://www.primedius.com/index.htm

And for reference all skype calls are encrypted already.

Regards,
-Bouncer-

This is the kind of thing I'm looking for:

http://www.hotspotvpn.com/

but it only provides good encryption for laptops. For Windows Mobile handhelds it looks like it only does PPTP with 128 bit MPPE encryption. This is no good, because PPTP/MPPE is known to be flawed, so it defeats the whole purpose of encryption (and actually may make things worse):

http://www.schneier.com/pptp-faq.html

I'd like to find something that will do AES 256 on Windows Mobile using IPSec.

The problem with HTTPS is that it typically only encrypts login pages, not the content behind them. And what's more, it's very popular these days for banks and e-mail services to use the known-flawed model of security (theater) where the log-in page itself isn't actually HTTPS:

http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

When Microsoft of all companies is complaining of something having bad security, you know you can't trust it.

I realize that I'll have to trust the endpoint, but that's still infinitely better than having to trust anyone who is within sniffing range of WiFi or who has access to the hotel's network, for example. If I'm abroad and the endpoint is in the US, that cuts out a lot of potential attackers between me and my data.

I typically don't use anything thats not fully encrypted. and if you must..
convince a friend within US with a broadband to run a VPN or SSL based
proxy for you.

Thanks for the information and links.

I've heard that Skype's encryption regime has been at least partially broken. Skype is very secretive about it, which in the security world usually means it has bad security or back doors.

You want to encrypt the network traffic but don't require a trusted endpoint? That group that released Back Orifice couple years back were working on SSL P2P application to get around censorship, corporate proxies, etc. but I never read about it again since.

There are products that deliver strong crypto for windows mobile devices as well (Goodlink, etc), but they are again aimed at corporate customers where the customer runs the "server" end of the connection.

Keep in mind that PPTP is flawed, but its better than cleartext, and in the scenario you're worrying about you don't necessarily need to have great crypto, just good enough to get the WiFi sniffer user to focus on someone else instead of you. Just like walking in the forest with a friend, when you come across a bear you don't need to outrun the bear, just your friend :-)

Bob

PS: yes, I do know that many, many sites implement HTTPS in a variety of flawed ways. Nonetheless, HTTPS does offer a good level of protection if implemented properly.

It's better than cleartext against amateurs, but using encryption draws extra attention to you, so in terms of privacy and security it might end up making things worse by singling you out for targetting, but not actually providing good security against attack.

If you're looking for protection against the sort of folks who are looking for passwords and/or credit card numbers from anyone they can find, they'll almost certainly move on to an easier target rather than waste time cracking even mediocre crypto to get your credit info.

If you're worried about professionals targeting you in particular, then using a PC with any active wireless connection, or for that matter just using a PC in a public space is a bad idea. Between wireless sniffing, active attacks against wireless devices, "shoulder surfing" either directly or with binoculars, cameras with zoom, etc, if you are a specific target its not a good idea.

For that matter, just a smash and grab of your PC should be a bigger worry than the strength of your network link crypto. There were a number of incidents this spring of notebook PC theft from Starbucks users in San Francisco, and they were all basically just quick "bash and grab" direct attacks.

I'm not saying don't worry about crypto strength, I take that seriously too, but focus on the weakest links in the chain before getting too freaked out about the strength of your crypto.

Bob

Don't know if it will work for your specific handheld applications, but I use this with my laptop and it works great:

http://www.personalvpn.com/

Perhaps their service will support the services you need? $39.99 per year.

I understand your argument, and generally agree with it, but secretly sniffing/recording network traffic requires a lot lower level of commitment on the attacker's part than a smash-and-grab.

And it wouldn't necessarily yield the same benefits. It's probably not going to get you passwords, it won't get you the contents of communications that weren't saved on the computer, and the smart guy would have anything sensitive on his computer encrypted anyway (of course the key would have to have been kept separately).