VPNs and Public Hotspots

Posted on January 4, 2012

Written by guest blogger, Dennis Bland, Senior Field Engineer at Devicescape

You’re sipping your latte and surfing the web at your local coffee joint, just like millions of other people do every day.  You’ve probably wondered about the security of your Wi-Fi connection, and it’s safe to say many articles have been written about it.

First, a summary of the most common methods to make your hotspot internet connection secure:

1.  Visit websites with “https:” in the URL.  In this case, your browser automatically creates an encrypted data “tunnel” between your browser and the server of the website you are currently browsing.  This arrangement is required by law for on-line banking, and is almost always employed on any web page where you have to enter personal information such as a username/password or credit card information.  It is important to point out that for this type of connection it does not matter what type of Wi-Fi connection you have, as the data is already encrypted.  This method is very secure (assuming your web browser does not complain of a “certificate error”) because it encrypts the entire path from your web browser to the website server, including the wired connection over the internet backbone.

2.  Use a pre-shared key such as a “WEP Key” or “WPA Passphrase” for the Wi-Fi connection.  In this case, your internet data will be encrypted only between your device and the hotspot access point.  There are various encryption methods available, and unfortunately the older methods such as WEP and WPA-PSK with TKIP can be easily cracked.  The best Wi-Fi encryption available today is WPA-PSK with AES, but not all Wi-Fi hardware supports it.  Older encryption methods provide a false sense of security, and the different encryption methods result in customer confusion – which is why this method is rarely deployed in public hotspots today.

3.  Use a VPN (Virtual Private Network) service.  This is similar to the “https:” method above but always connects to a specific server location and encrypts all of your internet data used by all of your applications.  This method of data security is commonly used by companies where employees work remotely but need to connect to the internal company network.  Many VPN technologies are proprietary, so a specific VPN client needs to be paired with a specific VPN server.

In the summary above, the VPN service sounds like the killer app and the option of choice for secured browsing at public hotspots.  But it has potential issues:

– You need to sign up for a VPN service which costs money.  You aren’t going to use your employer’s VPN service for all of your personal web browsing, right?

– You need to install a VPN client on your device.  There is a limited selection of VPN clients for iOS and Android smartphones available, so you will need to do your homework to make sure they are compatible with the VPN service you select.

– You need to log on to the VPN service after you make the Wi-Fi connection but before you actually start browsing the internet.  It is another application to run and another set of credentials to type in just to use the internet.

– The extra encryption comes at a cost:  increased CPU activity means decreased battery life and slower data throughput on your device.

– With a VPN service, ALL of your internet data is routed through a VPN server before connecting to your desired website.  The VPN server could be on the other side of the continent, or on another continent.  Your internet connection WILL be slower than a regular internet connection.  If you are paranoid about security, keep in mind that the VPN service will have the ability to see all of your internet data, except when you visit “https:” websites.

It boils down to how much security you really need.  Using an open Wi-Fi hotspot connection and automatically encrypting your internet connection (using “https:”) only when you need it for transmitting personal information provides the fastest internet connection and best battery performance.  For the vast majority of people, this is perfectly fine.  If you are concerned that people are going to see (or care about) the websites you browse, then you can get a VPN client with the tradeoffs mentioned above.  But is it worth the extra time and effort?  Do other people really care about what YouTube videos you are watching?