The Idiot-Proof Way To Securely Use Public Wi-Fi

We talk a lot on this blog about personal data and privacy, but not so much about how to secure that data on your own computer. That’s because a.) we’re not Lifehacker and b.) the solutions frequently bloat into crazy, jargon-filled recipes that scare away the non-IT crowd. Not this time! For all you novices, here is a single idea you should consider that will help keep your personal data personal, and make your identity that much harder to steal.

Install a VPN program and run it every time you go online using a public Wi-Fi hotspot.

Using a public Wi-Fi spot without a VPN is like shouting everything across the room in plain English—anyone who wants to listen in, can. Using a VPN is more like shouting in a made-up language that only you and your twin sibling understand. A VPN will encrypt anything you send from your laptop to the Wi-Fi router, so that nobody else in the coffee shop, student center, or hotel can see what you’re doing.

If you work for a large company, odds are your IT department has already got you using a VPN when you’re traveling or working away from the office. If you’re everyone else—a freelancer, a student, a small business owner with one or two computers and no real “back-end” system—then many of those VPN solutions are out of your reach. Either they’re too complicated to set up without computer skillz or they’re too expensive.

Luckily, there are cheap VPN programs you can install on your laptop that are more or less self-contained: you install the app, then launch it when you log on to a Wi-Fi network, and everything you do online from that point forward will be encrypted. There’s also a hardware-based solution—a USB drive that you can plug into any computer for a quick VPN environment.

A couple of things to note:

  1. When the website you’re on uses https, your data is already encrypted. For some Google-based services (like Gmail and Google Docs), you’ll be using https automatically or you can add the “s” yourself to force the encryption. But not every site offers this extra security.
  2. These VPN programs are not the end-all in security solutions. If you’re really serious about security, don’t get your advice from this blog. Find a skilled computer security technician to help you set up an awesome home-based VPN solution (where you route all your laptop traffic through a home network remotely), or teach yourself how to do it with freeware and your router.

So with those caveats, here are some options you can consider. The first two programs listed below install the same as any other app, but I haven’t tested the other three. If you’ve tried any of these and can share an opinion, please join in the comments below.

AnchorFree’s Hotspot Shield
Free, but ad-supported. While browsing, you’ll see ads appear occasionally at the top of the browser window. It’s great if you infrequently need it, but annoying if you find yourself in a Starbucks once a week.

Witopia’s PersonalVPN
$40 per year

HotSpotVPN
$9 per month (listed as a temporary price reduction as of October 2008)

iPig
Free with a 10MB cap / $30 for 30GB of data transfer

PublicVPN
$70 per year, or $7 per month

About that hardware solution: IronKey is a USB flash drive that offers a few extra features you can’t get with the software above. It encrypts any files you store on it, and it comes with its own VPN software that runs automatically when you plug it into a Windows PC. It comes with the Firefox browser included, so you can surf the web through the IronKey no matter what PC you’re using. It costs $80 for a 1 GB drive with a 1-year VPN subscription.

And finally, Consumerist reader Ein2015, who provided an invaluable service by vetting this article before I posted it, pointed out that there’s an awesome open source VPN solution called OpenVPN. It’s cross-platform and free, so if you’re feeling techy and want to set up your own virtual private network using your home computers, you might check it out.

(Many, many thanks to Ein2015!)
(Photo: Getty Images and stevecadman)

Comments

  1. steegness says:

    Would SSH tunnelling be a viable option? Or is that too tech-y for this overview?

    • mercnet says:

      @steegness: You just sent a lot of people to wikipedia on that comment. It does amaze me how clueless people are when using public wifi, leaving shared folders open to anyone.

      • steegness says:

        @mercnet: The same people would’ve gone there for “VPN” without the explanation of the article; it doesn’t mean that it’s necessarily a difficult concept to grasp, convey, or implement (though it very well may be… hence my wondering about the level of SSH versus the level of the article).

      • howie_in_az says:

        @mercnet: These are the same people using unpatched MS-Windows ME installs, what do you expect?

    • @steegness: I think the rule-of-thumb should be: if the solution can be downloaded and installed like any other program, with few if any special skills needed—”install it, launch it, and it just runs”—then it’s a viable option.

      This post is geared toward people who don’t know what VPN or SSH means, who don’t want to know, and who won’t or can’t bother with anything more complicated than the sort of installation they’re already used to.

    • Ein2015 says:

      @steegness: SSH tunneling is fine, as long as you trust what’s on the other end.

      For example, I use SSH to connect to my linux box. All traffic between me and the linux box is encrypted. If you trust the linux box’s connection (for example: it could be at your house or at a secured hosting environment), and you have a *nix laptop, you should be able to use X-forwarding… so you can run Firefox on that linux box and see the results on your screen… totally encrypted between the two.

      If you have windows, X-forwarding is a bit more difficult to do and may cost money… but anybody who is interested should send me a message and I’ll see what information I can provide. :)

      If I remember correctly, you should be able to remote desktop through SSH as well, regardless of operating systems. I can look for more information on this as well if necessary.

      Hope this helps!

      • corsec67 says:

        @Ein2015: I have actually done something similar, using SSH to get around a silly restrictive internet connection.

        However, instead of forwarding the whole Firefox window over a remote X session, I set up a proxy on the remote computer, and used that.

        If you trust the local computer, then it would be faster to only use a proxy and keep the browser running locally.

        • Ein2015 says:

          @corsec67: That is indeed another option. I usually just use a text-based browser over the terminal (such as elinks). :P

          Of course then you have to make sure it’s not a publicly-accessible proxy or then you might have more problems… :)

  2. mariospants says:

    well, if all you’re doing is surfing consumerist while at Starbucks – and not entering any sensitive information such as a username and password – the easiest advice is not to do anything in public you wouldn’t do if a stranger was looking over your shoulder.

    • TracyHamandEggs says:

      @mariospants: That was my exact thought, though I don’t live in an urban area/hang out in coffee shops. When I use my personal laptop in airports or any other free wi-fi area I don’t access anything I wouldn’t want tracked, and I don’t keep personal account info saved on a comp I carry around with me.

    • courtarro says:

      @mariospants: That may be true for many, but your computer does a lot of stuff on your behalf that you might not realize is passing your personal information unprotected. What about your IM client? They’re not necessarily encrypted. An email client could be sending your username and password in the clear. Simply visiting the homepage of a site with stored credentials is enough for someone to steal your unique cookies and reproduce your session data to access that site.

      • mariospants says:

        @courtarro: I disabled my IM client as soon as it installed itself without my permission and my advice still stands, right? I recommend NOT entering anything with a username and password and avoiding online shopping.

    • Ein2015 says:

      @mariospants: The average computer user doesn’t think about using different passwords for different websites, much less ask themselves if logging into IM will safely send across a username/password or not.

      The article is targeted to err on the side of caution.

    • XTC46 says:

      @mariospants: All you are doing right then is connecting to the internet. What if the guy next to you decides you look like a good mark and then drops a virus on your computer? Now a week or a month down the road, you think you’re secure on your home network and type in your CC info, now he has it.
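
courtarro’s point above about stored credentials is worth making concrete: a browser attaches every cookie that lacks the Secure attribute to plain http:// requests for the same site, so those cookies are what a sniffer on the hotspot sees. The following is an added example, not code from the post or any commenter; it parses the Set-Cookie headers of a constructed login response (the cookie names and values are made up) and lists the cookies that would be replayed in the clear.

```python
"""Audit Set-Cookie headers for cookies that would travel over plain http.

Added example, not from the post or the commenters. The response headers below
are constructed for a hypothetical login page, not captured from a real site.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased

    @property
    def secure(self) -> bool:
        """Secure cookies are only ever sent on https:// requests."""
        return "secure" in self.attrs

    @property
    def http_only(self) -> bool:
        """HttpOnly hides the cookie from scripts; it does nothing on the wire."""
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def exposed_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Names of cookies the browser would also send on any http:// URL of the site."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return [c.name for c in cookies if not c.secure]


# Constructed headers from a hypothetical https login response.
LOGIN_RESPONSE_HEADERS = [
    "sessionid=8f2a7c; Path=/; HttpOnly",            # HttpOnly but not Secure
    "auth_token=k9d0p1; Path=/; Secure; HttpOnly",   # stays on https only
    "prefs=theme%3Ddark; Path=/; Max-Age=31536000",  # harmless but still leaks
]

if __name__ == "__main__":
    for name in exposed_cookies(LOGIN_RESPONSE_HEADERS):
        print(f"{name}: sent in the clear on any http:// request to this site")
```

Only `auth_token` is safe here; `sessionid` is exactly the kind of cookie whose capture lets someone else reuse the session, HttpOnly notwithstanding.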

  3. blackmage439 says:

    What an awesome idea!

    Sadly, I turn off my router when I’m not home, so this isn’t a viable solution. I can’t shell out the funds for an Ironkey either. My solution is to not keep any personal information on my laptop, and to not sign-on to vital services (financial websites, email to a lesser extent) while surfing in the public view. As for files? One of my goals is to start experimenting with TrueCrypt.

    • @blackmage439: All the software suggestions listed above don’t require anything running back at home. They encrypt your data through a remote server elsewhere.

      This is why I wrote they weren’t really an end-all in privacy, because technically you’re letting another party deal with encrypting your traffic. But it’s better than nothing.

    • Ein2015 says:

      @blackmage439: TrueCrypt is pretty decent at protecting your laptop’s files… however, if you’re traveling overseas and don’t want US Customs taking a copy of everything on your laptop (including asking you for the key to unlock the TrueCrypt volume), you might want to invest in the IronKey. I have one and I can tell you that it is absolutely fantastic!

      Don’t forget that TrueCrypt will not encrypt your traffic, just your hard drive.

  4. SegamanXero says:

    doesn’t macintosh come with VPN built in? I could’ve sworn I’ve seen it lurking in the network preferences….

    • Ein2015 says:

      @segamanxero: It does, but you still need somewhere to connect to. I VPN into work all the time.

      If you need help setting it up, reply here and I’ll be happy to walk you through it. :)

      • lannister80 says:

        @Ein2015: When I was running 10.3 or so (it’s been a few years), I had trouble with OS X’s built-in VPN connectivity when trying to connect to my university. I eventually talked to a tech who said their VPN concentrator “doesn’t support” the mac client. What the heck does that mean? L2TP is L2TP, but I digress…

        • Ein2015 says:

          @lannister80: My university barely understands that there’s more out there than Windows and Microsoft Office. It’s probably the same way at yours.

          I’m running OS X 10.5, though… so you might want to look at some tutorials for 10.3. The important part to remember is that you have checked the important protocols. I’m not at my laptop right now, but feel free to send me a site message and I’ll walk you through it later on.

        • snowburnt says:

          @lannister80:

          L2TP is pretty tricky to get working unless you have public IPs on both sides. The reality probably is that the helpdesk people didn’t want to deal with it.

  5. mariospants says:

    Just a question for you uber geeks: after a little researching, I could find no real way (outside of the potential vulnerability related to specific applications) for an intruder to enter into your system while you are hooked up to a shared wifi network. Is this true?

    • Applekid ┬──┬ ノ( ゜-゜ノ) says:

      @mariospants: It is true, in the same way that you cannot be injured in any way (outside the potential vulnerability related to specific tissues and organs).

      A machine with no applications has no attack surface… it’s also about as useful as a glowing stone tablet except with limited battery life. The point of hooking it up to a network is to use an application to reach out across it. In fact, the software used to implement network connectivity is, in fact, a kind of application in and of itself.

      Security is always a balance of usability and protection.

    • chrylis says:

      @mariospants: Being on a shared wireless network doesn’t introduce or remove any vulnerabilities that didn’t exist on “shared-segment” networks (like Ethernet back when hubs were common).

      However, any intruder who’s around can send packets to your computer, and if your OS (*ahem*Windows*ahem) or some program running on your computer handles them incorrectly, then there could be problems.

      Generally, turn off any servers that you don’t need for a particular reason; on Windows, the only server you’d need on most laptops is file sharing, and it’s a good idea to turn it off when you’re not using it. Also, Windows computers should use a software firewall to add one more level of protection against your OS’s doing something stupid when an unexpected packet comes in.

    • putch says:

      @mariospants: also, most of the web-traffic that you send can be captured by a 3rd party. so while running a firewall might prevent them from accessing the files on your laptop the data you send over the web (that’s not https) will be vulnerable.

      • putch says:

        @putch: that is, unless you use some kind of encrypted tunnel…VPN, SSH, etc.

      • mariospants says:

        @putch: Well and great advice, but I’m already running a firewall, not accessing sites that require personal information and Windows + dlls and apps that require access to the Internet are either updated to latest or disabled (i.e. no IM). So, can anybody access my system via Wifi or not?

        • Ein2015 says:

          @mariospants: You’re probably safe against WiFi intrusion attacks… however, the biggest issue is that ALL of your wireless traffic is sniffable, in plaintext (unless encrypted via SSH, VPN, https, etc), without you knowing. Hence the article… :)

          • mariospants says:

            @Ein2015: It’s just that I hear so much about wireless security “issues” and aside from the sniffing aspect the vulnerabilities exist equally if you’re on a wireless network or just surfing from home on a cable modem. In other words – if you keep it simple – nothing to freak out about.

            • Ein2015 says:

              @mariospants: The vulnerabilities are not the same. Sniffing is a HUGE aspect of the vulnerabilities. The rest are standard virus/trojan/worm/etc vulnerabilities in which good habits (don’t open attachments in emails, download from trusted sources, etc etc) apply.

              When you’re connected via ethernet to a cable modem, you really don’t have to worry about people spying on your traffic (disclaimer: FISA stuff not included). But even when you’re on your own home network, just using WEP makes you vulnerable to sniffing… as WEP is insanely easy to crack.

              Thus, when on a laptop, VPN is a very good idea… even when keeping it simple. It’s an added layer of protection that can easily be forgotten, so it should be left on (so if you forget, it’s still on). Having to ask yourself “is this security issue enough to warrant using a VPN?” will only make you more at risk.

  6. SultanaTrigeminus says:

    There really is no safe way to do this. Your system makes all sorts of asynchronous requests using unsafe protocols that can be spoofed.

    For example, 100% of apple macs with dashboard widgets make periodic or on-demand connections over http-on-plain-tcp (not https, not ssh tunnelable, …) requests to joe random server.

    The dashboard widgets are really safari, javascript and all, so a local host that chooses to spoof the response faster than the actual server is subject to a javascript payload attack (through no user action). Yahoo widgets for Windows and google desktop widgets have similar issues.

    The ___only___ easy to manage, safe way to access a public hotspot of any kind is to use a VPN client and immediately connect to the VPN. The downside is that almost no vpn client, including Cisco’s, does the right thing and installs a 100% drop policy for non-VPNed packets prior to establishing the tunnel. Part of this is that there is no good way to do it; most hotspots require some sort of host spoofing http-to-https redirect to get you to the hotspot authentication page. While this is happening, if you get unlucky, you are fucked.

    Pretty much all network communication at this point should use SSL with certificate validation (and proper enforcement for any autonomous agent, including things like the dashboard widgets, email, …). No one should ever use pop-on-plain-tcp again, no plain http, etc. Ever.

    But this isn’t practical, so “hurry up and get on the vpn” is about as close as you can get. Running vpnless or attempting to craft your own via ssh is hopelessly naive.

  7. SultanaTrigeminus says:

    >> for an intruder to enter into your system while you are hooked up to a shared wifi network. Is this true

    No, that makes no sense. You are on shared media, it is trivial to attach peer machines.

  8. courtarro says:

    “Professional” versions of Windows (Win XP Pro, etc) have VPN support built in as well: in XP it’s configured as an “Incoming” network connection. You will need to configure your firewall or router to forward the appropriate ports, but that’s a good solution for single users. Then your traffic goes through your home computer connection.

  9. post_break says:

    VPNs account for nothing if you have no idea who you are connected to. If you have your laptop automatically connect to networks it has connected to before you can be herded like cattle.

    If you don’t look at your SSL certificate closely you can have your username and password stolen easily.

    Just because it says SSL or [] does not mean it is secure in any way.

    Remember that just because a network is open doesn’t mean that it’s fair game. Who knows who is on the other end, it could be me.

  10. LisaRodeo says:

    The great podcast Security Now! discussed this topic way back in episode #19. The basic technology of how VPNs work was explained in episodes 14, 15, and 17. Get them all here:

    http://www.grc.com/securitynow.htm

    I personally use Hamachi to secure my VNC and RDP traffic and a VPN account with SwissVPN for when I’m in hostile territory.

  11. narq says:

    I was at the airport and found a dummy system phishing for information. There were at least a dozen people connected to it. It was posed as a fake airport router. I connected and did some “investigating” and the person shut down the connection. Not sure who it was or what information they got from users but this was at a major airport in the terminal.

    No connection is secure unless it offers a certificate authenticating who you are actually connecting to. Sad part is, anyone can spoof that and you are never actually secure. The only way to be safe is to check with the people who work there and find out which connection is legit. The danger on a public network is minimal, it’s a little harder to get your data. They like you to connect directly to them as though they are a router.

    • Ein2015 says:

      @narq: Even if somebody is sniffing or setting up fake connections, the first thing should be to test for internet access… (can you see Google? great!)… after that, before you do ANYTHING else, encrypt all your traffic (ex: through a VPN or SSH), then you’re fine and all they sniff off you is encrypted. :)

    • zoomZAP says:

      @narq: I spotted someone doing this in the Mexico City airport as well. He was connected to the free wireless for Prodigy customers there and was using another wifi card to offer free internet to anyone else. All of the traffic was passing through his laptop, and when he realized I was on to him he shut his laptop and left (and the connection disappeared).

  12. putch says:

    winxp pro (not sure about home) has vpn client and server built in. you’ll probably also need a router that supports a VPN pass through.

    • Ein2015 says:

      @putch: I believe you can just use port forwarding on your router for that. A google search for “port forwarding [router model]” should provide you with all you need for that.

      This should also be helpful for everybody… with pictures! :D [forums.bit-tech.net]

  13. mavrc says:

    If you’re at all network-savvy, it’s pretty easy to set up m0n0wall (or any other software firewall package, like IPCop, PFsense, etc) on an old computer at home, set it up as a VPN endpoint, and use it at will. You can run it on that old computer you stuck in the closet years ago (you know, the one you really intended to donate to a school but never got around to it) just by throwing in another $10 network card.

    This is my favorite solution to this particular problem, and I’ve been doing this for years at home. It’s obviously more difficult to set up than a paid service, and it is theoretically possible your ISP might get annoyed about it depending on how aggressively they interpret their TOS (this is largely just for fair warning in my experience, but it is possible.)

    • Ein2015 says:

      @mavrc: That’s probably more effort than most people want to go through. There are many guides online for setting up such a thing… on any operating system… in case anybody really wants to do that.

      With that said, there are a LOT of good uses for old computers… VPN, storage, web server, media center, etc! :)

  14. mbressman says:

    I used Witopia and so far have been very happy with it (just started using it about 2 months ago).

  15. Real Cheese Flavor says:

    One other catch is that often with VPN software from work only traffic that’s going to/from the range of IP addresses that are on your employer’s network goes through the VPN tunnel and everything else is just sent out nice and clear.

    • Ein2015 says:

      @Real Cheese Flavor: Depends on the setup. From my experience, depending on the client-side software… ALL traffic is encrypted and sent through the work server (and then off towards the rest of the world or to the internal work servers)… or only work traffic is even sent to the work VPN and the rest of the traffic is sent through whatever connection you’re on and never even makes it to the work network.

      Hope that makes sense. :)

    • GearheadGeek says:

      @Real Cheese Flavor: That’s typically a configurable policy. My employer, for example, configures vpn to force ALL traffic through the tunnel, (for example, I can’t print to my networked printer in my house while I’m on the VPN.) I would think that any company that didn’t enforce that kind of full-tunneling config would probably also leave the VPN config open to a local admin on the notebook, so you could set it to tunnel-all.

      • MexiFinn says:

        @GearheadGeek:

        Regarding VPNs, what you are describing is called split tunneling. If it’s on, anything non-office related goes out through the internet UNENCRYPTED. If it’s enabled, all traffic goes through the VPN tunnel.

        In cases with the Cisco VPN, you can enable the option to Enable Local LAN access and you can then access your local printers.

        Anyhow, this whole VPN thing is silly because you NEED something to VPN to. And, chances are if you are using work VPN and split tunneling is disabled, they are probably keeping logs of everything you access. Read the fine print of their acceptable use policy…
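
The split-tunnel versus full-tunnel question raised by Real Cheese Flavor, GearheadGeek and MexiFinn can be settled from the laptop’s own routing table rather than by guessing. The following is an added example, not code from the post or any commenter; it parses Linux `ip route` output (the two tables, the interface names `wlan0`/`tun0` and the addresses are all constructed) and reports which internet destinations would be routed around the VPN interface.

```python
"""Tell a full-tunnel VPN from a split-tunnel one by reading the routing table.

Added example, not from the post or the commenters. Routing tables, interface
names and addresses below are constructed (RFC 5737 documentation ranges).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    iface: str


def parse_ip_route(output: str) -> list[Route]:
    """Parse `ip route` lines into (destination network, outgoing interface)."""
    routes = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        # A bare host address such as 203.0.113.10 becomes a /32 network.
        net = ipaddress.ip_network(dest, strict=False)
        routes.append(Route(net, parts[parts.index("dev") + 1]))
    return routes


def route_for(routes: list[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen) if candidates else None


def leaking_destinations(routes: list[Route], vpn_iface: str,
                         probes: list[str], vpn_server: Optional[str] = None) -> list[str]:
    """Probe addresses whose traffic would bypass vpn_iface.

    The VPN server's own address legitimately bypasses the tunnel (the tunnel
    is carried on that connection), so it is never counted as a leak.
    """
    leaks = []
    for ip in probes:
        if ip == vpn_server:
            continue
        r = route_for(routes, ip)
        if r is None or r.iface != vpn_iface:
            leaks.append(ip)
    return leaks


def tunnel_mode(routes: list[Route], vpn_iface: str,
                probes: list[str], vpn_server: Optional[str] = None) -> str:
    """'full' when every probe rides the tunnel, otherwise 'split'."""
    return "full" if not leaking_destinations(routes, vpn_iface, probes, vpn_server) else "split"


# Constructed tables. 192.168.1.0/24 is the hotspot LAN on wlan0, 10.8.0.0/24 the
# VPN's own subnet on tun0, 203.0.113.10 the VPN server.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# OpenVPN's "redirect-gateway def1" style: two /1 routes out-rank the default
# without deleting it, and a host route keeps the server reachable directly.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

PROBES = ["198.51.100.7", "203.0.113.5"]  # constructed stand-ins for "the internet"
VPN_SERVER = "203.0.113.10"

if __name__ == "__main__":
    for label, table in (("work-style VPN", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        routes = parse_ip_route(table)
        print(label, tunnel_mode(routes, "tun0", PROBES, VPN_SERVER),
              leaking_destinations(routes, "tun0", PROBES, VPN_SERVER))
```

In the split table only 10.0.0.0/8 rides `tun0`, so both probes leave via `wlan0`; in the full table the /1 routes win the longest-prefix match for everything except the server's own /32.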

  16. GertrudeBabboon says:

    I use VPN every day to access my work server. Note that many free/public wifi connections do not allow VPN clients. I’m unable to connect at many public libraries, cafes, public outdoor wifi areas, etc. I have gone through the situation with our systems administrator, since I’m not a techie, and there’s no way around most of them. I stick to the locations that do allow my VPN client.

  17. emilayohead says:

    Waving the white flag of idiot surrender, let me ask this pretty dumb question. So, am I safe-ish at a place where I have to log in in order to access the internet? For example, a hotel that gives me a code with my keys?

    • Ein2015 says:

      @emilayohead: Is it a WEP code? Probably is… but when in doubt, err on the side of caution. WEP keys are easy for sniffers to crack and listen to your traffic… so protect yourself.

      WPA and especially WPA2 offer better security… but hotels usually don’t use that because it’s easier to just have WEP.

    • snowburnt says:

      @emilayohead: Problem is that everyone knows what the key is. It’s encrypted for most people, but for anyone staying at the hotel they’ll know how to decrypt it.

  18. MattO says:

    you also could use RDP to a home computer…

  19. PeterCachanilla says:

    Guys, just relakks:

    https://www.relakks.com/?cid=gb

    Relakks is the only one I know of that contractually obligates themselves NOT to look at or store logs of your data as it moves through their network. Plus, they are based out of Sweden, and run by the pirate party. woot.

    Keep in mind, using any of these solutions (including Relakks), that your data is only secure up until the point where it leaves the internet from your VPN provider’s connection. It may protect your data from being sniffed by the people around you, but that doesn’t stop the VPN provider from snooping in on it. The only way to transfer data home or back to your office safely is by encrypting the connection end-to-end.

  20. kerpalguy says:

    I am an avid user of swissvpn.net – at home as well as abroad, and have been for over a year now. The more secure, the better.

  21. squishyalt says:

    Just use the FREE version of LogMein (www.logmein.com) and log into your home PC from any hotspot and surf from home.

    LogMeIn FREE is, well, FREE and encrypted so any remote surfing you do is much safer than the open air at your favorite hotspot.

    Did I mention that it was FREE?

  22. JoannaFlea says:

    Curious as to how this is done – checking up on the spoofer, that is. I see fake “FREEAirportWiFi” type computer ids in my wireless networks almost 1/3 of the time I’m at the airport (which is every week.) It makes me so mad but I’ve never known how to find out who it is.

  23. ShravastiBabararacucudada says:

    I’m on wifi WAP connection at home. Is my internet browsing readable (plaintext) to a MITM?

  24. Rob Phelps says:

    LogMeIn does, indeed effing rock.

  25. OrlenaBurhans says:

    The author of this post misunderstands the Ironkey solution. This is NOT a hardware solution — rather there just happens to be installed on the Ironkey drive a copy of firefox portable with a proprietary version of TOR installed. The one difference between this and any old firefox+tor installation is that instead of using the TOR network to reroute/encrypt/anonymize, the Ironkey version uses the TOR network in addition to special Ironkey TOR servers.

  26. robertk2 says:

    University students check with their Office of Information Technology. My college has free CISCO Professional VPN for all students, faculty and staff.

  27. MyerCarnabon says:

    or use Hamachi. It’s made by logmein.com and is free.

    https://secure.logmein.com/products/hamachi/vpn.asp

  28. ugly says:

    Anyone know a good VPN endpoint for Linux? Preferably something that both the WinXP Pro and Mac OS X 10.5 clients can connect to. Potentially a Linux laptop as well, but that’s less likely/important right now.

    • Ein2015 says:

      @ugly: Do you mean how to remote into a linux box? The program you’re looking for is VNC, and if you Google for it you’ll see TightVNC, RealVNC, and UltraVNC. Choose one. :)

  29. witeowl says:

    I wasn’t paying attention and read on the homepage of lifehacker. I read the second sentence and thought: wtf… yes, you are lifehacker!

  30. QasimPansa says:

    I’ve been using a VPN (Witopia) whenever on a network other than my home network. There are so many apps and mini-apps that connect to the Web now, I have to make sure ALL connections have a secure way to sneak past anyone on the LAN I’m on, therefore a VPN.

    It should be pointed out that everything discussed here is not limited to laptops, it also applies to any device you carry that connects to the Internet over WiFi. This means you, iPhone! When I get around to buying an iPhone, setting up a secure tunnel will be one of the first things I do, but I keep reading that Apple does not make it easy or seamless especially when switching between 3G and WiFi.

    If you don’t use a VPN, at least find out how your email provider supports SSL so that your emails can at least be encrypted. People treat email so lightly, but there are so very many personal details in your emails. So…down at the local coffee shop you got an email receipt from Amazon for a big-screen TV and then 5 minutes later you got an email receipt from Southwest about your vacation between December 15 and 30? If you are using email in plaintext, then great, you just told any hacker in the room that your new TV will be unprotected during that time…

  31. awdark says:

    This might sound really dumb but is there a VPN server we can run on our home networks? (non wrt router or vpn server/firewall devices)

    My router is not WRT compatible but I have pocket pcs I wouldn’t mind running. Or what about vpn or tunneling through a NAS? I have been looking at the buffalo linkstation or Mybook world edition

    My logic is I trust my home connection and somewhat “free”

  32. krom says:

    Just today Lifehacker AU covered GPass, a similar free (Windows) online-security tool. Simple program, put it on your disk or thumbdrive and start the app.

    [www.lifehacker.com.au]

  33. XTC46 says:

    VPN all you want. The fact is, if you are sitting on an open wireless network dozens of other computers are probably also connected and in turn connected to you unless you have your computer protected properly. When I was younger I used to sit at starbucks and pick out people whose computers I could practice “security auditing” on. VPN is a good solution, but it will only protect your data in transit. If someone decides to load a decent key logger on your system, then they have your data either way. My point is, no single solution will ever be enough.