31 August, 2008

Safe and Secure Internet Surfing

I started my research on this blog entry thinking I was going to give you an easy, free solution to make sure you are secure when surfing from an unsecured Internet connection. First let's discuss the problem we're trying to solve. Whenever you connect to the Internet over a network that others have access to, you open yourself up to others tracking and intercepting your habits and data. This is called a "man-in-the-middle" attack.

Take for example a free wireless hotspot. You and anyone else can get on this network (Is your home wireless network secure?). With an easy-to-find program, another user on the network can pose as the host, and all your data will pass right through their computer for easy interception. Another very common place for this to occur is in hotels. Even though you may have a wired connection, again anyone else on the network can potentially fool your computer into treating theirs as the host and intercept your data. Of course the poor individual whose data is being intercepted never knows, because the fake host passes along the data you've requested (i.e. you still see and interact with the websites).

There is also a new privacy-invasion technique being practiced by ISPs. For a few dollars, ISPs are allowing third-party companies to set up servers in their data rooms that monitor your Internet activity, and in turn sell this information to advertisers. The argument is that in return, users will get more targeted advertisements. In truth, you're being watched without your permission, and once captured, your data could end up in anyone's hands. [See the last paragraph for more information on this.]

So there's the issue. For most of us right now, the threat arises when accessing the Internet in a public place. How can you protect yourself? Make sure your data is encrypted when leaving your computer and traveling across the Internet. If your company provides VPN access, that will give you an encrypted path between your machine and the office network -- this is the solution we need. Before I go on, let me talk a bit about VPN and the Internet.

At some point, for your computer and a server on the Internet to communicate, the data bits need to be unencrypted (with the exception of an SSL connection -- for another time). Using VPN, the bits are encrypted between your computer and the VPN server. The VPN server, on a secure network, stays in the middle: it decrypts the data coming from you and encrypts the data going to you. To the Internet servers, it appears the traffic is coming from the location of the VPN server instead of your computer. (Visit How Stuff Works to learn more about VPN.)

So back to solving our problems. If your office VPN also encrypts your Internet-bound traffic, then you could use that as a potential solution. Be sure to check with your IT department, as in some cases they only encrypt when you're talking to the office network. Also remember that the folks in the IT department have access to your data -- don't visit any sites that you don't want your company to know about.

If the office is out, and you don't want to create your own VPN (more on that later), then you can use a public VPN. I looked at two possible solutions, iPig (iOpus Private Internet Gateway) and HotSpot Shield. iPig will give you 10 Mb of free bandwidth, and then it's $30 for 30 Gb of bandwidth. Though I used the bandwidth in a matter of minutes viewing some pictures, I did have time to test the speed. My typical connection speed is 5 Mb/s down and 2 Mb/s up. Using iPig I was able to achieve 3.5 Mb/s down and 1 Mb/s up. It also introduced a lag of about 200 ms (21 ms to 227 ms). The lag will vary based on how close you are to the iPig servers in Texas.

Unfortunately I didn't have any luck using HotSpot Shield -- I could never get it to connect. HotSpot Shield is an ad-supported solution and requires your web browser to work. I tried Firefox 3 and Internet Explorer 8, Beta 2 several times without success. I even tried re-installing HotSpot Shield, but still had no luck. It does come recommended by LifeHacker and Chris Pirillo, so maybe you'll have better luck.

What other options do you have? In addition to searching for other public VPN solutions, such as PublicVPN or Sonic.net, you can set up your own VPN solution. Of course this won't solve the problem of your ISP allowing your Internet traffic to be spied on, but it will work to protect you when you're on the road. What you do is create a VPN to a computer on your home (or other trusted) network, and then surf from there. If you want to go down this path, I would recommend looking at OpenVPN.

If you don't want to go through the hassle of setting up and maintaining a VPN server, try GoToMyPC or something similar. With GoToMyPC, you log into your home computer, and then use it to do all your Internet activity. Again, it doesn't solve the issue with an ISP who is tracking your Internet activity, but in addition to giving you a secure connection, you can work on a PC you are familiar with (yours). It has the added benefit that you do not need to keep important files on your laptop; just access them when required using GoToMyPC. GoToMyPC is $20 per month.

As I mentioned throughout this article, some ISPs are now tracking users' behavior in exchange for money -- what else. Is your ISP in this group? Check out this article from the Silicon Alley Insider, published August 15, 2008.
"...seven ISPs have quietly started testing a service from ad-targeting firm NebuAd, which tracks surfers' Web use, with little or no notice to subscribers."
Make sure you tell your ISP that you will find a new ISP if they end up on this list. The Washington Post published an article on this back in April, as did the New York Times. Find out about what had started earlier this year in the UK here and here. Finally, if you really want to understand the gory details, Steve Gibson of GRC and the Security Now podcast covers it all in a three-part series beginning with episode 149.

