Going Wireless Away from Home Part 2

Staying Secure in a Hot Spot Environment

As we mention earlier in the topic, most Wi-Fi hot spots, whether they be free or for pay, utilize no network security and encryption (this is simply because it’s easier for users to get online without trying to figure out WPA passphrases and the like). There are some exceptions (for example, T-Mobile uses WPA and 802.1x authentication on their hot spots), but the vast majority of hot spots are completely without encryption.

What this means to you, as a user of a hot spot, is that everything that you send and receive from your laptop is "in the clear." Anyone else in Wi-Fi range could intercept your transmissions and read them. If that doesn’t give you pause, it should!

The lack of hot spot encryption also makes it easy to unwittingly log onto a "fake" hot spot with the same (or a very similar) SSID as the one you're trying to reach. In this evil twin attack, some bad person sets up an access point broadcasting an SSID such as Starbucks right next to the Starbucks where you think you're logging into a T-Mobile hot spot. Nothing in an open network proves which access point is the real one: the SSID is just a label, and most laptops simply pick whichever access point carrying that name has the strongest signal. You log on, and the attacker captures everything you do online (for example, online banking and Webmail passwords). Not a good situation.

You can do a few things to secure yourself in a hot spot environment. The first (and best) is to use a Virtual Private Network (or VPN). Using a VPN in a hot spot gives you three distinct benefits:


A VPN provides security even without airlink encryption (WPA or WEP) by encrypting all your inbound and outbound traffic. Even though someone could freely "read" and copy all your Wi-Fi signals, those signals would be protected by the VPN’s encryption and would be nothing but gibberish to the eavesdropper. Keep in mind that the tunnel ends at your VPN provider’s server; from there to the Web site your traffic travels as it normally would, so you still want https for anything sensitive.

A VPN provides a measure of privacy online (even beyond the bounds of the hot spot) by making your public "face" on the Internet an IP address in your VPN provider’s network rather than your own IP address. This means that any online tracking (both the benign and the malign kinds) that relies on your IP address sees the VPN’s address instead of yours. This benefit also applies at home or anywhere else you go online. (The VPN provider itself can see where you go, of course, so this comes down to whom you choose to trust.)

A VPN provides you better access to the Internet in locations where the government or some other organization blocks certain Web sites or Internet applications. For example, many western travelers in China find that they can’t access Web sites that they normally view (for example, some parts of Wikipedia are blocked). A VPN lets you "tunnel" through national firewalls and do what you want to do on the Internet without being blocked.

Securing your Wi-Fi with WiTopia

Our favorite hosted VPN service comes from the folks at WiTopia, with their Personal VPN service. For $39.99 a year, WiTopia will secure your Wi-Fi traffic by routing it through an encrypted VPN tunnel, which keeps your data from prying eyes all the way from your Mac or PC (or iPhone, more on this in a moment) to WiTopia’s secure server (from which it then makes its way onto the wild world of the Internet).

You can get two types of VPNs from WiTopia:

An SSL VPN, which uses the same technology (secure sockets layer) that secure Web pages use to encrypt all your data traffic.

A PPTP VPN, which uses the same technology used by many big corporations in their VPNs. (PPTP stands for Point-to-Point Tunneling Protocol.) One caution: the password authentication PPTP normally relies on, MS-CHAPv2, has well-documented cryptographic weaknesses, so when both options are open to you, the SSL variant is the stronger choice.

The SSL VPN has been WiTopia’s traditional product, built around an open source software effort called (appropriately) OpenVPN (www.openvpn.net). The WiTopia folks added PPTP VPN support in 2007 as a way of adding support for even more clients, including the famous Apple iPhone. Mac and Windows users can download the OpenVPN software from WiTopia’s Web site; for PPTP VPNs, users simply take advantage of the PPTP VPN client software built into most operating systems (including Windows XP and beyond, Mac OS X, and Apple’s version of OS X for the iPhone and iPod Touch).

As we write, WiTopia is offering users a choice of either VPN system for $39.99 a year, but eventually they plan to sell different versions of Personal VPN at different prices for the PPTP and SSL variants. Either way, it’s a good deal and a great way to secure your network.

Many corporations provide VPN services for their remote (work at home) and mobile workers. If yours does, make sure you use it in hot spots. If you don’t have access to a corporate VPN, consider subscribing to a VPN service such as WiTopia’s Personal VPN (www.witopia.net) or HotSpotVPN (www.hotspotvpn.com). These are hosted VPN services, which provide you with a secure and reliable VPN solution over the Internet for a monthly or annual fee. For more information about WiTopia, check out the sidebar titled "Securing your Wi-Fi with WiTopia."

If you can’t (or don’t want to) bother with a VPN service in unsecured hot spots, you should practice safe browsing. That means you should pay close attention to the SSID you are connecting to and make sure it is the one you mean to connect to. Don’t join a network just because its name sounds inviting (a "Free Public Wi-Fi" network, for instance) unless that’s actually the SSID advertised for the hot spot you’re in!
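The evil twin problem described earlier and the "watch the SSID" advice above come down to one fact: the SSID is a label anyone can broadcast. The following is an added example (not code from the book or from any hot spot operator) of how you could check a Wi-Fi scan against what you already know about a hot spot, instead of trusting the name alone. The scan results, MAC addresses and the "tmobile" profile are all constructed for illustration.

```python
"""Flag evil-twin candidates in a Wi-Fi scan.

Added example, not code from the book or from any hot spot operator.
An SSID is just a label an access point broadcasts; a second radio can
broadcast the same label, or one that reads like it. This compares a scan
against a profile of the network you intend to join: the BSSIDs (access
point MAC addresses) you have seen on trusted visits and the security it
is supposed to use. All scan data and profile values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point MAC address as the scanner reports it
    channel: int
    security: str   # "open", "WEP", "WPA" or "WPA2"
    signal_dbm: int


@dataclass(frozen=True)
class Profile:
    ssid: str
    known_bssids: frozenset   # MAC addresses seen on earlier, trusted visits
    security: str


def normalize_mac(mac: str) -> str:
    """Scanners disagree on separators and case; compare MACs in one form."""
    return mac.replace("-", ":").lower()


def looks_alike(a: str, b: str) -> bool:
    """True for names that differ only in case, spacing or punctuation."""
    def squash(s: str) -> str:
        return "".join(ch for ch in s.lower() if ch.isalnum())
    return squash(a) == squash(b)


def evil_twin_findings(scan, profile):
    """Return (bssid, reason) pairs for beacons you should not join."""
    known = {normalize_mac(m) for m in profile.known_bssids}
    findings = []
    for b in scan:
        bssid = normalize_mac(b.bssid)
        if b.ssid == profile.ssid:
            if bssid not in known:
                findings.append((bssid, "unknown access point advertising this SSID"))
            elif b.security != profile.security:
                findings.append((bssid, f"security changed: expected {profile.security}, saw {b.security}"))
        elif looks_alike(b.ssid, profile.ssid):
            findings.append((bssid, f"look-alike SSID {b.ssid!r}"))
    return findings


def pick_access_point(scan, profile):
    """The strongest beacon that matches the profile exactly, or None."""
    flagged = {bssid for bssid, _ in evil_twin_findings(scan, profile)}
    candidates = [b for b in scan
                  if b.ssid == profile.ssid and normalize_mac(b.bssid) not in flagged]
    return max(candidates, key=lambda b: b.signal_dbm, default=None)


# Constructed scan: one genuine access point, one genuine one that has lost
# its WPA setting, two impostors (one louder than the real thing) and an
# unrelated network.
SAMPLE_SCAN = [
    Beacon("tmobile", "00:11:22:33:44:55", 6, "WPA", -55),
    Beacon("tmobile", "AA-BB-CC-DD-EE-01", 11, "open", -40),
    Beacon("T Mobile", "aa:bb:cc:dd:ee:02", 1, "open", -45),
    Beacon("tmobile", "00:11:22:33:44:56", 6, "open", -60),
    Beacon("attwifi", "aa:bb:cc:dd:ee:03", 1, "open", -70),
]
TMOBILE_PROFILE = Profile(
    ssid="tmobile",
    known_bssids=frozenset({"00:11:22:33:44:55", "00:11:22:33:44:56"}),
    security="WPA",
)

if __name__ == "__main__":
    for bssid, reason in evil_twin_findings(SAMPLE_SCAN, TMOBILE_PROFILE):
        print(f"avoid {bssid}: {reason}")
    best = pick_access_point(SAMPLE_SCAN, TMOBILE_PROFILE)
    print("join:", best.bssid if best else "nothing safe in range")
```

A BSSID can be spoofed just as an SSID can, so this catches the casual impostor rather than a determined one; it is a sanity check to run before you connect, not a substitute for the VPN and https advice in this section.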

You should also use secured/encrypted connections whenever possible. That means, for example, connecting to secure Web pages and checking your browser to make sure you have actually done so whenever you’re doing something sensitive online (such as online banking or even e-mail). Make sure that you are connected to a Web site with an https rather than http prefix to the URL. When you’re on the secured site, click the lock icon in your browser (it’s typically up in the address bar of your browser, or in the bottom-right corner on the status bar, depending on which browser you’re using). Check the certificate that pops up and make sure the name of the business in the certificate is the one you think you’re connected to. And if the browser warns that the certificate is invalid, expired or issued for a different site, don’t click through it in a hot spot: that warning is exactly what you would see if an evil twin were sitting between you and the real site.

If you use Google’s Gmail service (http://mail.google.com), navigate to the site using https (in other words, type https://mail.google.com yourself rather than relying on the site to redirect you, so that even the very first request is encrypted) and you’ll be securely connected to it.

If your ISP supports it, you can also configure your e-mail client to use a secure login, so when you download e-mail you’ll be using an encrypted connection. (Secure IMAP normally runs on port 993 and secure POP on port 995; both wrap the whole session, password included, in SSL/TLS, whereas the plain versions on ports 143 and 110 send your password in the clear.) How you set this up depends on both your e-mail client and your ISP’s configuration, so search your ISP’s Web site support section for "Secure IMAP" or "Secure POP."
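Both the "click the lock and check the name" advice for Web sites and the secure-IMAP advice rest on the same check: does the certificate the server presents actually name the host you asked for? The following is an added example (not code from the book, WiTopia or any ISP) that writes that check out in full, working on the dictionary Python’s ssl module returns for a peer certificate, and shows the same verification applied to an IMAP-over-SSL connection. The two certificates and the host names in it are constructed stand-ins.

```python
"""Check that a server's certificate names the site you meant to reach.

Added example, not code from the book. Clicking the lock icon makes the
browser show the result of this check; here the rules are written out
so you can see them. It works on the dictionary that Python's
ssl.SSLSocket.getpeercert() returns. The two certificates below are
constructed stand-ins, not real certificates, and the host names are
assumptions.
"""
import imaplib
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; a wildcard is honoured only as the
    entire left-most label, and never for something as broad as '*.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                    # '*.example.com' must not cover 'a.b.example.com'
    if "*" in pattern:
        if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert: dict) -> list:
    """DNS names the certificate claims: the subjectAltName entries, or the
    subject commonName only when there is no subjectAltName at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_matches_host(cert: dict, hostname: str) -> bool:
    return any(name_matches(name, hostname) for name in cert_names(cert))


def check_live_site(hostname: str, port: int = 443) -> list:
    """Connect the way a browser does (chain and host name verified by the
    default context) and return the names the presented certificate carries.
    Needs network access; not exercised by the constructed data below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_names(cert)


def imap_over_tls(host: str) -> imaplib.IMAP4_SSL:
    """Secure IMAP on port 993 with the same verification as the browser check:
    an unverifiable or mismatched certificate raises instead of connecting."""
    return imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())


# Constructed: what getpeercert() might return for a bank's real site ...
BANK_CERT = {
    "subject": ((("commonName", "www.example-bank.com"),),),
    "subjectAltName": (("DNS", "www.example-bank.com"), ("DNS", "*.example-bank.com")),
}
# ... and for a self-signed certificate an evil twin might present instead.
TWIN_CERT = {
    "subject": ((("commonName", "hotspot.local"),),),
}

if __name__ == "__main__":
    for label, cert in (("bank", BANK_CERT), ("twin", TWIN_CERT)):
        print(label, "names www.example-bank.com:",
              cert_matches_host(cert, "www.example-bank.com"))
```

The point of the constructed twin certificate is that an interceptor on an open hot spot can present *a* certificate, just not one that names your bank; the name check (and the chain check the default context adds) is what turns that into the browser warning you should not click through.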

No matter what you do for security in a hot spot, always be aware that you are in a public place using unsecured airwaves. People can eavesdrop on your Wi-Fi signal and they can probably also "shoulder surf" and just read your screen. Keep that in mind!

Dealing with Hot Spots on Mobile Devices

A number of mobile devices — by that we mean smartphones and PDAs — are now equipped with built-in Wi-Fi capabilities. You can also find Wi-Fi built into handheld gaming devices (such as the Nintendo DS), in music/video players such as Apple’s iPod Touch and Microsoft’s Zune, and in VoIP and Skype phones.

Due to the portable nature of these devices, you’ll find that you’re more likely to have them tucked away in your pocketbook (or "man purse" . . . oops, we mean trendy messenger bag) when hot spot access is available.

Getting online with one of these devices is easy when there’s an open hot spot available to you. In fact, most of them will automatically associate with the hot spot and get you online. (Note: How this works is a device-by-device process, so read the manual if you don’t know how to connect to a Wi-Fi network with your particular portable device.)

Where this process gets to be a bit difficult is when you’re in a location that requires you to register to get online (either as a way of making a payment or just to register with a free hot spot for access). Typically, hot spots that require registration do so in one of two ways:

Using a captive portal: A captive portal is a system that automatically directs you to a registration Web page before allowing you unfettered access to the Internet over a hot spot connection. This process works fine if your mobile device has a built-in Web browser but is stopped dead in its tracks if you’re using a device without a Web browser (such as a Wi-Fi Skype phone).

Not all mobile device Web browsers support captive portal systems, usually due to a lack of JavaScript functionality in the browser.

Using client software: A smaller number of hot spots require (or offer as an option) a software client that handles user authentication and authorization. With a client installed on your device, you can bypass the requirement to load a Web page and get yourself on the network without the hassle. For example, Boingo offers client software for Windows Mobile and Nokia Series 60 smartphones, as does Boingo’s partner Skype (this software allows you to make free or inexpensive calls using Wi-Fi rather than your cellular connection).

So the bottom line here is that you’ll need either a Web browser, a special bit of client software, or an open hot spot to get online with your mobile device. We wish we had a better answer here, but, in fact, this is a major issue in the hot spot industry today.
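The captive portal mechanism above works because a portal hijacks the first plain-HTTP request it sees. Devices can turn that around and use it as a test. The following is an added example (not code from the book, Boingo or any hot spot vendor) of how such a check works: fetch a page whose contents you already know over plain HTTP and see whether anything on the path altered it. The probe host, path and expected page are assumptions (a server you run yourself), and the sample responses are constructed.

```python
"""Detect a captive portal the way phones do: fetch a plain-HTTP page whose
reply you already know and see whether something on the path altered it.

Added example, not code from the book or from any hot spot vendor. The
probe host, path and expected body are assumptions (a server you run that
returns a fixed page); the sample responses are constructed.
"""
import http.client
from dataclasses import dataclass
from urllib.parse import urlparse

PROBE_HOST = "probe.example.net"   # assumption: a host of yours serving a fixed page
PROBE_PATH = "/probe.txt"
EXPECTED_BODY = b"OK\n"


@dataclass(frozen=True)
class Verdict:
    state: str            # "online", "captive" or "offline"
    portal_url: str = ""  # where the portal sent us, when it told us


def classify(status: int, headers: dict, body: bytes) -> Verdict:
    """Decide from one probe response whether a portal sits in the way."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return Verdict("captive", headers["location"])
    if status == 204 or (status == 200 and body == EXPECTED_BODY):
        return Verdict("online")
    # Anything else (a 200 carrying a login page, a 511 Network Authentication
    # Required, ...) means the reply was rewritten between us and the probe host.
    return Verdict("captive", headers.get("location", ""))


def portal_uses_tls(verdict: Verdict) -> bool:
    """Only type a password or card number into a portal page served over https;
    on an open hot spot anything sent to an http portal travels in the clear."""
    return verdict.state == "captive" and urlparse(verdict.portal_url).scheme == "https"


def probe(host: str = PROBE_HOST, path: str = PROBE_PATH, timeout: float = 5) -> Verdict:
    """Issue the probe over plain HTTP without following redirects (a portal
    cannot rewrite an https page without a certificate error, so the probe
    is deliberately unencrypted). Needs network access."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Cache-Control": "no-cache"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), resp.read())
    except OSError:
        return Verdict("offline")


# Constructed responses: the probe page unchanged, a portal that redirects
# to an https login page, and a portal that swaps in its own page instead.
SAMPLE_RESPONSES = {
    "open": (200, {"Content-Type": "text/plain"}, b"OK\n"),
    "redirecting": (302, {"Location": "https://portal.example-hotspot.net/login"}, b""),
    "rewriting": (200, {"Content-Type": "text/html"}, b"<html><body><form>Sign in</form></body></html>"),
}

if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        print(name, "->", classify(*response))
```

The same interception that makes the probe work also means a portal (or anyone impersonating one on an open hot spot) can put any page it likes in front of a plain-HTTP request, so treat the login page you are shown with the same suspicion as any other page on the hot spot: if it asks for a password or a credit card, it should be an https page with a certificate that names the operator.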

On the Go with EV-DO!

If you’re a wireless power user — and you tend to travel on the main thoroughfares and metro areas — you may be interested in another on-the-road option (heck, you can even use it while you’re at home!) for wireless connectivity: wireless WAN services. These wireless wide area network services are offered by cellular carriers in more and more places around the United States as they build out their networks for the next generation of audio and video (yes, TV on your phone) services.

Wireless WAN services come in different flavors depending on the technology each carrier is deploying and where each flavor is available. Some of the most common of these connections are

1xRTT: Stands for single carrier (1x) radio transmission technology, a 3G (third-generation) wireless technology based on the CDMA (code division multiple access, if you must know) platform. (1xRTT is the first member of the CDMA2000 family, so you’ll also see it called CDMA2000 1x.) 1xRTT has the capability to provide speeds of as much as 144 Kbps (but usually in the 60 Kbps-90 Kbps range). Carriers such as Sprint and Verizon offer this service.

EV-DO: Stands for Evolution-Data Optimized (the original expansion was Evolution-Data Only). This CDMA-based wireless data platform, the fastest wireless WAN technology available on the mass market, is capable of transmitting more than 2 Mbps, but typically is in the 400 Kbps-700 Kbps range. It’s offered by Sprint and Verizon.

GPRS/EDGE: The competitor to CDMA is a European-born standard named Global System for Mobile Communications, or GSM for short. GSM’s packet data service is called GPRS (General Packet Radio Service) and is offered by AT&T and T-Mobile in the United States. GPRS is often described as 2.5G — that is, a technology between the second (2G) and third (3G) generations of mobile telephony. Although speeds can theoretically top 170 Kbps, a more likely range is 30 Kbps-70 Kbps — not that fast. A slightly faster version, called EDGE, is widely available across the United States as well.

HSDPA: The 3G variant of CDMA, as we mention earlier, is EV-DO; GSM has its own 3G variant called HSDPA (High Speed Downlink Packet Access). HSDPA offers download speeds as fast as 3.6 Mbps and is widely available in Europe but less so (to date) in the U.S. AT&T has launched the service in several cities and should eventually reach all its major markets with the service (we’d guess by the end of 2008).

WiMAX: The up-and-coming wireless WAN technology is called WiMAX (Worldwide Interoperability for Microwave Access), which some people believe could act as your home’s broadband connection, too, because it can hit speeds of up to 70 Mbps! Wow, we can’t wait. Look for actual services you can purchase based on WiMAX starting in 2008.

Using these data services on your laptop is easy. You just plug your PC Card or Express card into your laptop (just like an 802.11 PC Card or Express card) and launch your carrier’s cellular access program. You’re online, surfing away.

Wireless WAN chips are starting to ship in laptops now, in the same way that Intel seeded the growth of the Wi-Fi space with 802.11 capabilities embedded on the motherboard (with its Centrino products). So you can, if you want to, order a Dell or Sony laptop with Verizon EV-DO on board (Wi-Fi too!) — no hassling with PC Cards any more!

Of course it’s not just laptops that can utilize these services. Most new phones (and all new smartphones) have at least a built-in 2.5G data capability. Smartphones include e-mail client software, Web browsers, instant messaging client software, and more. Plus, in many cases, you can connect your phone to your laptop using a USB cable or a Bluetooth connection and use the phone as a broadband wireless modem for your laptop computer.

The biggest issues for these services are now cost (an unlimited plan sets you back $60-$80 per month, and that’s on top of whatever you pay for your mobile voice services) and availability (mostly in the major metro areas and on interstate highways). Still, if you can get it, it’s great. We love our Sprint EV-DO service!
