Virtual Private Networks
One useful method of increasing the security of your connections over the internet is to use a Virtual Private Network (VPN).
Many large companies and Government Departments use this technique to tunnel an encrypted session from a home or mobile laptop computer operating in an insecure public place (such as a public WiFi hotspot or cyber café), back to a corporate network, and then via a corporate gateway, back out on to the internet.
Sometimes special client software is required e.g. from Cisco, or vendor neutral standards like an SSL/TLS web page infrastructure or IPSec can be used.
SSL/TLS web page based systems do not usually require any extra software to be installed, only a standard web browser. They might need a Client Side Digital Certificate to be installed in the browser, but this is straightforward.
- There are lots of Authentication and Encryption standards and algorithms associated with VPNs. Make sure that you disallow any configurable options which can negotiate weak or non-existent encryption between your client PC and the VPN server, e.g. "No encryption allowed..." or "Optional encryption..." etc., to ensure that your username and password or other credentials are never sent across the wire or by radio transmission unencrypted, in the clear.
- Use strong encryption (at least 128-bit key length), and / or a protocol which changes the encryption keys frequently, e.g. the modern industry standard 802.1x authentication and AES encryption.
- For extra security, do not store or write down your password in your Network Connection / VPN client software configurations, but memorise it.
Choose a Strong Password or passphrase. As with any other web based service, like web email, if your Commercial VPN supplier offers a "Forgotten Password" or Password Recovery or Reset option, then make sure that the Answers to the Challenge / Response Questions are at least as strong as your actual password. E.g. if the Question is "What is your mother's maiden name?", you usually do not actually have to reply truthfully, or with a very short, easily guessed or easily cracked answer. US Vice-Presidential candidate Sarah Palin's Yahoo email accounts were illegally accessed in this way.
- Remember to make sure that the Firewall software on your PC is aware of the new VPN IP address range, as you will be sidestepping your usual broadband Private Internet Address, e.g. 192.168.0.xxx or 192.168.1.xxx, and the built in firewall on your ADSL broadband / WiFi router (or other corporate firewall) will no longer be protecting you from various internet probes, port scans and attempts to connect to your local PC's shared disk drives and peripherals etc. Anything on your PC which listens on "all interfaces" becomes reachable through the tunnel as well.
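The last point above is easy to overlook, so here is an added worked example (not part of the original post, and not any VPN vendor's tool) which shows how to find out which listening services on your PC become reachable through a VPN tunnel. It assumes a Linux box where the tunnel interface is named ppp*, tun* or tap* and where `ss -ltn` style output is available; the interface addresses and the listener lines below are constructed sample data, not taken from a real system.

```python
import ipaddress
import re

# Constructed sample: interface addresses as the OS reports them once the
# tunnel is up. 192.168.1.23 is the usual LAN address behind the broadband
# router; 10.8.0.6 is a made-up address assigned on the tunnel interface.
SAMPLE_INTERFACES = {
    "eth0": "192.168.1.23",
    "ppp0": "10.8.0.6",
}

# Constructed sample in the layout `ss -ltn` prints; the services are made up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:445          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     192.168.1.23:8080    0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return (bind_address, port) pairs from ss/netstat style LISTEN lines."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr = m.group(1).strip("[]")       # "[::]" -> "::"
            listeners.append((addr, int(m.group(2))))
    return listeners


def tunnel_addresses(interfaces, tunnel_prefixes=("ppp", "tun", "tap")):
    """Addresses on interfaces that look like VPN tunnel endpoints.

    Assumption: the tunnel interface is named ppp*/tun*/tap*, which is what
    the usual PPTP and OpenVPN clients on Linux create."""
    return {name: ipaddress.ip_address(addr)
            for name, addr in interfaces.items()
            if name.startswith(tunnel_prefixes)}


def reachable_over_tunnel(interfaces, listeners):
    """Listeners that the far end of the tunnel (and whatever it forwards to
    you) can reach: sockets bound to a wildcard address or to the tunnel IP.

    A dual-stack [::] socket on Linux also accepts IPv4 connections unless
    IPV6_V6ONLY is set, so it is reported even when the tunnel is IPv4 only."""
    tunnel_ips = set(tunnel_addresses(interfaces).values())
    if not tunnel_ips:
        return []                      # no tunnel up, nothing is exposed by it
    exposed = []
    for addr, port in listeners:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue                   # 127.0.0.1 / ::1 never leave the host
        if ip.is_unspecified or ip in tunnel_ips:
            exposed.append((addr, port))
    return exposed


def tunnel_firewall_rules(tunnel_iface="ppp0"):
    """iptables rules (assumed, not vendor supplied) that let replies to your
    own outbound connections back in through the tunnel but drop everything
    the tunnel's far end initiates, restoring what the home router did."""
    return [
        f"iptables -A INPUT -i {tunnel_iface} -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -i {tunnel_iface} -j DROP",
    ]


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_SS_OUTPUT)
    for addr, port in reachable_over_tunnel(SAMPLE_INTERFACES, listeners):
        print(f"exposed through the tunnel: {addr}:{port}")
    print("\n".join(tunnel_firewall_rules("ppp0")))
```

On the sample data the SMB listener on 0.0.0.0:445 and the SSH listener on [::]:22 are reported, while the CUPS socket on 127.0.0.1 and the service bound only to the LAN address are not. To run it against a live machine, feed it the real output of `ss -ltn` and the addresses from `ip -4 addr` instead of the constructed samples.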
There are third party commercial companies which offer such VPN services, for a fee.
From a whistleblower source protection point of view, any of these corporate or commercial VPN services can improve the security of your internet connections, but they rarely provide much extra anonymity, as there are usually extensive log files of time and date and IP address connections to the encrypted VPN service. There will also be IP address logging and restriction policies applicable to the corporate or government system's internet gateway.
Even the commercial VPN service providers in foreign countries, some of which claim to "delete log files", etc. are not necessarily to be trusted in this regard, especially if faced with heavy legal pressure from their local law enforcement or government authorities.
Connecting via a VPN, over the public internet, through a high speed broadband connection, is often much faster than the use of the dedicated dial in systems which have been used by corporate and government users for many years.
Commercial VPN services need to be paid for, and a Credit Card (or even PayPal) obviously leaves a financial audit trail back to the whistleblower or investigative journalist or blogger or political activist etc.
However, such VPN services do have their place in the arsenal of tools needed to frustrate today's snoopers, especially if the company and their VPN host servers are based overseas, a technique which has been useful to, say, Chinese activists trying to evade the Great Firewall of China state censorship.
Remember that VPNs can be used in combination with other techniques, e.g. the use of Tor onion routing or open proxy servers.
We welcome reviews of such VPN services, and will update this blog post with reasonable, offshore VPN service suggestions.
- SwissVPN.net, which is based in Switzerland i.e. neither in the UK, nor the EU nor the USA, so snooping by the UK authorities might be possible, but is unlikely to be automatic, and will leave an audit trail.
They offer a Microsoft PPTP (Point to Point Tunneling Protocol) VPN service for which they charge about $5 a month (credit card or PayPal payment options).
This has the advantage that the VPN client software is already built into most Microsoft Windows operating systems (and is also available for Apple and Linux), using Microsoft's MS-CHAP2 (Challenge Handshake Authentication Protocol) authentication.
Sometimes your internet connection's firewall may not allow the TCP port 1723 control connection and the IP protocol 47 packets needed for GRE (Generic Routing Encapsulation), but most recent home broadband routers or public WiFi hotspots etc. which have PPTP pass through will usually allow this.
Some broadband routers / firewalls / WiFi access points etc. allow this ok without displaying any user configurable options, so it is worth checking this initially with a test account first, so as not to put your real username and password credentials at risk.
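An added example, not from the original post and not SwissVPN.net's own software, of how that initial check can be done without sending any credentials at all: the PPTP control connection on TCP port 1723 starts with a Start-Control-Connection-Request / Reply exchange (RFC 2637) that carries no username or password, so a reply from the server proves that the control port is reachable through your router before you ever type a real password. The server hostname, vendor string and reply below are constructed sample values; the `probe_pptp_control` function is the only part that touches the network and is a hypothetical helper, not part of any client.

```python
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D          # fixed value in every PPTP control message
CTRL_MSG = 1                       # PPTP message type 1 = control message
SCCRQ, SCCRP = 1, 2                # Start-Control-Connection-Request / -Reply
PROTOCOL_VERSION = 0x0100
# RFC 2637 layouts, big-endian; both messages are 156 bytes long.
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"
RESULT_CODES = {
    1: "ok",
    2: "general error",
    3: "command channel already exists",
    4: "not authorized",
    5: "unsupported protocol version",
}


def build_sccrq(hostname=b"pptp-check", vendor=b"example"):
    """Build the request the client sends first. It contains no credentials,
    only framing/bearer capabilities and informational strings."""
    return struct.pack(
        SCCRQ_FMT, struct.calcsize(SCCRQ_FMT), CTRL_MSG, MAGIC_COOKIE,
        SCCRQ, 0, PROTOCOL_VERSION, 0,
        3, 3,                      # framing: async+sync, bearer: analog+digital
        0, 0,                      # max channels (0 = unknown), firmware revision
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def sample_sccrp(result_code=1, error_code=0, hostname=b"vpn-gateway"):
    """Constructed reply, as a PPTP server would send it; used for offline
    testing of the parser. The hostname/vendor values are made up."""
    return struct.pack(
        SCCRP_FMT, struct.calcsize(SCCRP_FMT), CTRL_MSG, MAGIC_COOKIE,
        SCCRP, 0, PROTOCOL_VERSION, result_code, error_code,
        3, 3, 1, 0x0100,
        hostname.ljust(64, b"\0"), b"example vendor".ljust(64, b"\0"))


def parse_sccrp(data):
    """Validate and decode a Start-Control-Connection-Reply."""
    size = struct.calcsize(SCCRP_FMT)
    if len(data) < size:
        raise ValueError(f"short reply: {len(data)} bytes, expected {size}")
    (length, msg_type, cookie, ctrl_type, _res, version, result, error,
     framing, bearer, max_ch, firmware, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:size])
    if msg_type != CTRL_MSG or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError(f"unexpected control message type {ctrl_type}")
    return {
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "error_code": error,
        "version": version,
        "hostname": host.rstrip(b"\0").decode("ascii", errors="replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", errors="replace"),
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_ch,
    }


def probe_pptp_control(host, timeout=5.0):
    """Hypothetical helper: open TCP/1723 to your own provider, exchange
    SCCRQ/SCCRP and return the decoded reply. This only proves the control
    port passes your router; GRE (IP protocol 47) is only exercised once a
    real tunnel is brought up, which is what the free test account is for."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < struct.calcsize(SCCRP_FMT):
            chunk = s.recv(struct.calcsize(SCCRP_FMT) - len(data))
            if not chunk:
                raise ConnectionError("server closed connection before SCCRP")
            data += chunk
    return parse_sccrp(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_pptp_control(sys.argv[1]))      # e.g. your provider's host
    else:
        print(parse_sccrp(sample_sccrp()))          # offline demonstration
```

Run it with your provider's hostname as the only argument; a decoded reply with result "ok" means the control channel got through, while a timeout or connection refusal points at the router or hotspot blocking port 1723. A reply that decodes but reports "unsupported protocol version" or a closed connection is still useful, because it shows the port itself is open.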
SwissVPN.net also offer, through their own free downloadable client software (not yet available for Windows Vista), the more modern EAP-TLS (Extensible Authentication Protocol) authentication, which overcomes some of the potential authentication weaknesses of MS-CHAP2, and is popular with many public and commercial WiFi hotspots.
N.B. with either type of authentication the actual encryption of the SwissVPN.net tunnel will use 128-bit MPPE encryption (Microsoft Point-to-Point Encryption). "It uses the RSA RC4 encryption algorithm. MPPE supports 40-bit, 56-bit and 128-bit session keys, which are changed frequently to improve security. The exact frequency that the keys are changed is negotiated, but may be as frequent as every packet."
The SwissVPN.net website includes screenshots of all of the required configuration settings, and even offers a free test account, to check if you can connect ok to their system before purchasing any online credit.
- More VPN service suggestions or reviews are welcome