A VPN debate: WiTopia and HotSpotVPN

Defensively speaking, anyone using a public WiFi hotspot should employ Virtual Private Network (VPN) software to encrypt all traffic/data traveling over the airwaves. Less obviously dangerous, but equally snoopable, are wired Ethernet connections to the Internet in hotel rooms. I wrote about the dangers in hotels last month, see Defending against insecure hotel networks with a VPN.

If you work for a large company, you may already be using VPN software to make an encrypted connection to the home office. Many of you however, need it and don't use it.

Yesterday I briefly described the VPN services, and related costs, from two companies, WiTopia and HotSpotVPN (see More about VPNs: Price and Trust). The head of each company made long comments on yesterdays posting. Since they raise important points, I'm re-publishing them here.

Glynn Taylor of HotSpotVPN

Below is Glynn's comment, unedited.

My name is Glynn Taylor and I'm the founder of HotSpotVPN and WiFiConsulting, inc. I'd like to expand upon my rather terse reply above.

Trust is one of the most important things in the security business. Our privacy policy consists of some strong simple statements that we have stood by for five years. We pledge that we will not sell, share, trade, disclose or rent any of your information to others. We also state that we will not record, sniff, scan or view any HotSpotVPN user's Internet traffic. Beware any VPN vendor that will use your information for other purposes.

Price: We have many more features than any of our competitors and this leads to higher costs in our infrastructure. It also leads to the most safe flexible and usable VPN service available. We use the service ourselves so we built it with everything we wanted it to have.

TunnelGuardian: HotSpotVPN is more than just a VPN. We have software running in our infrastructure that will proactively block malware and optionally block all on-line advertisements from getting to the client's computer. In low bandwidth situations the ad-blocking speeds up the surfing experience. Most importantly on-line ads served through reputable ad agencies can be used to load Trojans and viruses onto a computer. Ad blocking prevents this attack vector from being used against our users.

Most Flexible: With HotSpotVPN2 you have a choice of ports to use and you can switch from tcp to udp protocols. We default to tcp on port 443 so if a browser on a https session works, the vpn will work. You can also change to the udp protocol which provides much better voip streaming video and audio than tcp.

Our servers are spread out across the country so you can choose the servers closest to you to minimize latency. If you are in Europe you would use our east coast servers, in Asia, our west coast servers. It makes a big difference. I have used the service from China, New Zealand and Europe over the last year and this is very important.

Bandwidth: Our goal is to provide quality service to our users without having to throttle their bandwidth down to annoying levels. We have succeeded in this and are actually adding another 1.2 Gigabits during the next change control window (about a week from now).

Thank you.
GT

Bill Bullock of WiTopia

Below is the un-edited reply from Bill Bullock, President of WiTopia.

Hi. This is Bill Bullock from WiTopia. Glynn raises some additional points in his amendment that I feel should be addressed just so they are not misleading. Not that Glynn meant to mislead in promoting his service. I would like to give credit where credit is due, but clarify that we do not charge less because we "skimp" in the areas mentioned.

Glynn said: We pledge that we will not sell, share, trade, disclose or rent any of your information to others. We also state that we will not record, sniff, scan or view any HotSpotVPN user's Internet traffic. Beware any VPN vendor that will use your information for other purposes.

Reply:

Same with WiTopia as governed by our privacy policy. We absolutely do not record or monitor customers' data, sites visited, etc. and also certainly do not share customer information with any third party. Again, we take the privacy aspect of the service deadly serious.

Glynn said: Price: We have many more features than any of our competitors and this leads to higher costs in our infrastructure. It also leads to the most safe flexible and usable VPN service available. We use the service ourselves so we built it with everything we wanted it to have.

Reply:

Yes. We use our own service too. :) I think words like "most" may be misunderstood. I don't believe any VPN provider (or any network service) can accurately claim "most usable," "most safe," "most flexible." We have comprehensive security and usability features in place. Some simply keep "bad guys" off the service, thwart attacks, and enforce solid security policy, and some are convenience such as providing zero-config SMTP relays, certificate regenerators, etc. This gets into network design elements and "secret sauce" that would likely be quite boring to most people. Again, I would sincerely hope both services have serious networking expertise behind them.

Glynn said: TunnelGuardian: HotSpotVPN is more than just a VPN. We have software running in our infrastructure that will proactively block malware and optionally block all on-line advertisements from getting to the client's computer. In low bandwidth situations the ad-blocking speeds up the surfing experience. Most importantly on-line ads served through reputable ad agencies can be used to load Trojans and viruses onto a computer. Ad blocking prevents this attack vector from being used against our users.

Reply:

I have a legitimate question on TunnelGuardian, but HSVPN may have a great answer. Don't know. It sounds like a neat feature if you think ads are slowing your connection.

Here's the question: To deliver the TunnelGuardian service, wouldn't HotspotVPN have to inspect the html code before encrypting it to block malware, on-line ads, etc.? Wouldn't the traffic have to be scanned?

Glynn said: Most Flexible: With HotSpotVPN2 you have a choice of ports to use and you can switch from tcp to udp protocols. We default to tcp on port 443 so if a browser on a https session works, the vpn will work. You can also change to the udp protocol which provides much better voip streaming video and audio than tcp.

Reply:

OK. again with the "most" stuff. :) We will soon allow customers to "customize" on the client side and choose different ports, etc. We optimized a standard configuration/bundle which would suit the needs of most everyone before we allowed customization. This ensures easier support, scaling, and allows us to offer a lower price to more people.

WiTopia's openVPN SSL service is optimized for video and VoIP (using udp) and we designed the PPTP to be more "scrappy" using tcp as its error-correcting ability is superior if there are network irregularities.

Glynn said: Our servers are spread out across the country so you can choose the servers closest to you to minimize latency. If you are in Europe you would use our east coast servers, in Asia, our west coast servers. It makes a big difference. I have used the service from China, New Zealand and Europe over the last year and this is very important.

Reply:

We do agree moving gateways closer to customers is a factor of performance so we have several spec'ed out to be deployed over the next quarter. Although, there are other factors... and from personal and customer experiences from all over the world, I'm not sure this matters as much as even we once thought. Improvements in routing, capacity, peering points etc. on the Internet have lessened the need for geographical proximity. Still, we'll be doing our rollout too. Purchasing shiny new gear.

Glynn said: Bandwidth: Our goal is to provide quality service to our users without having to throttle their bandwidth down to annoying levels. We have succeeded in this and are actually adding another 1.2 Gigabits during the next change control window (about a week from now).

Reply:

So I don't crash CNET's servers with my response, I'll just conclude with, we don't throttle any bandwidth whatsoever. Our only policy is if usage falls completely outside reasonable customer norms, e.g., you try to run a phone company over it, we have the right to be "unpleasant." Haven't had to do it yet!

A note about finding each company. HotSpotVPN is at hotspotvpn.com. The website hotspotvpn.org is from a competing company, one that I know nothing about. This competitor doesn't say anything about who they are, and doesn't even offer a physical address on the Contact Us page. Trust is part of the equation with VPN companies, so I would not consider using this competitor. WiTopia is at witopia.net. There is no website at witopia.com and if one shows up tomorrow it will not be from the VPN company, which does not, at the moment, own the .com domain name.

See a summary of all my Defensive Computing postings.