Public Wi-Fi and VPNs

I’ll be buying a netbook in the next few weeks, and once again my thoughts are turning to public Wi-Fi security. I’ll be traveling at some point in the next month or so and would like to go online while I’m on the train. One option is to rent a wireless USB card (or whatever the hell they’re called), which I’m told has its own security, so no problem there. But the price might be a bit more than I’d like to pay, and with the netbook I’d like to be able to go online periodically throughout the year whenever I’m out and about.

Another idea is to use a VPN. A few years ago, I understood this to work through the network on your home computer, meaning it had to be on and connected while you weren’t home. This isn’t always the case for me; in fact, I take my computer offline when I leave the house and completely off the grid when I expect to be gone for more than a day. So no worky.

But recently I looked into it again, and it appears that there are services, both paid and unpaid, that will allow you to use their VPN through an online portal. Groovy.

Question 1:

I’m still not quite clear on how security is obtained. OK, so you use public Wi-Fi to log in to your VPN, and then after that everything is golden. But isn’t that initial login still unsecure? Or is it done through an https:// page, and thus suitably encrypted? (Feel free to educate me if I’ve got any of my facts wrong, which is a keen possibility.)

Question 2:

OK, so suppose I want to go with a VPN. I’ve read some reviews of both the paid and unpaid ones. Obviously I’d prefer free if it’s decent, but I also understand that you get what you pay for. Have you used one of these services, and/or can you recommend one (or warn me away)?

Thanks mucho. I have a sincere respect for anyone who really understands all this stuff. It’s voodoo to me.

Here’s my layman’s understanding of question #1:

I think most VPNs and HTTPS work on the same fancy mathematical principle, public-key cryptography. It’s black magic to me and I couldn’t begin to understand how it works internally, but the practical application is that it allows two computers to talk to each other securely as long as they have some shared “public key” beforehand, kinda like a code word that only the two of them know.

When you sign up for a VPN service, you’re usually provided with this key in the form of a downloadable cryptographic “certificate”. From that point on, your computer and the VPN will use this certificate to mutually authenticate (mathemagically prove to each other who they are) whenever they speak, and this works even over insecure networks like your public hotspot.

Once that secure channel between your computer and the VPN is established, all internet traffic to and from your computer is routed through that VPN instead of going directly through the insecure hotspot.

So as long as you sign up for the VPN before you venture into the wild and get the requisite download (or password, or special software, or whatever that particular VPN uses), you should be good to go.
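As an added illustration of the answer to Question 1 (not part of the original thread and not any VPN product's code): a Python example in which two ends agree on keys over the open hotspot using Diffie-Hellman, one form of public-key cryptography, and only then send the login. The group parameters, the keystream cipher and the sample login are constructed for the demonstration, and the certificate check that real VPNs use to authenticate the server is left out.

```python
import hashlib, hmac, secrets

# Toy parameters picked for brevity (assumption); real VPNs use vetted groups or curves.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public). Only the public value is ever transmitted."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_keys(my_priv, their_pub):
    """Derive (encryption key, MAC key) from my private and the peer's public value."""
    shared = pow(their_pub, my_priv, P).to_bytes(32, "big")
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())

def keystream_xor(key, nonce, data):
    """Illustrative cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def simulate_login(login):
    """Return (every byte a hotspot sniffer could record, login as the server reads it)."""
    c_priv, c_pub = keypair()                 # client side
    s_priv, s_pub = keypair()                 # VPN server side
    on_air = [c_pub.to_bytes(32, "big"), s_pub.to_bytes(32, "big")]

    enc, mac = session_keys(c_priv, s_pub)    # client derives keys, then logs in
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(enc, nonce, login)
    tag = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    on_air += [nonce, ciphertext, tag]

    enc2, mac2 = session_keys(s_priv, c_pub)  # server derives the same keys
    expected = hmac.new(mac2, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("login message was altered in transit")
    return b"".join(on_air), keystream_xor(enc2, nonce, ciphertext)

if __name__ == "__main__":
    sample = b"user=alice&password=constructed-example"   # constructed sample
    captured, received = simulate_login(sample)
    print("server read the login correctly:", received == sample)
    print("login visible to sniffer:", sample in captured)
```

Everything placed in `on_air` crosses the hotspot, yet the login never appears in it; without the server certificate check, though, a network operator could sit in the middle of the exchange, which is why the VPN's certificate or client software should be obtained before connecting from an untrusted network.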

For #1, **Reply** is correct: no login information is sent unencrypted.

For #2, I use Witopia’s PPTP service and can recommend it. It’s reliable, fast, and practically transparent.