How safe are subscription VPNs?
July 9, 2009 11:30 AM

How safe exactly is a subscription VPN like Witopia?

I'm considering getting Witopia for Hulu, BBC, and Pandora access. I've read questions about subscription-based VPNs here before, but none of them ask what seems to me like an obvious question: how can you be sure that Witopia isn't doing some sort of snooping of the traffic themselves? Obviously, I'm just being paranoid, but let's say I'm using its VPN: in theory I don't have to worry about them getting CC and password info from SSL pages, right? Perhaps they can snoop for cookies and hijack a session, but other than that can I be fairly confident in its security?
posted by reformedjerk to Technology (7 answers total) 1 user marked this as a favorite
With all things in life there are essentially no guarantees, but encrypted traffic is encrypted traffic no matter how you send it. All a VPN is providing you is an alternative endpoint to your personal IP address, which confuses services that rely on IPs to block or hinder service (i.e. BBC, Hulu, etc.). This also gives you the benefit of anonymity (barring any logging the VPN provider does that could be subpoenaed), since all traffic through the VPN service will appear to come from one (or many) IP addresses that aren't yours. Since you are 'tunneling' your traffic, this also gets around traffic shaping and such, since the traffic from your PC to the VPN service will be encrypted as well.
posted by zennoshinjou at 11:42 AM on July 9, 2009

Short answer is no, you can't know for sure if they aren't snooping. This is from their FAQs:
Once your data reaches our Secure Internet Gateway, we decrypt the data (we must so that your intended party can make sense of it), and send it to its destination. This last part is safe because it would be virtually impossible to “sniff” data between a secure data center over an actual Internet backbone link. It just doesn’t happen. “Sniffing” and “spying” occur over local networks because it is so very easy to do – much easier than trying to break into a guarded bunker-type data center with biometric scanners and such.

When we receive the data from your destination server, we re-encrypt it and send it to you through the encrypted tunnel so no one can intercept it.
So once they decrypt your data they can do anything with it. Now granted, if the original traffic you sent them was SSL then when they decrypt the VPN traffic they get the SSL traffic so that is secure insomuch as the SSL is secure. That's the only way to be sure that your network provider isn't snooping on you.

Also, their glib dismissing of sniffing and spying is true in the sense that the weirdo sipping a latte next to you isn't reading what you are sending, but there are still governments and other people who have access to those backbones. Granted, most people have more to fear from the guy listening to your WiFi signals who wants to play pranks, and a properly configured VPN used religiously will protect you against that type of attacker.
posted by mmascolino at 12:56 PM on July 9, 2009

"how can you be sure that Witopia isn't doing some sort of snooping of the traffic themselves?"

You can't. You can't be sure this isn't happening through every router between you and the server.

As far as SSL goes, you are reasonably safe, but they can perform a man-in-the-middle attack and substitute their own SSL cert without you knowing, and their VPN client could be installing new root certificates so you don't even get a warning.

I don't know how common this is, but it's a possibility.
posted by damn dirty ape at 1:18 PM on July 9, 2009

Call me completely paranoid ... but I think I'd rather get my VPN service from somebody in Germany or Sweden or a small Caribbean island - instead of the same city where the CIA is headquartered.
posted by bhance at 5:12 PM on July 9, 2009

Actually, the CIA is down the road in Langley, VA. However, in this case, if your paranoia is such, you should be more afraid of the NSA, which is somewhat further down the road at For Meade in Maryland.

And damn dirty ape is right...unless you religiously check server certs and verify that the VPN software hasn't messed with your root certificates, then you could be susceptible to a man-in-the-middle attack. Most people aren't that paranoid, and you are reasonably safe assuming you trust the people you are dealing with. The VPN is added protection, but it is not a panacea.
posted by mmascolino at 8:26 PM on July 9, 2009
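
The two checks raised in the answers above (confirming that VPN software has not added root certificates, and comparing a server certificate with a known value), sketched as an added example that is not part of the original thread. All function names are hypothetical, and the sample "certificates" are constructed placeholder bytes wrapped as PEM, not real certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def bundle_fingerprints(pem_bundle: str) -> set:
    """Fingerprints of every certificate in a PEM bundle (an exported root store)."""
    return {fingerprint(ssl.PEM_cert_to_DER_cert(block))
            for block in PEM_BLOCK.findall(pem_bundle)}

def added_roots(baseline_pem: str, current_pem: str) -> set:
    """Roots present in the current export that the baseline export lacked."""
    return bundle_fingerprints(current_pem) - bundle_fingerprints(baseline_pem)

def leaf_matches_pin(host: str, pinned_hex: str, port: int = 443) -> bool:
    """Fetch the server's leaf certificate over the current route (e.g. the VPN)
    and compare it with a fingerprint recorded earlier on a network you trust.
    A rogue root in the local store makes ordinary validation succeed, so the
    comparison is against the recorded value, not against the trust store."""
    pem = ssl.get_server_certificate((host, port))
    seen = fingerprint(ssl.PEM_cert_to_DER_cert(pem))
    return seen == pinned_hex.lower().replace(":", "")

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
ROOT_A = ssl.DER_cert_to_PEM_cert(b"constructed-root-A")
ROOT_B = ssl.DER_cert_to_PEM_cert(b"constructed-root-B")
ROOT_NEW = ssl.DER_cert_to_PEM_cert(b"constructed-root-added-by-installer")

BASELINE = ROOT_A + ROOT_B                  # export taken before installing the client
AFTER_INSTALL = ROOT_A + ROOT_B + ROOT_NEW  # export taken afterwards

if __name__ == "__main__":
    for fp in sorted(added_roots(BASELINE, AFTER_INSTALL)):
        print("new root since baseline:", fp)
```

`leaf_matches_pin` needs network access and a fingerprint you recorded yourself, so it is not exercised by the sample data.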

D'oh. You're right - Langley. And that should be a link to xerobank, not 'zerobank'. (now slinking off to better preproof my @#$% comments. But, still, if you're picking a VPN - aim for a non-US provider.)
posted by bhance at 10:38 PM on July 9, 2009

Damn and I can't spell Fort right.
posted by mmascolino at 6:48 AM on July 10, 2009
