Virtual Private Network (VPN) - Free if possible

Wow I can only say that the comments given as advice on this thread are nothing short of terrifying. I guess this is why it comes up again and again, that advice off public forums is suspect at best. OP, please note that none of these comments are expert advice. If you have any concerns at all, ask an expert and do not rely on a public forum for something this important.

As for the specific points brought up by the previous posters my answers are:
1) Paid VPN services are based on a model of trust, just like Certificate Authorities who issue the SSL certificates to the banks, or even the Banks themselves. They would go out of business if they are not trustworthy.
2) Most VPN services allow PayPal as a payment method and it is easy to create a throw away email address. Why should you give them or anyone else you do not need to personal or private information??? In the case of the service I recommended, Cyberghost, they intentionally do not ask for any identifying information.
3) re Willie Sutton, if you were to ask him which banks he would choose to rob, it would not be the big ones in the big cities where there are lots of cops around and bigger more expensive vaults, he would go for the smaller less protected ones with weaker security. This analogy applies to internet security. Target, Home Depot, Sony etc are all learning their lesson and spending money on security so it does not (hopefully) happen again. So where do the hackers go next? Easier targets, smaller companies, public WIFI etc. FYI you know public WIFI has become a big time target when Fox news starts covering it. Just Google WIFI Pineapple (the easiest tool for doing what we are talking about) in news.Google.com and see how many mainstream articles have been written about this topic and how the experts like Kevin Minnick and Darren Kitchen (nee Security Gods) have advised them how to protect themselves (hint hint... VPN)

OP although you cannot knowingly trust me, or anyone else that responds to this thread as being experts in this field. My expert advice is consult an expert in the field you can trust and trust me enough when I say, use a paid VPN service when using any public WIFI for sensitive transactions like banking every time and every place, period. And for the rest responding to the OP, I beg you educate yourself a little in IT security, and go to news.Google.com and search "WIFI Pineapple" and learn why your advise is so ill advised.

westernrvparkowner wrote:

aslakson wrote:
A VPN is a private connection between two or more computers you control. I'm not sure how it could be made to work unless it's between your traveling computer and your stationary one back home.

Any financial institution will use a secure website - https - for on-line transactions. The chances of having that compromised are almost nil.

Of course, if you're going to use a "community" computer like those at a public library while you're on the road, then all bets are off.

al

I agree. The security provided by a secure website is more than adequate to protect the common banking transaction from a public wifi system. Sure, there are many theoretical ways to defeat that security, but campgrounds, McDonalds, Starbucks and the like are hardly target rich environments. As Willie Sutton famously responded when asked why he robbed banks "That's where the money is". The same can be said for hackers. Public wifi connections are mostly a gaggle of photos, personal messages, facebook, videos, sports scores, news, Hollywood gossip and Porn. Just not the pond the professional data fisherman is going to be fishing in.

I agree I would feel safer on a campground network, although I still wouldn't do banking but that's my personal choice.

Starbucks, etc. is a different story, particularly in a busy area. It is a target rich environment because it's a volume game. Setting up a spoof network than can collect all traffic going through would collect more than you think and it's not labor intensive.

VE3ESN wrote:
We're looking for a recommendation for a free VPN that will allow us to safely and securely do some limited internet banking while on the road and using wifi hotspots. Are there any of you who use "Hotspot Shield" or similar services like "Free VPN", and what kind of results are you experiencing? Thanks in advance for any suggestions.

I have a few thoughts on this.
1. Free.. you get what you pay for.
2. Remember that you have to be able to trust your VPN service. The encryption is only to them. They decrypt the info and then pass it on. The VPN provider is "able" to see all of the raw non-https traffic that you are trying to protect by using a VPN.
3. They only thing you are protected from is others on the hotspot site being able to see your traffic with a sniffer. Remember that any sites you connect to using HTTPS are already encrypted traffic and yes using a public wifi and if it has been compromised you could become a victim of a man-in-the-middle attack where your encrypted https traffic is decrypted by the bad guy read and then forwarded on without you knowing it.
4. If you are truly concerned then I would use my phone's data plan and a wifi hotspot. You control who else is using that connection and I find that the speeds I get on the internet is faster than using the local campground wifi. I would trust that better than a 3rd party free vpn provider.
5. You are more likely to be compromised by an e-mail with an attachment. For example it is well known that the hackers craft e-mails that look official from banking, shipping and even co-workers at your company.. with an attachment or link that looks real. BUT once you click on it your system is compromised and your antivirus will not help you. Many many people have been victim to this and don't even know it. Every keystroke is sent to the bad guy and they may even have remote control of your computer and be able to turn on the camera without your knowledge.

Just my thoughts and I'm sure others have their opinions.

As I have pointed out before... using a VPN that entails trusting an intermediate service provider - whether free or paid - is still a trust thing. In both cases the VPN provider not only can collect every bit of information a bogus open wifi network can, but in the case of a paid-for service, they also know your name and probably your credit card information. It really is a matter of who you trust. Personally I would prefer to ask the library, Starbucks, McDonalds or wherever for the exact name of their free wifi service and then connect to that and trust SSL (https) to provide end-to-end protection.

Dave

aslakson wrote:
A VPN is a private connection between two or more computers you control. I'm not sure how it could be made to work unless it's between your traveling computer and your stationary one back home.

Any financial institution will use a secure website - https - for on-line transactions. The chances of having that compromised are almost nil.

Of course, if you're going to use a "community" computer like those at a public library while you're on the road, then all bets are off.

al

I agree. The security provided by a secure website is more than adequate to protect the common banking transaction from a public wifi system. Sure, there are many theoretical ways to defeat that security, but campgrounds, McDonalds, Starbucks and the like are hardly target rich environments. As Willie Sutton famously responded when asked why he robbed banks "That's where the money is". The same can be said for hackers. Public wifi connections are mostly a gaggle of photos, personal messages, facebook, videos, sports scores, news, Hollywood gossip and Porn. Just not the pond the professional data fisherman is going to be fishing in.

A VPN is an excellent idea and should be taken seriously whenever you travel and use public WIFI. If you are using a MIFI hotspot I would be less concerned. Using public WIFI is very dangerous even when using SSL. I use a number consistently when doing Penetration Testing at work, so many exploits that can be leveraged and they are so easy to do on public internet. You can do a Man in the middle attack by pretending to be the campground WIFI. This will gain large amounts of data secure and non secure that can be either used to break into your banking or to harvest enough info to other sites to be able to build a profile to be able to guess common passwords, common "forgot password" answers etc. As part of a man in the middle attack, you can do deep packet inspection by providing the end user with a legitimate certificate (just not the one for the bank and they likely won't notice) to decrypt their data inline. There are many SSL flaws floating around right now, SHA1 has been end of life'd by all the Certificate authorities due to its insecurity and there are still a large majority of sites that have not yet upgraded to SHA2 because they are waiting for their current Cert to expire before doing it. This is just a small number of the many exploits that can be leveraged against you today with minimal skill, as so many exploits are already in hacker toolkits like the Metasploit Framework.

I would not rely on SSL alone, there are too many ways to compromise it.

I user CyberGhost. It has a free option as well as some premium options that are pricy. I managed to get a deal several times for about $20/year for a "basic premium" package. Their service has been rock solid. No need to worry about stability or security of "free" services. Remember free always costs someone, weather it is advertising, selling your surfing habits to third parties etc. Identity privacy is far more important that saving a few bucks on a free service. I would go with a service at a minimum offers both a free and paid option, their free option is far more likely to be trustworthy.

A VPN is a private connection between two or more computers you control. I'm not sure how it could be made to work unless it's between your traveling computer and your stationary one back home.

Any financial institution will use a secure website - https - for on-line transactions. The chances of having that compromised are almost nil.

Of course, if you're going to use a "community" computer like those at a public library while you're on the road, then all bets are off.

al