VPNs, the real deal

I recently clicked on a Google ad for WiTopia’s VPN service. The purpose of a VPN, or virtual private network, is to encrypt communications between two endpoints. It is typically used by remote users to access corporate systems from home or on the road. However, a number of companies now offer public VPN services that let subscribers encrypt their communications when using a laptop in a hostile environment such as a public Wi-Fi hotspot. Since the destination probably doesn’t support encryption, these VPN products re-route the communications (instant messaging, Web browsing, VoIP, etc.) to one of the provider’s data centers and then send them unencrypted to the destination. The purpose is to protect the data stream from being intercepted in the user’s immediate environment.

In any event, I took to reading WiTopia’s product description which included the following:

Nobody, including us, can see your data without the unique “key” that resides only on your computer. We also swap out your ISP’s IP address for a randomly assigned WiTopia address. To everyone you are an anonymous WiTopia user whose traffic originates in our data center. Heck, we can’t even access your password.

That’s clearly incorrect. While the tunnel between the subscriber’s computer and the data center is encrypted, the subscriber data coming out of the data center and traveling to the destination is not. So it is clearly visible to WiTopia after it has been decrypted, and so is any return data coming from the public Internet before it is encrypted for transmission to the subscriber.
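To make the point concrete, here is a small model of the path described above. It is an added example, not anything from WiTopia: the function names, the toy cipher standing in for the real tunnel encryption, and the sample message are all constructed, and both keys are generated in one place purely for brevity. It traces one message with and without encryption at the destination and reports where the plaintext can be read.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. A stand-in for the
    # tunnel's real cipher, with no integrity protection; do not reuse.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, data)

def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def who_can_read(message: bytes, destination_encrypts: bool) -> dict:
    """Trace one message and report where its plaintext is visible."""
    tunnel_key = os.urandom(32)  # known to the subscriber and the VPN provider
    site_key = os.urandom(32)    # known to the subscriber and the destination only

    # Application layer: protected only if the destination supports encryption.
    payload = seal(site_key, message) if destination_encrypts else message

    hotspot_capture = seal(tunnel_key, payload)          # on the public Wi-Fi
    provider_view = unseal(tunnel_key, hotspot_capture)  # tunnel ends here
    internet_capture = provider_view                     # data center -> destination
    received = (unseal(site_key, internet_capture)
                if destination_encrypts else internet_capture)

    return {
        "hotspot": message in hotspot_capture,
        "vpn_provider": message in provider_view,
        "internet_path": message in internet_capture,
        "delivered_intact": received == message,
    }

if __name__ == "__main__":
    sample = b"user=alice&password=constructed-example"  # constructed sample data
    for flag in (False, True):
        print(f"destination_encrypts={flag}: {who_can_read(sample, flag)}")
```

The tunnel hides the message from the hotspot in both cases; only encryption that terminates at the destination keeps it from the provider and the onward path.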

We log only essential network information for troubleshooting purposes and it is our policy to never share even this minimal data. In any event, we purge all our logs during our regular monthly maintenance windows.

Wow. They keep the logs for an entire month?

However, notwithstanding the shortcomings in WiTopia’s product description, these services do appear to provide useful value. Also, according to the information posted on WiTopia’s site, if both users utilize the service, the communication may be encrypted end-to-end:

If I am IM’ing with someone, is it secured end to end? If you enable a “direct IM” session with your IM client, and you are both using personalVPN™, all data will be encrypted end to end.