Do you need a VPN for Secure Email in a Wireless Hotspot?

January 28th, 2014

LuxSci has been approached by many people asking for VPN (Virtual Private Network) services.  When we ask them why, they indicate that they use wireless hotspots (like at Starbucks and other public places) that are insecure and untrusted and they want to be sure that their email is secure and encrypted there.*

Note that even if the hotspot is password protected and “secure”, that does not mean that it is “trusted”.  The hotspot administrators or other users of that hotspot could still try to intercept your Internet traffic.  So, just because it is a “secure” hotspot with the little lock next to it and a password that you must enter, do not assume you are safe at all.

This is a very legitimate concern.  Wireless hotspots are serious danger zones; we have seen many cases of people who have carelessly used insecure connections to email or web sites and had their login usernames and passwords stolen in such places.  This can lead to identity theft, the leaking of sensitive company or personal information, and other serious problems.  Anyone using public wireless hotspots or other untrusted networks for email and other activities that involve personal information needs to take care that the information sent to and from their computer is protected.  If the transmission of your sensitive information is protected, then you have nothing to worry about and hotspots can be great places to work.

So, why is a VPN a good solution?

A virtual private network creates a secure tunnel between your computer and the location of the network, which is typically your office or a VPN-service provider or LuxSci.  When the VPN is enabled, all Internet traffic travels through it first to get out to the Internet (though some VPNs only transport traffic that is destined for a specific provider or location).  This means that this secure tunnel secures your email, chat, web browsing, and anything else that you may be doing on the Internet (or between yourself and your provider), from malicious users of the local hotspot.

So, if you have a VPN, you can turn it on and know you are safe … from people in the hotspot anyway.

There are some downsides to VPN use

Typically, a VPN costs money.  Sometimes you have to have special software installed on your computer and the license to use that software will cost you or the VPN provider money (other solutions, like LuxSci’s VPN service, use the VPN software that is built into modern operating systems).  There are open source VPN solutions (like OpenVPN), but they can be complex to set up and get working correctly.

Additionally, a VPN only protects your communications between your computer and the VPN itself.  So, in the case where the VPN is in your office, your data travels from your computer to the office over the secure VPN.  Any information that then goes on and out to the Internet at large is no longer protected and could still be eavesdropped upon unless it is otherwise secured.

Use of SSL is a good alternative to the use of a Virtual Private Network

If your concern is in securing access to your email (POP, SMTP, IMAP, and/or WebMail), then use of a VPN is not the only solution.  An email service that provides “Secure Email” will give you the option of connecting to your email over SSL (How Does Secure Socket Layer (SSL or TLS) Work?).

When you use SSL to connect to your email or WebMail server, all communications from your computer all the way to your email server are encrypted and protected from eavesdropping.  In fact, once you set up your email program (e.g. Outlook or Thunderbird) to use an “SSL-enabled” connection, it will always be secure no matter from where you are connecting.

All modern email clients and web browsers support SSL very well and it is usually just a matter of “checking a box” to turn it on, if secure email services are an option for you.

The advantages of SSL over VPN are:

  1. You do not have to remember to enable SSL (like you do for the VPN).  Once configured, you are always using SSL and are thus secure even if you are in a hurry and would have forgotten to enable your VPN.
  2. SSL protects your communications all the way to the email servers; a VPN only protects you for part of the trip.  Of course, if the VPN is next to the email server, this is a moot point.
  3. SSL is generally much cheaper than using a VPN.
  4. Most web sites that you use that deal in sensitive information will allow you to log in securely over SSL so that your web sessions are secured and cannot be eavesdropped upon.

Use of SSL can be less secure than a VPN:

  1. Man in the middle: If you are going through an unknown and untrusted network, there could be a system there that tries to interpose itself between you and your email / WebMail server, decrypting and altering/storing your traffic.  Generally, if this is happening, you will get a warning about your server’s SSL certificate not being trusted.  If you ignore that warning, or click it away without thinking, then your communications are secure … but readable by that third party system.  This is a serious consideration whenever using an untrusted network and a good reason to pay attention to warnings!  The possibility of this kind of man in the middle attack on a VPN connection is very much smaller.
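The two SSL conditions described above (every mail connection uses SSL, and certificate warnings are never clicked away) can be checked and enforced in code. The following is an added Python example, not part of the original article or LuxSci's software; the `MailAccount` record, the `audit` and `connect` helpers and the `mail.example.com` hosts are assumptions made for illustration.

```python
import imaplib, poplib, smtplib, ssl
from dataclasses import dataclass

@dataclass
class MailAccount:            # hypothetical settings record, not any client's real format
    protocol: str             # "imap", "pop3" or "smtp"
    host: str
    port: int
    security: str             # "ssl", "starttls" or "none"
    verify_cert: bool = True  # False = certificate warnings are being ignored

def strict_context() -> ssl.SSLContext:
    """Context that aborts the handshake on an untrusted or mismatched certificate."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname checking enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit(acct: MailAccount) -> list[str]:
    """Return the reasons this account is unsafe on an untrusted network."""
    findings = []
    if acct.security == "none":
        findings.append("plaintext")        # login and mail readable on the hotspot
    elif not acct.verify_cert:
        findings.append("cert-unchecked")   # encrypted, but possibly to an interposing system
    return findings

def connect(acct: MailAccount):
    """Open an implicit-TLS connection; refuse anything the audit flags."""
    if acct.security != "ssl" or audit(acct):
        reason = audit(acct) or ["not implicit TLS"]
        raise ValueError(f"refusing {acct.protocol}://{acct.host}:{acct.port}: {reason}")
    ctx = strict_context()
    try:
        if acct.protocol == "imap":
            return imaplib.IMAP4_SSL(acct.host, acct.port, ssl_context=ctx)
        if acct.protocol == "pop3":
            return poplib.POP3_SSL(acct.host, acct.port, context=ctx)
        return smtplib.SMTP_SSL(acct.host, acct.port, context=ctx)
    except ssl.SSLCertVerificationError as exc:
        # Programmatic form of the certificate warning: stop, never retry unverified.
        raise ConnectionError(f"certificate for {acct.host} not trusted: {exc.verify_message}") from exc

# Constructed sample settings (hosts are placeholders).
ACCOUNTS = [
    MailAccount("imap", "mail.example.com", 993, "ssl"),
    MailAccount("pop3", "mail.example.com", 110, "none"),
    MailAccount("smtp", "mail.example.com", 465, "ssl", verify_cert=False),
]
REPORT = {f"{a.protocol}:{a.port}": audit(a) for a in ACCOUNTS}
```

Only the first sample account passes; `connect` refuses the other two before any network traffic is sent.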

Of course, if you need other types of communication which are not SSL-enabled to be secure, or if you need access to information behind a company firewall, then a VPN will be invaluable for you.  Otherwise, SSL-enabled connections provide security that is just as good and protect against forgetfulness.

The best solution is to use a VPN plus SSL for maximal safety and privacy.

What does LuxSci provide?

LuxSci does provide VPN services to its servers, as well as SSL for its users’ POP, IMAP, SMTP, and WebMail connections.  The optional VPN service can be used to augment the security of SSL.

Furthermore, all new LuxSci accounts have SSL use enforced by default.  This means that, unless you take steps to change your account security settings, all connections by yourself or your users are required to use SSL — there is no option of connecting insecurely.  So, the possibility of setting up your services insecurely “by accident” or “by laziness” and then having your personal information stolen at a wireless hotspot or other untrusted network is greatly reduced right from the beginning.

Where can you get VPN services?

If you need a VPN and your office doesn’t offer it, you can check out