Google's Secure WiFi Access Not So Secure?

from the whoops dept

There's been a lot of discussions going on around Google's release of a VPN solution. It seems like many of the stories have misinterpreted what it is. The press has turned this into a big thing about Google launching WiFi -- which it isn't (well, at least not yet). Google has been offering some free WiFi hotspots for a while already -- so that aspect wasn't new. The only thing that's new is this VPN offering. So, as a security offering, how secure is it? The folks over at Full Mesh/WiTopia took a look and sent us their analysis suggesting "not very" is the best answer. Full Mesh certainly is a biased party, considering that WiTopia offers a competing solution, but assuming the basic claims they're making are true (and it would be pretty easy for someone with the VPN client to check), then this solution really isn't particularly secure -- which is surprising, because it wouldn't have been hard to lock this down much tighter. The basic summary sent in by Feed Mesh is that the VPN uses PPTP instead of SSL. That's not entirely horrible if the PPTP offering is better locked down, but it doesn't appear to be (and SSL would have been a better overall solution no matter what). They're allowing both CHAP and MS-CHAP (v1) which have well known issues (as the Full Mesh guys point out, just check Google for lots of info on the problems with CHAP and MS-CHAP). Finally, they let pretty much everything pass through the VPN, rather than just TCP/IP. These are things that both WiTopia and HotSpotVPN do a much better job with. Obviously, the Google offering is quite beta, so it's possible they'll improve on this, but it's still worth noting that the "secure" part of the "secure" access might be a little misleading at this point.