If you're not concerned about mobile security you're not very bright. Carriers can trivially look at what you're doing online, if you care. Encrypted email transport secures your email -- but nothing else.
In addition, there's a little-known secret about mobile data access -- it's slow. No, you won't hear the carriers talk about this much if at all, instead lauding their "LTE" or "HSPA+" data transport speeds. But these are speeds once a connection has been made and for most mobile devices anything beyond 1 or 2Mbps for common uses are utterly immaterial -- even for video (due to the relatively low perceptible screen resolution on said devices.) In addition data quotas make trying to hammer a line with high-speed (e.g. LTE) data problematic for your wallet.
The problem with mobile data performance lies in what carriers do in the back room. They are all doing "deep packet inspection" now to try to detect tethering cheaters, among other things. This means that they have their computers doing both "NAT" (address translation) and also inspecting each packet robotically before passing it on. This takes time -- lots of it -- and in addition they are all doing screwball proxy server inspection and packet thrashing in an attempt to reduce traffic on their backbones (but you get none of the benefit of that, since you are metered by the byte to the phone!)
I'm sure there will be many screams about "privacy!" that echo around over this, but the real problem doesn't lie there. It lies in performance. In short, a web transaction is quite slow to start moving data as a direct consequence of what the carriers do with your packets. This has always sucked and as the networks have gotten more-congested it has sucked more and more.
For those who care about privacy, using a VPN has been one traditional way around the security issue. VPNs encapsulate your traffic in an encrypted container, then strip that on the other end. Traditional "user friendly" VPN technology uses a protocol called PPTP and sometimes L2TP. But these protocols are somewhat insecure and, more importantly, they're historically slow, imposing anywhere from a moderate to very severe performance penalty over non-VPNed connections.
Enter IKE. V1 was faster than L2TP and PPTP but still had security issues in many circumstances. IKEv2, on the other hand, is fast, uses IPSEC (a formal IP extension for encapsulating packets securely) and supports a wide variety of authentication options including shared secrets ("passwords"), secure certificates (public-key) or both. It also internally implements a tunneling mode that (with appropriate kernel support in the gateway host) can take advantage of hardware encryption acceleration and reduces overhead dramatically, leading to gross user experience improvement, and it knows about potentially-changing user endpoint addresses (e.g. a phone moving around that gets handed different IP numbers as it goes from one location to another.)
I have not bothered implementing the VPN connection capability on my Android devices, mostly because they're clunky and offer performance impairment rather than enhancement. Using the older protocols they suffer from performance issues exactly as do the same protocols on a Windows machine, and in addition must be manually turned on and off as they don't know about address-hopping. This is ok when you're sitting in a cafe and want to make sure your traffic doesn't get intercepted and I put up with it when I need to access something on my local network that I am unwilling to leave facing the Internet as a whole.
It's not so good with a phone in your pocket that is hopping from one cell -- and IP Address -- to another.
IKEv2 solves this with an extension known as "MOBIKE", making such transitions mostly seamless.
Ok, so why am I spilling all this ink?
Because I have managed to integrate the Blackberry Z-10 with FreeBSD's StrongSwan IKEv2/IPSEC VPN capability, and all of those objections have disappeared, making full-time No-BS VPN not only transparent it actually improves the user experience compared to a bare internet connection as opposed to impairing it!
Tickerforum displays, at the bottom of each page, a statistical piece of data on load times. This is not just the time required by the system to process your request internally; it also includes transmission time of all the elements of the page. In other words it's an "end-to-end" view of the transaction from the time the system starts processing your request until it finishes it. The only missing piece is that buffer drain time is not measured as the application cannot determine it.
Here's a fairly common view of that time for a "New Posts" command when running through a 4G cellular data connection that allows the carrier to "do its thing" by using an unencrypted carrier-based packet channel:
Note the "Elapsed:" line -- 5.445 seconds. This is pretty typical, and most of it is round-trip waiting -- that is, it's not transmission time, it's the time for the gateway to do both its NAT and "deep packet inspection" in both directions. This is on a HSPA+ connection that is capable of and does reach 10Mbps+!
Now let's look at what happens when I enable IPSEC/IKEv2 on the same connection, adding two hops to the transaction as well.
The same command now takes 162 milliseconds to complete -- it's 33 times faster!
Now granted, the amount of data involved in this command is small (it's a "new posts" list request.) But the user perception of performance over the 4g link is now effectively identical to that over WiFi sitting on my local network, although I'm actually on a mobile data connection!
There is a price for this, in that the IPSEC server must have a fast connection to the Internet itself, and for bulk file transfers this will slow things down, because the data flows over that link twice in getting to you on the phone -- once in and once out. If you run a "Speedtest" over the VPN it'll be about half the speed of the raw connection but few actual uses, other than video streaming, are reasonable analogues of a speed test. Rather, most user experiences are more-akin to the web-page model where you ask for a piece of data and then get it, and the actual amount of data you receive is relatively small.
So how hard was this to set up? Quite a bit, but not due to really being hard, but rather due to the *****-poor set of documentation that comes with these protocols. IPSEC offers a framework of capabilities and unfortunately the existing projects are mostly concerned with the idea of linking a remote office or LAN rather than the "mobile warrior" sort of single host. In fact I banged my head on the wall over the StrongSwan configuration for a couple of days before I figured out what was going on (packets appeared to be literally disappearing for quite some time!) mostly because PPTP and L2TP are radically different in how they work internally (and that's where my previous VPN experience has come from.)
Nonetheless, BlackBerry's Z-10 offers a quite-easy to set up option with "Generic IKEv2" in its VPN screens and that option offers both the greatly enhanced security and performance of IKEv2 along with the performance improvements, while using either certificate authentication or pre-shared keys (passwords.) Not only do you get secure access to your home or office you also get security against prying eyes of the cell carrier and improved performance.
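As an added illustration, and not the author's own configuration, here is a strongSwan ipsec.conf road-warrior definition of the kind a "Generic IKEv2" phone profile would connect to on a FreeBSD gateway; the hostname vpn.example.com, the certificate file names, the address pool and the cipher proposal are placeholders to be adjusted to the actual gateway and handset.

```ini
# Added example (strongSwan ipsec.conf format); placeholders are marked.
# Assumes the FreeBSD kernel is built with IPSEC support and that pf (or
# ipfw) NATs 10.10.10.0/24 out to the Internet, otherwise tunneled phone
# traffic has nowhere to go.
config setup
    uniqueids=no                   # let the same identity reconnect from a new address

conn mobile
    keyexchange=ikev2              # IKEv2 only, no fallback to IKEv1
    mobike=yes                     # keep the SA alive as the phone hops cells/IPs
    dpdaction=clear                # tear down SAs whose peer has gone silent
    dpddelay=30s
    ike=aes128-sha256-modp2048!    # placeholder proposal; match what the handset offers
    esp=aes128-sha256!
    left=%any                      # gateway answers on any local address
    leftid=@vpn.example.com        # placeholder; must match the identity the phone expects
    leftcert=serverCert.pem        # placeholder; gateway cert in ipsec.d/certs
    leftauth=pubkey                # gateway always proves itself with its certificate
    leftsubnet=0.0.0.0/0           # full tunnel: every packet from the phone enters the VPN
    right=%any                     # any roaming client address
    rightauth=pubkey               # client certificate; use rightauth=psk for a shared secret
    rightsourceip=10.10.10.0/24    # placeholder virtual-address pool handed to phones
    auto=add                       # load and wait for the phone to initiate

# With rightauth=psk the matching shared secret goes in ipsec.secrets, keyed on
# the identity the phone sends, e.g. (placeholder values):
#   phone@example.com : PSK "replace-with-a-long-random-secret"
```

leftsubnet=0.0.0.0/0 is what makes the connection "full-time" as described above: the phone routes all traffic through the gateway rather than only the home network, which is also why the gateway's own Internet link becomes the bottleneck for bulk transfers.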
Finally, the Z-10 can be told to bring up a VPN connection automatically whenever on a cellular connection or on individual saved Wifi networks. This means that you can roam around and have the phone automatically secure and performance-enhance your connection without having to click the "enable" button all the time -- reducing your risk and making use both seamless and easy.
The only "gotcha" is that if you tether the tethered device does not go through the VPN. However, you can have the tethered device access the same VPN server if you wish as well.
I have one objection -- the Z-10 does not display an icon in the notification bar if VPN is enabled and in use. Blackberry needs to fix that so you can tell "at a glance" if the VPN connection is up or not.
As I've noted, Android devices and iOS (iPhones/iPads) support L2TP and other VPN options, but as far as I know IKEv2 is not supported, at least not out of the box. To those who think it is not a big deal, you're wrong -- IKEv1 using clear-text passwords is subject to offline attack and L2TP, which is the common transport, is quite inefficient compared to bare IPSEC/IKEv2. For those who are in a corporate environment the use of certificates can (and does) overcome the security problem but you're still not going to see the performance levels you can achieve with native tunneling on an IPSEC/IKEv2 connection.
Blackberry wins big in this regard with the Z-10 -- they have both a security and performance advantage, and the latter, on mobile networks, is not small.
Disclaimer: You can pry my Z-10 out of my cold, dead fingers. (Oh yeah, I own BBRY stock too)