Don’t drink Hotspot Shield’s Kool-Aid
#1
Free VPN services have a bad reputation, and in most cases it’s undeserved. That being said, there are always bad apples that ruin it for the rest. In this case the bad apple is AnchorFree, and their product Hotspot Shield.

[Image: 1*gbLd0xgtT0lELqP4-gLv1Q.jpeg]

When you install the Hotspot Shield browser extension, it gives you access to their free servers, with no bandwidth limit. Sounds great, now you have “Security and Privacy”, for free, with no limitations. What you probably don’t know is that it’s bullshit.



Essentially, every single click that you make in the Hotspot Shield browser extension triggers a request to Google Analytics (https://www.google-analytics.com/collect) which logs every event like connecting, disconnecting, changing locations, etc.

Additionally, it also makes periodic requests to https://event.shelljacket.us/api/report/chrome_ext which is an alias domain for Quantcast, a company that does the following:


Quote:Quantcast is an American technology company, founded in 2006, that specializes in AI-driven real-time advertising, audience insights & measurement. The company claims that it has accurate audience measurement to over 100 million web destinations.


The size of the payload is worrisome. Have a look here. The sheer amount of requests that the extension makes is also rather troubling. This is after 5 minutes of usage.

[Image: 1*GRdmNCQpXGfdiBYVUvGhGA.jpeg]

You may ask yourself, “why would that be built right into the extension that claims free and unlimited bandwidth?” Ahh, right.

You may think, “Well, I’m using a proxy, so they don’t see my IP, so all this data is useless”. Here is where it gets even better.

Browser extensions that proxy traffic usually implement a secure proxy via what’s known as a PAC file. You can extract the PAC file by going to a special URL in your Chrome browser while connected to a location.


Quote:chrome://net-internals/#proxy


The PAC file is base64 encoded; you can decode it via this online tool. Here is what the Hotspot Shield PAC file looks like; the bolded part is of extra interest:

Quote:// PAC script as extracted from the extension (the curly quotes produced by the
// forum rendering are replaced with straight quotes so it parses as JavaScript).
let active = false,
    created = 1538074968239,   // timestamp at which the extension generated this script
    started = Date.now();      // timestamp at which the browser evaluated it

// Become active immediately only if evaluated within 100 ms of creation.
if ((started - 100) < created) {
  active = true;
}

function FindProxyForURL(url, host) {
  // Otherwise become active 2 seconds after the script started; until then every
  // request is answered with DIRECT.
  if (!active && (Date.now() > (started + 2000))) active = true;
  if (!active) return 'DIRECT';

  // Hosts that bypass the tunnel and are fetched from the real IP address.
  if (shExpMatch(host, 'pixel.quantserve.com') || shExpMatch(host, 'event.shelljacket.us') || shExpMatch(host, 'api.hsselite.com') || shExpMatch(host, 'order.hotspotshield.com') || shExpMatch(host, 'www.google-analytics.com') || shExpMatch(host, 'localhost') || shExpMatch(host, '127.0.0.1')) return 'DIRECT';

  // Everything else goes through the HTTPS proxy list, tried in order.
  return 'https mi-ex-de-fra-9.northghost.com:443;https mi-ex-de-fra-13.northghost.com:443;https mi-ex-de-fra-8.northghost.com:443;https mi-ex-de-fra-1.northghost.com:443;https mi-ex-de-fra-11.northghost.com:443;';
  return 'DIRECT'; // unreachable; kept as found in the extracted script
}


Any request made to the following domains bypasses the proxy and is sent through your ISP assigned IP address:
  • pixel.quantserve.com
  • event.shelljacket.us
  • www.google-analytics.com
  • api.hsselite.com
  • order.hotspotshield.com
  • localhost
  • 127.0.0.1

The last 4 are harmless, but the first 3 are there only for a single purpose: collect user data and send it to the biggest privacy violators that exist, and to make sure the data is valuable, it’s sent from your IP address.

Additionally, since Google Analytics is “white listed” (bypasses the proxy), every single site that has Google Analytics, which the majority of sites do, will be able to track your IP address, regardless of you using the extension. This makes the use of the Hotspot Shield extension entirely pointless.

Lastly, since Hotspot Shield servers have no authentication whatsoever, you can take the PAC file, make a couple of modifications to it, load it via TunnelSwitch and “enjoy” Hotspot Shield without any client side tracking. What they do server side is unknown… ohh wait, it is known, since they got caught injecting ads into your traffic just last year.


This begs a question: why did “The Fastest Most Secure Virtual Private Network” get a $300M investment when all they do is violate user privacy and show that they have no clue about basic security by allowing unauthenticated requests to be made against their servers? Let’s hear it from the partner at the firm that led the VC round:

[Image: 1*NNigWM-hoGp1ig8zhPWFgQ.png]

So, the same “open sourced” VPN software (OpenVPN), that literally every single VPN provider uses, makes AnchorFree an attractive investment? Why not invest into OpenVPN Inc. instead?

Sujay’s firm is either highly uninformed and has way too much money to burn, or they know what AnchorFree is really up to, and they know that they will profit from it. Considering VC companies rarely throw $300M at things they don’t understand, my bet is on the latter.

Source: https://blog.windscribe.com/dont-drink-h...90798dd2c2
#2
Windscribe has been trolling AnchorFree's bot behaviour for a long time. Bloody funny responses over the past few months if you've followed both.