Beware: Hola VPN turns your PC into an exit node and sells your traffic
Hola is a popular virtual private network (VPN) provider that is available for various web browsers including Google Chrome, Mozilla Firefox and Internet Explorer, as well as desktop and mobile operating systems.
It is free to use and if you check ratings and users on Chrome's Web Store alone, you will notice that it is used by more than 7.1 million Chrome users currently.
Hola uses a sophisticated system to offer its services for free. Instead of routing users solely (or at all) through company servers and racking up huge bandwidth bills in the process, it uses user devices as endpoints.
This means basically that any user device that Hola is running on acts as an endpoint. An endpoint is a node that is communicating directly with a target website or service that Hola users access when the service is enabled.
Hola users have no control over endpoints, which is problematic for several reasons. First, it increases the bandwidth usage on the device and reveals your device's IP address to the target service or website, which you may not always want.
What's even more problematic than that is the fact that Hola seems to have started selling access to these exit nodes on the Luminati website.
If you check Whois records for both sites, you will notice that they are both owned by Hola.
Luminati provides its customers with access to an API that they can use to utilize Hola endpoints for various activities, for instance denial of service attacks but also load tests. This makes Hola an effective botnet, especially since it cannot be blocked easily: its traffic comes from IP addresses around the world and not from a set of larger IP ranges.
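The blocking problem described above, as an added example that is not part of the original article: it measures how much of a request flood is stopped by blocking the five busiest IP ranges, first for traffic from two adjacent ranges and then for traffic spread across unrelated networks the way exit-node traffic is. The log entries, the 10.0.0.0/8 addresses and the /submit path are constructed sample data.

```python
import ipaddress
from collections import Counter

def top_prefix_coverage(ips, prefix_len, top_n):
    """Fraction of requests stopped by blocking the top_n busiest prefixes."""
    nets = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips
    )
    blocked = sum(count for _, count in nets.most_common(top_n))
    return blocked / len(ips)

def dominant_request(log):
    """Most common (method, path) pair and the share of requests it makes up."""
    sig, count = Counter((m, p) for _, m, p in log).most_common(1)[0]
    return sig, count / len(log)

# Constructed sample data in private address space, not real traffic.
# Flood A: 200 requests from two adjacent /24 ranges (one hosting provider).
flood_ranges = [
    (f"10.1.{i % 2}.{i % 250 + 1}", "POST", "/submit") for i in range(200)
]
# Flood B: 200 requests, each from a different /16 (scattered user devices).
flood_spread = [
    (f"10.{i}.{(i * 7) % 256}.{(i * 13) % 254 + 1}", "POST", "/submit")
    for i in range(200)
]

def report(log):
    """Coverage of range blocking at two prefix sizes, plus the shared request."""
    ips = [ip for ip, _, _ in log]
    return {
        "top5_/24": top_prefix_coverage(ips, 24, 5),
        "top5_/16": top_prefix_coverage(ips, 16, 5),
        "dominant": dominant_request(log),
    }

if __name__ == "__main__":
    for name, log in (("two ranges", flood_ranges), ("scattered", flood_spread)):
        print(name, report(log))
```

In the scattered case five range blocks stop only 2.5% of the requests, while the method and path stay identical across all of them, so filtering on what is requested remains effective where filtering on who is asking does not.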
The admin of 8chan noticed denial of service attacks recently against the site and found out that the attack was utilizing Hola endpoints through Luminati.
Hola charges per Gigabyte of traffic, starting at $20 per Gigabyte and going down to $2 per Gigabyte and lower depending on the volume that you purchase.
This means: if you are using Hola, your connection may be used as an endpoint not only by other Hola users who try to access sites in the country you are in, but may also be sold to individuals and companies who may use it for questionable or outright illegal activities.
Update: Hola has posted a response to recent events. You can read it on the official company blog.
Update 2: The blog post is no longer available.
Closing Words
If your computer is being used as an exit node, it is your IP address that webmasters, law enforcement or rights holders see when they check server logs. If it is used in attacks or malicious activity, it is you who will be contacted by the authorities or site owners.
My personal recommendation is to uninstall Hola if it is installed on a system and stay away from the service for now.


They are still claiming that the Chrome extension is not a p2p. I quote them
“This is NOT a peer to peer application. This extension does not link to nor encourages the download of any other products and is fully functional as is without requiring any additional download/component.”
So, anyone for a class action :)
Is there any information whether this is still true? Has someone tested it? I had it silently installed with another package. I recognized the icon in the toolbar only after some hours. I didn’t use it and when I saw that it is a p2p plugin I removed it. Any experiences whether there is a risk that it also silently routed traffic over my connection?
Is there a way to make sure nothing from hola is now running or was running?
Not all free VPNs are bad though. Hotspot Shield owns their own servers and have been in the VPN business a LONG time, and thus know how to run a free VPN without taking advantage of consumers. They guarantee your safety and privacy completely. I can vouch for them since I work there. So if you’re looking for a trustworthy free VPN, be sure to check them out!
You are probably not aware who owns hotspotshield: It is the NSA and affiliates.
Go to “adios hola”, they show that your entire machine can easily be compromised by use of this vpn. Not good. Thank god I’ve never felt the urge to use anything like this.
Disclaimer: I work for a SmartDNS company called UnoTelly.
As someone that uses the Internet, I value companies that keep my information secure. As an employee of a DNS service, I am proud to say that UnoTelly charges customers to provide a quality, secure service. We value our users and would never sell their data.
What about Hola Premium, do you have to worry about the same thing?
Guessing so.
Exact same with premium
Try Hotspot Shield if you want a free, trustworthy VPN. They own their own VPN server infrastructure, so there’s no chance of them using their users as exit nodes, or taking advantage of them in any manner. They’re pretty reliable, and one of the VPNs that have been around the longest.
Thank you very much for the warning.
Come on guys. You have to give the dude credit for turning his one American IP address into what Hola is today.
And when you think about it, someone this ambitious we just had to know would be looking for ANY WAY to cash in.
I have always thought that Hola was a sham in the making (from reading the EUA and privacy statements that have been vague at best). It appears that my guess was not unfounded.
Excellent warning post, Martin!
Hola? no..Adios!
I lol’d at “no… Adios!”
Thank you for the warning. I’ll stay with ZenVPN… until further notice !?
This is no secret, although I guess only a few users are aware of it.
From the Hola FAQ “Hola built a peer to peer overlay network for HTTP, which securely routes the sites you choose through other Hola users’ devices and not through expensive servers. …. Hola generates revenue by selling a commercial version of the Hola VPN service to businesses (through our Luminati brand).”
https://hola.org/faq#in_how_is_free
They updated their FAQ less than a week ago to cover their asses.
They even changed their description of service on Luminati from “A better and more anonymous vpn than Tor”, something like that, to “It’s simple and it’s fast” LOL.
prime directive #1: RTFM (or at least the FAQ ^_^)
cheers!
That’s why I don’t use free stuff! ;)
Chrome and Firefox are free too, you know!
Don’t only judge because of it
I stay away from free VPNs in general: they have to make their money somehow, so I assume it’s from the user’s data or resources.
It’s a good thing that this worrying fact receives some publicity. I knew about the basic exit node issue of Hola for a long while due to the technology being used, but that the operators are selling external traffic for these anonymous end-user connections is new to me. The disturbance liability a user leaves himself open for is nothing to sneeze at, you only need to look at open wireless connections in countries like Germany for example to get a picture of the problem. Since the service can and has apparently been used as a botnet already, active use of the Hola unblocker might be even more of a legal problem than I previously anticipated. With the burden of proof typically on your own shoulders once an accusation based on evidence supported by IP addresses has been made, how could you ever hope to conclusively prove your innocence? Granted, the limitation to HTTP-based connections relieves some of my biggest worries, but even so any exit node can be used to devastating effect, especially when the goal is the denial of service of dynamically created websites.
The 8chan admin said that HTTP POST was his problem; but with all the REST APIs in the world, even a GET isn’t safe.
Hola is a good site to gather info on blocked sites. But its VPN is way too laggy for me. I like Zenmate. It runs like a rabbit.
That doesn’t surprise me. As more often than not there is a “price tag” for free services.
I use ZenMate. Which still seems to have no strings attached so far, although a few days ago they dropped the UK as one of their IP locations. They used to offer Switzerland too. But that location has disappeared too. They used to offer 5 locations now only four.
This is disturbing. I hope it doesn’t become a trend, though…
Does this apply to the Android version as well?
@Night Fury Most of the so-called fastest VPN services are 100% paid.
The Luminati owner as much as admitted this in Nov 2014.
http://www.quora.com/I-need-to-do-some-massive-web-data-collection-does-anyone-know-how-Luminati-is-different-from-Tor-or-a-proxy-network
Why do I need to register to quora to see the answer? No thanks.
Sorry about that. Quora is stupid. Here’s a screenshot:
http://screencast.com/t/plLmsLEcy
Interesting Ross, thanks for the link!
I don’t recommend free service like that.. you need fastest vpn service fastestvpn.net