Beware: Hola VPN turns your PC into an exit node and sells your traffic

mikho

@bohdans said:
joepie91 the plugin was in Chrome, but I use firefox for day-to-day browsing, only use Chrome for Chromecast/hola so its never open on my machine usually.

It could also be that it starts its process when OS is started. That way it can still be used by others even if you are not using your browser.

joepie91

@bohdans said:
joepie91 the plugin was in Chrome, but I use firefox for day-to-day browsing, only use Chrome for Chromecast/hola so its never open on my machine usually.

If it's the Chrome extension (not the app!), you should be fine when Hola is disabled. Most people have the extension. It's possible that you might have the app, which comes with a separate Hola process (or you used the generic Windows installer, which also installs the Hola service).

elwebmaster said: So how much do they charge for the commercial service, does anybody know?

http://adios-hola.org/downloads/pricing.pdf, as was quite clearly listed on the site,

elwebmaster said: I think it is an interesting idea. We all have an IP and want to access stuff with residential IP from another location, why not just exchange our traffic?

Because you open yourself up to all kinds of legal risks. See also here. They do not restrict the target domains.

elwebmaster said: Sometimes we don't care as much about the strong encryption of Tor, but need high throughput instead.

Not even remotely related to the issues at hand here.

elwebmaster said: Yeah? How much does a VPN in the Philippines come out to?

$6.67/mo.

elwebmaster said: How about if you need 100s of IPs for research purpose (for example crawling pages, which block you after certain number of requests)?

Plenty of alternatives. Hell, you could use Amazon AWS for that kind of workload, at a fraction of the price. And frankly, rate-limiting sites are very rare outside a few specific niches.

elwebmaster said: Everybody is treating this startup and truly innovative technology as if they are somehow bigger than Lenovo or Microsoft and should have no bugs or no quirks in their software.

What part of...

This problem is not just an 'oversight'. It's not a thing where you say 'well, bugs can happen'. This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn't care about the security of their users. It's negligence, plain and simple, and there's no excuse for it.

... is unclear to you?

elwebmaster said: Well, guess what, Windows has had a ton of bugs that can be used for remote code execution.

And?

elwebmaster said: And the unique tracking id? That can already be done in javascript on ANY browser by exploiting the unique screen dimensions and configuration.

No, not reliably.

elwebmaster said: Letting other people use your connection? Isn't that what Tor relies on to function? Yet you recommend people use Tor instead? Granted, you can use Tor without being an exit node, but if everybody did that there would be no Tor.

Answered your own question there. I recommend Tor because functioning as an exit node is genuinely voluntary, and not the... 'flexible' interpretation of 'user consent' that Hola adheres to.

You can use Tor without being an exit node. You cannot use Hola without being an exit node. I'm not sure what's so hard to understand here.

EDIT: As for your Hola-to-Windows comparison... Microsoft patches bugs/vulnerabilities and transparently discloses them. Hola does not. In fact, they pushed a 'patch' today that doesn't actually patch the vulnerability, but just completely removes a command, most likely in an attempt to make the exploit look like a fake. There has been absolutely no statement from them.

Dylan

I say this based purely on anecdotal evidence, so I could be way off-base, but it seems that most people don't use Hola for privacy -- they use it to access geo-restricted content (Netflix, Hulu, BBC iPlayer, etc.). So I'm not sure TOR is a real alternative for most users.

Maounique

alexvolk said: It's important to be human! When you try to accuse other people/nations/countries you are simply showing how LOW your view of the life (simply don't be an animal).

What has this to do with anything? Accusing russia/US/Israel/China/North Korea for breaking international law, starting wars, provoking, occupying and annexing with clear proof everyone knows about, does that make you an animal?
Actually, I think those terrorists are closer to animals, especially when they call the kettle black.

Now back to the topic.

VPN and your residential IPs dont mix, especially when you dont know and cant control what flows through it.
I run exit nodes at home but carefully control what ports I allow to connect to. You CAN get your email (but not send), listen to various streams or watch video, things like that, but otherwise, exit nodes must be managed by certain organizations with power to fight police state attempts to shut them down and they should also be unable to intercept or locate you.
Giving Israel or any other government/corporation/cult, or all in one as it is mostly the case these days, access to your IP is simply asking for trouble, it really defeats the purpose giving them more power to manipulate, provoke and frame you and others.

joepie91

Dylan said: I say this based purely on anecdotal evidence, so I could be way off-base, but it seems that most people don't use Hola for privacy -- they use it to access geo-restricted content (Netflix, Hulu, BBC iPlayer, etc.). So I'm not sure TOR is a real alternative for most users.

That's why it states "for strong anonymity" explicitly. Unfortunately, there are people who consider Hola as a "faster Tor".

ztec

Thanks for http://adios-hola.org/

TarZZ92

website does not work for me. @ztec

probably some kind of script it runs. MWB anti exploit probably helps

joepie91

@TarZZ92 said:
website does not work for me. ztec

probably some kind of script it runs. MWB anti exploit probably helps

It's unlikely that Malwarebytes is blocking anything here. As described in the update right above the exploit button, Hola has pushed an update that makes it look like it's not vulnerable anymore.

fitvpn

Will works over existing VPN, real IP not seen. At least they has a amazing list of exotic locations

techhelper1

Reminds me a lot like TOR.

netomx

@techhelper1 said:
Reminds me a lot like TOR.

Please read how Hola works and try again

Maounique

Or rather how Tor works, some people have no idea of basics.

cyberhub

Found out about this two days ago, shambles

William

@techhelper1 said:
Reminds me a lot like TOR.

Why? Tor browser and the default Tor config do NOT relay traffic through you - Not even as internal relay. Both internal relay and exit have to be configured manually.

elwebmaster

@William said:

May be part of the reason why Tor is so slow. Imagine if torrents worked the same way: you can download from others, but you don't have to seed back to them. How long would it take to download that Ubuntu image then?

A design similar to what Hola is doing can very much solve the privacy issues we are facing today. A P2P network where every node can be an exit node. Tor, but with every node an internal relay AND an exit node.

ricardo

solve

No. This is piggybacking someone's connection, there's no comparison. The majority of hola users will neither be aware or fully understood of the implications of allowing strangers open access to their network. If you compared it to unsecured wifi they would probably uninstall hola.

William

elwebmaster said: Imagine if torrents worked the same way: you can download from others, but you don't have to seed back to them. How long would it take to download that Ubuntu image then?

Uh, you CAN do that (set upload to zero) - Download speed stays exactly the same as if you would seed.

elwebmaster

@William said:

May be not if all torrent clients came with upload set to 0 by default. Which is similar to how Tor is setup by not having every client be a relay/exit node by default.

fitvpn

Everything looks like competitors campaign against Hola, create special site where asking for uninstall, etc. Just funny..

perennate

Well, they added this dialog on the front page now, that at least addresses the concerns about not knowing you are passing exit traffic; of course there's still the remote code execution issues... even if they're fixed now, that's huge issue that most people probably still don't know existed.

Hola is a peer to peer network that provides everyone on the planet with freedom to access all of the Web! It works through the community of its users - Hola users help you to access the web, and you help them in return when your computer is not in use (see FAQ). That means that when you are not using your device, you are helping others. If you want to use the network but not be a part of it, sign up for Hola premium

Edit: but they do say they're starting bug bounty program

CRR

no need to uninstall.

signup for a new account via this link and you get free premium which means you are off the exit node list

(If anyone missed it, this is a refferal link)
http://hola.org/referral_signup?referrer_uid=basic/[email protected]&ref=my_account&medium=manual

re-signup each month for a new account and a new month of premium

Ole_Juul

Torrentfreak has some more information: Hola VPN Already Exploited By “Bad Guys”, Security Firm Says

HostNun

@Maounique and your thoughts on Hola?

dlaxotn2

Used it once, but I've unistalled it.
refer to :
https://torrentfreak.com/hola-vpn-already-exploited-by-bad-guys-security-firm-says-150602/

mikho

Cleaned up the politics posts

fitvpn

mikho said: Cleaned up the politics posts

Maounique going wild