Don’t drink Hotspot Shield’s Kool-Aid
Opinions Technical Must Reads

Don’t drink Hotspot Shield’s Kool-Aid

Yegor Sak
Yegor Sak

Free VPN services have a bad reputation, and in most cases it’s undeserved. That being said, there are always bad apples that ruin it for the rest. In this case the bad apple is Anchor Free, and their product Hotspot Shield.

When you install the Hotspot Shield browser extension, it gives you access to their free servers, with no bandwidth limit. Sounds great, now you have “Security and Privacy”, for free, with no limitations. What you probably don’t know is that it’s bullshit.

Essentially, every single click that you make in the Hotspot Shield browser extension triggers a request to Google Analytics (https://www.google-analytics.com/collect) which logs every event like connecting, disconnecting, changing locations, etc.

Additionally, it also makes periodic requests to https://event.shelljacket.us/api/report/chrome_ext which is an alias domain for Quantcast, a company that does the following:

Quantcast is an American technology company, founded in 2006, that specializes in AI-driven real-time advertising, audience insights & measurement. The company claims that it has accurate audience measurement to over 100 million web destinations.

The size of the payload is worrisome. Have a look here. The sheer amount of requests that the extension makes is also rather troubling. This is after 5 minutes of usage.

That’s a lot of tracking

You may ask yourself, “why would that be built right into the extension that claims free and unlimited bandwidth?” Ahh, right.

Selling your data.

You may think, “Well, I’m using a proxy, so they don’t see my IP, so all this data is useless”. Here is where it gets even better.

Browser extensions that proxy traffic usually implement a secure proxy via what’s known as a Pac file. You can extract the Pac file by going to a special URL in your Chrome browser while connected to a location.

chrome://net-internals/#proxy

The Pac file is base64 encoded, you can decode it via this online tool. Here is what the Hotspot Shield Pac file looks like, the bolded part is of extra interest:

let active = false,
 created = 1538074968239,
 started = Date.now();if((started-100) < created) {
 active = true;
}
function FindProxyForURL(url, host) {
 if(!active && (Date.now() > (started + 2000))) active = true;
 if(!active) return ‘DIRECT’;
if(shExpMatch(host, ‘pixel.quantserve.com’) || shExpMatch(host, ‘event.shelljacket.us’) || shExpMatch(host, ‘api.hsselite.com’) || shExpMatch(host, ‘order.hotspotshield.com’) || shExpMatch(host, ‘www.google-analytics.com') || shExpMatch(host, ‘localhost’) || shExpMatch(host, ‘127.0.0.1’)) return ‘DIRECT’;
return ‘https mi-ex-de-fra-9.northghost.com:443;https mi-ex-de-fra-13.northghost.com:443;https mi-ex-de-fra-8.northghost.com:443;https mi-ex-de-fra-1.northghost.com:443;https mi-ex-de-fra-11.northghost.com:443;’;
return ‘DIRECT’;
}

Any request made to the following domains bypasses the proxy and is sent through your ISP assigned IP address:

  • pixel.quantserve.com
  • event.shelljacket.us
  • www.google-analytics.com
  • api.hsselite.com
  • order.hotspotshield.com
  • localhost
  • 127.0.0.1

The last 4 are harmless, but the first 3 are there only for a single purpose: collect user data and send it to the biggest privacy violators that exist, and to make sure the data is valuable, it’s sent from your IP address.

Additionally, since Google Analytics is “white listed” (bypasses the proxy), every single site that has Google Analytics, majority of sites do, will be able to track your IP address, regardless of you using the extension. This makes the use of Hotspot Shield extension entirely pointless.

Lastly, since Hotspot Shield servers have no authentication whatsoever, you can take the Pac file, make a couple of modifications to it, load it via TunnelSwitch and “enjoy” Hotspot Shield without any client side tracking. What they do server side is unknown… ohh wait, it is known, since they got caught injecting ads into your traffic just last year.


This begs a question, why did “The Fastest Most Secure Virtual Private Network” get a $300M investment when all they do is violate user privacy and show that they have no clue about basic security by allowing unauthenticated requests to be made against their servers? Let’s hear it from the partner at the firm that lead the VC round:

https://www.nytimes.com/2018/09/05/technology/anchorfree-vpn-hotspot-shield.html

So, the same “open sourced” VPN software (OpenVPN), that literally every single VPN provider uses, makes AnchorFree an attractive investment? Why not invest into OpenVPN Inc. instead?

Sujay’s firm is either highly uninformed and has way too much money to burn, or they know what AnchorFree is really up to, and they know that they will profit from it. Considering VC companies rarely throw $300M at things they don’t understand, my bet is on the latter.


Appendix A

When you install HSS, a request is made to Google Analytics, and Quantcast, from your ISP assigned IP address and unique ID of the installation. When you visit any website that has Quantcast or Google Analytics tracking, the requests to tracking js scripts are made from your ISP assigned IP address, since those hostnames are “white-listed” in the Pac file. A profile is created on all your browsing activity which began the minute you installed Hostpost Shield.

Once you are identified as a “Hotspot Shield user #123”, and most sites that you visit contain the tracking pixel of the same company that knows you are a “Hotspot Shield user #123”, this effectively creates a detailed browsing history of some/most/all of your online activity, all the way down to the exact URL you visited.

Granted, you probably had an existing browsing profile to begin with, even before you installed Hotspot Shield, but given their promises of “Security and Privacy”, you have to ask yourself, if it doesn’t make any diffidence, what’s the point of this thing at all?


Yegor Sak
Yegor Sak