A couple of years back I said Hola.org was a pretty cool plugin for your web browser.
Seems I was wrong and today I learnt a few things about this free VPN.
SHORT VERSION:
Hola.org has been implicated in (and has not denied) using free subscribers' computers as part of a network that seems to be designed to do bad things on the internet, like take down websites, and it is not as secure as we would like it to be.
This is because it has been found that Hola.org is selling users' bandwidth to others through a service known as Luminati.
It has been claimed that the Luminati service has been used to launch attacks on targets like websites. Hola has not denied this, and has gone on to say that it has suspended the user that misused the service and would cooperate with authorities.
Not exactly a comforting stance to take for a business trusted to provide a secure VPN to defeat geoblocking.
If you are using a free VPN service then it is highly likely that this post will apply to you also. This is possible with any other VPN service that does not monetize its service solely from user subscriptions.
The FAQ on Hola's website does in fact disclose that it uses subscribers' bandwidth while their systems are idle, but does not say exactly what it might be used for.
This is also very similar to how traditional botnets operate.
Another big downside, apart from higher usage figures, is that your connection could be implicated as part of a hostile network that might be used to launch attacks, including distributed denial of service attacks.
This is inherent in the capabilities of the Luminati service, which is only capable of sending HTTP POST requests (same as when you click on a link on a website to request a new page load). This is pretty incriminating stuff.
Hola states that you can opt out of this by subscribing to the US$5/month premium service.
I recommend that anyone not using the Hola premium service uninstall the Hola plugin immediately. Paid subscribers might also take a moment to reconsider whether they should be subscribed to a service that supplies distributed denial of service tools.
When looking for a VPN provider, it might be worth making sure that your exit nodes are coming out of trusted servers under the control of the provider, not distributed exit nodes where another user's computer acts as your exit node.
These distributed systems make it possible for a hacker to take part in the network, monitor all the extra traffic leaving his computer, and watch that stream of data for unencrypted information that may include things like email credentials.
It is worth noting that this is very similar to the Tor project, even though that does not mean that your systems would be used as part of a DDoS network, just that others taking part in the network may be monitoring traffic for unencrypted sessions to gain unauthorized access to services.
Bottom line: think about what the VPN service is geared towards and ask yourself how they are making money.