Thursday, October 15, 2020

HideMyAss! (HMA) VPN

One of the biggest names in the VPN business, HideMyAss! (HMA) has been protecting its users' privacy for more than 15 years, and it's been owned by security giant Avast since 2016.

The company offers a vast network of 1,100+ servers in 290+ locations across 190+ countries. That's fewer servers than some of the top providers, but many more locations and countries (NordVPN has 5,500+ servers across 59 countries, ExpressVPN has 3,000+ servers across 160 locations and 94 countries).

There's P2P support, but only on a handful of locations, in fact just eight via our Windows client (five in Europe, three in the US).

Industrial-strength privacy is provided via OpenVPN and IKEv2 support (no sign of WireGuard yet), AES-256-GCM data encryption, RSA-4096 for handshaking and SHA-256 data authentication, while app kill switches aim to keep you safe if the VPN drops.

HideMyAss! has its own DNS service to help avoid DNS leaks and, as a bonus, it also blocks malicious and phishing sites.

The HideMyAss! website proudly proclaims that it works on all your devices, and it just might have a point. Not only are there custom apps for Windows, Mac, Android, iOS and Linux, but there's installation advice to help you manually set up the service on many other platforms. And that includes the ability to configure some routers, which in theory should allow you to use the service with all your smart devices, too.

The big news since our last review is HMA has put itself through an independent security audit, and passed, allowing the company to proudly claim it's now a 'certified no-log VPN.'

Plans and pricing

Head off to the official HideMyAss! pricing page and the company looks distinctly short on plans, with just one-year and three-year options.

In reality, HideMyAss! has more plans than most of the competition, they're just not easy to find on the website. No, that doesn't make any sense to us, either, but there's a summary of what's available in this blog post.

The monthly plan is priced at $11.99. That's in the range you'd expect from a top VPN, but not something that's suitable for more than a very occasional one-off month. (Surfshark gives you two years of service for under $48, or $1.99 a month).

The six-month plan is also more expensive than we'd like at $7.99 a month. The price drops to $5.99 over a year, $4.99 over two years, and $3.99 over three. If you're happy with the company, these aren't bad prices, but many other providers offer much better value. You can sign up with Private Internet Access for just $3.33 a month, for instance, and that's just on the annual plan – there is no need to pay for several years upfront.

A Family plan gets you a year of coverage for everyone in your household, and supports up to 10 simultaneous connections, for $7.99 a month. It's good that this option is provided, but again, Surfshark gives you two years of service and fixed connection limits for a lot less in its first term ($59.76 for two years coverage vs $95.88 for one.)

HideMyAss! Business plans enable supporting more simultaneous connections. These are priced much the same as the Family plan – around $13 a month for 10 connections, $24 for 20, $33 for 30 – and HideMyAss! can do tailored quotes if you need more.

Bitcoin isn't accepted, whatever plan you choose, but HideMyAss! does support cards and PayPal.

A 7-day free trial gives you a decent amount of time to try out the service, something you won't get with most of the competition. You must hand over your payment details, and you're automatically billed for the annual plan when the trial ends, unless you cancel (which is easy to do online).

If you buy, and then run into problems, you're protected by a 30-day money-back guarantee. Years ago this had some sneaky catches in the small print (it was only valid for customers who used less than 10GB of data and made fewer than 100 connections), but they were ditched long ago, and if anything, the small print is more generous than most.

For instance, if you've had one refund from a VPN, then most won't give you another, even years later. HideMyAss! will give you as many as appropriate, just as long as there's at least six months between refund requests.

Logging

HMA has been audited to confirm its no logging credentials (Image credit: Avast)

Privacy and logging

HideMyAss! has so much small print that the Legal section has a sidebar with no less than 12 separate sections, and many of those are also very lengthy (the privacy policy alone has approaching 5,000 words).

This isn't quite as bad as it first sounds. The main reason for the cluster of documents is that HideMyAss! has moved key sections into separate articles, making them easier to find, and most of these are clearly structured and well-written. (If you're allergic to small print and just want the basics, though, check out HMA's no-log blog post.)

The privacy policy explains that there's no logging of originating IP addresses (a possible way to identify you), precise timestamps (when you connected or performed some action), DNS queries, browsing history or transferred data.

There is some general logging of service use, including the date of connection and whether it's AM or PM, and a very approximate idea of transferred data (the service only records whole 100Mbs, so 379Mb data transfer is logged as 300.)

HMA justifies this minimal data collecting on the grounds that it helps with troubleshooting, customer service and understanding network capacity, and that makes sense to us. 

If you're the skeptical type, though, there's no need to take these words on trust. In August 2020 HMA announced in a blog post that its no-logging policy had been audited by security consultancy VerSprite. 

The assessment 'included analyses of data, traffic, and storage on both the client and server-side, and the disconnection of user identities with data containing information about online user activity.' And HMA passed, the company explained, with VerSprite receiving the minimum possible 'low risk' user privacy impact rating.

The HMA site only gives broad details about the scope of the audit, for example talking about it including 'analyses of data, traffic, and storage on both the client and server-side, and the disconnection of user identities with data containing information about online user activity.' As the report isn't publicly available, there's no way to judge how meaningful the results might be. Still, we have to applaud any VPN which puts itself through this kind of expert independent scrutiny, and we hope HMA will run further audits in future.

Windows Client

This is the new and improved user interface of the Windows client (Image credit: Avast)

Apps

Signing up for a HideMyAss! trial works much like any other web service you've ever used. Choose a plan, select a payment method (card or PayPal) and hand over your money in the usual way.

A Download page pointed us directly to the correct app for our Windows device, while also giving us links to Mac, Android and iOS builds, and some pointers on using the service with Linux. This isn't as well-presented as high-end competitors such as ExpressVPN – you don't get the same number of tutorials on setting up the service manually, and there's no link to download the Android APK file for manual installation elsewhere – but it covers the basics well.

HideMyAss! apps have become much easier to use over recent years, with the old mode-based system replaced by streamlined, simplified interfaces that even the greenest of newbies will understand right away. 

The new design looks and feels much like most other VPN apps: it has a list of locations, an On/Off button, and a Settings dialog with some useful tweaks.

Windows Locations

The Location Picker has been nicely streamlined compared to the old app (Image credit: Avast)

The Location Picker doesn't force you to scroll – and scroll, and scroll – to find what you need. You're now able to view locations by continent or type (streaming or P2P optimized), enter text in a Search box, or save commonly used locations as Favorites for speedy access later.

The location names don't have any latency or server load indicators, but there is a Speed Test option which detects your nearest servers and calculates their latencies and download speeds.

Kill Switch

The Windows client has not one, but two, kill switches (Image credit: Avast)

A sidebar contains a small number of configuration options, including a setting to automatically connect to the VPN whenever you access the internet, and to enable the client's two kill switches. Yes, two: if the VPN drops, a system-wide kill switch protects you by blocking internet access, and an optional app kill switch closes down your chosen processes (your browser or torrent client, say).

We tested the kill switch by forcibly closing the Openvpn.exe process and its TCP connection, and monitoring IP leaks when we switched servers. In all cases the client correctly blocked all leaks, preventing our real IP from reaching the outside world.

The app kill switch is unusual, because as well as terminating specific apps if the VPN drops, it also automatically connects to HideMyAss! when you launch those apps.

This is a nice idea, and it worked during testing, but it doesn't offer enough control. You might not want to connect to the VPN every time you open your torrent client, for instance, but HideMyAss! doesn't care: once it's on the app kill switch list, that's what will happen. The client should treat the auto-connect option as a separate feature and make it configurable for each app.

Tucked away in the Preferences box, an unusual IP Shuffle feature changes your IP address at a defined interval (30 minutes, an hour, a day, whatever you like), making it even more difficult for others to track what you're doing. This is thoughtfully designed, for instance using the kill switch to block outgoing traffic as the connection updates.

Small but welcome touches include the ability to view your OpenVPN connection log, which is potentially very useful in troubleshooting connection issues.

Android App

The Android app includes support for split tunneling (Image credit: Avast)

The Android and iOS apps have a near identical interface to the Windows client, and once you've found your way around one, you'll have no problem using the others.

VPN providers often save their best features for the desktop, and 'forget' all about the mobile apps. HMA has done a better job than most, though, and even some of the more low-level features (UDP/ TCP connections, IP Shuffle) are also available on mobile devices.

The Android app goes a step further than the desktop clients with its split tunneling support. In a click or two you're able to decide which apps should use the encrypted tunnel, and which are left with your regular connection.

The mobile apps have smarter auto-connect rules, too, and can automatically connect you to the VPN when you join unsecure Wi-Fi networks only, or with any Wi-Fi, or both Wi-Fi and cellular networks.

The various HideMyAss! apps aren't the most powerful we've seen, and despite the redesign, they're not the easiest to use. They're likeable, though, and mostly do a good job, and we expect they'll quickly improve as HideMyAss! uncovers and fixes issues with the new interface.

New Speedtest Image

We used Ookla's SpeedTest and TestMy to measure the performance of HideMyAss! (Image credit: Ookla)

Performance

We began our HideMyAss! performance checks by choosing a small group of test servers: three in the US, three in the UK, two in Europe, and locations in Australia, Hong Kong and South Korea to represent the rest of the world.

(This required downloading OpenVPN configuration files, so we were happy to find that HideMyAss! provides a wide selection, sensibly named and right up to date.)

Our tests began by connecting to each server in turn, recording the connection time, running a ping check to look for latency issues, and using geolocation to verify that the server was in the location advertised.

There was positive news in every area. All servers appeared to be where HideMyAss! claimed they would be. Connection times were good at around six seconds, even for the most distant locations (some VPNs are twice that, or more), and ping times lengthened for faraway servers, but no more than we expected, and they didn't reveal any problems.

We moved on to checking the best-case download speeds, connecting to our nearest server from both US and UK locations, and measuring download performance using Ookla's SpeedTest and TestMy.

UK speeds were usable but a little below average at 100-130Mbps, perhaps in part because HMA doesn't support the more efficient WireGuard protocol. Private Internet Access reached 150-160Mbps via OpenVPN, but connecting using WireGuard and PIA reached 370Mbps in its best session.

We made our US checks from a superfast 600Mbps connection, but speeds were only fractionally better at 140-150Mbps. That's still more than enough for most purposes, of course, but if performance is a priority, Hotspot Shield reached 330-410Mbps in our last tests. 

Unblocking

HideMyAss! was able to unblock both UK and US Netflix in our tests (Image credit: Netflix)

Netflix

Point your browser at the HideMyAss! website and you'll read that the service allows you to "stream your favorite TV shows from wherever you are in the world using one of our dedicated streaming servers." Sounds good, but is it true?

The HideMyAss! Windows client enables filtering its location list to display only streaming servers, and right now there are just five of these: two in New York, one in Florida, one in London and another in Frankfurt. That's not exactly a lot of choice, and we wondered whether that would make it easier for streaming websites to detect and block them.

The answer seems to be: maybe. When we connected to the UK, for instance, we were able to stream UK Netflix content, but BBC iPlayer and UK Amazon Prime Video were blocked.

The US story was mixed, too. The first server got us into Netflix, but failed with Amazon Prime and Disney+. We tried the other two servers, with no change.

That's not great, and as the HideMyAss! website doesn't commit to supporting access for any particular service, it's probably not going to change any time soon. Keep in mind that you do get to try the service for a week for free, though, so there's plenty of time to test it for yourself.

Support

HideMyAss! provides support via 24/7 live chat, a web forum, FAQs and a searchable knowledgebase (Image credit: Avast)

Support

The HideMyAss! support site offers a wide range of resources, including setup guides, a searchable knowledgebase, FAQs, a web forum, and 24/7 live chat for anything urgent.

The web content isn't as in-depth or well-presented as some of the competition. ExpressVPN has a host of detailed setup guides, all easily accessible in a couple of clicks from the support page. HideMyAss! doesn't organize its articles quite as neatly, and when you do find them, there's less information, and occasionally some questionable points.

For example, the Windows setup tutorial starts by talking about downloading the latest version of the .NET Framework, for instance, before saying there's nothing out of the ordinary about warnings that the TAP driver isn't signed, and suggesting you fix this by disabling driver signing checks. This isn't necessarily bad advice if you know what you're doing, but it's also seriously advanced stuff with implications for your security, and we wouldn't expect it to appear in a general installation tutorial for all levels of user.

The HideMyAss! community forum isn't a busy place, but post a question there and it's normally answered by a staff member within a few hours. Replies are generally helpful, and if the problem isn’t solved on the forum, the support team will often create a ticket for you or send you a direct email to discuss the issue further.

If you can't wait, live chat is on hand for near instant assistance. We asked about a Windows installation issue, and within minutes, a support agent began giving us a helpful and accurate solution. That works for us, and overall, we think HideMyAss! should be able to help you solve most common VPN issues.

Final verdict

HMA's unblocking performance is below-par (though it did work with Netflix), and prices are higher than we’d ideally like. That said, the apps are easy to use, there's a huge choice of locations, and the company's no-logging promises are now backed by an independent audit. If these are your priorities, HideMyAss! might be worth a try.

  • We've also highlighted the best VPN services of 2020


from TechRadar - All the latest technology news https://ift.tt/37itGT8

No comments:

Post a Comment