A large network that's great for anyone wanting to access Netflix and similar geo-restricted sites but anonymity is not a strong point
HMA is situated in the UK and offers a huge VPN network easily accessed by highly configurable clients for Windows and Mac and simple but effective clients for iOS and Android. A highly useful feature of their network is the ability to utilize “virtual servers” which are locally situated but “appear” to be located in other countries such as the USA or Europe. Overall performance of the network was average to slow but by utilizing virtual servers we got good performance when connected to streaming video services in other countries, like HBO and Netflix in the USA. BitTorrent is allowed but not for illegal content. It is totally blocked on some of their servers for all content. A disappointing aspect of HBO is they log the user’s real IP both during account registration and VPN server connection. This is of little consequence to those simply wanting to access geographically restricted web services but will worry those seeking true anonymity.
The company behind HMA
HideMyAss VPN is a product of Privax Limited, a limited company registered in the United Kingdom.
Some may take comfort in the fact that this a UK company due to the strength of the legal system and the country’s long democratic tradition.
Others will feel less comfortable as the UK is part of the European Union and thus subject to the European Union's 2006 Data Retention Directive which requires service providers to retain user metadata for six months to two years.
Even more concerning is the UK’s 2014 The Data Retention and Investigatory Powers (DRIP) Act which expands on the Data Retention Directive. Add to this the pervasive reach of the UK Government’s GCHQ spying organization and concerns can only be amplified.
Most average users will give little import to these issues but they will be of real concern to whistle-blowers, journalists, political activists and others for whom anonymity is an imperative.
What is their offering?
HideMyAss (HMA) offers three pricing plans, monthly, six monthly or yearly:
Although the prices are shown as a monthly figure, the six month and annual plans are charged in a lump sum of $41.94 and $59.88 respectively.
All plans have the same service features and differ only in price. Features include unlimited bandwidth, unlimited server changes and the ability to contact up to two devices to the VPN network simultaneously.
Downloadable clients are available for Windows XP SP3 and later, Mac OS X 10.7 and later, iOS 5 and later and Android 4 and later. Additionally older clients are available for OS X 10.5 and 10.6. There is also a Linux script to install the VPN but no client.
Their VPN network is impressively large with 320 locations in 200 countries around the world. In the USA alone, there are over 60 access points in 44 cities while in the UK there are access points in 8 cities.
An interesting feature is that in a number of countries, HMA provide local “virtual servers” that appear to be located in another country while they are actually nearby. So for example UK users have available local virtual servers for the USA, Paris, Germany and Australia. If you connect to the USA virtual server you are connected to a server in the UK but have been allocated an IP address associated with the USA.
The advantage of this system is you get the faster response and lower latency of a server nearby yet USA websites like Netflix and HBO will think you are located in the USA and so allow you to use their services. This is an excellent feature, one that we would like to see offered by more VPN services.
HMA claim that BitTorrent is supported by their network for legal content but users' posts on their forums indicate that BitTorrent is totally blocked from some HMA servers. We asked HMA support for a list of those that are blocked but was told to just try different servers. On further questioning it became clear that they did not want to supply this information.
A disappointing aspect of the HMA service is they do not offer use of their own DNS server. Instead users are reliant on the DNS server provided by their ISP.
It is possible to configure your computer to use a more secure DNS like Open DNS or Commodo DNS and HMA have instructions on their site how this can be done. This however is a poor alternative as average users will not even be aware of the risks let alone the existence of the online instructions. Given most other VPNs offer access to a secure DNS service enabled automatically during client installation, HMA need to lift their game in this area.
How well does this VPN protect your privacy and security?
For average users mainly interested in accessing geographically restricted services like Netflix or European sports sites, the level of anonymity provided by HMA is fine.
For those with an elevated need for privacy and anonymity such as BitTorrent users or those with an extreme need such as journalists, whistleblowers and political activists there are some serious issues with HMA.
First there is the risk posed by HMA being based in the UK. This was discussed in the first section of this review headed “The company behind HMA”
“We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you.”
“This data is stored on our system for between 2 and 3 months unless we are required, for legal reasons or under exceptional circumstances (including our own investigations of fraud or abuse), to retain this data for an extended period.”
“We store the date and time of registration for the anonymous email service, your IP address, password, your actual email address…”
“You can delete your account at any time but your email address will be stored by us for no more than 2 years after you have deleted your account.”
We are not defending Lulzsec or any organization involved in criminal activities but rather are alerting those who have a legal need for high anonymity such as journalists, that HMA may not be the best choice. Such users may want to consider other VPN services that have a zero logging policy and are based in countries where, unlike the UK, there are no compulsory legislative data retention requirements.
Is the product easy to install and use?
On the whole, HMA is very easy to install and use. We tested the clients for Windows, Mac OS X and iOS and had no problems with any of them.
HMA does not provide a public area on its website where you can download the Windows and OS X clients. You must first have a web account and only when you login do you get access to the download area. The iOS app is of course available anytime from the Apple app store.
The procedure for the installation of the Windows and Mac clients is essentially the same except with Windows there was an additional step to install a TAP driver. This formed part of the installation process and worked seamlessly. That aside the clients for Windows and OS X are essentially identical so we will only deal with the Mac client here.
Once you have installed HMA this is what you see:
To connect to the VPN you first need to enter the username and password you created on the HMA website. Then you need to select the server you want to connect to. You do this by clicking the County selection button in the left sidebar.
As you can see the range of servers you can select from is huge. This includes the “virtual servers” each of which is a local server but with an IP belonging to the country you want to appear to be located in. This allows users in say the UK, to access USA services like HBO yet work from a server based in London.
To help you select the fastest server for your location there is a Speed guide option that allows you run tests to get ping times (latency) and download speeds for a designated set of servers, for example all the servers in your country.
There is also a geographical map showing the servers available and the number of users using each server.
Once you gain some experience finding out which servers work best you can do a quick server select from the dashboard using a pull-down list of recently used servers.
Yet another feature to help you utilize the best server is a “load balance” option available from within the Settings tab on the Dashboard. This appears to work by shifting some or all of your traffic to another server should your current server become heavily loaded. It only works though if you have configured the client to make all servers available rather than those in a particular location or city.
Also from the dashboard, you can switch between the OpenVPN protocol and PPTP. The latter is not as secure as the default OpenVPN but will often work in occasional situations such as some airports and public Wi-Fi networks, where OpenVPN is blocked or otherwise not functioning.
The HMA implementation of OpenVPN uses 128 bit Blowfish encryption while some other VPN suppliers use 256 bit which is more secure but slower than 128 bit. For most users 128 bit is adequate. HMA PPPT connections are 128 bit RC4 encrypted. RC4 is an older encryption standard and may not be as secure as more modern standards such as AES.
The iOS app is even simpler to install and use. Just download from the Apple app store, enter your HMA username and password and you are right away. An iOS VPN IPSec profile is then downloaded which you must authorize to install. Once installed you are connected immediately to the VPN using a local server.
If you don’t want to use IPSec you can select either L2TP or PPTP easily enough from a drop-down list though you will have to install a profile for each.
The iOS client has many fewer options than the desktop clients but it works effortlessly. My only beef being there is only an iPhone client so iPad users have to tolerate portrait mode viewing.
How well does the VPN perform?
Like many of the larger VPN networks, the performance of HMA varied considerably from server to server – some servers were excellent and some slow enough to be frustrating. Averaged across local servers, HMA was in the lower performing group of VPNs tested with average download speeds measured at speedtest.net being around 55% of speeds measured without a VPN. Results will of course vary from country to country and server to server.
As many users want a VPN to access services like Netflix in the States we tested HMA from Sydney Australia using the local “Sydney Australia Virtual USA” server to access hbo.com. Using that server we were able to successfully register at HBO in the States and access the service. We viewed SD movies successfully with only the occasional pause.
HMA do not provide their own DNS servers so we couldn’t test their DNS server security.
We did run an IPV6 leak test at http://ipv6leak.com/ and all three clients passed.
What other features are offered?
HMA offer free anonymous email and free web proxy from their website. You do not need an account to use these services. We assume these services, like HMA’s VPN service, are logged so don’t use them assuming your identity is fully protected.
HMA also maintains a free list of third party web proxies currently online. However using free third party web proxies carries a significant security risk and we don’t recommend the practice.
The Windows and Mac clients have some lots of configuration options compared to some other VPN services including the ability to change your apparent IP address either manually or on a scheduled basis. This could add to your anonymity but given your real IP is logged by HMA the gain may be illusory.
Another configuration option is “Secure IP Bind” which prevents internet-facing applications on your PC, such as your email, from using the internet when there is no secure connection.
How good is the support?
HMA offers email support, online chat, online documentation and access to a community forum. That sounds impressive but the reality falls somewhat short.
First, the online chat had the slowest response time of any VPN service we tested. On several occasions we simply gave up. To be fair when we did get a response, the operator was quite helpful.
Second, the online resources while extensive are poorly organized and actually quite difficult to use. The site navigation to these different resource areas needs to be much clearer and the material itself needs to be restructured in a way that more directly addresses common user concerns.
In a nutshell, HMA need to lift their support to match that supplied by other VPN services.
|Price||$9.99 month billed monthly, $59.88/year|
|Refund period||30 day|
|Max concurrent connections||2|
|Network size||200 countries 320 cities|
|BitTorrent allowed||Yes but illegal or copyright content not permitted. Some servers block all BitTorrent usage.|
|Own DNS server||No|
|Default Win protocol||OpenVPN 128 bit|
HideMyAss VPN Website: https://www.hidemyass.com/