HideMyAss is a big-name Virtual Private Network (VPN) provider. Within the VPN industry, however, HideMyAss (HMA) has a poor reputation. This is largely down to a history of it handing the extensive logs it keeps on customers over to the authorities, but it is also plagued by consumer dissatisfaction with the quality of the service provided.
There is also no getting away from the fact that the service is very feature-light.
What HideMyAss does have going for it, however, is a huge number of servers located in just about every country imaginable. No other VPN company has anything like this scale of network.
This makes HideMyAss a compelling proposition for the limited subset of VPN users who might need either access to a huge range of VPN server locations, or access to a VPN server in a country that only HMA serves.
HideMyAss Pricing and Plans
HideMyAss has slightly increased its prices since last time we reviewed it. It offers one simple “all-in” plan, which now starts at $11.52 per month. This price goes down for six or 12-month subscriptions, dropping to $6.56 per month for the annual subscription.
At time of writing, a summer sale is underway. This provides savings of up to 56% (annual subscription) on the prices listed above.
A 30-day money back guarantee is available, but there are important restrictions on this. Most notably, you may not exceed 10GB of bandwidth. It is worth noting that this guarantee does not cover purchases made via Google Play or iTunes. Please also see the comments section beneath this review, as many readers report not receiving a refund to which they felt entitled.
Please also be aware that auto-renewal of subscriptions is enabled by default, and must be manually changed via the online account control panel.
Payment is via credit/debit card, PayPal, iDEAL, bank/wire transfer, UnionPay and SOFORT banking. No Bitcoin payment option is available, but then HMA is not a service to use if privacy matters to you anyway.
HideMyAss VPN Features
A HideMyAss subscription offers the following features:
- 720+ VPN servers in 320+ locations in 190+ countries
- Two simultaneous connections
- Supports OpenVPN, Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) VPN protocols
- 30-day money-back guarantee (but with important limits)
That is an impressive number of server locations, and they are scattered all over the world. This includes exotic locations such as the Falkland Islands, Papua New Guinea, Malawi, Serbia, and many more.
HMA otherwise offers a very feature-light service, and the limit of two simultaneous connections is miserly.
HideMyAss is infamous within the security community for handing over data on its customers to the police.
The most well-known incident occurred in 2011, when HMA handed over internet records and personal details of one of its customers, Cody Kretsinger, to the police. Kretsinger was a LulzSec member accused of hacking the Sony Pictures website, and received a prison sentence for his involvement in the crime.
A similar incident also occurred last year in Galveston County, Texas, when a disgraced judge was arrested and forced out of office for harassing an ex-girlfriend. The culprit had hidden his real IP address using the HideMyAss VPN service, which the provider clearly must have handed over as evidence to Texas police.
Although now owned by Czech company Avast Software, HMA is a UK-based service. The UK now has the most draconian surveillance laws in the world.
“We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount of data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you.”
As we can see from the incidents noted above, this is more than enough logging to get you into trouble if you do something wrong. HMA says that logs are usually kept for two to three months, but the new Investigatory Powers Act legally requires that logs are kept for at least 12 months.
Peer-to-peer (P2P) torrenting
HMA permits legal torrenting, but not downloading copyrighted material. HMA says that if it receives a Digital Millennium Copyright Act (DMCA) complaint or similar, it will not hand over your identity. Repeated complaints, however, may lead to your account being suspended.
Anecdotally, I have heard reports from HMA users who have received warnings over copyright offences from their Internet Service Provider (ISP) or copyright holders after using the VPN to torrent.
Are HideMyAss VPNs Secure?
On its website, HMA says,
“OpenVPN is using OpenSSL with algorithms 3DES, AES 256, RC5, 256 bit encryption for control channel (e.g. password, authentication, etc.).”
This is meaningless techno-babble written by someone who knows nothing about encryption.
As noted below, when I asked for details about the OpenVPN encryption HMA uses, I was unable to get an answer. Fortunately, when my colleague Thomas reviewed the service last year and asked similar questions, support was more forthcoming for him. For OpenVPN encryption, it seems that HMA uses the following settings:
- Data channel cipher: Blowfish-128
- Control channel cipher: AES-128
- Handshake: RSA-1024
- Hash authentication (data and control channels): HMAC SHA-1.
Perfect forward secrecy is provided courtesy of a Diffie-Hellman key exchange.
Please see VPN Encryption: The Complete Guide for a detailed discussion on OpenVPN encryption. The main problem with the above configuration is the use of insecure 1024-bit RSA for handshake encryption.
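The data-channel settings listed above correspond to the cipher and auth directives in an OpenVPN client config. As an added example (not from HMA or the original review), this Python script audits a constructed sample config for them, including the case where a directive is absent and pre-2.5 OpenVPN silently falls back to BF-CBC and SHA1. The hostname and config contents are assumptions, and the handshake key size lives in the certificate, so it is not checked here.

```python
import re

# Pre-2.5 OpenVPN falls back to these when the directive is absent.
LEGACY_DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}
# 64-bit block ciphers are exposed to birthday-bound collisions on long-lived sessions.
SMALL_BLOCK = re.compile(r"^(BF|DES|CAST5|RC2)-")
LEGACY_DIGESTS = {"MD5", "SHA1"}
# Constructed sample client config (not an HMA file); note there is no cipher line.
SAMPLE = """client
dev tun
remote vpn.example.net 1194
auth SHA1
<ca>
(certificate placeholder)
</ca>
"""


def parse_directives(text):
    """Return {directive: [args]}, skipping comments and inline <tag>...</tag> blocks."""
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = None if line == f"</{in_block}>" else in_block
            continue
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            in_block = opened.group(1)
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def audit(text):
    """Return (directive, effective value, finding) tuples for weak data-channel settings."""
    d, findings = parse_directives(text), []
    for name in ("cipher", "auth"):
        explicit = bool(d.get(name))
        value = (d[name][0] if explicit else LEGACY_DEFAULTS[name]).upper()
        origin = "" if explicit else " (legacy default, directive absent)"
        if name == "cipher" and SMALL_BLOCK.match(value):
            findings.append((name, value, "64-bit block cipher" + origin))
        if name == "auth" and value in LEGACY_DIGESTS:
            findings.append((name, value, "legacy HMAC digest, prefer SHA256" + origin))
    return findings
```

Calling audit(SAMPLE) reports Blowfish even though the config never names it, which is the case a plain text search for "BF-CBC" would miss.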
Although I usually concentrate on the OpenVPN encryption used by VPN providers, I did notice that L2TP/Internet Protocol Security (IPsec) connections use a pre-shared key to authenticate connections (“HideMyAss”!).
Again, this is bad. An adversary could use the pre-shared key (PSK) to impersonate a VPN server. It could then eavesdrop on encrypted traffic, or even inject malicious data into the connection.
The bright yellow aesthetic and cartoony branding of the HMA website does not work for me, but that is a purely subjective assessment. An FAQ is available, which does have some useful-looking articles. As already noted, though, the page on encryption is almost laughably bad.
On the plus side, the HMA website is available in a variety of languages, which is nice.
Support is via live chat or a ticketed email system. I had to wait a few minutes for the live chat staff to respond to my queries, but it was friendly enough when it did.
I do not expect frontline live chat staff to have deep technical knowledge, so was happy for my more difficult questions regarding encryption to be elevated via ticketed email for attention by a more knowledgeable staff member. Unfortunately, my ticket was never answered…
In order to subscribe, you must provide a valid email address and payment details. As already noted, it is not possible to pay for HMA anonymously. Once payment has been processed, the desktop client will auto-download.
Guides are also available for setting up manually on other platforms.
The Windows Client
The Windows software looks surprisingly reserved when compared to the website! I like the clean interface.
Instant Mode automatically connects you to a server chosen by HMA. Although I am in the UK, this turned out to be in France. Freedom Mode connects you to a server in the closest free speech country. In my case this was the UK.
HideMyAss offers an almost insane number of server and server location options!
Preferences are fairly basic, and there is no kill switch. I was told that, “As for DNS leak, we don’t have that issue,” but was then referred to a webpage offering advice on what to do if you have a DNS leak!
That said, as we can see later, I did not actually encounter any DNS leaks. So who knows?
The client is OpenVPN only, although you can choose between OpenVPN User Datagram Protocol (UDP) or OpenVPN Transmission Control Protocol (TCP), presumably using TCP port 443. This can be useful for evading VPN blocks. Since OpenVPN is the VPN protocol you should be using anyway, I do not consider lack of other options in the client to be an issue.
Performance (Speed, DNS, WebRTC, and IPv6 Tests)
All tests were performed on my Virgin Media UK fiber connection, using the OpenVPN UDP protocol. I chose the country to connect to, but let the HMA software pick the specific server.
These results are frankly all over the place. They range from excellent to poor. Bizarrely, the results get better the further away the test server is from my location!
What I think this tells me is that performance between servers is highly variable, but that with a little trial and error it is possible to find a fast server.
I was unable to get sensible upload results. Almost uniformly the results returned when using a VPN were much faster than the maximum speeds possible (that I pay my ISP for, and which were confirmed by the “no VPN” control tests).
As the results are invalid, I have decided not to publish them. I have contacted testmy.net about this issue.
Although I am a little confused over whether the Windows software includes DNS leak protection features, I detected no DNS or other IP leaks. Please note, though, that my ISP (Virgin Media UK) does not support IPv6 connections. I am therefore unable to test for IPv6 leaks at this time. This is a situation that should change in the near future.
BBC iPlayer was blocked, but I was able to access US Netflix using HMA with a US server.
HMA offers custom software for Windows, Mac OS, iOS, and Android. Unlike the Android app, the iOS app uses the IPsec VPN protocol. A command line script is available for configuring OpenVPN in Linux.
Manual setup guides for the various VPN protocols supported by HMA are also available for a number of platforms. This includes for Boxee, a selection of routers, Windows Mobile and so forth. It is also possible to buy pre-configured HideMyAss routers from FlashRouters.
The Android App
Assuming that you don’t mind the usual HideMyAss aesthetic, the Android app is pretty smart looking.
It uses the OpenVPN protocol.
Android users gain access to HMA’s huge server list.
For some reason Paranoid Mode connected me to a server in Ireland! All-in-all, the app is very polished and works well.
- Huge number of servers located just about everywhere
- Android app is good
- Fast servers are available
- US Netflix available
- No IP leaks
I wasn’t so sure about:
- Some servers are slow
- 30-day money-back guarantee, but there are important restrictions on this, as well as reports of people not receiving refunds they are entitled to
- RSA-1024 handshake for OpenVPN encryption is weak (and use of a PSK for L2TP is bad)
- BBC iPlayer was blocked
- Based in UK with a past history of betraying users
- Many connection logs
- P2P: no (technically speaking, legal torrenting is allowed)
- Support did not answer more technical questions
- Only two simultaneous connections
Despite a high profile among VPN consumers, HideMyAss is poorly regarded by those in the know. A big reason for this is its history of betraying users to the authorities. It could be argued that being based in Britain means that HMA has little choice in such situations, but whatever. It is not a service that you can trust with your privacy.
Next to PureVPN, HideMyAss is also the service that BestVPN.com has received the most complaints about. These center on poor customer service, not honoring its money back guarantee, and poor speed performance.
I was therefore a little surprised to see rather good speed test results on some servers. Some results were certainly poor, but with a little patience you should be able to find a fast server.
The main reason to choose HMA is the size and diversity of its VPN server network. It has servers in over 190 countries, so if you really need a VPN server in the Cook Islands, Equatorial Guinea, Haiti, Lebanon, or a host of other unusual locations, then HideMyAss is pretty much the only option available.