Friday, July 26, 2024

Howdy VPN review 2024

Howdy VPN is a confusing service, to say the least. The free VPN doesn't offer anything close to a traditional VPN provider at first glance – and the more I dig, the more I'm convinced that you should leave Howdy VPN alone. Keep reading, and I'll explain why it can't compete with today's best VPN services.

Howdy VPN: the basics

First off, let's go over the basics. Who is behind Howdy VPN? Unfortunately, I don't know.

Combing through the terms of service, privacy policy, and disclaimer only told me that the company is seemingly based in the Netherlands – or is at least subject to Dutch law. Beyond that, there’s not much more to know. The website itself is registered in Indonesia and you can reach out via a single Gmail address, but that's all I could find. It's not a great start.

I was expecting to find a traditional VPN provider, but as soon as I landed on the Howdy VPN website I realized I was looking at something entirely different. The website is light on details, but offers a few services you wouldn't expect to see side-by-side with each other.

Figuring out who Howdy VPN is for isn't straightforward, either. The site offers free networking services – which means there's a free VPN, a free VPS service, a free RDP service, and something called "Find SNI", which initially perplexed me.

Each page offers virtually no information about what these tools do. Instead, they're bloated with loads of unrelated ChatGPT-generated text about cryptocurrency and VPNs. Needless to say, this isn't very user-friendly. If you're not already aware of what these tools do, Howdy VPN won’t be of any help to you whatsoever.

Howdy VPN: features

Howdy VPN's selection of features worries me – it's like the VPN is throwing everything at the wall to see what sticks. So, with that in mind, I decided to take a closer look at the VPN tool.

There are actually two on offer – Howdy VPN and "Trojan VPN", which immediately rang some alarm bells. Upon closer inspection, I can see why it's called this, but it's still worrying.

Howdy VPN offers two free VPNs. The default VPN is available for seven days from the point you sign up for it, with unlimited bandwidth and a "no-logs" policy that I'm not entirely confident in.

The "Game" VPN provides lower latency at the cost of reduced maximum speeds and is available for thirty days instead of seven. Either way, you'll see a list of servers you can scroll through to see where each is located and the total number of users connected to the server. 

Once you've clicked through, you'll be presented with an options menu that allows you to set your username and password for the VPN, along with something called an "SNI" or "Bug Host". I'll dig into this more when I cover the SNI finder but, for now, clicking through the remaining options generates an OpenVPN config file that you'll then need to load into a third-party client.

Howdy VPN doesn't actually offer a VPN client of its own – and I think it's a little misleading to call it a VPN provider.

Then, there's the Trojan VPN based on TrojanGFW, an obfuscation service designed to evade deep packet inspection by tunneling your VPN traffic through an HTTPS tunnel. I was suspicious, seeing as Howdy VPN also offers "free RDP" services, that this was a Remote Access Trojan service, but it's relatively harmless. There's a quota system in place of a timed lockout, so when you sign up for a Trojan VPN server you'll only get around 30 GB or so of data before your account details stop working.

The VPN service requires you to visit a separate site that doesn't seem to be working, so I can't comment on it. Howdy VPN does have a bunch of additional servers with a bunch of obfuscation guarantees, including RDP servers that let you connect to a remote desktop to use as a proxy host.

However, the tool that really caught my eye was the "Find SNI" option.

Howdy VPN: Find SNI

There's hardly anything on the Howdy VPN website about what Find SNI is or what it does. In fact, the provider is weirdly coy about the tool, stating:

"We know you need this, but we can't show it to just anyone to make sure it will last longer so you'll have to figure out how to use this feature."

The Find SNI tool itself gave me a list of partially censored host names and, upon clicking through to one, I was presented with a captcha. Completing the captcha uncensored the host, giving me a full hostname and data about whether the IP associated with it was accessible, and a set of HTTP response headers. Weird. Really weird.

I managed to put two and two together after some digging and found what Howdy VPN was actually offering as a website. To give you the relevant context, I need to touch on bug hosts and how ISPs connect you to the internet.

When you connect to an ISP, your account is granted access to the World Wide Web – so long as you have a valid subscription. If you avoid paying your ISP bills for long enough, it'll cut off your internet connectivity. However, because your ISP does want you to pay your bills (and pay them as soon as possible), the username and password tied to your router will still be valid – it's just that your internet has been restricted so you can only access your ISP’s home page. All the requests you make to other hosts are processed by your ISP and dropped.

You'll see something similar if you try to access the internet without a data plan on mobile data, or if you're accessing a paid public router. Only certain websites are accessible without a subscription. I'll call these "zero-rated" websites, but they can be all sorts of different pages available for different reasons: think public health sites, government portals, and CDN hosts.

The important thing to note is that your ISP will allow you to connect to them without paying a subscription.

Here's where it gets tricky. The "SNI" I've been talking about is Server Name Indication, a part of the TLS handshake that tells the server you're connecting to which website you want to visit. This makes SSL certificate bookkeeping easier for servers that host multiple sites on the same IP, but that's not why we care about it today. Remember, you're advertising which hostname you want to connect to ahead of time, unencrypted, in the first message of the handshake. The ISP will read it and authorize your connection if it's to a zero-rated site, or drop the traffic otherwise.

What sites like Howdy VPN allow you to do is create a TLS connection through an SSL VPN that spoofs your traffic – making it seem, through the SNI field, as though it's heading to a zero-rated website before being sent on to the real destination by the VPN server. This is a massive violation of your ISP’s ToS by the way, if not outright illegal.

In the context of offering completely free VPN and VPS servers, I have no doubt that there's something weird going on here.

There's no third-party audit to validate Howdy VPN's privacy policy and, as a result, I'd have to assume that it's logging your traffic by default. In fact, there's no mention of what happens to the data that's passed through the free VPN servers – and I think this is a total failure to make explicit what it is you're giving up in return for the free service.

Howdy VPN: verdict

When I dug a little deeper into who actually provides Howdy VPN, I found two more websites: fastssh.com, which hosts most of the tutorial content for Howdy VPN on a separate blog space, and sshkit.com, which offers similar services.

There's a whole web of free VPN and SSH services associated with each other that all seem to do the same thing, all seemingly kept alive by aggressive website marketing popups and ad marketing agreements with Google.

As far as I can tell, it all falls under the ZXC brand, which operates several websites from the same hosting cluster in Indonesia. I can't say whether ZXC is just monetizing additional excess server capacity or up to something more nefarious – but if everything I've covered so far hasn't been enough to put you off, then let me make it clear: don't use Howdy VPN.

The complete lack of transparency surrounding the site, alongside some really suspect services and a total disregard for normal monetization practices, means I wouldn’t touch the service with a ten-foot pole. Plus, it looks like you can only sign up for Howdy VPN via Telegram, which is the icing on the cake.

I'd instead recommend that you check out a legitimate VPN service that won't sell your data as soon as you fork it over – like NordVPN.

NordVPN is the polar opposite of Howdy VPN in about every way I can think of. You'll get top-notch encryption that'll keep personal data out of the hands of snoopers, an audited and airtight privacy policy, and some of the fastest speeds I've seen a VPN hit. Plus, if you're in the market for a streaming VPN, NordVPN leads the pack – and you can try it for yourself with its 30-day money-back guarantee.

Alternatively, if you'd rather stick to a free VPN, there are much better options out there. Proton VPN (designed by the minds behind Proton Mail) is a privacy-focused service that offers unlimited data with no catches; no ads, no tracking, just a really, truly, free service. The caveat is that you'll only have access to servers in three locations, and it's not as fast as other premium providers, but Proton VPN's free tier is more than enough for anyone wanting to shore up their digital security as they go about their day-to-day browsing.
