• Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design

    From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Mon Jun 8 21:38:57 2026
    From Newsgroup: alt.comp.os.windows-11

    Maria Sophia wrote:
    In summary, the Windows Aloha browser is a scam because Aloha's Windows VPN does not register a WFP callout, does not create an NDIS 6.x virtual
    adapter, does not bind DNS to a tunnel interface, and does not register
    with NCSI, meaning Windows has no way to detect the tunnel, enforce
    VPN-aware firewall rules, or prevent traffic leakage when the tunnel collapses.

    UPDATE.

    Good news, sort of. Well, not as bad news as it used to be, I guess.

    Up until about version 4.18.0.0 (where 4.19.0.0 was released May 29, 2026), prior Aloha versions would randomly drop the VPN while you were using it.

    Since that's sadistically the very last thing anyone would expect a VPN
    browser to do, that "feature" alone made the Aloha VPN browser worthless.

    Luckily, the sadism of the developers seems to have abated somewhat in that
    the current versions no longer randomly drop the VPN without any warning.

    They still drop the VPN randomly.
    And there still isn't any warning.

    But if you keep the mouse on the browser at all times, they don't drop it.

    It's only if the focus isn't on the browser now, that they will randomly
    drop the VPN connection (usually within a minute or two in my experience).

    When you manually bring the focus back on the browser, the VPN connection
    stays off, but you can reconnect by clicking the gray VPN shield which, in prior versions, would turn blue (indicating the VPN shield was active).

    In Aloha version 4.18.0.0 and newer versions, clicking the gray (off) VPN shield just brings up a dialog box asking you to pay to keep the VPN on.

    At the bottom of that dialog box is teeny tiny print where you can select
    "Continue with free servers"

    Clicking on that teeny-tiny extra line will then turn the VPN shield blue.

    And now you're back to the original setup (where it will stay blue until
    you remove focus on the browser, in which case it randomly turns gray).

    In summary, the mechanism for Aloha to maintain the VPN connection has drastically changed, where it takes more mouse movements now than before,
    but at least if you keep the focus on the browser at all times, the VPN no longer sadistically randomly drops right out from under your feet.

    It's still a terrible design, but at least it's no longer pure evil sadism.
    --
    Knowledge is just knowing what is while experience is knowing what happens.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Graham J@nobody@nowhere.co.uk to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Jun 9 08:09:24 2026
    From Newsgroup: alt.comp.os.windows-11

    Maria Sophia wrote:

    [snip]

    In summary, the mechanism for Aloha to maintain the VPN connection has drastically changed, where it takes more mouse movements now than before,
    but at least if you keep the focus on the browser at all times, the VPN no longer sadistically randomly drops right out from under your feet.

    Every ordinary user I know always works with apps like a browser
    full-screen, so losing the focus isn't an issue.

    They don't seem to have understood that Windows means having the option
    for more than one window open on a screen.

    What was it we had before Windows? MS-DOS ???
    --
    Graham J
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Andy Burns@usenet@andyburns.uk to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Jun 9 13:05:46 2026
    From Newsgroup: alt.comp.os.windows-11

    Graham J wrote:

    Every ordinary user I know always works with apps like a browser full-screen, so losing the focus isn't an issue.

    They tend to regard any explanation of how they could run apps
    not-maximised as being "told off".

    They don't seem to have understood that Windows means having the option
    for more than one window open on a screen.

    Dual monitors have given way to triple monitors for many users.

    What was it we had before Windows? MS-DOS ???

    Borland Sidekick?

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ...winston@winstonmvp@gmail.com to alt.comp.os.windows-11 on Tue Jun 9 10:23:09 2026
    From Newsgroup: alt.comp.os.windows-11

    Andy Burns wrote:
    Graham J wrote:

    Every ordinary user I know always works with apps like a browser
    full-screen, so losing the focus isn't an issue.

    They tend to regard any explanation of how they could run apps
    not-maximised as being "told off".

    They don't seem to have understood that Windows means having the
    option for more than one window open on a screen.

    Dual monitors have given way to triple monitors for many users.

    What was it we had before Windows? MS-DOS ???

    Borland Sidekick?

    Sidekick was a personal information manager, initially ran on DOS (later
    on Windows, OS2, Mac)
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Jun 9 13:03:00 2026
    From Newsgroup: alt.comp.os.windows-11

    Andy Burns wrote:
    Graham J wrote:

    Every ordinary user I know always works with apps like a browser
    full-screen, so losing the focus isn't an issue.

    They tend to regard any explanation of how they could run apps
    not-maximised as being "told off".

    They don't seem to have understood that Windows means having the option
    for more than one window open on a screen.

    Dual monitors have given way to triple monitors for many users.

    What was it we had before Windows? MS-DOS ???

    Borland Sidekick?

    I looked up all the reviews for Aloha VPN browser for Windows, and I
    haven't found a single review that wasn't a shill, not surprisingly.

    That's pretty shocking that there isn't a single Windows Aloha real review.

    Any "real review" of the VPN browser would have noted quite clearly that
    every privacy tool, when it fails, should fail in the open condition only.

    My original PSA warned that the VPN would randomly drop sans warning even
    if the user constantly kept the mouse focus on the VPN browser window.

    The latest update to the PSA revised that, in that in the current version (4.0.19.0), the VPN stays active as long as the browser window has the
    active focus, but the VPN still drops the connection within minutes, sans warning, if the user clicks away to another window for that time period.
    --
    We can learn from each other on Usenet if we simply put our minds to it.
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Jun 9 13:19:08 2026
    From Newsgroup: alt.comp.os.windows-11

    Graham J wrote:
    Every ordinary user I know always works with apps like a browser full-screen, so losing the focus isn't an issue.

    They don't seem to have understood that Windows means having the option
    for more than one window open on a screen.

    What was it we had before Windows? MS-DOS ???

    What's interesting is the irony of invoking MS-DOS (single-tasking) and
    Borland Sidekick (a crude, pop-up text utility used to fake multitasking)
    on a system satirically called "Windows" that behaves as if there is only
    one chromium window running at a time (which is really a chromium issue).

    While "windows" on Windows is the ironically paradoxical joke here,
    what's also ironically paradoxical about Aloha VPN is it's blazingly fast.

    Yet, it's so fantastically Superman-fast because it's badly designed!
    What a paradox!

    It should be shocking to everyone, if I'm right that there isn't a single
    real Windows VPN browser review on the entire Internet, that isn't a shill.

    Having extensively tested the Windows VPN browser, here's my review of it.
    a. Blazing speed
    b. System-wide hijack
    c. Silent, random drops
    d. Broken routing & DNS
    e. No integration with Windows security model
    f. Structural, not performance, failures

    Blazing speed:
    a. Apparent throughput:
    Measured TCP/UDP transfers through Aloha's tunnel show very high
    bandwidth and low latency compared with many consumer VPNs, where
    downloads and streaming feel near-native.
    b. Why it looks fast:
    Because Aloha forces all traffic through raw routed paths without
    encapsulation overhead (no full TAP/TUN encapsulation, no extra kernel
    filtering), packets bypass many normal VPN processing stages that add
    CPU or queueing delay.

    System-wide hijack:
    Aloha on Windows doesn't behave like a browser VPN - it rewrites the whole routing table, so all traffic (not just browser traffic) is forced through
    its tunnel, without using proper Windows VPN primitives (virtual adapter,
    NDIS miniport, WFP, NLA, NCSI, etc.).

    Silent, random drops:
    The tunnel collapses unpredictably, with no kill switch, no route lock, no OS-level awareness. When it drops, Windows just sends everything out over
    your normal connection - instantly exposing your real IP mid-session.

    Broken routing & DNS:
    After a drop, routes and DNS are left in a half-broken state: leaks,
    stalls, orphaned routes, resolver races, and users needing route -f to
    recover.

    No integration with Windows security model:
    Because it doesn't use official VPN APIs or register as a VPN interface, Windows can't apply VPN-aware firewall rules, DNS policies, or "VPN
    required" policies. The OS literally doesn't know a VPN is supposed to
    exist.

    Structural, not performance, failures:
    The instability isn't just "it's slow" or "it disconnects sometimes" - it's architected in a way that guarantees unsafe behavior: no kill switch, no
    IPv6 handling, no TAP/TUN-style queue, no WFP callout, no proper adapter,
    no documentation.
    --
    Knowledge is knowing what is, while experience is knowing what will happen.
    --- Synchronet 3.22a-Linux NewsLink 1.2
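
Added example, not part of the original post and not Aloha's or any vendor's code: a read-only PowerShell watcher for the behaviour the post above describes (a rewritten routing table, silent drops, DNS left in a changed state). It logs whenever the lowest-metric IPv4 or IPv6 default route, or the per-interface DNS server list, changes; the function name and the 5-second poll interval are assumptions.

```powershell
# Added example (read-only): log changes to the effective default route and DNS.
$PollSeconds = 5   # assumed poll interval

function Get-EgressSnapshot {   # hypothetical helper name
    $snapshot = [ordered]@{}
    foreach ($family in 'IPv4', 'IPv6') {
        $prefix = if ($family -eq 'IPv4') { '0.0.0.0/0' } else { '::/0' }
        # Windows prefers the default route with the lowest
        # (route metric + interface metric) on a connected interface.
        $best = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ipIf = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex `
                            -AddressFamily $family -ErrorAction SilentlyContinue
                if ($ipIf -and $ipIf.ConnectionState -eq 'Connected') {
                    [pscustomobject]@{
                        Alias   = $_.InterfaceAlias
                        NextHop = $_.NextHop
                        Metric  = $_.RouteMetric + $ipIf.InterfaceMetric
                    }
                }
            } | Sort-Object Metric | Select-Object -First 1
        $snapshot["$family default route"] = if ($best) {
            "$($best.Alias) via $($best.NextHop) (metric $($best.Metric))"
        } else { 'none' }
    }
    # DNS servers per interface; a resolver bound to the physical adapter
    # while a tunnel is up is what a DNS leak looks like from this side.
    $dns = Get-DnsClientServerAddress |
        Where-Object ServerAddresses |
        ForEach-Object { "$($_.InterfaceAlias)=$($_.ServerAddresses -join ',')" }
    $snapshot['DNS servers'] = ($dns | Sort-Object -Unique) -join '; '
    $snapshot
}

$previous = Get-EgressSnapshot
foreach ($key in $previous.Keys) {
    "{0:T} baseline {1}: {2}" -f (Get-Date), $key, $previous[$key]
}
while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $current = Get-EgressSnapshot
    foreach ($key in $current.Keys) {
        if ($current[$key] -ne $previous[$key]) {
            "{0:T} CHANGED {1}: {2} -> {3}" -f (Get-Date), $key, $previous[$key], $current[$key]
        }
    }
    $previous = $current
}
```

A drop that leaves the routes and resolvers untouched will not appear in this log; it reports routing and DNS changes only.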
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Jun 9 16:29:23 2026
    From Newsgroup: alt.comp.os.windows-11

    On Tue, 6/9/2026 3:19 PM, Maria Sophia wrote:

    It should be shocking to everyone, if I'm right that there isn't a single real Windows VPN browser review on the entire Internet, that isn't a shill.

    When it drops, Windows just sends everything out over
    your normal connection - instantly exposing your real IP mid-session.

    It's not even listed as a "Chromium" browser.

    https://github.com/nerdyslacker/desktop-web-browsers

    Aloha Browser WebKit,Blink Windows Fast, free, full-featured browser

    It would take quite a while to review that browser list,
    and start by weeding out the ones that are no longer
    in development.

    [Paul looks at his big-bucket-of-browsers, discovering
    the bucket is entirely empty.]

    I don't think I even "want" to review browsers.

    This would be like reviewing six different colors
    of Docker pants :-) "Yeah, it stole my identity"
    "Yeah, it has telemetry and reports every URL"
    "Yeah, is that DOM folder big or what?"
    That's hard work.

    Speaking of Scumbaggery, Tomshardware has switched to the Deceptron FutureInc Web Format.
    Oh, well. We were always told, control would only be taken away from Toms, if they
    weren't making enough money for FutureInc. By not having scroll bars where you expect them,
    and having scroll bars in places you don't need them, all your interface requirements
    are met... as an advertiser. I'm using my PgDn and PgUp keys, to navigate items,
    and that is a lot of fun. A lot. Of fun. I hope they don't like a lot of telemetry
    that notes "pressed PgDn key 1000 times in 4 seconds". I had to turn off SVG rendering
    on the browser I use for that, just to cut down on the sheer volume of crud on the page.

    Yes, the Internet is alive and well, but is an acquired taste.

    I had a Google AI summary, use a slop-page prepared by an AI, as
    one of its "authoritative sources". My day is complete. You can't
    get quality like this at the public library.

    Paul
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Maria Sophia@mariasophia@comprehension.com to alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.microsoft.windows on Tue Jun 9 14:59:34 2026
    From Newsgroup: alt.comp.os.windows-11

    Paul wrote:
    When it drops, Windows just sends everything out over
    your normal connection - instantly exposing your real IP mid-session.

    It's not even listed as a "Chromium" browser.

    https://github.com/nerdyslacker/desktop-web-browsers

    Aloha Browser WebKit,Blink Windows Fast, free, full-featured browser

    It would take quite a while to review that browser list,
    and start by weeding out the ones that are no longer
    in development.

    [Paul looks at his big-bucket-of-browsers, discovering
    the bucket is entirely empty.]

    I don't think I even "want" to review browsers.

    This would be like reviewing six different colors
    of Docker pants :-) "Yeah, it stole my identity"
    "Yeah, it has telemetry and reports every URL"
    "Yeah, is that DOM folder big or what?"
    That's hard work.

    Speaking of Scumbaggery, Tomshardware has switched to the Deceptron FutureInc Web Format.
    Oh, well. We were always told, control would only be taken away from Toms, if they
    weren't making enough money for FutureInc. By not having scroll bars where you expect them,
    and having scroll bars in places you don't need them, all your interface requirements
    are met... as an advertiser. I'm using my PgDn and PgUp keys, to navigate items,
    and that is a lot of fun. A lot. Of fun. I hope they don't like a lot of telemetry
    that notes "pressed PgDn key 1000 times in 4 seconds". I had to turn off SVG rendering
    on the browser I use for that, just to cut down on the sheer volume of crud on the page.

    Yes, the Internet is alive and well, but is an acquired taste.

    I had a Google AI summary, use a slop-page prepared by an AI, as
    one of its "authoritative sources". My day is complete. You can't
    get quality like this at the public library.


    Hi Paul,

    That's interesting. Very interesting. Maybe it's its own browser engine, especially given the "vpn" part is nothing like any browser VPN anywhere.

    For just one example, if you go on a system-wide VPN, the Aloha VPN won't respect that system-wide VPN by punishing it with expensive metric changes.

    I do very much appreciate that you looked up this strange Aloha thing.
    a. It's not really a chromium browser, after all, and,
    b. It's almost impossible to find a "real" reliable review for it.

    Thanks for bringing up that detail, where if the Aloha situation is any indication, basically "all" browser reviews are nothing more than shills.

    BTW, even my browser review turned out to be wrong in a critical area.

    I just ran some tests that I should have run prior to my recent posts.

    In version 4.19.0.0, the Aloha browser loses the VPN randomly EVEN IF
    the user keeps the mouse focus on the browser window at all times!

    So, in reality, while the Aloha bastardized VPN is blazingly fast compared
    to other VPNs I've tested (e.g., when I tested the Browsec VPN extension in Brave), it's still worthless in the free version because it drops on you.

    No matter what you do, the free VPN promise is a mere sadistic gotcha.
    If you pay for the VPN, I'm sure it's really good.

    But the promise of the "trialware" VPN is so bad that it's shocking that
    the developers based in Cyprus should be ashamed of themselves for it.

    Getting back to whether it's Chromium or "something else" and the reviews
    of the browsers, I wish we could find a single review that isn't a shill.
    --
    Knowledge is one thing... experience is something else.
    --- Synchronet 3.22a-Linux NewsLink 1.2