WireGuard, IKEv2 & Hydra Protocols Available
Hotspot Shield includes the common WireGuard and IKEv2 protocols, but also its own proprietary protocol called Hydra (formerly Catapult Hydra).
Hydra was developed by Hotspot Shield to deliver super fast speeds, and our speed tests show that it works. In terms of security, Hydra is safe: it is based on TLS 1.2, uses 128-bit AES encryption and 2048-bit RSA certificates for server authentication, and incorporates perfect forward secrecy.
Hotspot Shield offers three protocols: Hydra, IKEv2 & WireGuard.
However, the problem with closed-source proprietary technology like Hydra is that there’s no way for independent experts to examine it. Hotspot Shield claims the code is assessed by experts from cybersecurity firms like BitDefender and McAfee. If you trust this, you should use Hydra without concern. If not, it’s better to use WireGuard.
We typically recommend WireGuard or OpenVPN, as they are secure and open-source. But Hotspot Shield does not include OpenVPN in its list of protocols, preferring to push its Hydra protocol.
Hotspot Shield Passed Our Encryption Test
We tested to see whether Hotspot Shield actually encrypts your traffic by running it through the packet-sniffing tool, Wireshark. If Hotspot Shield did not encrypt our data, Wireshark would show the websites we visited.
However, as you can see in the image below, our test found that all incoming and outgoing network packets were encrypted, and none of the websites we visited were decipherable.
Hotspot Shield successfully encrypts all of your network traffic.
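The same check can be scripted. This is an added example, not the reviewers' own test tooling: it looks through payloads captured on the physical interface for the two places a host name normally appears in cleartext, a DNS query on port 53 and the SNI field of a TLS ClientHello. The `(dst_port, payload)` input shape, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

def dns_qname(payload):
    """First question name of a cleartext DNS query, else None."""
    if len(payload) < 13 or payload[2] & 0x80:      # too short, or a response
        return None
    labels, i = [], 12                               # question follows 12-byte header
    while i < len(payload) and payload[i]:
        n = payload[i]
        if n > 63 or i + 1 + n > len(payload):       # not a plain label
            return None
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels) or None

def tls_sni(payload):
    """Host name in the server_name extension of a TLS ClientHello, else None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # handshake record, ClientHello
            return None
        i = 43                                        # skip headers, version, random
        i += 1 + payload[i]                           # session id
        i += 2 + struct.unpack_from("!H", payload, i)[0]   # cipher suites
        i += 1 + payload[i]                           # compression methods
        end = i + 2 + struct.unpack_from("!H", payload, i)[0]
        i += 2
        while i + 4 <= end:
            ext, length = struct.unpack_from("!HH", payload, i)
            if ext == 0:                              # server_name
                n = struct.unpack_from("!H", payload, i + 7)[0]
                return payload[i + 9:i + 9 + n].decode("ascii", "replace")
            i += 4 + length
    except (IndexError, struct.error):                # truncated or not TLS
        pass
    return None

def visible_hostnames(packets):
    """packets: (dst_port, payload) pairs captured on the physical interface."""
    named = ((p, dns_qname(d) if p == 53 else tls_sni(d)) for p, d in packets)
    return [(p, name) for p, name in named if name]

# Constructed samples: a DNS query, a ClientHello with SNI, an opaque tunnel payload.
DNS_QUERY = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
_sni = struct.pack("!HHHBH", 0, 16, 14, 0, 11) + b"example.org"
_body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(_sni)) + _sni
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_body) + 4) + b"\x01" + len(_body).to_bytes(3, "big") + _body
TUNNELLED = b"\x17\x03\x03\x00\x28" + bytes(range(40))
```

An empty result for traffic captured while the VPN is connected is consistent with an encrypted tunnel; any host name returned was readable on the wire.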
No IP, DNS, or WebRTC Leaks
We tested the Hotspot Shield apps using our in-house tool to check for data leaks. The results came back safe: no IP, DNS, or WebRTC leaks were recorded and our real IP address remained hidden throughout.
However, Hotspot Shield does not support IPv6 traffic, so you run the risk of exposing your personal data on IPv6 connections. Other VPNs like Hide.me have come up with a dual-stack solution to this issue, and others like Surfshark simply block IPv6 traffic to prevent leaks.
Browser Extensions Failed Our Leak Test
While the Hotspot Shield apps came back leak-free, the same isn’t the case for its Chrome and Firefox browser extensions. Our tests showed that the Chrome extension leaks DNS requests, and the Firefox add-on leaks WebRTC requests – even with the WebRTC leak blocker enabled.
Hotspot Shield’s browser extension leaks WebRTC.
This means that your ISP can still see the websites you visit when connected to the Chrome extension, and your true IP address and location are exposed when using the Firefox extension. We caution against using Hotspot Shield’s browser extensions.
No Kill Switch on macOS
Hotspot Shield does not have a kill switch for macOS – not even an automatic one running in the background. We tested it with our kill switch test tool and found that our real IP address was exposed whenever we changed servers or caused an unexpected internet disconnection.
Thankfully, the kill switch works perfectly on other apps. Be aware, though, that it’s not switched on by default.
Security Features We’d Like to See
We’d like to see Hotspot Shield bolster its security and privacy credentials. Here are some features it could add to do so:
- Always-on kill switch across all apps so that every Hotspot Shield client shares the same level of protection.
- Dedicated IP addresses to combat the frequency of CAPTCHAs.
- Diskless servers to prevent logging and the acquisition of data from hardware centers.
- Multi-hop (Double VPN) servers for extra protection.
- Open-source apps so that people can check the security of Hotspot Shield services.
- OpenVPN support so that users have greater protocol choice.
- Leak protection to stop IPv6, DNS, and WebRTC data exposure.