Hotspot Sheild Pro
Jennifer Kovachick
it seems it has became vey diffcult to block hotspot shield , even though the application is being idenfied by palo alto , still hot spot finds it way by port 80 . is there any way to block hot spot shield.Also From IPAD/IPHONE it is easily connecting
I'm getting a similar issue, have a user using Hotspot Shield , and even though i've told PA to block the app, its still working. comes across port 80 as "unknown-tcp" and port 990 as "insufficient-data"
Second, I doubt that the port 990 traffic identified as "insufficient-data" would be enough to make the application run in long term (perhaps only as a way to find other nodes) - from the admin guide:
If you are positive that the PA didnt successfully identify hotspot shield even if you were using ssl-termination (as a debug use both "log on session start" and "log on session end" on all rules) you can contact the appid team and submit some pcaps so they can improve the hotspot shield detection: Tools ‹ Palo Alto Networks BlogPalo Alto Networks Blog
thanks. i ended up blocking "unknown-tcp" for now until we find a better resolution. after i did that i started seeing the hotspot-shield app-id start hunting ports trying to get out, but wasnt able too.. now i see him trying to get to ultrasurf and cyberghost vpn, but url filter is catching him. Its fun to watch them squirm
I tried it just now and PA detected hotspot-shild app without SSL decrpytion. However i don't know what happens if you put it on block and app tries to connect to some less known IPs and/or URLs. I guess in that case SSL decryption is needed.
It seems that you are struggling with blocking Proxy applications like Hotspot Shield but the major point here is that you can only ensure that all Hotspot shield attempts are blocked by enabling the SSL Decryption.
As you say the SSL Decryption is not possible on your network then the possibility of the user to bypass the Firewall is high because these Proxy applications like Hotspot shield users IKE, IPSEC, SSH, SSL to create encrypted tunnels which will completely bypass the filtering...
You may block Unknown-UDP / TCP and it will block a considerable amount of users but again these apps are trying to bypass the limitation using these ports which will be very difficult to block with a security policy....
It's a security product. Let me share: I've come to realize that the hotspots (places that offer free WiFi like McDonalds, Hotels, etc) I've had to use provide only UNSECURED connections, even those requiring a provided username/password. Hotspot Shield connects you through their US based VPN server for free from anywhere in the world (do use an adblocker and deselect all the crap you don't want when installing). It will slow things down but it encrypts everything you do online keeping you safe from those with a little know-how from stealing your credit card info, passwords, etc.
Hotspot is just somebody letting you use their internet via a wireless router as opposed to, what I hope you do at home, password protecting your wifi via a key or passcode. that key or passcode becomes the private handshake of encryption that most of these free hopspots aren't using.
I think you might be better off in purchasing something like the cisco valet or other home VPN solutions (I won't go as far as suggesting you build your own, though in time that's what I'm going to do) and connect to your home internet, which in the end would probably be safer and much more secure
MOstly, when I'm on an unencrypted connection, I don't use sites that need passwords (e.g. Banks, Amazon, eBay. sites like this forum are fine because someone gets my password & meh), else I sign into my work's vpn (see my answer for you above).
fwiw, it appears that hotspot shield keeps some processes running even after you shut it off and exit from the little systray icon. Could that be why CCleaner doesn't wipe it completely, because the processes are active?
If just encrypting e-mail is all you're after, I use GPG4Win to encrypt any attahment. Even when home, I don't send anything sensitive via e-mail without first making it an attachment encrypted with GPG4Win. And if websites send me my username/passwords in plain view via e-mail, I immediately change it. E-Mail is generally not secure, as you mentioned yourself, your ISP, the detinations ISP, and all hands involved between the two, can easily see it.
I'm the proud owner of our online Family Tree, it's now nearing 900 individuals, and I make it loud and clear to all who collaborate with me to never send anything unless they also use GPG4Win. Sadly, if it's too confusing for them, I insist on snail mail instead. My Public Key can be found here:
This whole topic of Unsecured Hotspots came about because I happened to take my laptop with me on a recent vacation. I never knew they were most all unsecured. I had to scramble for a solution just so I could check my non-https web based e-mail. And, it appears that OpenVPN is the best solution. Fortunately, it's offered as a free service but, like most all stuff I've used for free, it won't be long before the good ones will start charging. But, hopefully not.
Have you ever thought twice about E-mailing sensitive information because you knew personal E-mail was unsecured? Send it as an encrypted attachment for free in three simple steps but only after completing the below three steps once to install and prepare.
You need an OpenPGP key pair (see Wikipedia about), one is shared (public key) and, the other is kept private (secret key). What I encrypt with your public key can only be decrypted by you with your secret key or, in other words, what you encrypt with my openly shared public key can only be decrypted by me with my secret private key which is never shared. Don't worry, it really is very easy once you get past the install and key pair creation (see below on how to encrypt or decrypt, it's only 3 steps).
I've found, to me, the easiest way to stop Hotspot Shield from starting, short of uninstalling it, is to use WinPatrol to disable the four Hotspot Shield services seen in the image below. It stops it dead, 100%, on startup, and I'm a regular user of WinPatrol anyway.
b37509886e