Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > alt.comp.microsoft.windows > #3381 > unrolled thread

Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design

Back to article view | Back to alt.comp.microsoft.windows

This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.

Contents

  Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Maria Sophia <mariasophia@comprehension.com> - 2026-04-09 23:32 -0700
    Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Maria Sophia <mariasophia@comprehension.com> - 2026-06-08 21:38 -0600
      Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Graham J <nobody@nowhere.co.uk> - 2026-06-09 08:09 +0100
        Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Andy Burns <usenet@andyburns.uk> - 2026-06-09 13:05 +0100
          Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Maria Sophia <mariasophia@comprehension.com> - 2026-06-09 13:03 -0600
        Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Maria Sophia <mariasophia@comprehension.com> - 2026-06-09 13:19 -0600
          Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Paul <nospam@needed.invalid> - 2026-06-09 16:29 -0400
            Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design Maria Sophia <mariasophia@comprehension.com> - 2026-06-09 14:59 -0600

#3381 — Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design

While the Windows Aloha browser is arguably the worst designed privacy
browser ever provide to Windows users, there appear to be two fundamental
flaws which make the browser unusable in Windows environment.

The first flaw, of course, is that it's NOT a VPN browser by any stretch of
the imagination because it randomly drops the VPN every few minutes. 

But the second flaw is the VPN implementation is almost sophomoric in being
different from every known professional implementation of browser based
VPN.

For example, a real VPN on Windows (WireGuard, OpenVPN TAP, IKEv2, etc.)
creates a virtual network adapter backed by an NDIS 6.x miniport driver.
This provides:
 a. Stable Layer-2/Layer-3 encapsulation
 b. Predictable routing behavior
 c. A consistent interface index
 d. A known MTU
 e. A stable binding to TCP/IP stack components

Aloha does none of this. 

Aloha
 a. Injects routes pointing to a transient interface
 b. Does not expose a stable adapter GUID
 c. Does not register with the Network Location Awareness (NLA) service
 d. Does not expose a proper MTU, 
    (causing fragmentation and path MTU blackholes)
Which is one reason why the Windows networking stack becomes unstable.

Windows provides official APIs for VPN clients:
 a. RasDial / RasSetEntryProperties (legacy)
 b. VpnPlugin APIs (modern UWP)
 c. WFP callouts
 d. NDIS lightweight filter drivers

Aloha uses none of them.

This means:
 a. Windows cannot detect that a VPN is active
 b. Windows cannot apply VPN-aware firewall rules
 c. Windows cannot apply VPN-aware DNS policies
 d. Windows cannot enforce "VPN required" policies 
    (e.g., for apps or enterprise profiles)

Which is one reason why the OS treats Aloha's VPN as "just another network
path" instead of a protected tunnel.

The more you look at the Aloha design, the worse you find it is.
For example, Aloha does not register with the Windows Network Connectivity
Status Indicator (NCSI) so Windows can't warn the user when the VPN drops.

But wait. There's more!

Aloha causes DNS resolver race conditions Because Aloha does not bind DNS
to a virtual adapter because Aloha does not bind DNS to a virtual adapter.

It doesn't even stop there. It just gets worse.

Aloha does not set route metrics correctly, which why users often need to
run route -f to recover.

I coudl go on and on about how bad Aloha's implementation is, for example, 	
Aloha does not implement a TAP/TUN-style user-mode packet queue and, for
example, Aloha does not register with Windows Firewall as a VPN interface.

Aloha does not support IPv6 tunneling or IPv6 suppression.
Aloha does not implement a kill switch at any layer.

The evidence of how badly designed Aloha is, goes on seemingly forever.

In summary, the Windows Aloha browser is a scam because Aloha's Windows VPN
does not register a WFP callout, does not create an NDIS 6.x virtual
adapter, does not bind DNS to a tunnel interface, and does not register
with NCSI, meaning Windows has no way to detect the tunnel, enforce
VPN-aware firewall rules, or prevent traffic leakage when the tunnel
collapses.

When a "privacy" tool bypasses the Windows Filtering Platform (WFP) and
NDIS drivers in favor of raw routing table manipulation, it isn't just bad
design. It's a catastrophic failure of the "fail-closed" principle	.

[toc] | [next] | [standalone]

#3414

Maria Sophia wrote:
> In summary, the Windows Aloha browser is a scam because Aloha's Windows VPN
> does not register a WFP callout, does not create an NDIS 6.x virtual
> adapter, does not bind DNS to a tunnel interface, and does not register
> with NCSI, meaning Windows has no way to detect the tunnel, enforce
> VPN-aware firewall rules, or prevent traffic leakage when the tunnel
> collapses.

UPDATE. 

Good news, sort of. Well, not as bad news as it used to be, I guess.

Up until about version 4.18.0.0 (where 4.19.0.0 was released May 29, 2026),
prior Aloha versions would randomly drop the VPN while you were using it.

Since that's sadistically the very last thing anyone would expect a VPN
browser to do, that "feature" alone made the Aloha VPN browser worthless.

Luckily, the sadism of the developers seems to have abated somewhat in that
the current versions no longer randomly drop the VPN without any warning.

They still drop the VPN randomly.
And there still isn't any warning.

But if you keep the mouse on the browser at all times, they don't drop it.

It's only if the focus isn't on the browser now, that they will randomly
drop the VPN connection (usually within a minute or two in my experience).

When you manually bring the focus back on the browser, the VPN connection
stays off, but you can reconnect by clicking the gray VPN shield which, in
prior versions, would turn blue (indicating the VPN shield was active).

In Aloha version 4.18.0.0 and newer versions, clicking the gray (off) VPN
shield just brings up a dialog box asking you to pay to keep the VPN on. 

At the bottom of that dialog box is teeny tiny print where you can select
 "Continue with free servers"

Clicking on that teeny-tiny extra line will then turn the VPN shield blue.

And now you're back to the original setup (where it will stay blue until 
you remove focus on the browser, in which case it randomly turns gray).

In summary, the mechanism for Aloha to maintain the VPN connection has
drastically changed, where it takes more mouse movements now than before, 
but at least if you keep the focus on the browser at all times, the VPN no
longer sadistically randomly drops right out from under your feet.

It's still a terrible design, but at least it's no longer pure evil sadism.
-- 
Knowledge is just knowing what is while experience is knowing what happens.

[toc] | [prev] | [next] | [standalone]

#3415

Maria Sophia wrote:

[snip]

> In summary, the mechanism for Aloha to maintain the VPN connection has
> drastically changed, where it takes more mouse movements now than before,
> but at least if you keep the focus on the browser at all times, the VPN no
> longer sadistically randomly drops right out from under your feet.

Every ordinary user I know always works with apps like a browser 
full-screen, so losing the focus isn't a issue.

They don't seem to have understood that Windows means having the option 
for more than one window open on a screen.

What was it we had before Windows?  MS-DOS ???


-- 
Graham J

[toc] | [prev] | [next] | [standalone]

#3416

Graham J wrote:

> Every ordinary user I know always works with apps like a browser full- 
> screen, so losing the focus isn't a issue.

They tend to regard any explanation of how they could run apps 
not-maximised as being "told off".

> They don't seem to have understood that Windows means having the option 
> for more than one window open on a screen.

Dual monitors have given way to triple monitors for many users.

> What was it we had before Windows?  MS-DOS ???

Borland Sidekick?

[toc] | [prev] | [next] | [standalone]

#3417

Andy Burns wrote:
> Graham J wrote:
> 
>> Every ordinary user I know always works with apps like a browser full- 
>> screen, so losing the focus isn't a issue.
> 
> They tend to regard any explanation of how they could run apps 
> not-maximised as being "told off".
> 
>> They don't seem to have understood that Windows means having the option 
>> for more than one window open on a screen.
> 
> Dual monitors have given way to triple monitors for many users.
> 
>> What was it we had before Windows?  MS-DOS ???
> 
> Borland Sidekick?

I looked up all the reviews for Aloha VPN browser for Windows, and I
haven't found a single review that wasn't a shill, not surprisingly. 

That's pretty shocking that there isn't a single Windows Aloha real review.

Any "real review" of the VPN browser would have noted quite clearly that
every privacy tool, when it fails, should fail in the open condition only.

My original PSA warned that the VPN would randomly drop sans warning even
if the user constantly kept the mouse focus on the VPN browser window.

The latest update to the PSA revised that, in that in the current version
(4.0.19.0), the VPN stays active as long as the browser window has the
active focus, but the VPN still drops the connection within minutes, sans
warning, if the user clicks away to another window for that time period.
-- 
We can learn from each other on Usenet if we simply put our minds to it.

[toc] | [prev] | [next] | [standalone]

#3418

Graham J wrote:
> Every ordinary user I know always works with apps like a browser 
> full-screen, so losing the focus isn't a issue.
> 
> They don't seem to have understood that Windows means having the option 
> for more than one window open on a screen.
> 
> What was it we had before Windows?  MS-DOS ???

What's interesting is the irony of invoking MS-DOS (single-tasking) and
Borland Sidekick (a crude, pop-up text utility used to fake multitasking)
on a system satirically called "Windows" that behaves as if there is only
one chromium window running at a time (which is really a chromium issue).

While "windows" on Windows is the ironically paradoxical joke here, 
what's also ironically paradoxical about Aloha VPN is it's blazingly fast.

Yet, it's so fantastically Superman-fast because it's badly designed!
What a paradox!

It should be shocking to everyone, if I'm right that there isn't a single
real Windows VPN browser review on the entire Internet, that isn't a shill.

Having extensively tested the Windows VPN browser, here's my review of it.
 a. Blazing speed
 b. System-wide hijack
 c. Silent, random drops
 d. Broken routing & DNS
 e. No integration with Windows security model
 f. Structural, not performance, failures

Blazing speed:
 a. Apparent throughput: 
    Measured TCP/UDP transfers through Aloha's tunnel show very high 
    bandwidth and low latency compared with many consumer VPNs, where
    downloads and streaming feel near-native.
 b. Why it looks fast: 
    Because Aloha forces all traffic through raw routed paths without 
    encapsulation overhead (no full TAP/TUN encapsulation, no extra kernel
    filtering), packets bypass many normal VPN processing stages that add 
    CPU or queueing delay.	 

System-wide hijack: 
Aloha on Windows doesn't behave like a browser VPN-it rewrites the whole
routing table, so all traffic (not just browser traffic) is forced through
its tunnel, without using proper Windows VPN primitives (virtual adapter,
NDIS miniport, WFP, NLA, NCSI, etc.).

Silent, random drops: 
The tunnel collapses unpredictably, with no kill switch, no route lock, no
OS-level awareness. When it drops, Windows just sends everything out over
your normal connection-instantly exposing your real IP mid-session.

Broken routing & DNS: 
After a drop, routes and DNS are left in a half-broken state: leaks,
stalls, orphaned routes, resolver races, and users needing route -f to
recover.

No integration with Windows security model: 
Because it doesn't use official VPN APIs or register as a VPN interface,
Windows can't apply VPN-aware firewall rules, DNS policies, or "VPN
required" policies. The OS literally doesn't know a VPN is supposed to
exist.

Structural, not performance, failures: 
The instability isn't just "it's slow" or "it disconnects sometimes"-it's
architected in a way that guarantees unsafe behavior: no kill switch, no
IPv6 handling, no TAP/TUN-style queue, no WFP callout, no proper adapter,
no documentation. 	 
-- 
Knowledge is knowing what is, while experience is knowing what will happen.

[toc] | [prev] | [next] | [standalone]

#3419

On Tue, 6/9/2026 3:19 PM, Maria Sophia wrote:

> It should be shocking to everyone, if I'm right that there isn't a single
> real Windows VPN browser review on the entire Internet, that isn't a shill.
> 
> When it drops, Windows just sends everything out over
> your normal connection-instantly exposing your real IP mid-session.

It's not even listed as a "Chromium" browser.

  https://github.com/nerdyslacker/desktop-web-browsers

     Aloha Browser   WebKit,Blink    Windows    Fast, free, full-featured browser

It would take quite a while to review that browser list,
and start by weeding out the ones that are no longer
in development.

[Paul looks at his big-bucket-of-browsers, discovering
 the bucket is entirely empty.]

I don't think I even "want" to review browsers.

This would be like reviewing six different colors
of Docker pants :-) "Yeah, it stole my identity"
"Yeah, it has telemetry and reports every URL"
"Yeah, is that DOM folder big or what?"
That's hard work.

Speaking of Scumbaggery, Tomshardware has switched to the Deceptron FutureInc Web Format.
Oh, well. We were always told, control would only be taken away from Toms, if they
weren't making enough money for FutureInc. By not having scroll bars where you expect them,
and having scroll bars in places you don't need them, all your interface requirements
are met... as an advertiser. I'm using my PgDn and PgUp keys, to navigate items,
and that is a lot of fun. A lot. Of fun. I hope they don't like a lot of telemetry
that notes "pressed PgDn key 1000 times in 4 seconds". I had to turn off SVG rendering
on the browser I use for that, just to cut down on the sheer volume of crud on the page.

Yes, the Internet is alive and well, but is an acquired taste.

I had a Google AI summary, use a slop-page prepared by an AI, as
one of its "authoritative sources". My day is complete. You can't
get quality like this at the public library.

   Paul

[toc] | [prev] | [next] | [standalone]

#3420

Paul wrote:
>> When it drops, Windows just sends everything out over
>> your normal connection-instantly exposing your real IP mid-session.
> 
> It's not even listed as a "Chromium" browser.
> 
>   https://github.com/nerdyslacker/desktop-web-browsers
> 
>      Aloha Browser   WebKit,Blink    Windows    Fast, free, full-featured browser
> 
> It would take quite a while to review that browser list,
> and start by weeding out the ones that are no longer
> in development.
> 
> [Paul looks at his big-bucket-of-browsers, discovering
>  the bucket is entirely empty.]
> 
> I don't think I even "want" to review browsers.
> 
> This would be like reviewing six different colors
> of Docker pants :-) "Yeah, it stole my identity"
> "Yeah, it has telemetry and reports every URL"
> "Yeah, is that DOM folder big or what?"
> That's hard work.
> 
> Speaking of Scumbaggery, Tomshardware has switched to the Deceptron FutureInc Web Format.
> Oh, well. We were always told, control would only be taken away from Toms, if they
> weren't making enough money for FutureInc. By not having scroll bars where you expect them,
> and having scroll bars in places you don't need them, all your interface requirements
> are met... as an advertiser. I'm using my PgDn and PgUp keys, to navigate items,
> and that is a lot of fun. A lot. Of fun. I hope they don't like a lot of telemetry
> that notes "pressed PgDn key 1000 times in 4 seconds". I had to turn off SVG rendering
> on the browser I use for that, just to cut down on the sheer volume of crud on the page.
> 
> Yes, the Internet is alive and well, but is an acquired taste.
> 
> I had a Google AI summary, use a slop-page prepared by an AI, as
> one of its "authoritative sources". My day is complete. You can't
> get quality like this at the public library.


Hi Paul,

That's interesting. Very interesting. Maybe it's its own browser engine,
especially given the "vpn" part is nothing like any browser VPN anywhere.

For just one example, if you go on a system-wide VPN, the Aloha VPN won't
respect that system-wide VPN by punishing it with expensive metric changes.

I do very much appreciate that you looked up this strange Aloha thing.
 a. It's not really a chromium browser, after all, and,
 b. It's almost impossible to find a "real" reliable review for it.

Thanks for bringing up that detail, where if the Aloha situation is any
indication, basically "all" browser reviews are nothing more than shills.

BTW, even my browser review turned out to be wrong in a critical area.

I just ran some tests that I should have run prior to my recent posts.

In version 4.19.0.0, the Aloha browser loses the VPN randomly EVEN IF
the user keeps the mouse focus on the browser window at all times!

So, in reality, while the Aloha bastardized VPN is blazingly fast compared
to other VPNs I've tested (e.g., when I tested the Browsec VPN extension in
Brave), it's still worthless in the free version because it drops on you.

No matter what you do, the free VPN promise is a mere sadistic gotcha.
If you pay for the VPN, I'm sure it's really good. 

But the promise of the "trialware" VPN is so bad that it's shocking that
the developers based in Cypress should be ashamed at themselves for it.

Getting back to whether it's Chromium or "something else" and the reviews
of the browsers, I wish we could find a single review that isn't a shill.
-- 
Knowledge is one thing... experience is something else.

[toc] | [prev] | [standalone]

Back to top | Article view | alt.comp.microsoft.windows

csiph-web