| From | Maria Sophia <mariasophia@comprehension.com> |
|---|---|
| Newsgroups | alt.comp.os.windows-10, alt.comp.os.windows-11, alt.comp.microsoft.windows |
| Subject | Re: PSA: Windows Aloha browser system-wide IP leakage & dangerous design |
| Date | 2026-04-09 23:32 -0700 |
| Organization | BWH Usenet Archive (https://usenet.blueworldhosting.com) |
| Message-ID | <10ra5is$1h6b$1@nnrp.usenet.blueworldhosting.com> (permalink) |
| References | <10r7tan$2ro8$1@nnrp.usenet.blueworldhosting.com> <10r96ib$lc0k$4@dont-email.me> |
Cross-posted to 3 groups.
While the Windows Aloha browser is arguably the worst designed privacy
browser ever provided to Windows users, there appear to be two fundamental
flaws which make the browser unusable in a Windows environment.
The first flaw, of course, is that it's NOT a VPN browser by any stretch of
the imagination because it randomly drops the VPN every few minutes.
But the second flaw is the VPN implementation is almost sophomoric in being
different from every known professional implementation of browser based
VPN.
For example, a real VPN on Windows (WireGuard, OpenVPN TAP, IKEv2, etc.)
creates a virtual network adapter backed by an NDIS 6.x miniport driver.
This provides:
a. Stable Layer-2/Layer-3 encapsulation
b. Predictable routing behavior
c. A consistent interface index
d. A known MTU
e. A stable binding to TCP/IP stack components
Aloha does none of this.
Aloha
a. Injects routes pointing to a transient interface
b. Does not expose a stable adapter GUID
c. Does not register with the Network Location Awareness (NLA) service
d. Does not expose a proper MTU,
(causing fragmentation and path MTU blackholes)
Which is one reason why the Windows networking stack becomes unstable.
Windows provides official APIs for VPN clients:
a. RasDial / RasSetEntryProperties (legacy)
b. VpnPlugin APIs (modern UWP)
c. WFP callouts
d. NDIS lightweight filter drivers
Aloha uses none of them.
This means:
a. Windows cannot detect that a VPN is active
b. Windows cannot apply VPN-aware firewall rules
c. Windows cannot apply VPN-aware DNS policies
d. Windows cannot enforce "VPN required" policies
(e.g., for apps or enterprise profiles)
Which is one reason why the OS treats Aloha's VPN as "just another network
path" instead of a protected tunnel.
The more you look at the Aloha design, the worse you find it is.
For example, Aloha does not register with the Windows Network Connectivity
Status Indicator (NCSI) so Windows can't warn the user when the VPN drops.
But wait. There's more!
Aloha causes DNS resolver race conditions because Aloha does not bind DNS
to a virtual adapter.
It doesn't even stop there. It just gets worse.
Aloha does not set route metrics correctly, which is why users often need to
run route -f to recover.
I could go on and on about how bad Aloha's implementation is, for example,
Aloha does not implement a TAP/TUN-style user-mode packet queue and, for
example, Aloha does not register with Windows Firewall as a VPN interface.
Aloha does not support IPv6 tunneling or IPv6 suppression.
Aloha does not implement a kill switch at any layer.
The evidence of how badly designed Aloha is, goes on seemingly forever.
In summary, the Windows Aloha browser is a scam because Aloha's Windows VPN
does not register a WFP callout, does not create an NDIS 6.x virtual
adapter, does not bind DNS to a tunnel interface, and does not register
with NCSI, meaning Windows has no way to detect the tunnel, enforce
VPN-aware firewall rules, or prevent traffic leakage when the tunnel
collapses.
When a "privacy" tool bypasses the Windows Filtering Platform (WFP) and
NDIS drivers in favor of raw routing table manipulation, it isn't just bad
design. It's a catastrophic failure of the "fail-closed" principle.
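
Added example, not part of the original post: a read-only PowerShell check that lists, for every active IPv4 and IPv6 default route, the properties the post names (interface index, effective metric, MTU, adapter GUID, NLA profile, DNS binding). It uses only the built-in NetTCPIP, NetAdapter, NetConnection and DnsClient cmdlets; the report column names are chosen here for illustration.

```powershell
# Added example: audit which interface carries default-route traffic and
# whether Windows sees it as a managed adapter. Read-only, changes nothing.
$defaults = Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue

$report = foreach ($r in $defaults) {
    # Per-interface IP settings: interface metric and MTU for this address family.
    $ipif = Get-NetIPInterface -InterfaceIndex $r.ifIndex -AddressFamily $r.AddressFamily -ErrorAction SilentlyContinue
    # Adapter object (hidden ones included) gives the adapter GUID, if any.
    $adapter = Get-NetAdapter -InterfaceIndex $r.ifIndex -IncludeHidden -ErrorAction SilentlyContinue
    # NLA connection profile; empty when NLA has not classified the interface.
    $nla = Get-NetConnectionProfile -InterfaceIndex $r.ifIndex -ErrorAction SilentlyContinue
    # DNS servers configured on this interface for this address family.
    $dns = Get-DnsClientServerAddress -InterfaceIndex $r.ifIndex -AddressFamily $r.AddressFamily -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Prefix          = $r.DestinationPrefix
        IfIndex         = $r.ifIndex
        Alias           = $r.InterfaceAlias
        NextHop         = $r.NextHop
        # Windows picks the route with the lowest route metric + interface metric.
        EffectiveMetric = $r.RouteMetric + $ipif.InterfaceMetric
        Mtu             = $ipif.NlMtu
        AdapterGuid     = $adapter.InterfaceGuid
        NlaProfile      = $nla.Name
        DnsServers      = $dns.ServerAddresses -join ', '
    }
}

# Lowest EffectiveMetric per prefix is the path traffic actually takes.
$report | Sort-Object Prefix, EffectiveMetric | Format-Table -AutoSize
```

Run it once with the tunnel up and once after it drops, then compare which row has the lowest EffectiveMetric for `0.0.0.0/0` and for `::/0`. A winning row with an empty AdapterGuid, NlaProfile or DnsServers, or a `::/0` route that stays on the physical adapter while IPv4 is tunnelled, is the condition to investigate.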