— celebrating 25 years

Skip to main content

Main menu
Home
Your account
Help
About us
Labs

Privacy policy

This page summarizes our policies and practices regarding information about you, our users. It does not constitute a contract and is subject to change.

Last updated: 2017-09-07

Contents

Our motivations

Whenever you interact with someone, it’s important to consider what drives them—what they want, how they make their money, and so on. For example, many Web sites support themselves by selling advertising space instead of taking payments directly from their users. Thus, their first loyalty is to the advertisers who are their real customers.

How does Hexillion make money?

Our business model is simple: we provide information services to our users for a fee. We don’t sell advertising space, customer lists, or information about our customers’ activities or interests.

In fact, many of our customers are security companies, lawyers, Internet intelligence companies, law enforcement agencies, and other government agencies that want complete privacy and security, so that’s what we aim to provide.

Why does Hexillion make tools available for free?

We offer limited use of our tools for free as a way of building our reputation and attracting interest in our tools. We want users to like the tools and recommend them to their friends and colleagues. Some fraction of the free users will want more access and features and thus become paying customers. In other words, we advertise our business with free use of our tools instead of putting banner ads on other sites.

Information collected as you use our site

Web logs

If you visit our site, our Web servers will make log entries as most servers do. These entries include such information as:

  • Your IP address
  • Pages visited
  • Time and date of visit
  • User agent string (browser and operating system identification)
  • Referrer URL

We only use these logs for troubleshooting and understanding our Web site traffic. We guard the logs carefully and don’t give them to anyone else. We might provide limited log information to authorities in special cases noted below.

Account usage

If you have an account, we will naturally keep track of your account balance and usage. In general we only record aggregate statistics about your usage (for example, how many times you used a particular tool within a certain time frame), but we may keep more detailed information such as the exact inputs and outputs of a few requests to help troubleshoot technical problems. We may keep results of your requests available to you on our servers for a limited time to save you the expense of making those requests again.

Cookies

You don’t need to enable cookies to use our site, but we do send cookies to your browser for your convenience in a couple of situations:

  • We send a cookie with the tool settings and inputs you’ve used most recently so you won’t have to re-type or re-select them when you switch tools.

  • We offer cookie-based authentication; that is, you have the option of using cookies to stay logged in to our site. (Most Web sites use cookies this way.)

We take steps to prevent other sites from embedding content from ours, so we can’t (and don’t) use cookies to track your activities elsewhere. Likewise, we don’t embed any third-party content or scripts, therefore there’s no way for other companies to use their cookies to track your visits to our site.

Back-end requests to third parties

When our systems make behind-the-scenes requests to third-party servers for Whois information, Web pages, DNS records, or other items, they never provide information about you directly to those servers. Furthermore, we mix the back-end requests made on your behalf with those made for our other users, thus masking the pattern of your activity to some degree.

In general, third-party servers will not be able to know that a request came from you unless they know that you asked for a particular record during some period of time. For example, if they can induce you to look up something distinctive, they can know you did it despite the fact the request came from our servers.

Information that you give us yourself

If you open a paid account with us, we ask for basic information such as:

  • Your name
  • Organization name
  • Email address
  • Phone number
  • Mailing address

We’ll also ask for payment-related information, though we do not retain sensitive information such as credit card numbers on our servers.

If you enter any preferences or settings for your account, we will keep those in our systems.

We store your password in encrypted form (a salted hash). This is a very strong system (bcrypt or better), but we still advise that you not use your Hexillion password for any other account. Consider using a password manager such as Password Safe or KeePass to help you use strong and different passwords for all of your accounts.

We keep all customer information strictly confidential and never provide it to anyone else without express consent unless we are legally compelled. We will make our best effort to notify you if we’re ever compelled, except when we are legally prohibited from doing so.

Anonymous users versus paying customers

We are happy to offer limited, free use of our tools to anonymous users from the Internet. Most of the time there is no problem at all, and we guard our users’ privacy jealously. However, inevitably, a few people try to use our site to attack others or prepare for such attacks. Thus, we must reserve the right to report such abuses and any relevant information we have about the abusers, including log entries, to the relevant authorities.

Our paying customers, on the other hand, have the greatest level of protection we can offer: though we reserve the right to terminate service in the case of abuses, we will not release customer information unless legally compelled to do so.

Unusual ways in which we protect your privacy

No advertising on our sites

We don’t display advertising on our pages, even on tools used by anonymous users for free. Serving ads from advertising networks would compromise your privacy by sending those networks information about your use of our site, including every page you visited that had ads. Such networks have also been known to (inadvertently) deliver malicious code in advertisements (“malvertising”). They also track your movements across sites that are showing their ads. And even if we served safe advertisements from our own servers, the advertisers would naturally want as much information about our users as possible to optimize their targeting. For these and other reasons, we serve no advertising at all.

No third-party analytics

Many organizations use third-party analytics services to understand how visitors are using their sites and where they come from. By their very nature, such analytics services involve reporting every page you visit to a third party. When many sites use those same services, the third party can also track your activity across the Web. At Hexillion we do our analysis in-house instead of using a service, thus keeping your activity on our sites confidential.

No third-party embedded content

Many sites embed third-party resources in their pages. In other words, when your browser loads those pages it requests additional resources such as images and JavaScript from entirely different sites. In doing so, your browser reveals the pages you’re visiting to third parties, particularly if it’s sending HTTP referrer headers (as is the default for all major browsers at this time). At Hexillion, by contrast, we don’t embed content in our pages from third parties at all—no fonts, style sheets, JavaScript frameworks, or images. We serve all our content from our own servers and don’t give your browser any reason to betray you. Furthermore, our site instructs browsers to not send referrer headers to external sites in general, thus preventing other sites we link to from knowing that you’re reaching them from a page on our site.

No content delivery networks (CDNs)

Many Web sites use CDNs to deliver their static content or even all of their content to you. CDNs are intermediaries that move the content closer to you physically and provide other services (such as DNS) for Web sites. This can improve performance and availability, but it comes at the expense of reporting your activity on a Web site to its CDN as well showing that CDN your movements across the many other sites that use it. Worse, when you’re getting the content over a supposedly secure connection, CDNs are men-in-the-middle and undermine the security properties of that connection. Specifically:

  • CDNs can see the unencrypted content of your requests and responses. You don’t have a direct, secure line to the site you’re visiting as you might think.

  • CDNs sometimes relay your requests to the site’s normal Web servers over an insecure connection. If you’re browsing https://example.com/ via a CDN, your connection to the CDN will be encrypted, but it may be passing your requests to the example.com server over a completely unsecured connection—and you’ll have no way of knowing.

  • CDNs sometimes serve their customers’ content using their own domains and TLS certificates instead of the customers’, thus putting the origin of the content into question. Suppose, for example, that you’re browsing https://www.xyz-corp.example/. If the embedded JavaScript files are served from a CDN at https://host123.cdn-company.example/, and the TLS certificate is for *.cdn-company.example, how can you know whether the JavaScript is originally from xyz-corp.example?

At Hexillion we serve all of our content directly from our own servers and domains, using TLS certificates for our own domains. We don’t use CDNs.

No client-side scripting

When you allow sites to run programs in your browser (JavaScript, WebAssembly, Flash, Java applets, etc.) you are giving them intimate access to your computer that can be easily abused—sandboxes notwithstanding—to track your activity across the Web, reveal your browsing history, reveal the identity you were trying to hide, and much more. Furthermore, because it’s so easy and common for honest sites to be subverted with malicious scripts, you open yourself to trouble by trusting even the trustworthy.

We don’t use any JavaScript or other client-side code on our site (except on the Browser Mirror tool that’s designed to show you some of your vulnerability to JavaScript). In fact, our servers send a Content Security Policy header with each page that tells your browser not to run any client-side code. You can do everything on our site with a locked-down browser that allows no JavaScript, Flash, or other such code.

No outsourced email

A lot of sites outsource their bulk emailing. In doing so, they reveal their customer lists, customer email addresses, and bulk communications to outside companies. In fact, many companies now outsource all of their email service, both incoming and outgoing. Again, this reveals the customers and their correspondence to third parties. At Hexillion we manage our own email on our own servers that deliver directly to your servers.

We don’t block Tor users

Because abusers sometimes cover their tracks by using Tor, some sites just block Tor users altogether. We recognize the important privacy and security benefits that Tor can provide, however, and don’t punish all Tor users for the misdeeds of the few. We don’t block Tor users for using Tor.

That said, as a practical matter, Tor funnels users through a relatively small number of exit routers and thus causes the users to share their daily allotment of free service units on our site. If you’re visiting our sites through Tor, you may find that you have few or no free units left on any given day. If switching to a different exit router doesn’t help, the only workaround is to get a paid account (that you can use through Tor).

We may need to update this policy in the future

Though our general stance on privacy is not likely to change, we will probably have to update the details of this policy as we get feedback and as issues arise. It won’t be practical to individually notify all our users or give advance notice, but we will try to bring your attention to any significant changes. In any case, you can always find the latest version right here.


© 1997–2024