This sounds like how I'd design a VPN if I were an intelligence agency.
I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)”
If NSA aren’t installed at Cloudflare, I wonder what they are even doing.
That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare.
People didn’t care when they learned about PRISM, why would they care now when it’s a known fact? The sane stance would be to assume Cloudflare is in cahoots with NSA.
The NSA leaks dominated news cycles for the entirety of 2013.
it does give better peering. reduces latency a bit for me.
That doesn't mean collusion
Anyone with a few crypto currencies in their wallet that can click a button on any of the booter services with botnets for hire.
The funny thing about that era is you knew they started using Cloudflare because they went from stable with constant uptime to going down and showing a Cloudflare banner randomly all the time for a good year or so. They ran worse with Cloudflare than they did while they were allegedly getting DDoSed. The whole company glows, as the late great HN commenter Terry Davis would've said.
This is a massive issue in my view, it allows correlation across multiple VPNs exit nodes, but that’s it. It doesn’t allow to identify you automatically. It does significantly lower the bars for identifying you though, but the requirements are still high.
Hopefully they fix this soon.
I can’t believe this type of “let’s make it a hash or something sensitive” still happen, and at mullvad, of all places. Why not randomise it simply?
If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for party that has a whole host of other bits on a list of suspects, without being useful to most other people.
Their ads on San Francisco's public transit are good.
Security is always a balance. Always
AI is showing that everything has a weak spot (wondering where are the "I don't make mistakes with C" now people are - but that's for another discussion)
There's another commenter mentioning this makes sense because exactly it avoids them keeping information on which customer is matched to which server. You know, one of the things you don't want to log
Could it be done better? Probably.
Here's a better idea, logging off is 100% safe
Meanwhile 99% of the normies will go for NordVPN
Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still.
So does your comment...
I don't know the answer, but there are two ways to take it:
1. Submarining to destroy confidence in an actually trustworthy, decent VPN company
2. They're an intelligence front.
For me, Mullvad have the appearance of the greatest likelihood of being legit since they're not aggressively pushing their product with lies and fear mongering. That gels with my vibe. If they're an intelligence front, well, most VPNs probably are as well, so I'm no worse off.
Luckily I'm not doing anything that would get me in the kind of trouble for which multi-jurisdictional cooperation is worthwhile.
I don't see how the author is arriving at this ">99% chance" purely from the numbers provided in the article. Assuming the first (banned IP) seed and the second seed are both in the range 0.4423 - 0.4358 (a stronger assumption than is justified by the example), all this tells us is that the first and second IP addresses both have seeds in a range that would contain 0.4423 - 0.4358 = 0.65% of all Mullvad users, which 0.0065 * 100,000 = 650 users. We've eliminated >99% of users as "suspects", but we haven't actually gotten >99% accuracy in identifying an individual across multiple exit IPs.
In more Bayesian thinking, the overlap in potential seeds is great evidence to think these IP addresses represent one and the same person (or Mullvad VPN account at least), but as far as I can tell, that's not what the author is saying.
What are the chances that someone uses this vpn, joins your forum the day after someone was banned, and has an ip in a similar range?
For most small websites this would be strong evidence.
If I'm on a public VPN, I don't want anyone to know who is making the request, including the terminating IP.
Think about it. By your logic, VPNs shouldn't be used for torrents because VPNs shouldn't anonymize you to the terminating IP. Whereas they work gangbusters for that.
If you are talking about private VPNs.. Mullvad isn't one.
I'm a little confused on this... what is stopping third parties from doing key rotations like the main app clients if it is detailed in the repo how to do it?
Knowing to do so, primarily.
It does seem ridiculous once you spell it out like that, and then you have to realize that it’s plausible to de-anonymize even Tor users by controlling exit nodes.
Most likely these people just look to hide their torrenting, saying political shit on Twitter from employer and not share their choice of porn with local ISP. Also just adding one more layer between them and occasional scammer who can sometimes infer more broad geodata from their IP leaked from yet another database. Oh and now to avoid "Show your ID" page on the same porn sites.
It works well enough for this goal. Not everyone needs NSA-proof solution.
PS: Obviously more tech savvy people understand importance of hiding traffic on public WiFi, but I doubt average Joe the VPN user will buy VPN for this.
Do you have any facts? I know they really on _additional_ stuff, but do you have sources showing that they never use cookies or source IPs?
Things you connect to or log in to are clearly going to be able to ID you at least with in the context of the login that you use regardless of what the VPN does.
I'm logged into HN through Mullvad as it happens. I usually leave it on regardless of what I'm doing because what I'm doing isn't my ISP's business even though I'm pretty happy with them.
1. It's the preferred VPN of TeamPCP.
Seems like a good deal to me. I don't care if they know I use mullvad, I care they don't know I'm me, and that's not something mullvad will easily disclose.
That's exactly what the article is about, a side channel information leak that de-anonymises users, did you read it?
I'll go ahead and answer that it can't. It knows I'm mullvad user X, thus deanonimization, "it knows I use mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".
But when you connect to the site from via server A and later via server B they can tell that you're the same person.
And they can deanonymise you through data brokers. All Mullvad IPs are traceable back to the same number (acting as a pseudo account identifier) so if you ever entered your PII on any website when using Mullvad, it can be linked to the same Mullvad account.
And if you ever visited any of those sites without using a VPN, your home IP can be linked to your Mullvad ID through browser fingerprinting.
And if you ever entered any PII on any website from your home IP, you can once again be deanonymised.
Now the existence of browser fingerprinting isn't Mullvad's fault, but this flaw makes it a lot easier to accidentally deanonymize yourself.
"23034 IPs to blocklist.txt"
blocked IPs they contain all VPN providers. Often VPN providers seed Geofeeds with wrong data, this is why i use traceroute and ping network to locate their real location.
If they're checking my locked doors, I don't want them coming in my unlocked doors.
Because I'm quite curious on where the IPs are from. Usually residential IPs is a fancy wording for malware infested devices from regular people.
Search for “mobile proxy” – those are usually cheap-ish monthly subscriptions, with unlimited traffic, and often an API to rotate the IP programmatically if you need it. No KYC, but you usually do have to sign up with an email.
yes, it's a bit more expensive because it's for different use cases. You can't use VPNs or Mullvad for anything mission critical. Just try to log in to your bank in US, it will increase your risk score on their end because VPNs by nature are very easy to detect whereas "residential proxies" much harder.
Naturally! I’m just saying there’s residential proxy providers that are a LOT cheaper than that.
(IIRC, you can usually reply to fresh comments if you click on the “n minutes ago” – the reply link should be visible there even if it isn’t shown in the main comments tree)
I’ve been implementing an Instagram liker service back in... 2018 was it? So a stable pool of non-flagged residential proxies was important here, and it was my client who introduced me to the concept of “mobile proxies”. Basically, they use regular 3G/4G/5G modems with regular SIM cards, and expose that as a SOCKS proxy. You get a normal-looking IP from a pool of mobile operator’s IPs. Since mobile devices reconnect all the time (and are behind a CGNAT mostly nowadays), you can’t really flag an IP like that – and if it is flagged, you can get a fresh one in a moment.
I’m not using this mostly because I’m too lazy to research. Here’s a random one I found (so not an endorsement!) which is $1/GB, seems to only require email to sign up, and takes crypto (including XMR): https://floppydata.com/
Like when I was travelling, sites would routinely use the language of my IP address location, not the language preference as I set it in my browser. So I would be served a site that I couldn't read. My only option was to use a VPN to spoof my location so that it would serve me a site in a language I understand.
What's the point of this? This seems more complicated to implement than mapping exit ips at the server level, so surely they must be doing this for a good reason?
If you get a new exit IP each time you connect, you need something like a NAT table to look up "key 0xabc exits ip 1.2.3.4", and that grows to be the size of the number of users you have active, and you need to save it forever so that when the NSA asks who used the IP for what duration you can tell them.
With a static mapping derived from the key, you don't need a table like that.
It's also better UX since it means reconnecting your VPN software (say you switch wifi hotspots) doesn't give you a different IP address, so things like SSH sessions can resume, which wouldn't be possible if it were a different public IP each time.
It's a practical measure, but definitely has a privacy cost though.
It seems more likely this is just about load-balancing use against their available nodes.
Given how much of the world is stuck behind CGNAT now, I would expect any major sites to handle it.
This is an AI comment from an AI account.
>Should I use a VPN?
Yes, almost certainly. A VPN has many advantages, including:
1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
4. Allowing you to bypass geo-restrictions on certain content.
In theory, but as someone who uses Mullvad in the UK on a day-to-day basis on my personal laptops (not my phone) - I'm using it now, I'm afraid there's quite an additional downside I've found, in that because Mullvad's (at least UK, but also French and Dutch ones I've tried) exit IPs are known, many companies (Cloudflare, Akamai) at the very least know about them, and several sites block access when using Mullvad, returning 403s.
Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise (using Firefox).
Sometimes using IPv6 in the Mullvad settings gets around this, but more and more recently I've found it doesn't, so there sites where I'm having to stop using Mullvad to actually access sites.
(I'm still a happy customer, and 1 to 3 are still true and why I use it otherwise).
What power is in $2.99/month that it offers so much security?
Why is that at least 40% of sponsorship to YouTube Creators seem to be from VPN industry?
What is that they know and we don't know?
Well, my ISP sent me a nice letter saying they intend to monetize my metadata, and mullvad has demonstrated in court that they don't have user data to give up.
> and how do you expect them to protect your identity in face of determined state actors that are afer you?
That's moving the goalposts; your parent comment didn't say anything about determined state actors. And defending against commercial actors is useful even if it doesn't help against state actors. I tend to assume the NSA can compromise anything. I'd like to ensure only the NSA can compromise my stuff.
One at least has open source software clients, and publishes audits from other 3rd-party audit organizations.
The other open source... nothing. Their client apps have dozens of trackers inside. And it's a dream to see any of the ISPs in my county publish any 3rd-party audits. Their other products (going with the service) have trackers and personalized targeting ads inside.
Yeah, in my 1 million alternate universes should I trust my ISP more.
VPNs are useful for the reasons you mentioned.
Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.
(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).
From outside the US I should be using a VPN end-point within the US, so that my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does.
I mean, let's be real.
All known US VPN servers and Tor exit nodes--and probably all US Tor relays regardless of exit policy--are going to be considered a totally legitimate "communications facility" target for the warrantless wiretapping system due to exactly the scenario you just posited.
From that perspective you'd be better off using US residential proxies. Of course, while they'll never admit it in court, NSA just does whatever they want, laws be damned, and are almost certainly logging everything. So while such a scheme might theoretically hinder the introduction of evidence in a court case, it doesn't really matter; NSA is still gonna see your traffic and they're still gonna either drone strike you or "parallel construction" your ass, anyway.
When you share the evidence for this, it will be international news.
This is highly subjective statement.
Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely high trust point while any commercial VPN is a low trust.
Most VPNs are untrustworthy, but unlike ISPs, you can choose from any VPN provider in the world, not just the two or three that are local to you. And there are VPN providers in the world that have been proven not to retain data by audits + actual court cases where the court determined that the VPN provider did not have the data authorities were seeking. Do your research and choose a court-proven VPN, it's that simple.
And then sells it?
What gives you the confidence that Bigfoot does not exist?
What gives you the confidence we're not ruled by Reptile overlords?
What gives you the confidence we're not just in the Matrix and nothing matters?
What gives you the confidence you're not just a dream by a dog in Sicily?
What gives you the confidence I even exist and you're not talking to yourself?
Neither of those is possible with my ISP.
Phone doesn't even need data if you have access to wifi wherever you stash it.
VPN chaining easier though.
Like you need to physically be there, need ability to connect phone it to electricity and somehow maintain if it e.g reboots. And stay anonymous while doing so? I'd say that Hollywood kind of solution.
That said, you might still want to use a VPN on top of that, depending on what you’re doing.
Citation needed.
For everyone in the industry it is le secret de Polichinelle.
Should I trust my ISP than Mullvad? LMFAO.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
They have their own tools + tor, they do not need mullvad.
>Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use braive. Don't use braive. Use vpn. Don't use vpn"
Then the debate spreads to all other aspects password managers, emails and etc
VPNs are a technical tool for technical people. You need to know exactly why you need it in order for it to be useful.
The most generous way of reading that would be the fact that every YouTube pushing for a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering but there's good reasons for using a VPN for a lot of reasons and it's not snake oil.