Mullvad exit IPs are surprisingly identifying(tmctmt.com) |
>Should I use a VPN?
Yes, almost certainly. A VPN has many advantages, including:
1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
4. Allowing you to bypass geo-restrictions on certain content.
What power is in $2.99/month that it offers so much security?
Why is it that at least 40% of sponsorships to YouTube creators seem to be from the VPN industry?
What is it that they know and we don't know?
Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.
(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).
In theory, but as someone who uses Mullvad in the UK on a day-to-day basis on my personal laptops (not my phone) - I'm using it now, I'm afraid there's quite an additional downside I've found, in that because Mullvad's (at least UK, but also French and Dutch ones I've tried) exit IPs are known, many companies (Cloudflare, Akamai) at the very least know about them, and several sites block access when using Mullvad, returning 403s.
Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise (using Firefox).
Sometimes using IPv6 in the Mullvad settings gets around this, but more and more recently I've found it doesn't, so there are sites where I'm having to stop using Mullvad to actually access them.
(I'm still a happy customer, and 1 to 3 are still true and why I use it otherwise).
VPNs are useful for the reasons you mentioned.
This is a highly subjective statement.
Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely a high-trust point while any commercial VPN is a low-trust one.
They have their own tools + tor, they do not need mullvad.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
>Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use braive. Don't use braive. Use vpn. Don't use vpn"
Then the debate spreads to all other aspects: password managers, email, etc.
VPNs are a technical tool for technical people. You need to know exactly why you need it in order for it to be useful.
The most generous way of reading that would be that every YouTuber pushing a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering, but there are good reasons for using a VPN, and it's not snake oil.
Yes, obviously.
> VPNs are snake oil
Huh?
Rotating your VPN endpoint will resolve the issue. It might take two or three tries.
Many, many examples out there. "We don't keep logs" is neither good enough nor realistic, because how else is a VPN provider supposed to protect itself if it doesn't keep a log of what's happening inside and through its own systems?
One at least has open source software clients, and publishes audits from other 3rd-party audit organizations.
The other open source... nothing. Their client apps have dozens of trackers inside. And it's a dream to see any of the ISPs in my county publish any 3rd-party audits. Their other products (going with the service) have trackers and personalized targeting ads inside.
Yeah, in my 1 million alternate universes should I trust my ISP more.
Well, my ISP sent me a nice letter saying they intend to monetize my metadata, and mullvad has demonstrated in court that they don't have user data to give up.
> and how do you expect them to protect your identity in face of determined state actors that are after you?
That's moving the goalposts; your parent comment didn't say anything about determined state actors. And defending against commercial actors is useful even if it doesn't help against state actors. I tend to assume the NSA can compromise anything. I'd like to ensure only the NSA can compromise my stuff.
From outside the US I should be using a VPN end-point within the US, so that my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does.
I mean, let's be real.
All known US VPN servers and Tor exit nodes--and probably all US Tor relays regardless of exit policy--are going to be considered a totally legitimate "communications facility" target for the warrantless wiretapping system due to exactly the scenario you just posited.
From that perspective you'd be better off using US residential proxies. Of course, while they'll never admit it in court, NSA just does whatever they want, laws be damned, and are almost certainly logging everything. So while such a scheme might theoretically hinder the introduction of evidence in a court case, it doesn't really matter; NSA is still gonna see your traffic and they're still gonna either drone strike you or "parallel construction" your ass, anyway.
When you share the evidence for this, it will be international news.
Most VPNs are untrustworthy, but unlike ISPs, you can choose from any VPN provider in the world, not just the two or three that are local to you. And there are VPN providers in the world that have been proven not to retain data by audits + actual court cases where the court determined that the VPN provider did not have the data authorities were seeking. Do your research and choose a court-proven VPN, it's that simple.
Neither of those is possible with my ISP.
That said, you might still want to use a VPN on top of that, depending on what you’re doing.
Citation needed.
For everyone in the industry it is le secret de Polichinelle.
Should I trust my ISP more than Mullvad? LMFAO.
Of course there is, and to a huge extent. They know they can get away with it, so they do.
Phone doesn't even need data if you have access to wifi wherever you stash it.
VPN chaining easier though.
Like you need to physically be there, need the ability to connect the phone to electricity and somehow maintain it if it e.g. reboots. And stay anonymous while doing so? I'd say that's a Hollywood kind of solution.
And then sells it?
What gives you the confidence that Bigfoot does not exist?
What gives you the confidence we're not ruled by Reptile overlords?
What gives you the confidence we're not just in the Matrix and nothing matters?
What gives you the confidence you're not just a dream by a dog in Sicily?
What gives you the confidence I even exist and you're not talking to yourself?
You're entitled to your conspiracy theories and paranoia of course, but it's not an argument.
Some aspects of the described behavior are as we intended and some are not. The cause is not exactly as described in the blog post. As for mitigation, we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try to reproduce the blog post's findings you may get confusing results throughout the day.
We will also re-evaluate whether the intended behaviors are acceptable or not. Some of this is a trade-off between multiple aspects of privacy, and multiple aspects of user experience.
Please note that this is my current understanding, which may change. I was only made aware of this an hour ago, and most of that time was spent talking with Ops, considering what to do immediately, and writing this post.
Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away.
It's also worth stating that the client (including the cli client -- which, with a bit of work, you can get running in most situations where you'd use native wireguard) by default has a key rotation interval of I think 72 hours.
`mullvad tunnel get` will show it and `mullvad tunnel set rotation-interval <hours>` will change it. This is the preferred mitigation method of the post.
I personally don't mind having a pseudo-static IP (some other suppliers offer a static IPv4 as a feature!) as I wish to prevent network-level snooping from my ISP and governments. It's also worth stating that I think having a smaller IP space is an advantage for a privacy VPN: there are more potential users acting behind any given externally visible IP. Combined with technologies like DAITA (which effectively adds chaff to the tunnel) and multi-hop entrances, I personally think that this service really does plausibly make life harder for those who snoop netflows all day.
This was an interesting finding, though as kfreds mentioned it would have been better to notify the vendor before publishing.
The main finding (IP-position-in-pool correlation between servers) seems to include genuinely unintended behaviour. Given our great experience with the Mullvad team, I'm sure this will be addressed soon.
In general, if you want different "identities", you should make sure to rotate or use different WireGuard keys.
One small thing from the article I'll comment on:
> Surprisingly, the exit IP you are given is not randomized each time you connect to the server, but deterministically picked based on your WireGuard key, which rotates every 1 to 30 days (unless you use a third-party client, in which case it never rotates).
Context: WireGuard is by design[1] a "Connection-less Protocol", there's no concept of a connection, there's only a "re-keying handshake" (key here refers to the ephemeral Diffie-Hellman key, not the WireGuard key) every 2-3 minutes ONLY IF there's traffic flowing.
The above statement is not too surprising if you consider the counterfactual: What would happen if, even with the same WireGuard key, the exit IP were randomized each time you "connect" to the server (say each time there is a "re-keying handshake", or at a more frequent cadence (e.g. every 15 minutes) than the WireGuard key rotation).
In this scenario, ~every 15 minutes:
- At the Transport layer, all your in-tunnel connections that are on non-roaming protocols (basically everything except QUIC) would be disrupted, and the connections would have to be re-established.
- At the Application layer, many application-level sessions that treat "same cookie, new IP" as suspicious would trigger logouts, CAPTCHAs, or risk scoring.
Both are terrible UX, and what's worse would also make users much more uniquely fingerprintable ("this person keeps reconnecting from a different IP, they must be using Mullvad").
Sorta odd you don't support one of Europe's most popular distros.
How to report a bug or vulnerability
... we (currently) have no bug bounty program ... send an email to support@mullvadvpn.net
https://mullvad.net/en/help/how-report-bug-or-vulnerability / https://archive.vn/BeHhr
This sounds like how I'd design a VPN if I were an intelligence agency.
I don't see how the author is arriving at this ">99% chance" purely from the numbers provided in the article. Assuming the first (banned IP) seed and the second seed are both in the range 0.4423 - 0.4358 (a stronger assumption than is justified by the example), all this tells us is that the first and second IP addresses both have seeds in a range that would contain 0.4423 - 0.4358 = 0.65% of all Mullvad users, which is 0.0065 * 100,000 = 650 users. We've eliminated >99% of users as "suspects", but we haven't actually gotten >99% accuracy in identifying an individual across multiple exit IPs.
In more Bayesian thinking, the overlap in potential seeds is great evidence to think these IP addresses represent one and the same person (or Mullvad VPN account at least), but as far as I can tell, that's not what the author is saying.
What are the chances that someone uses this VPN, joins your forum the day after someone was banned, and has an IP in a similar range?
For most small websites this would be strong evidence.
If I'm on a public VPN, I don't want anyone to know who is making the request, including the terminating IP.
Think about it. By your logic, VPNs shouldn't be used for torrents because VPNs shouldn't anonymize you to the terminating IP. Whereas they work gangbusters for that.
If you are talking about private VPNs.. Mullvad isn't one.
VPNs are not 100% anonymous. They are not meant to be. Instead, they are meant to provide some level of privacy to law-abiding adults.
Most people would be embarrassed if their co-workers and neighbors knew the intimate personal details of their lives. Things they like, things they buy, things they do, etc. So, most people should use a VPN to protect their privacy.
By definition, 'most people' don't want or expect 100% anonymity online. They just want a bit of privacy in their personal life and their relationships. That's it.
VPNs don't protect (and are not intended to protect) criminals who want 100% anonymity from governments while committing online crimes. This is an important distinction. 'Most people' are not criminals and do not have this unrealistic expectation from Mullvad and other VPN providers.
I'd not throw the report out just due to what you argue here. These findings are valid nonetheless.
Edit: In hindsight I regret making this comment. It was unnecessary, but removing it now would look weird.
It does seem ridiculous once you spell it out like that, and then you have to realize that it’s plausible to de-anonymize even Tor users by controlling exit nodes.
Things you connect to or log in to are clearly going to be able to ID you at least with in the context of the login that you use regardless of what the VPN does.
I'm logged into HN through Mullvad as it happens. I usually leave it on regardless of what I'm doing because what I'm doing isn't my ISP's business even though I'm pretty happy with them.
Most likely these people just want to hide their torrenting, hide saying political shit on Twitter from their employer, and not share their choice of porn with their local ISP. Also just adding one more layer between them and the occasional scammer who can sometimes infer broader geodata from their IP leaked from yet another database. Oh, and now to avoid the "Show your ID" page on the same porn sites.
It works well enough for this goal. Not everyone needs an NSA-proof solution.
PS: Obviously more tech savvy people understand the importance of hiding traffic on public WiFi, but I doubt average Joe the VPN user will buy a VPN for this.
I'm a little confused on this... what is stopping third parties from doing key rotations like the main app clients if it is detailed in the repo how to do it?
Knowing to do so, primarily.
Putting aside the IP correlation across multiple servers, at first I wondered why even keep the user IP stable on one server. But I think it makes sense because as the author states other VPNs usually have only one IP per server so they are essentially simulating that. The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.
The IP correlation across multiple servers they should fix though with something like rand.seed(user_pub_key + server_id)
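The comment above proposes seeding the exit-IP choice with the server identity as well as the key. As an added illustration (not code from the article, from Mullvad, or from any commenter), the following models both schemes side by side: a hypothetical SHA-256-based seed in place of whatever Mullvad really uses, two exit pools taken from documentation address ranges with deliberately different sizes, and made-up server labels. It shows why a key-only seed makes the same key land at the same relative position in every pool (so an observer can link exits across servers), and why mixing in the server identity breaks that correlation.

```python
import hashlib
import ipaddress
import random

# Everything below is a constructed model, not Mullvad's implementation.

def key_position(material: bytes) -> float:
    """Hash seed material to a number in [0, 1). Hypothetical stand-in for
    whatever function the real service derives the exit IP from."""
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:8], "big") / 2**64

def make_pool(prefix: str) -> list[str]:
    """All host addresses of a prefix, in order, as one server's exit-IP pool."""
    return [str(h) for h in ipaddress.ip_network(prefix).hosts()]

def exit_ip_key_only(pubkey: bytes, pool: list[str]) -> str:
    """Scheme the article describes: the position depends on the key alone,
    so it is the same fraction of the way through every server's pool."""
    return pool[int(key_position(pubkey) * len(pool))]

def exit_ip_key_and_server(pubkey: bytes, server_id: str, pool: list[str]) -> str:
    """The comment's proposed fix: mix the server identity into the seed,
    so positions on different servers are unrelated."""
    return pool[int(key_position(pubkey + server_id.encode()) * len(pool))]

def relative_position(ip: str, pool: list[str]) -> float:
    """Where an exit IP sits in its pool, normalised to [0, 1)."""
    return pool.index(ip) / len(pool)

def could_be_same_key(ip_a: str, pool_a: list[str], ip_b: str, pool_b: list[str]) -> bool:
    """An observer's test: two exits at (almost) the same relative position in
    two different pools are consistent with one key under the key-only scheme.
    Integer truncation means each position is within 1/len(pool) of the seed."""
    tolerance = 1 / len(pool_a) + 1 / len(pool_b)
    return abs(relative_position(ip_a, pool_a) - relative_position(ip_b, pool_b)) < tolerance

def linkable_fraction(scheme: str, n_keys: int = 200) -> float:
    """Fraction of constructed keys whose exits on two servers look linkable.
    Expect 1.0 for "key-only" and only chance-level matches otherwise."""
    rng = random.Random(1)
    pool_a = make_pool("198.51.100.0/24")   # 254 hosts, documentation range
    pool_b = make_pool("203.0.113.0/25")    # 126 hosts, documentation range
    linked = 0
    for _ in range(n_keys):
        pubkey = rng.randbytes(32)          # stand-in for a WireGuard public key
        if scheme == "key-only":
            ip_a = exit_ip_key_only(pubkey, pool_a)
            ip_b = exit_ip_key_only(pubkey, pool_b)
        else:
            ip_a = exit_ip_key_and_server(pubkey, "server-A", pool_a)
            ip_b = exit_ip_key_and_server(pubkey, "server-B", pool_b)
        if could_be_same_key(ip_a, pool_a, ip_b, pool_b):
            linked += 1
    return linked / n_keys

if __name__ == "__main__":
    print("key-only linkable:", linkable_fraction("key-only"))
    print("key+server linkable:", linkable_fraction("key-and-server"))
```

The key-and-server variant keeps the property the previous comment values (the same key always gets the same IP on a given server, so no per-connection NAT table is needed) while removing the cross-server correlation; the residual matches it reports are the chance collisions any observer would also get between unrelated users.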
Maybe a clientside hint that gets rotated in some circumstances with options to toggle it off would be appropriate. That should be fine as long as you don't care about someone being able to control their exit IP reliably.
On the flip side, if they’re getting banned by a service because of a noisy neighbor on the same IP, they’d have no way to work around that, no?
1. It's the preferred VPN of TeamPCP.
>The whole operation ran primarily from Mullvad VPN exit nodes and virtual private server infrastructure, with little effort made to blend in. This was a high-tempo, low-stealth campaign designed to extract as much value as possible, as fast as possible.[1]
>Wiz CIRT observed the bulk of TeamPCP’s activity originating from Mullvad Virtual Private Network (VPN) exit nodes and virtual private server hosts such as InterServer.[2]
1: https://www.oligo.security/blog/teampcp-campaign-the-evoluti...
2: https://www.wiz.io/blog/tracking-teampcp-investigating-post-...
Also if the threat model you're addressing w/ VPN usage is anything other than "I don't want my ISP to know what I'm doing" you need to use/do something else.
"23034 IPs to blocklist.txt"
The blocked IPs contain all VPN providers. Often VPN providers seed geofeeds with wrong data, which is why I use traceroute and ping to locate their real location.
Seems like a good deal to me. I don't care if they know I use mullvad, I care they don't know I'm me, and that's not something mullvad will easily disclose.
That's exactly what the article is about, a side channel information leak that de-anonymises users, did you read it?
I'll go ahead and answer that it can't. It knows I'm Mullvad user X, thus deanonymization, "it knows I use Mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".
What's the point of this? This seems more complicated to implement than mapping exit ips at the server level, so surely they must be doing this for a good reason?
If you get a new exit IP each time you connect, you need something like a NAT table to look up "key 0xabc exits ip 1.2.3.4", and that grows to be the size of the number of users you have active, and you need to save it forever so that when the NSA asks who used the IP for what duration you can tell them.
With a static mapping derived from the key, you don't need a table like that.
It's also better UX since it means reconnecting your VPN software (say you switch wifi hotspots) doesn't give you a different IP address, so things like SSH sessions can resume, which wouldn't be possible if it were a different public IP each time.
It's a practical measure, but definitely has a privacy cost though.
It seems more likely this is just about load-balancing use against their available nodes.
Given how much of the world is stuck behind CGNAT now, I would expect any major sites to handle it.
I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)”
If NSA aren’t installed at Cloudflare, I wonder what they are even doing.
Anyone with a few crypto currencies in their wallet that can click a button on any of the booter services with botnets for hire.
The funny thing about that era is you knew they started using Cloudflare because they went from stable with constant uptime to going down and showing a Cloudflare banner randomly all the time for a good year or so. They ran worse with Cloudflare than they did while they were allegedly getting DDoSed. The whole company glows, as the late great HN commenter Terry Davis would've said.
This is a massive issue in my view. It allows correlation across multiple VPN exit nodes, but that's it. It doesn't allow them to identify you automatically. It does significantly lower the bar for identifying you though, but the requirements are still high.
Hopefully they fix this soon.
I can't believe this type of "let's make it a hash of something sensitive" still happens, and at Mullvad, of all places. Why not simply randomise it?
If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for a party that has a whole host of other bits on a list of suspects, without being useful to most other people.
Sure, there are other intelligence agencies, but that's the one I'd be the most worried about. Since either they run it, or they would know of it and want to emulate the idea, or know of it and have access to it from the partner agency running it. Or they are not a threat to me.
There's also the issue of there being no publicly known cases of someone who used Mullvad being deanonymized through the VPN rather than through some other opsec failure. If an intelligence agency has this capability they have been sitting on it for almost 2 decades without making use of the data. Hard to believe.
Wow, I didn't realize Mullvad was this old! Then again, maybe they weren't popular enough back then for intelligence agencies to target them? For instance, Mullvad kinda rode WireGuard's popularity wave by being the first(?) VPN provider to implement the protocol. Big ads on billboards came even later. So maybe they only became a target in recent years?
So does your comment...
I don't know the answer, but there are two ways to take it:
1. Submarining to destroy confidence in an actually trustworthy, decent VPN company
2. They're an intelligence front.
For me, Mullvad have the appearance of the greatest likelihood of being legit since they're not aggressively pushing their product with lies and fear mongering. That gels with my vibe. If they're an intelligence front, well, most VPNs probably are as well, so I'm no worse off.
Luckily I'm not doing anything that would get me in the kind of trouble for which multi-jurisdictional cooperation is worthwhile.
I think it's safe to assume that intelligence agencies have other options available to them, such as country-wide timing attacks.
If they're checking my locked doors, I don't want them coming in my unlocked doors.
That is a binary thought process with a lot of assumptions. You might introduce even more attack surface in pursuit of this "security" measure by installing additional software like fail2ban, for example. Close your ports, maybe assign a non-standard port to the popular ones (like SSH) to reduce log spam, and patch your server often. Anything more complicated than that is not worth it, IMO.
Like when I was travelling, sites would routinely use the language of my IP address location, not the language preference as I set it in my browser. So I would be served a site that I couldn't read. My only option was to use a VPN to spoof my location so that it would serve me a site in a language I understand.
This is not anything specific against Nord, I don't know anything about them. However, at this point, I take YouTube/influencer ads as a very negative signal towards the product being pushed. I am not sure if that's fair, but that's just my gut feeling given the entire YouTube ad scene.
I think it's the cost per viewer, where "scams" are more profitable than a honest business, and that makes my gut tingle. Again, to be fair, I may be being a jerk here with my judgment.
As for our support team they are responsive and experienced. Several of them have worked with us for many years and do offensive security research in their free time.
Unlike many organisations we don't see customer support as a cost center, just like we don't see security as a cost center. Our support team represent our customers, and as a consequence contribute a lot to how we prioritise our roadmap.
I second this.
Clearly the person who wrote "Oof" has never emailed Mullvad support.
Whenever I have emailed Mullvad support I have received a prompt reply from a human being who clearly actually cares about taking ownership of the question and seeing it through to resolution.
I have also witnessed first-hand the support person taking the question to an internal team member where it requires additional input. So there are clear paths for escalation if circumstances require it.
Finally the support mail allows for PGP encryption of communications too.
(I am not a Mullvad shill. Not a Mullvad employee. Just a satisfied customer)
"Just email support@" feels like you don't care. That you do, and that your support team is awesome, doesn't change the fact that there are other companies out there whose aren't. Security people are human with human egos, and they want to feel special, so giving them a special way to reach you, even if it's the same thing behind the scenes, makes a world of difference.
I'm not familiar with how you run your company -- without the context you gave most people would hesitate emailing support@ for security issues.
Do you have people whose role is explicitly security? Who are the security SMEs in your organization if not? I personally find the "Security is so important to us that we don't have a team dedicated to it" argument weak, and it often results in misaligned incentives: if individuals have to alternate hats from "deliver results" to "properly vet security", the business push to deliver tends to win out. I'd be very curious to hear how you ensure your team doesn't fall into that trap.
But it is Mullvad's?
I think I'm from a spoiled part of the internet (as in, with an ISP that legit cares) so maybe I'm biased, but swapping one vendor out for another seems relatively no-op to me. Is it that there is a bigger pool of VPN providers than ISPs available at a given address (even when including (M)VNOs), and so it's easier to find one that sounds like they care as much as the ISP should have?
>The Mullvad VPN app is available in our repository for the following supported Linux distributions:
Ubuntu (24.04+) Debian (12+) Fedora (42+)
The only thing I see on the issue you linked is a way to jerry-rig the fedora package. When I tried that I kept getting untrusted key warnings. You can skip them of course, but it kind of undermines any type of trust here
Yes, the expected procedure would be to trust those keys for that package instead of disabling integrity checks.
This is an issue between you and your package manager and not something Mullvad or any other packager (except OpenSUSE maintainers) can fix for you.
You complain about the packaging and support of mullvad maintainers when you are having skill issues with your distro.
https://github.com/mullvad/mullvadvpn-app/issues/2242#issuec...
It's a skill issue that the thread has a bunch of different solutions and none of them are definitive and endorsed by the company I'm paying $5 a month to?
All things considered, there are just an incredibly small number of IPs shared among all users, no matter the allocation strategy.
I'm also stuck in a 2 year ISP contract
Why can't it aim to solve what it can do? Tor is a great example: the Tor network itself can't perfectly anonymize you due to browser fingerprinting, but users of the Tor Browser get both the Tor network resisting deanonymization on a network level and a browser with plenty of anti-fingerprinting measures built in. A VPN could aim to prevent deanonymization on a network level so that users who want to stay anonymous can use the VPN in combination with fingerprinting-resistant software.
yeah, spicy
But when you connect to the site via server A and later via server B they can tell that you're the same person.
And they can deanonymise you through data brokers. All Mullvad IPs are traceable back to the same number (acting as a pseudo account identifier) so if you ever entered your PII on any website when using Mullvad, it can be linked to the same Mullvad account.
And if you ever visited any of those sites without using a VPN, your home IP can be linked to your Mullvad ID through browser fingerprinting.
And if you ever entered any PII on any website from your home IP, you can once again be deanonymised.
Now the existence of browser fingerprinting isn't Mullvad's fault, but this flaw makes it a lot easier to accidentally deanonymize yourself.
Privacy = hide what I am doing
Anonymity = hide who I am
If site A and site B share some backchannel, then they can share what I was doing on their site, but aside from "this person is on Mullvad endpoint A1", they can't infer who I am[0]. To those sites, I am anonymous but not private.
On the other hand, to my ISP, I am private but not anonymous. They can see a tunnel originating from my home IP to Mullvad, so they know exactly who is connecting to Mullvad. But they don't know what I am doing inside that tunnel or where it leads beyond Mullvad.
That is the whole crux of a public VPN. The ISP doesn't know who to tell who I am, and the sites (and other terminating IPs) don't know who to tell what I'm doing, because the VPN breaks the chain in both directions.
So, if you torrent a movie illegally, the movie studio can only send an angry letter to Mullvad about someone on endpoint A1 torrenting their movie at 22:34. If it were possible for them to tell your ISP that you downloaded something illegally (privacy, the what), your ISP would have to give your address to the movie studio for a settlement fine (anonymity, the who).
It is kind of hilarious I am at -3 when parent is still in the positive, when he is so utterly wrong. But that's modern HN for ya.
[0]Fingerprinting obviously can throw a spanner into that, but that has nothing to do with the VPN. And it can be mitigated.
Oh my god, this is how & when I realize that Terry Davis (rest in peace) used to use Hacker News too: https://news.ycombinator.com/threads?id=TerryADavis
https://news.ycombinator.com/item?id=10061171 (From this comment written by terry):
"I wrote all the code from scratch, including a 20,000 line of code compiler that makes x86_64 machine code from HolyC or Asm and operates AOT and JIT.
My JIT mode is not interpreted. It optimizes and compiles to x86_64 machine code.
I was chosen by God because I am the best programmer on the planet and God boosted my IQ with divine intellect." -Terry A Davis.
Foiled by light speed once again :). Interesting blog post, thanks for sharing.
Checking out Windscribe pricing just now, I get a Cloudflare captcha. Really nice of them to make vendor selection that much easier: only two contenders left!
We operate nearly 1,400 servers across almost 160 countries ourselves. From our perspective, it is VERY hard to maintain and expand a network infrastructure of this scale. When you start getting servers in West Africa, Northern Africa, the plains in North America, or Oceania, the Eastern Indian Ocean, you are expected to pay magnitudes more compared to servers with equal performance in NYC or Amsterdam. Maintaining such a diversified network infrastructure from a technical point of view is extremely challenging. Then there is the official and bureaucratic process.
Now, we are just scratching the surface. VPNs require high volume traffic throughput. Some countries (entire countries) just do not have the capacity to offer that.
So, most of the time VPN companies tend to work with specialty VPN infrastructure companies. They provide everything from hosting to networking across dozens of locations they operate in. I believe there are even white-label VPN companies that handle everything from infrastructure all the way to billing and even support. You just bring your branding. It can be argued that there is little incentive to go out there and do it all from scratch.
Is it intentional or just obscuring? From what we see, it leans intentional. The location they report is not inaccurate information by accident, it looks quite deliberate. Legacy IP geolocation services rely on something called a geofeed. A geofeed is a self-reported unverifiable report published by a network operator. Geofeeds are not widely adopted (1.5% of IPv4 and 0.70% of IPv6 allocated prefixes, 2023 data), but VPN providers maintain theirs diligently. They actively publish the locations they want IP geolocation providers to report.
One point raised by a journalist on the reporting side: imagine your VPN server points to one of the offshore islands in the Caribbean that sit outside US jurisdiction, only to find out the actual VPN server is in Miami. That is a bit risky.
It should always be assumed that someone else (if not several someone elses) have already discovered the same flaw and are currently taking advantage of it while users remain totally unaware of their actual risk. By going public immediately, you give as many of those users as possible a chance to protect themselves.
Waiting to disclose something harmful when the users in danger could otherwise take steps to make themselves safe would be like not warning people entering a building not to go in because of a gas leak until after you've contacted the building owner and the fire department has shown up.
That's not what they said though. They said "please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away" (emphasis mine)
The flipside of course is ... does your disclosure increase the risk?
> Waiting to disclose something harmful when the users in danger could otherwise take steps to make themselves safe would be like not warning people entering a building not to go in because of a gas leak until after you've contacted the building owner and the fire department has shown up
I don't think it's like this at all. The risk of a gas leak is not increased by telling people about it and can't be prevented after it's occurred. To stretch your analogy, I'd say it's more like you've found the gas leak and instead of turning off the gas supply are instead running around outside the building shouting about how there's a gas leak.
When you've got that much on the line you have to assume that the risk is already present for all users. It's true that there's always a chance that some users won't find your disclosure in time and additional would-be attackers who weren't aware of it already will start taking advantage of the flaw, but the alternative is that no users are safe.
> The risk of a gas leak is not increased by telling people about it and can't be prevented after its occurred.
It's true that warning people not to enter wouldn't make the gas more dangerous, but it limits the death count of the impending explosion. It keeps at least some people from entering the building and walking into a death trap.
There's no way to shut off the gas supply when you can't control what's already running on users' devices and more users are downloading and installing the buggy code all the time. It's really not a perfect analogy. The point is that immediate action will save some people, while waiting around means that nobody has a chance of being saved.
If so, I guess we just have different opinions on the ethics involved here.
But when it comes to money making corporations then personally I don't agree that revealing flaws in their product comes into ethics at all.
A company's paid product is flawed, their own paid engineers didn't figure that out, why should I do it for free because 'ethics'?
This is the entire reason bug bounty programs exist in the first place.
why are companies so entitled to get free security research/audits?
In my experience, most of the scanner firms seem to be creating their own maps of as much of the internet as they can get their grubby hands on, and then sell API access to their database of all services running on all the open ports on all the IP addresses they've probed and scanned and scraped.
Firstly, I don't want my shit listed in these databases. Secondly, the traffic is probably negligible, but it's still coming down my pipes (tubes) without an invitation, and I don't like that, plus they then profit off this uninvited behaviour. It rubs me the wrong way.
Finally, I highly doubt that (m)any of these services are doing it for altruistic purposes. They're doing it for reasons of profit, and then downstream of this is likely access by various intelligence agencies to this data.
I just don't think they have a right to this data.
> but if you think this is abuse: have you considered also reporting the abuse to the originating ISP?
That's a good point, and if I can automate that, then I will, but I don't consider it a priority. Finding the party ultimately responsible for an IP address isn't a particularly simple process.
> most of the scanner firms seem to be creating their own maps of as much of the internet as they can get their grubby hands on, and then sell API access to their database
Yeah, sure, a lot of scanners are run by black or gray hats. Just saying that all options are on the table and blocking (or even reporting) e.g. the non-profit .nl operator organization for scanning tcp:443 on all the A/AAAA records of .nl domains is going to do much good
(Example of what they're doing: https://www.sidn.nl/en/news-and-blogs/new-system-for-logo-ba...)
Make it look like an accidental misconfiguration and if an insider who isn't an NSA mole does somehow discover the logging, there's a fair chance they'll turn a blind eye anyway. After all, if you work at a VPN, publicly outing your employer for logging will tank the business, then you and your colleagues will all be out of a job.
Mullvad have been taken to court over this in relation to a copyright infringement case.
TL;DR The judge permitted people to take a fine-tooth comb to Mullvad's infrastructure and no logging was found[1].
[1] https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-sea...
I guess we’ll see how they respond.
The fact that Tor does not intend to tackle the timing problem is plainly stated on the Tor website.
> Tor does not intend to tackle the timing problem [as] plainly stated on the Tor website.
then that's not how I read the above claim about Tor "having been deanonymized". Yes, yes, it strictly fits within the meaning of what you wrote, but it's like saying bread has been made free before because someone found a place where they could plant wheat seeds and chop trees to bake it without having to pay for using the ground and wood: there is a roundabout way of getting there but it's not true in the common case (you can't just do this for everyone at will)
Do you have any facts? I know they rely on _additional_ stuff, but do you have sources showing that they never use cookies or source IPs?
What percent on people on Hacker News who say they care about privacy live without Google, Apple, Microsoft and Facebook accounts?
How many people outside of HN do you think care about privacy for real? Like about adtech surveillance and not about their naked photos leaking?
I doubt either % is very high sadly. We tend to say we care, but very few people actually do anything or use self hosted solutions or not tied to Apple or Google ecosystems.
https://www.schneier.com/blog/archives/2013/12/tor_user_iden... https://www.schneier.com/blog/archives/2024/10/law-enforceme...
If law enforcement can do it, then intelligence agencies and anyone with a similar budget can do it.
I did not say there is an easy exploit available that anyone can use or that attacks have a 100% success probability.
For me, it’s more subtle than that.
Everybody (“almost all software”) has exploitable bugs. Are you a fool for not finding the ones in yours? Maybe. Sometimes.
There is a huge difference between Project Zero finding a trivial vulnerability almost identical to one reported months earlier (close to negligence) and Mullvad having the CEO personally posting a response here in a very calm tone.
If I have a company which sells a paid product, and my paid engineers do not find bugs then I absolutely do not expect the public to willfully and freely make my product better for me. This is why I would have a bug bounty program as an incentive for the public to help me make my product better and more secure, like any other company serious about finding security bugs.
If I didn't have a bug bounty program and found out that some black hats were selling backdoors to my system online, I would consider that fully my fault for not incentivizing those hackers against doing so.
Hmm do we want them to decide what stuff is shady and what isn't?
We're already allowing payment processors to do that and it's not good.
That doesn't mean collusion
Either way, if they were directly colluding with Google, they would have had a much simpler time siphoning off that data.
That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare.
People didn’t care when they learned about PRISM, why would they care now when it’s a known fact? The sane stance would be to assume Cloudflare is in cahoots with NSA.
The NSA leaks dominated news cycles for the entirety of 2013.
I think more people than you would expect would be happy to accept that as the price for protection against malicious actors
The priority should be on protecting users, and not helping the company responsible for the vulnerability save face, or give them extra time to spin up their PR team, or get a head start on a patch.
When the risk to users is low, or when there's really nothing users can do to protect themselves anyway I'd agree with you. In a case like this where the risk to users can be extremely high, and the moment they are made aware of the problem there are steps the user can take to eliminate that risk, the safety of those users should outweigh inconvenience to the people responsible for the vulnerability
Mullvad fucked up. They should have been as inconvenienced as they possibly could be to fix the problem promptly! The issue is irresponsible disclosure hurts more users than it helps.
Someone with likely substantial qualifications put in time to find this. The company is in it for profit (at least partially). What’s fair for the company is fair for the individual. The company can either offer to pay for bugs under the terms they want, hire more security folks to find the bugs themselves, or just accept that researchers get to do whatever they want with their findings.
I’d tell Mullvad, but there are companies I don’t respect enough to feel compelled to give them a heads up. Perhaps the author feels that way about Mullvad, it’s entirely within their right to use this to publicly shame Mullvad.
Since when do you have professionals giving you examinations out of common courtesy? Out of courtesy can I get a free cancer screening?
But that would never happen, so the point is moot.
Maybe when they decide on their own volition, without any external pressure, to go and poke around your system?
"Hey, I'm a mechanic, I was looking at your car parked out there and noticed something incredibly dangerous that needs immediate fixing. I'll tell you what it is for $1,000."
Please...
Seems to be a systemic issue with computer guys feeling entitled to financial compensation for strange reasons. See also, people licensing their software as "open source" and then being mad when people make money off it.
Time and time again private companies have rug pulled things like api access for 3rd party apps (such as twitter/X). Building 3rd party clients for private systems should already be approached with heavy scepticism and always be prepared for the worst.
American culture is highly varied. For some this is true, for others this is wrong and highly insulting.
Maybe try a narrower brush next time.
Maybe not everything is aimed towards you, especially if you don't feel like the description actually matches you :)
You really can't blame VPN providers for selling on "privacy" hype and not delivering because most people don't care either way.
I might be wrong, but I feel that in the West most normal people use VPNs for torrents, watching porn and hiding activity from school or employer. Small subsets are also sport fans who bypass geo blocking and people scheming for cheaper regional prices on netflix / steam / consoles.
I blame mullvad for messing up, but I do not suspect them of working with some state sponsored surveillance programme at the moment.
It's not as if the odds of new would-be exploiters seeing it are any better. It helps that the people who are at the most risk tend to have their ear to the ground already because they know what's at stake.
When the risks are this high you have to assume that it's already being actively exploited. That means that already there are more attackers who know about the vulnerability than there are users who know about the mitigation.
All you can do at that point is let as many users as possible know how to protect themselves while Mullvad figures out how to fix the issue on their end, writes and puts out the update, and the remaining users get around to updating their systems. You can't save everyone, but hopefully you at least gave some people the chance to save themselves.
On that topic, though, is the Mullvad Browser, whose entire intention is to defeat browser fingerprinting.
Because I'm quite curious on where the IPs are from. Usually residential IPs is a fancy wording for malware infested devices from regular people.
Ohh, that makes sense haha.
@m00dy: please disclose when you’re talking about your own projects! It’s okay to plug your stuff sometimes, just be honest about it :-)
> Since you've made seven posts to HN about it
Do you have a tool to text search a user's comment history? Your comment is very specific: "seven"!
Search for “mobile proxy” – those are usually cheap-ish monthly subscriptions, with unlimited traffic, and often an API to rotate the IP programmatically if you need it. No KYC, but you usually do have to sign up with an email.
yes, it's a bit more expensive because it's for different use cases. You can't use VPNs or Mullvad for anything mission critical. Just try to log in to your bank in US, it will increase your risk score on their end because VPNs by nature are very easy to detect whereas "residential proxies" much harder.
Naturally! I’m just saying there’s residential proxy providers that are a LOT cheaper than that.
(IIRC, you can usually reply to fresh comments if you click on the “n minutes ago” – the reply link should be visible there even if it isn’t shown in the main comments tree)
Their ads on San Francisco's public transit are good.
Security is always a balance. Always
AI is showing that everything has a weak spot (wondering where are the "I don't make mistakes with C" now people are - but that's for another discussion)
There's another commenter mentioning this makes sense because exactly it avoids them keeping information on which customer is matched to which server. You know, one of the things you don't want to log
Could it be done better? Probably.
Here's a better idea, logging off is 100% safe
Meanwhile 99% of the normies will go for NordVPN
Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still.
Knowing the online services one uses, and the times (to the millisecond) they used them goes a long way to deanonymize individuals. Correlating Internet routing events is very effective when combined with other data sources, like physical surveillance and knowing the exact times the target got home, or interacted with their phone after getting a DM alert.
Amazingly brazen assumption right there.
That requires cooperation from a couple people at the company. People that could do it for "patriotic duty", be paid off, simply be coerced, or be replaced by NSA agents (I wonder how many cloudflare employees are NSA plants?). If you want to go even more low-profile, tap the fiber lines a block further down outside the cloudflare PoP and use one of the above techniques to get the key material
Even if it takes the NSA a decade to get an NSA agent hired and moved up in the organization until they have a vector to extract private keys that's still an incredible return on investment
Notify, then publish
This is the best VPN regarding security and privacy there is.
I did my research
Clustering, in turn, allows time-based deanonymization[1], against the users' assumptions of being sufficiently anonymized.
Adversaries who do not enjoy a backbone-traffic MitM vantage point cannot exploit this vulnerability, which makes it appear NOBUS-y.
1. Any *aaS, forum, or board, when given a (Mullvad!) IP address and series of request timestamps, and a subpoena, can yield PII on the real identity (email, phone, billing address)
The mechanic writes a blog post about how the locks on [a car model] don't work, and how anyone could just steal [cars], but doesn't tell the [car company] because, after all, the [company] wasn't paying him to.
Especially when the car company spends on 'certifications' (security audits, in this case) and specifically markets it as a differentiator. That said, uncoordinated public disclosures in cybersecurity are bad form, given the well-established existing norms & culture; but at least, let's get analogies right.
But yes, if you found a general fault in the locks of a certain car model and publicized it without first informing the company and giving them a fair chance to inform the affected customers, people would probably be annoyed with you. Individuals even, not just companies.
"You chose that car that advertises good locks. Guess what, the locks are actually bad and now I'm gonna publish exactly how, to teach the manufacturer a lesson about paying me money".
> I’m not here to promote anything just wanted to share a valid use case in the right context.
There’s a small difference: if one of your users did this it would be totally fair, but when a founder does this I think it’s a polite thing to disclose it. That’s what I’ve been doing when talking about my own project on HN [1], and I think in most cases other legit founders just say that upfront, too. I’m not sure if that breaks any rules, but it feels juuuuust a bit shady not to :-)
[1]: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
I’ve been implementing an Instagram liker service back in... 2018 was it? So a stable pool of non-flagged residential proxies was important here, and it was my client who introduced me to the concept of “mobile proxies”. Basically, they use regular 3G/4G/5G modems with regular SIM cards, and expose that as a SOCKS proxy. You get a normal-looking IP from a pool of mobile operator’s IPs. Since mobile devices reconnect all the time (and are behind a CGNAT mostly nowadays), you can’t really flag an IP like that – and if it is flagged, you can get a fresh one in a moment.
I’m not using this mostly because I’m too lazy to research. Here’s a random one I found (so not an endorsement!) which is $1/GB, seems to only require email to sign up, and takes crypto (including XMR): https://floppydata.com/
Yes I know it comes from pirating/torrenting/scraping. Are you saying you acknowledge your IPs come from malware, and that is OK because OpenAI is shady too?
This is as helpful as Whatsapp's so called E2E encryption comms (that just happens to not be applicable by default in certain situations).
Meta data is also not encrypted. Your messaging graph is known to Whatsapp including message timestamps.
Also, IIRC, they (Meta) could also partially bypass the e2e (they can't access past messages but they can receive future messages) without you noticing (unless you have certain settings on whatsapp enabled, settings most people don't even know exist).
The new feature of sharing past messages with new arrivals to a group also further widens the potential scope of messages leaking.
It does give better peering. Reduces latency a bit for me.
But you can also see from curl or traceroute that the endpoint you talked to was a cloudflare ip and your ssl ended there. After that you can't see inside cloudflare.
(Seems to have some weird cache issues though, had to play around with the ?querystring part to get more results)
Makes me think I should probably have reported it, even if I found a quick-for-me workaround. Looking at the repo, though, it was discontinued several months ago. https://github.com/algolia/hn-search Wonder how much longer it'll be online for
And it is very difficult to back them up anywhere other than a secret bucket at Google
Also they say messages are E2E encrypted. I don't recall that page saying anything about what happens at rest. Presumably the Meta AI will have, or already has access to them.
What's your point again? Something about all Americans whether they live in the US or not? Are you trying to be incoherent? Daft? Representative of all Swedes by origin?