What gives you confidence that they aren't? I have confidence my VPN doesn't sell my traffic not because I implicitly trust what they say, but because if they had logs the courts would have found them when trying to seize data themselves. What makes you trust your ISP so much? Faith in the human goodness of businesses to look out for the best interests of their customers, even if it means passing up an opportunity to make a larger profit? Faith in their words, or faith in toothless privacy laws that have been violated time and time again?
Sure, if you want to get crazy with it you put a prepaid phone in another location, put it on your Tailscale VPN, then proxy all traffic through the prepaid phone with something like: https://github.com/kost/revsocks
Phone doesn't even need data if you have access to wifi wherever you stash it.
The whole idea of "put phone in location X" alone is much harder to implement than buying 5, 10 or 100 VPN accounts or servers with crypto and setting them up how you like.
Like, you need to physically be there, need the ability to connect the phone to electricity and somehow maintain it if it e.g. reboots. And stay anonymous while doing so? I'd say that's a Hollywood kind of solution.
Mullvad is a tiny world-famous ISP in Sweden that has zero KYC and an explicit zero-log policy, specifically designed that way to enable mild abuses, that also accepts PayPal, credit cards, and, today I learned, cash in an anonymous envelope for payments. That doesn't scream US three-letter organization at all.
I do all my illegal shit over Mullvad and I've only been raided once.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
I was just talking to a friend who believes that the feds poison privacy communities by spewing nonsense like this. I don't think wg0 is a fed, and my friend didn't have any proof for his claim. My feeling is that it is probably people acting like regular humans. They hear things, they have opinions and they don't provide proof or adhere to community norms. Eternal September or something. Regardless of whether it's federal agents disrupting the discussion or human nature, the response should be the same—push back with proof, demand proof, and avoid logical fallacies.
> Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use Brave. Don't use Brave. Use a VPN. Don't use a VPN."
Then the debate spreads to all other aspects
password managers, emails, etc.
If people using some tool made my job harder I'd be vocally against it during off hours. But let's be real, any powerful group interested in tracking people would just be working with or running VPN companies. Or perhaps providing free VPNs. Either way I think it's all moot: for tracking you have to question who you do and do not want to be tracked by, and for other purposes a VPN works just fine.
The most generous way of reading that would be that every YouTuber pushing a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering, but there are good reasons for using a VPN and it's not snake oil.
It's a game of cat and mouse. The service keeps banning IP ranges, the user keeps reconnecting to different servers and regions. The server can't know exactly who's who, just that a bunch of users are using Mullvad, while the user just needs to find one server on one IP range that works.
Seems like a good deal to me. I don't care if they know I use mullvad, I care they don't know I'm me, and that's not something mullvad will easily disclose.
I'll go ahead and answer that it can't. It knows I'm Mullvad user X, thus deanonymization, "it knows I use Mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".
> As an example, imagine that you are a moderator on a forum and you suspect that a new face is actually a sockpuppet of a user you banned the day prior. You check the IP logs, and despite using different Mullvad servers, both accounts resolve to the overlapping float ranges 0.4334 - 0.4428 and 0.4358 - 0.4423. This gives you a >99% chance that they are the same person.
This sounds like how I'd design a VPN if I were an intelligence agency.
> This sounds like how I'd design a VPN if I were an intelligence agency.
So does your comment...
Makes you wonder...
Every now and then there are articles like this one about something that Mullvad may or may not be able to do better, and there are always comments about whether they're an intelligence front.
I don't know the answer, but there are two ways to take it:
1. Submarining to destroy confidence in an actually trustworthy, decent VPN company
2. They're an intelligence front.
For me, Mullvad have the appearance of the greatest likelihood of being legit since they're not aggressively pushing their product with lies and fear mongering. That gels with my vibe. If they're an intelligence front, well, most VPNs probably are as well, so I'm no worse off.
Luckily I'm not doing anything that would get me in the kind of trouble for which multi-jurisdictional cooperation is worthwhile.
We keep adding layers of encryption and the metadata keeps snitching on us anyway.
> Surprisingly, the exit IP you are given is not randomized each time you connect to the server, but deterministically picked based on your WireGuard key, which rotates every 1 to 30 days (unless you use a third-party client, in which case it never rotates).
I'm a little confused on this... what is stopping third parties from doing key rotations like the main app clients if it is detailed in the repo how to do it?
Third party clients include e.g. the WireGuard driver in the Linux kernel. It's definitely not the network driver's job to mitigate an attack against one specific commercial service.
> what is stopping third parties from doing key rotations
Knowing to do so, primarily.
The purpose of a VPN does not include anonymizing users with respect to the sites they visit, so it shouldn't be too surprising that Mullvad doesn't enforce unique exit IPs. Users who want anonymity should use networks like Tor.
That is exactly the point of public VPNs..
If I'm on a public VPN, I don't want anyone to know who is making the request, including the terminating IP.
Think about it. By your logic, VPNs shouldn't be used for torrents because VPNs shouldn't anonymize you to the terminating IP. Whereas they work gangbusters for that.
If you are talking about private VPNs.. Mullvad isn't one.
Isn't Tor a US government project that has been shown to be deanonymizable?
It seems surprising that people would expect a VPN to be comparable to Tor.
It does seem ridiculous once you spell it out like that, and then you have to realize that it’s plausible to de-anonymize even Tor users by controlling exit nodes.
Most of the big consumer VPNs include "privacy" with an implication of anonymity in their marketing, so it shouldn't really be surprising.
But what privacy do you think the majority of people who are not doing something badly illegal expect from VPNs?
Most likely these people just look to hide their torrenting and their political shit on Twitter from their employer, and not share their choice of porn with their local ISP. Also just adding one more layer between them and the occasional scammer who can sometimes infer broader geodata from their IP leaked from yet another database. Oh, and now to avoid the "Show your ID" page on the same porn sites.
It works well enough for this goal. Not everyone needs an NSA-proof solution.
PS: Obviously more tech-savvy people understand the importance of hiding traffic on public WiFi, but I doubt average Joe the VPN user will buy a VPN for this.
It is privacy with respect to your ISP. A lot of ISPs are pretty shitty. Some will rat out their own customers to copyright mongrels and threaten to disconnect you - which is important when there's a local monopoly.
Things you connect to or log in to are clearly going to be able to ID you, at least within the context of the login that you use, regardless of what the VPN does.
I'm logged into HN through Mullvad as it happens. I usually leave it on regardless of what I'm doing because what I'm doing isn't my ISP's business even though I'm pretty happy with them.
"Not knowing who a user is" privacy may still be useful even if you don't have "not knowing two users are the same user" privacy.
I maintain a list of blocked IPs ("23034 IPs to blocklist.txt"); it contains all VPN providers. Often VPN providers seed Geofeeds with wrong data, which is why I use traceroute and ping to locate their real location.
I have a script that logs IPs for any traffic coming in to my servers on ports that don't accept traffic. I then block those IPs from accessing ports behind which there are services.
If they're checking my locked doors, I don't want them coming in my unlocked doors.
This might be a good idea, but consider banning them for, say, a couple hours at a time. It’s easy to rotate IP, especially if you’re using a residential proxy service, and there’s a good chance you’ll end up blocking real users using the same ISP.
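One way to act on the suggestion above (time-limited bans for probers of closed ports, so a shared ISP address is not locked out for good). This is an added illustration in Python, not anyone's script from the thread; the log format, service ports and addresses are all constructed.

```python
import re

# Ports behind which there are services (constructed for the example).
SERVICE_PORTS = {22, 443}
# "A couple hours at a time", as the reply above suggests.
BAN_SECONDS = 2 * 3600

# Constructed log lines in a made-up "<unix-ts> SYN src=<ip> dpt=<port>" format:
# one line per inbound connection attempt, not the output of any real tool.
SAMPLE_LOG = """\
1700000000 SYN src=198.51.100.7 dpt=3389
1700000010 SYN src=198.51.100.7 dpt=5900
1700000020 SYN src=192.0.2.44 dpt=443
1700000030 SYN src=198.51.100.9 dpt=23
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) SYN src=(?P<src>[\d.]+) dpt=(?P<dpt>\d+)$")


class TemporaryBlocklist:
    """Bans an IP for a fixed window after it touches a port with no service.

    Hitting a real service port is not 'checking locked doors', so it never
    bans. Each new probe refreshes the window instead of extending it forever,
    which bounds the damage when the address belongs to a CGNAT or residential
    proxy shared with legitimate users.
    """

    def __init__(self, ban_seconds: int = BAN_SECONDS):
        self.ban_seconds = ban_seconds
        self.expires = {}  # ip -> unix time at which the ban lapses

    def observe(self, line: str):
        """Feed one log line; return the IP if it was (re)banned, else None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts, src, dpt = int(m["ts"]), m["src"], int(m["dpt"])
        if dpt in SERVICE_PORTS:
            return None
        self.expires[src] = ts + self.ban_seconds
        return src

    def is_blocked(self, ip: str, now: int) -> bool:
        exp = self.expires.get(ip)
        return exp is not None and now < exp

    def expire(self, now: int) -> list:
        """Drop lapsed bans (what a cron job would push to the firewall)."""
        stale = [ip for ip, exp in self.expires.items() if exp <= now]
        for ip in stale:
            del self.expires[ip]
        return stale


if __name__ == "__main__":
    bl = TemporaryBlocklist()
    for line in SAMPLE_LOG.splitlines():
        bl.observe(line)
    print(sorted(bl.expires))
```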
You know that people use VPNs for perfectly legitimate reasons, right?
Like when I was travelling, sites would routinely use the language of my IP address location, not the language preference as I set it in my browser. So I would be served a site that I couldn't read. My only option was to use a VPN to spoof my location so that it would serve me a site in a language I understand.
By the way, if you’re a webmaster doing this, look at the Accept-Language header instead: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...
I use a VPN when I'm traveling and want to order food delivery for my 93-year-old mother in NY. UberEats and InstaCart will stop me from ordering when logged in to my mom's NY account if I'm in China, Saudi Arabia, India, Vietnam, etc.
Given that Mullvad is basically a bulletproof VPN host[1], it would be great if site operators could rely on this property to enact bans. Given that the solution is simple (add a pseudorandom seed), Mullvad will likely push out a fix within a couple days.
1. It's the preferred VPN of TeamPCP.
Source? Been googling for this but I don’t see any relevant info
Reusing the same VPN between multiple identities is a horrible idea regardless. And let's be real. As a forum moderator, if you ban a Mullvad user and then a new Mullvad user signs up the next day, it is probably the same person. You should use residential or mobile proxies if you want privacy and to blend in with everyone else.
>Surprisingly, the exit IP you are given is not randomized each time you connect to the server, but deterministically picked based on your WireGuard key
What's the point of this? This seems more complicated to implement than mapping exit IPs at the server level, so surely they must be doing this for a good reason?
It's simpler to implement because it's more stateless, and it's a better user experience.
If you get a new exit IP each time you connect, you need something like a NAT table to look up "key 0xabc exits ip 1.2.3.4", and that grows to be the size of the number of users you have active, and you need to save it forever so that when the NSA asks who used the IP for what duration you can tell them.
With a static mapping derived from the key, you don't need a table like that.
It's also better UX since it means reconnecting your VPN software (say you switch wifi hotspots) doesn't give you a different IP address, so things like SSH sessions can resume, which wouldn't be possible if it were a different public IP each time.
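To make the trade-off in this reply concrete, and the "add a pseudorandom seed" fix mentioned earlier in the thread: an added Python illustration, not Mullvad's code, with a constructed exit pool, key and nonces. It contrasts a stateless key-derived mapping (stable exit across reconnects, hence linkable), a seeded variant, and the NAT-table alternative that must remember who had which IP.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed exit pool: the 14 hosts of a documentation-range /28.
EXIT_POOL = [str(ip) for ip in ipaddress.ip_network("203.0.113.0/28").hosts()]


def deterministic_exit(wg_pubkey: bytes, session_nonce: bytes = b"",
                       pool=EXIT_POOL) -> str:
    """Stateless scheme: the exit IP is a pure function of the client key.

    The nonce parameter exists only so both schemes share one signature;
    it is deliberately ignored here.
    """
    digest = hashlib.sha256(wg_pubkey).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def seeded_exit(wg_pubkey: bytes, session_nonce: bytes, pool=EXIT_POOL) -> str:
    """Same hash-to-pool idea, but a fresh per-connection nonce is mixed in,
    so two sessions from one key only share an exit by chance."""
    digest = hmac.new(session_nonce, wg_pubkey, hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def exits_across_reconnects(assign, wg_pubkey: bytes, reconnects: int) -> set:
    """Reconnect N times (new nonce each time) and collect the exits handed out.

    A single-element set means the exit IP is a stable identifier for that key
    (good for resuming SSH, bad for unlinkability, which is the thread's point).
    """
    return {assign(wg_pubkey, secrets.token_bytes(16)) for _ in range(reconnects)}


class NatTableAssigner:
    """The stateful alternative: a random exit per connection, remembered in a
    table. The table grows with active clients, and answering 'who used this IP
    and when' is only possible because that state is kept."""

    def __init__(self, pool=EXIT_POOL):
        self.pool = pool
        self.entries = []  # (exit_ip, wg_pubkey, start_time)

    def assign(self, wg_pubkey: bytes, session_nonce: bytes = b"") -> str:
        exit_ip = secrets.choice(self.pool)
        self.entries.append((exit_ip, wg_pubkey, time.time()))
        return exit_ip

    def who_used(self, exit_ip: str) -> list:
        return [key for ip, key, _ in self.entries if ip == exit_ip]


if __name__ == "__main__":
    key = b"constructed-wireguard-pubkey-A"
    print("deterministic:", exits_across_reconnects(deterministic_exit, key, 5))
    print("seeded:       ", exits_across_reconnects(seeded_exit, key, 5))
```

Note that the seeded variant removes the fingerprint but also removes the operator's ability to answer "who had this IP" without going back to a table; that is exactly the state-versus-linkability trade-off.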
I'd guess that this is to ensure one abusive user doesn't get every other user blocked from a large service (say, Google) for botting over the VPN and constantly rotating IPs.
It's a practical measure, but definitely has a privacy cost though.
It's possible that contributes, but to be honest most VPN users are split "privacy seeking" and "abusive". Though I grant you paid users are probably slightly more circumspect than users of Tor, etc.
It seems more likely this is just about load-balancing use against their available nodes.
My guess is deterministic assignment makes load distribution and debugging easier. But for a privacy product, that convenience probably needs to be reconsidered.
I imagine there are a bunch of things on the internet that break if you start trying to connect to them from varying IP addresses. Things like the various CAPTCHA schemes and rate limiting etc, IP reputation etc.
> I imagine there are a bunch of things on the internet that break if you start trying to connect to them from varying IP addresses. Things like the various CAPTCHA schemes and rate limiting etc, IP reputation etc.
Given how much of the world is stuck behind CGNAT now, I would expect any major sites to handle it.
Surprising that the mapping may be stable enough to become a user-level signal. Rotating away from deterministic assignment seems like a cheap way to avoid creating an extra fingerprint.
This is why VPNs have always been crap. The pool of IPs is blacklisted/tainted, so you will run into various roadblocks and captchas, in addition to slow speed. If you are serious about privacy and don't want blocks and blacklists, buy high speed private proxies. Don't use a pooled service.
A VPN by any other name would smell as sweet.
[flagged]
Let's see, short summary of the article, saying nothing new or important. It's not x it's y. Comment history is exactly this type of comment everywhere.
This is an AI comment from an AI account.
Doesn't matter much as long as it is a pseudonymous identity
It’s also not that difficult to fix, so I expect a fix to roll out soon enough.
VPNs are snake oil. Exit IPs are public information.
VPNs are not snake oil. They transfer the trust of your internet activity from a place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad, IVPN, or Proton. Among other benefits. If you don't like your ISP creating a profile of you and selling it to target ads to you, you should use a VPN.
>Should I use a VPN?
Yes, almost certainly. A VPN has many advantages, including:
1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
4. Allowing you to bypass geo-restrictions on certain content.
(https://www.privacyguides.org/en/basics/vpn-overview/)
How is a private company (VPN) more trustworthy than another private company (ISP), and how do you expect them to protect your identity in the face of determined state actors that are after you?
What power is in $2.99/month that it offers so much security?
Why is it that at least 40% of sponsorships of YouTube creators seem to be from the VPN industry?
What is it that they know and we don't?
Specifically Mullvad operate completely stateless nodes, which was confirmed several times when law enforcement tried to access their logs. There are no logs. Mullvad are selling their location, with very good connectivity and with laws that strongly protect privacy. They are €5/mo, almost $6/mo, and likely acquire bandwidth very cheaply due to scale and likely peering agreements.
> How is a private company (VPN) more trustworthy than another private company (ISP)
Well, my ISP sent me a nice letter saying they intend to monetize my metadata, and mullvad has demonstrated in court that they don't have user data to give up.
> and how do you expect them to protect your identity in the face of determined state actors that are after you?
That's moving the goalposts; your parent comment didn't say anything about determined state actors. And defending against commercial actors is useful even if it doesn't help against state actors. I tend to assume the NSA can compromise anything. I'd like to ensure only the NSA can compromise my stuff.
You fundamentally misunderstand what privacy means if you're replying to someone stating using a VPN will help you avoid getting spied on by your ISP for commercial purposes with state actor based worries.
Mullvad vs my ISP.
One at least has open source software clients, and publishes audits from other 3rd-party audit organizations.
The other open sources... nothing. Their client apps have dozens of trackers inside. And it's a dream to see any of the ISPs in my country publish any 3rd-party audits. Their other products (going with the service) have trackers and personalized targeted ads inside.
Yeah, in my 1 million alternate universes should I trust my ISP more.
Making your traffic cross jurisdictional boundaries also adds a level of difficulty for tracking usage.
Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.
(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).
The counterpoint is that making your traffic cross out of the US gives the NSA (by their ass-backwards reading) permission to spy on you.
Fair point, but I'm not sure if that was ever a boundary they wouldn't cross, but for 'a little while now' I'd say it doesn't matter.
From outside the US I should be using a VPN end-point within the US, so that my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does.
Seems a bit optimistic to think they actually care whether they have that permission or not.
Unfortunately, the largest and most well-marketed VPNs are, in fact, less trustworthy than your average ISP.
This depends on your threat model. If what you worry about is massive collection of Linux ISOs that you download and distribute over P2P then probably a shady VPN ISP is what you need.
Exactly. Most ISPs are subject to local laws at least, whereas a lot of these are overseas in shady jurisdictions.
> place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad
This is a highly subjective statement.
Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely a high-trust point while any commercial VPN is low-trust.
Your ISP farms and sells your data too.
Most VPNs are untrustworthy, but unlike ISPs, you can choose from any VPN provider in the world, not just the two or three that are local to you. And there are VPN providers in the world that have been proven not to retain data by audits + actual court cases where the court determined that the VPN provider did not have the data authorities were seeking. Do your research and choose a court-proven VPN, it's that simple.
Deutsche Telekom in Germany/EU farms and sells my data? Any sources?
You probably won't find direct proof any more than you will find direct proof of any random VPN selling your data, it's just a given that commercial entities are liable to sell financially valuable data, and a list of all traffic, every website you visit and every service you use, tied to a specific identity is certainly financially valuable. Being in the EU doesn't change this; in fact the EU explicitly required that ISPs retain your identifying data with the Data Retention Directive, and though this was struck down after 8 years in court, many individual national governments immediately moved to impose similar requirements. I don't know if Germany was one of them but unless Germany has a specific privacy directive that goes beyond EU law I would see zero reason to place any trust in an ISP. In fact even if there was a law that's still not a reason to trust an ISP, because privacy laws are violated constantly; the most trustworthy source by far is a party acting opposite to the government, who has been investigated by the government and proven not to log the data that the government wants.
"EU explicitly required that ISPs retain your identifying data with the Data Retention Directive"
And then sells it?
What gives you confidence that they aren't? I have confidence my VPN doesn't sell my traffic not because I implicitly trust what they say, but because if they had logs the courts would have found them when trying to seize data themselves. What makes you trust your ISP so much? Faith in the human goodness of businesses to look out for the best interests of their customers, even if it means passing up an opportunity to make a larger profit? Faith in their words, or faith in toothless privacy laws that have been violated time and time again?
I can easily pay for a VPN service with crypto anonymously. I can also use a VPN run by a company outside my country of residence and jurisdiction.
Neither of those is possible with my ISP.
Prepaid 5G SIM cards and a 5G modem.
Yes, and the 5G provider knows your exact location, while VPNs can be easily chained.
Sure, if you want to get crazy with it you put prepaid phone in another location, put it on your Tailscale VPN then proxy all traffic through the prepaid phone with something like: https://github.com/kost/revsocks
Phone doesn't even need data if you have access to wifi wherever you stash it.
VPN chaining easier though.
The whole idea of "put phone in location X" alone is much harder to implement than to buy 5, 10 or 100 VPN accounts or servers with crypto and set them up how you like.
Like you need to physically be there, need the ability to connect it to electricity and somehow maintain it if it e.g. reboots. And stay anonymous while doing so? I'd say that's a Hollywood kind of solution.
Most ISPs have invested big bucks in Deep Packet Inspection
That just helps them classify the type of traffic. They're not breaking the encryption to see the actual content.
Now try saying that wearing some Russian or Chinese shoes.
My ISP is in a communist country, they sell other products like TV boxes, cameras, clouds and have ads/trackers on all of their products too.
Should I trust my ISP more than Mullvad? LMFAO.
Interesting handle to make that comment. I'm assuming you mean commercial VPN providers, and not WireGuard (or other such VPN implementations).
Mullvad is a tiny world-famous ISP in Sweden that has zero KYC and an explicit zero-log policy, specifically designed that way to enable mild abuses, that also accepts PayPal, credit cards, and today I learned, cash in an anonymous envelope for payments. That doesn't scream US three-letter organization at all.
I do all my illegal shit over Mullvad and I've only been raided once.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
> That doesn't scream US three-letter organization at all.
They have their own tools + Tor, they do not need Mullvad.
I was just talking to a friend who believes that the feds poison privacy communities by spewing nonsense like this. I don't think wg0 is a fed, and my friend didn't have any proof for his claim. My feeling is that it is probably people acting like regular humans. They hear things, they have opinions and they don't provide proof or adhere to community norms. Eternal September or something. Regardless of whether it's federal agents disrupting the discussion or human nature, the response should be the same—push back with proof, demand proof and avoid logical fallacies.
> Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use braive. Don't use braive. Use vpn. Don't use vpn"
Then the debate spreads to all other aspects: password managers, emails, etc.
If people using some tool made my job harder I'd be vocally against it during off hours. But let's be real, any powerful group interested in tracking people would just be working with or running VPN companies. Or perhaps providing free VPNs. Either way I think it's all moot: for tracking you have to question who you do and do not want to be tracked by, and for other purposes a VPN works just fine.
> VPNs are snake oil
The most generous way of reading that would be the fact that every YouTuber pushing for a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering, but there are good reasons for using a VPN for a lot of reasons and it's not snake oil.
> Exit IPs are public information.
Yes, obviously.
> VPNs are snake oil
Huh?
It's a game of cat and mouse. The service keeps banning IP ranges, the user keeps reconnecting to different servers and regions. The server can't know exactly who's who, just that a bunch of users are using Mullvad, while the user just needs to find one server on one IP range that works.
Seems like a good deal to me. I don't care if they know I use mullvad, I care they don't know I'm me, and that's not something mullvad will easily disclose.
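The range check the comment above describes, from the service operator's side, as an added example that is not from this thread or from Mullvad: requests are matched against a published list of VPN exit CIDRs so the service can apply a policy (rate limits, extra verification) to "someone using this VPN" without learning who the user is. The CIDRs and log lines are constructed placeholders (documentation address space), not any provider's real ranges; the one address that falls just outside a listed /25 shows the cat-and-mouse side, since a stale list lets it through as ordinary traffic.

```python
import ipaddress

# Constructed placeholder "published exit ranges". These are documentation /
# reserved prefixes (RFC 5737, RFC 3849), NOT a real provider's ranges.
VPN_EXIT_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/25",        # covers 203.0.113.0 - 203.0.113.127 only
    "2001:db8:beef::/48",
]

# Constructed access-log lines in the form "<client_ip> <method> <path>".
SAMPLE_LOG = """\
198.51.100.77 GET /login
192.0.2.15 GET /
203.0.113.200 POST /signup
203.0.113.9 GET /login
2001:db8:beef::1234 GET /api
not-an-ip GET /
"""


def compile_ranges(cidrs):
    """Parse CIDR strings once into network objects for repeated membership tests."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_vpn_exit(ip_str, networks):
    """True if ip_str parses and lies inside any listed exit range.

    Mixed address families are safe: an IPv4 address is never 'in' an IPv6
    network (the ipaddress module returns False rather than raising).
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def classify_log(log_text, networks):
    """Bucket each log line's client address.

    Returns a dict with three lists of source addresses:
      'vpn'     - inside a listed exit range (policy: treat as shared/anonymous)
      'direct'  - routable address not in the list (includes exits the list misses)
      'invalid' - unparseable address field (log injection / malformed line)
    """
    buckets = {"vpn": [], "direct": [], "invalid": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split()[0]
        try:
            ipaddress.ip_address(src)
        except ValueError:
            buckets["invalid"].append(src)
            continue
        key = "vpn" if is_vpn_exit(src, networks) else "direct"
        buckets[key].append(src)
    return buckets


if __name__ == "__main__":
    nets = compile_ranges(VPN_EXIT_RANGES)
    for bucket, addrs in classify_log(SAMPLE_LOG, nets).items():
        print(f"{bucket:8s} {addrs}")
```

Note that the result only says "this request came from a listed exit", exactly the distinction the comment draws: the service learns that the client is one of many people sharing that range, not which person. Keeping the list fresh is the operator's whole burden here, since any exit not yet in it lands in the `direct` bucket.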
> I don't care if they know I use mullvad, I care they don't know I'm me
That's exactly what the article is about, a side channel information leak that de-anonymises users, did you read it?
Can it get my IP?
I'll go ahead and answer that it can't. It knows I'm Mullvad user X, thus deanonymization, "it knows I use Mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".