Security audit of account and payment services (mullvad.net)
265 points by JoachimS on Feb 23, 2023 | 106 comments



Mullvad is the only mainstream VPN that doesn't have seriously questionable credibility. Not even Proton VPN is OK; investigations uncovered it's just white-labeled NordVPN. I am grateful Mullvad actively proves their commitment to integrity, because there isn't an alternative.


Serious question: how can we trust that any of these are "credible" as you put it? I'm reminded of the recent disclosure that a "private" Swiss software firm providing encryption software was owned by the CIA and had backdoors, and operated this way for nearly 50 years:

> https://en.wikipedia.org/wiki/Crypto_AG

> https://www.washingtonpost.com/graphics/2020/world/national-...

Personally, I just don't see how you can possibly trust any assurance offered in the current world. You are implicitly handing your private traffic to a third-party black box and hoping it is as "private" as they claim. For 99 percent of customers I'm sure this is fine, but I would not be surprised in the slightest if we find out in the future that one of these was run by an intelligence agency. We've already seen them take advantage of fake/compromised encrypted messaging apps.


For some threat models, that would almost be a good thing, because if Mullvad is a Crypto AG-style front, they aren't going to blow their cover on something trivial like a copyright lawsuit.


And an intelligence agency is not as willing to share their data as an ISP would be, so you pretty much still win over the status quo. Indeed, several ISPs were found to be sharing with intelligence agencies anyway, so by putting your traffic directly through them, you at least remove the ISP from the picture and the 50 other companies they would've also shared with.


>several ISPs were found to be sharing with intelligence agencies

In the US, I would suspect all of them. They ply you with multimillion dollar contracts. If you try to resist, they weaponize whatever they can against you. Consider the case of Qwest. After the CEO refused to work with the NSA, he was brought in on unrelated criminal charges: https://www.foxbusiness.com/features/former-qwest-ceo-joe-na...


You will be surprised. They don't only share data. They also modify it.


I don't think this should convince anyone, but I just so happened to go to school with people who are now working there. That, but more so the absence of bullshit, the experience so far, and the availability of reasonable payment methods make me a happy customer.

As with anything relying on trust in a third party, one should definitely actively assess their individual threat models and risk profiles. It might be useful for parts of your traffic, not necessarily all.

For outgoing traffic, I also heard that proxychaining is a thing (which might not help you if collaborating actors compromised all of them, obviously).


I've wondered about other providers. I never used SurfShark, but someone I know did, so I checked it out.

I still haven't gotten any response from SurfShark about why they insist that users install a root SSL certificate and why their service can't be used without it. That alone should be incredibly scary. Installing a cert for negotiation between my computer and my provider's is one thing, but installing a cert that lets my provider spoof any SSL / TLS they want is something else entirely.


I agree with you entirely.

Ideally their client would allow for you to accept or even better pre-load a cert they allow.

But some OSes can be finicky about trusting certs that aren't loaded into some central trust store, which in principle allows you some ability to ensure everything trusted IS trustworthy, but also de facto means a cert trust can be abused.

However, that's as true for the Google certs, or the government certs that are already pre-loaded and updated with OS updates etc., as it would be for that service. And rarely are people actually looking at trust chains for the sites/services they use.

That said, I would trust Google or even the NSA/government over some rando VPN provider, if for no other reason than it's on literally every install and there are millions of prying eyes watching.


What? Who said it's white-labeled NordVPN?


It's a rabbithole, and you might not be personally satisfied with the standard of evidence. Regardless, every other VPN has some evidence of partnering with some combination of state actors, data brokers, ad networks, or unexplained unnecessary compromising requirements etc. Mullvad has no such substantiated allegations against it.

There are many VPN services that begin by reselling white-label VPN solutions, such as provided by NordVPN,[1] because it's cheaper and easier than building your own globally distributed high-capacity, low-latency network. Many suspect Proton VPN did so[2].

[1] https://nordvpn.com/white-label/ (old link, can't find an archived version of the page)

[2] https://archive.is/iZ2l2


Which, oddly enough, circles back to a comment chain between a PIA and a ProtonVPN employee, here on HN. It's far-fetched, but it seems like there is some corroborating evidence.

https://archive.is/1vaZ8

Even so, to me it seems like a LOT of trouble, since tons of services have managed to roll out a VPN product without resorting to white-labelling NordVPN.


I’m going to reply in this thread, since I’m probably the employee you’re referring to.

I would like to reiterate that this is completely untrue and borders on disinformation.

ProtonVPN maintains its own VPN infrastructure, and we take our commitment to user privacy very seriously.

It shouldn’t be surprising that the VPN space is a very competitive market, and certain people have a vested interest in defaming certain VPN providers, especially among a technical audience.


You want us to take your word for it?


Seems like the burden of proof is on you, mate.


Has there been something discrediting Private Internet Access? Or are they just not as transparent as Mullvad?


Change of ownership a few years ago to a company with less stellar reputation. https://en.wikipedia.org/wiki/Private_Internet_Access


Yes, and it's been covered extensively. The Wikipedia page and past discussion here are OK starting points if you find it worthwhile going down that rabbit hole.

I don't see why you'd want anything to do with them or their subsidiaries, unless your only research is googling "best VPN" and accepting the resulting misinformation at face value.


I agree. I just regret that I can't get Mullvad to work on my Gentoo machine.

I've tried twice, and it just wouldn't work. I tried with their software built from scratch, and I tried their OpenVPN stuff.

Once I can find a way to make it work, I would definitely use it.


Just generate an OpenVPN or a WireGuard config and load it on the native clients.


I tried that.


Provide more information here or in a search box if you expect to achieve this rather ubiquitous functionality.


I contacted Mullvad support twice. They couldn't or didn't want to help me.


I had some Euros left over from a trip last summer. I put them in an envelope, put my super secret generated code on a piece of paper, and dropped it in the mailbox. A week later, my Mullvad account was credited with the extra time.

I've been a Mullvad customer for a couple of years now.

I actually have a WireGuard connection right on my pfSense router, so I can selectively send traffic to the VPN at a network level using firewall rules. It's awesome.


> I had some Euros left over from a trip last summer. I put them in an envelope, put my super secret generated code on a piece of paper, and dropped it in the mailbox.

Oh awesome. I have some EUR left over as well. You can't send cash from the US to Sweden via mail right?


You can. I live in Washington State and I also sent money through the mail a month ago. But it did take about two weeks for them to receive the money and credit my account.


TIL.

I'm also in WA. Did you just use https://www.usps.com/international/first-class-mail-internat...?

According to https://www.usps.com/international/letters.htm, it sounds like for cash you need to file a customs form. Did you do that too?


No. I just sent 20 bucks, my code written on a piece of paper, and I had to use 3 of those forever stamps. But technically, you do have to file the customs form.


For something that ships flat like that, a customs form is going to create more problems than it will ever solve.


I think you just didn't look deep enough. It says "Look up your destination country in the Index of Countries and Localities to make sure you’re following their rules." and the rules for Sweden say

> [...] paper money [...] are prohibited in Priority Mail Express International shipments to Sweden.

So don't pay for Priority Mail Express, just First-Class:

> First-Class Mail International is a generic term for mailpieces that are postcard-size, letter-size, or flat-size and weigh less than 16 ounces [...]


I sent it from Canada in a normal envelope. Just wrapped with a few sheets of paper to be sure it wasn't obvious there was cash inside.


I don't know about Sweden and even less about the US, but in France, for example, it's illegal to send cash via mail.

Not sure what would happen if they caught you.


For what reason? To remove the issue of tracking down money stolen in transit?


In my European country, you can only mail money via insured mail. Otherwise it’s prohibited.

I assume it’s to avoid responsibility and money laundering.

From what I see there are limits on the amount of cash you can mail in the US as well.


It's mainly to avoid responsibility.

In reality, nobody gives a fuck if you mail someone 50 euros.


I have to imagine it’s one of those charges they can tack onto other criminal charges so that something sticks. Sending €20 won’t be a problem. Sending €20.000 will be.

Where the line in between lies, I have no idea.


You can also just buy a Mullvad gift card on Amazon that has a random code that you have to scratch off to see.


Love Mullvad; if you seek a truly privacy-loving VPN provider, look no further. Smart company, smart payment system.


As long as you're using it for the right things. Most of the people here already know this, but I'll say it anyway: VPNs don't make you more secure necessarily, they just reroute your traffic.

If you don't trust the network you're on, use Mullvad. If you want to appear as though you're in a different location, use Mullvad. If you want to bypass your network's firewall, use Mullvad. If you don't want the service you're using to see your true IP, use Mullvad.

But most people don't need a VPN running all the time. Or even most of the time.


I've recently been describing what a commercial VPN provides to non-technical friends and family as a type of "global virtual Internet cafe" subscription. It's not inherently (i.e. due to technical benefits of underlying technology) any more or less secure than connecting to your home or work wifi/network, and the Internet cafe knows who you are and what websites you're visiting, but your ISP/employer doesn't (since you're "at" the Internet cafe, not on your home/work network).

Of course, your ISP/employer does know that you're visiting the Internet cafe, and in the case of work (and some ISPs) can stop you from doing so.

If you visit a website from an Internet cafe, the website may still be able to figure out who you are, just like they can when you bounce between different networks normally. And of course, if you login to your account on a website or put your shipping address or something in when buying something, you're self identifying (unless you have throwaway accounts or forwarding addresses or whatever). And finally, if someone really wants to figure out who you are to a high degree of confidence, they will.

I find this lands pretty well and is close enough to being technically correct without getting into the details that would make non-technical people start glazing over.


I disagree; I think it would be highly beneficial if everyone ran a VPN, exactly for the reasons you describe — websites and services online have no business knowing who I am or where I am. We can hope for a better tomorrow where browser fingerprinting, geo-IP and other such things are a thing of the past. Every step we take in that direction is a step towards a better future. (For that matter, every device I own sits behind Mullvad.)


Sure, but then Mullvad has all your information. And all it takes is a change of leadership for that to go badly. At the moment, Mullvad is a great service with good goals. But every company hits a threshold where they lose their bearing.

And while yes, you don't provide your personal information directly to Mullvad, it wouldn't be very hard to deduce you from your traffic with some amount of effort.


You're missing the core difference which is that I get to choose. Many people live in areas where only one ISP offers a competitive service, they don't get to choose. If there's three ISPs in my area and they all sell my data, I don't get to choose. If all of your social circles use one social network to organize events and you want to be in the loop with them, you don't get to choose. Etc. In all of those cases, you don't have a say in who gets to munch on all of your data. When you use a VPN, you choose who you trust with your data, which also means you can change your mind later if need be. In the other scenario you cannot.


There's always someone in a position to acquire all your information. If it's not a VPN, it's an ISP. And ISPs have much weaker incentives not to step on the needs of the few. Most ISPs get to stay in business no matter how many scandals embroil them.


Very true as well.


> Sure, but then Mullvad has all your information

No more than any ISP, and (in the USA) they're pretty universally going to spy on you, so even if (ex.) Mullvad is a coin-toss it's a win.


You'll also get a lot less suspicious login flags if you regularly use a VPN from a certain area. If you only use it when you're on public WiFi, get ready to prove your identity on most of the services you use.


I agree for casual browsing, but just curious: for any service that requires providing some other piece of identifiable info (e.g. a site you have an account with and log in to, or buying something online and entering your delivery address), what is a VPN helping with other than hiding that activity from your ISP (which may be what you're going for, but just curious)? Once you identify yourself to a website or online service via typical means, how is the IP anonymity a VPN provides helping?


I'd say it might be even more relevant in those scenarios:

That site is now storing the link between your IP address and that other information. Some of those will be hacked, leaked, aggregated and combined with other datasets at scale.


I love that they accept envelopes of cash as payment.


And several cryptocurrencies. You actually get a discount for paying in crypto. Which is awesome because it allows people with oppressive governments to use it.


Reader's Note: "Privacy loving" typically means "want to watch Spiderman Movie on Canadian Netflix"


I think VPNs give only a potentially dangerous illusion of anonymity given the widespread NSA surveillance and organizations such as Team Cymru collecting flow records from ISP core routers worldwide.

https://www.vice.com/en/article/jg84yy/data-brokers-netflow-...


It depends.

If you are targeted by any 3 letter agency this will not help/save you.

If you're worried about your shady ISP and/or other entities mining the heck out of your traffic and/or selling this data it helps.


But then you're shifting your trust from your ISP to the VPN provider. So it makes sense only if you have good reasons to not trust your ISP. Personally I only use a VPN when I'm connected to a public WiFi network.


Many ISPs have a track record of e.g. injecting ads in plain text HTML, in the days before ubiquitous TLS.

Meanwhile, Mullvad has no idea who bought that scratchable one-time payment coupon, and we have pretty decent faith in them not logging metadata about your tracking for later study. The Mullvad server I am connecting to is claimed to be operating 100% without persistent storage.


Depending on your personal circumstances, this can be a dramatic improvement. Local ISP laws differ dramatically across countries.

VPNs won't let you evade the law, but they can reduce data footprint in certain contexts.


If your VPN provider does not know who you are, it's better than your ISP.


As with most security, it always depends on what you're trying to defend against.

A commercial VPN, even a very good one is probably not good protection if you're being directly targeted by the NSA. It's very good against your ISP selling your browsing habits to advertisers. There's a spectrum between the two and it's likely decent protection for most of that.


Sure, but what if this VPN is just part of the security cascade? Like, what if you go through Mullvad, another VPN, Tor, and then maybe a mesh network on top of all of this? Maybe then host another VPN through a prepaid SIM card on top?


I've been using Mullvad for several years now, ever since PIA took a downward turn with that acquisition. Mullvad has been fantastic.


Is this the company that Mozilla’s vpn goes through?

Yes, they are. They are also listed on their "Partner and Reseller" page: https://mullvad.net/en/help/partnerships-and-resellers/


Mozilla partnered with ProtonVPN, which also makes ProtonMail.


In 2018. I think they're no longer partnered, or at the very least Firefox no longer has that popup recommending ProtonVPN to users, ever since the new partnership with Mullvad.


In regards to using a VPN for privacy: The important thing about a shared VPN service is that it makes it difficult to distinguish traffic, and by sharing multiple IPs across different countries it becomes even harder to track an individual's activities. This is somewhat of a copy of Tor, but with less security-risk, at the expense of some privacy. Whereas if you run your own VPN, for example, all activity from that IP address gradually becomes more associated with you.


For those who use a VPN - why do you do it? Region-locked content, untrusted networks? They're pitched as a privacy thing, but privacy from who?


ISPs (at least here in the UK) are required by law to log everything you do for a number of years.

But does one need a reason to exercise their right to privacy?


No one said you needed to justify a reason, but everyone has one. OP was simply curious as to what those reasons might be. No need to get defensive about it.


I am sorry if I came off as defensive; not my intention.

I was merely trying to point out that not everyone has a "reason" other than the fact they want to be private.


I don't use a VPN for all things, since it causes various problems, but I do use it when:

- I want to pirate content, which I do infrequently but like to do safely when I do it
- I need to access a region-locked system

Otherwise, I just use iCloud Private Relay in Safari since that blocks IP addresses and prevents against my ISP while not causing as many problems for accessing websites.


Because my ISP spies on what I do, and tampers with my connection whenever they feel like it.


To protect against this:

https://twitter.com/privacylawyer/status/1117884896553263104...

Here in Canada, the usual copyright notices that came with a "pay this amount to settle" through your ISP were rightfully deemed to be almost extortionate scare tactics, and thus illegal. So copyright holders quickly moved to just outright suing people, directly through courts. So VPNs are essential, since you can be much more exposed to legal issues now than when "settlement notices" were the worst case scenario.


Pornographic sites. Majority of the sites are blocked in India. It's the only way to access them.


Privacy from the ISP logs, and thus court logs.

Also region lock on legit services.

Torrenting, even here in Sweden had media companies look up IPs in torrent swarms, go to court to get ISP logs = send lawyer letter.


Protection from seedy Linux ISO honeypots.


I don’t get it.


I think it's an alternative way to say "Sailing the high seas"


I am not that concerned about governments spying; I am concerned about private spying.


It can help reduce some kinds of tracking/fingerprinting, although from what I've heard the utility of that is going down over time.


I don't want my ISP seeing what I'm doing.


Great to see this openness (although, to be fair, I would have expected encrypted Redis, but no biggie).


Does Assured AB have a good reputation?


Good question. I don't have an answer. I can say Assured did previous audits in 2020 and 2021.

You can also review audits from a different vendor, Cure53, that were done in 2018[1] and 2020.[2]

[1] https://cure53.de/pentest-report_mullvad_v2.pdf

[2] https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leak...


> we have increased the minimum password length to 48 characters.

Isn't this complete overkill? I suppose this effectively mandates the use of a password manager, but I wonder where the 48 number came from.


Well, standard policy for cryptographic keys is to have 256 bits of entropy, with the paranoid number being 512. So if they're using ASCII-printable characters, uniform random 48-char passwords have ~315 bits of entropy. That doesn't seem too far off. Basically this means you don't have to trust your key derivation function as much.


Are 512-bit encryption keys even a thing? I thought 256 bits is already for the paranoid, with AES-128 being sufficiently secure until quantum computation becomes feasible. I don't even know a symmetric cipher that uses 512-bit keys.

Also, since we are talking about hash functions, keys don't even enter the discussion. Hashing is about making password guessing difficult. The length alone doesn't determine how difficult it is anyway, since there are 48-character passwords in popular wordlists. Just enforce 2FA, use Argon2 or similar with a minimum password length of 12, and call it a day.


Ah right, I got confused between hash function sizes and cipher key sizes. It's 128-256.


Ugh, I use it on my Android TV; a 48-character password would kill my use case.


Those password policies only apply to their internal admin panel.


This is for admin passwords, not user passwords, as I read it.


When it becomes mandatory for users, I'll be safe using:

hunter222222222222222222222222222222222222222222


Mullvad does not have passwords for their users.


This is great to see. I hope they expand to offer VPSs and domains in the future.

Those are two areas where I have serious privacy concerns and am seeking a zero trust solution.


I have a very general question. What do you folks use these VPNs for besides, say, privacy/security or circumventing content restrictions?


This applies more to VPN as a tunneling technology rather than an anonymity provider. But I don't want to share my personal IP address with everyone I interact with online. I don't currently care if, say, Hacker News or Reddit knows it, or really any big web platform where I'm not that interesting to them. But everyone and everything else? It could invite attacks, DOS, expose geographical information, social engineering targets, etc. A VPN at least gives you a layer of protection, and ideally one that you can throw away if anyone targets you. Once someone knows your main IP address, it probably can't be changed quickly, may be difficult to change it at all, and may even be impossible in some cases. It's a piece of knowledge you can't take back, so sharing it by default is bad, IMO.

So I guess that's just a security/privacy concern, but the key point is that you should be secure/private before you think you need it.


I use it (Mullvad, specifically) to download videos I want to watch that online services make too onerous to purchase easily.


My primary use case for a VPN is hiding BitTorrent traffic from my ISP.


Isn't the most secure VPN solution to have a $5 VPS with OpenVPN on it? (Serious question)


No, probably not. Your $5 VPS is going to be dedicated to you. The VPS provider is going to provide no privacy guarantees to you and will easily be able to associate requests for your information with your VPS. They will have no issue providing it to whomever asks for it.

In addition, your traffic will be the only thing coming from that VPS, so tying network information to you will be easier.

The key thing to remember about VPNs is that you are re-positioning your trust. Instead of trusting your ISP with your traffic, you are trusting the VPN provider. A hosting provider is about as trustworthy with your traffic as an ISP, and offers the same amount of pseudo-anonymity. It's a lateral move at best.


VPN means many things; with this one, you would be throwing away anonymity, as you're completely stuck with a single IP forever which no one else will use.


Speaking from experience, definitely not.


If I didn't have lifetime Windscribe I would use Mullvad for sure.




The world is controlled by the Illuminati. Prove me wrong.


If you really care about how Mullvad does this, and when, it'd be more useful to monitor their blog, or /r/mullvadvpn. The info seems to reach HN a week later...

