Comment by gchamonlive
9 hours ago
It's a game of cat and mouse. The service keeps banning IP ranges, the user keeps reconnecting to different servers and regions. The server can't know exactly who's who, just that a bunch of users are using mullvad, while the user just need to find one server on one IP range that works.
Seems like a good deal to me. I don't care if they know I use mullvad, I care they don't know I'm me, and that's not something mullvad will easily disclose.
> I don't care if they know I use mullvad, I care they don't know I'm me
That's exactly what the article is about, a side channel information leak that de-anonymises users, did you read it?
Can it get my IP?
I'll go ahead and answer that it can't. It knows I'm mullvad user X, thus deanonimization, "it knows I use mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".
I'm not sure what you're going for, your ISP-assigned IP doesn't tell them your legal name either.
But when you connect to the site from via server A and later via server B they can tell that you're the same person.
And they can deanonymise you through data brokers. All Mullvad IPs are traceable back to the same number (acting as a pseudo account identifier) so if you ever entered your PII on any website when using Mullvad, it can be linked to the same Mullvad account.
And if you ever visited any of those sites without using a VPN, your home IP can be linked to your Mullvad ID through browser fingerprinting.
And if you ever entered any PII on any website from your home IP, you can once again be deanonymised.
Now the existence of browser fingerprinting isn't Mullvad's fault, but this flaw makes it a lot easier to accidentally deanonymize yourself.