Comment by illiac786

11 hours ago

Well there is still the small detail of them not storing any logs.

This is a massive issue in my view, it allows correlation across multiple VPNs exit nodes, but that’s it. It doesn’t allow to identify you automatically. It does significantly lower the bars for identifying you though, but the requirements are still high.

Hopefully they fix this soon.

I can’t believe this type of “let’s make it a hash or something sensitive” still happen, and at mullvad, of all places. Why not randomise it simply?

11 comments

illiac786

overfeed 11 hours ago

> It does significantly lower the bars for identifying you though, but the requirements are still high

If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for party that has a whole host of other bits on a list of suspects, without being useful to most other people.

1. https://en.wikipedia.org/wiki/NOBUS

linkregister 10 hours ago
Then why complicate it by being publicly insecure? If Mullvad were wanting to defeat anonymity, they could simply log the traffic metadata while falsely advertising they aren't.
Their ads on San Francisco's public transit are good.
- hackinthebochs 9 hours ago
  
  Good VPNs tout the fact that they had nothing to give in response to a subpoena, or that there was nothing a law enforcement agency to find when they seized a server. For mullvad to be effective as a honey pot it needs to survive these events with its reputation in tact.
  
  3 replies →
- raverbashing 10 hours ago
  
  "public insecure" JFC
  Security is always a balance. Always
  AI is showing that everything has a weak spot (wondering where are the "I don't make mistakes with C" now people are - but that's for another discussion)
  There's another commenter mentioning this makes sense because exactly it avoids them keeping information on which customer is matched to which server. You know, one of the things you don't want to log
  Could it be done better? Probably.
  Here's a better idea, logging off is 100% safe
  Meanwhile 99% of the normies will go for NordVPN
illiac786 10 hours ago
You definitely need glasses then.
Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still.
- UqWBcuFx6NV4r 10 hours ago
  
  it really isn’t.
  
  2 replies →