Nice. But unfortunately these addresses are hard to remember and "nobody" recognizes them when reading examples. One of those "standards" that have been a great idea, but lack practical relevance.
When you have tens of thousands, or hundreds of thousands of employees, your organisational culture and policies inevitably change to limit the impact -- good or bad -- of one individual or a small team.
I'd really like some version of E.G. Librewolf configured to spoof the exact SAME information no matter who's using it. Like standard resolution for a 1080p monitor, the same GPU profile, Allow device timing stuff to work but with a fixed profile etc.
Effectively, stop spoofing random data, start spoofing still useful but not for finger printing data.
This is already what LibreWolf does for most of its fingerprinting protection, including resolution, which you call out. It already works, LibreWolf is the only browser besides Tor I’ve found that actually defeated fingerprinters in some of my testing. Is there something that’s currently randomized that you think should be binned or homogenous?
It's not going to be an issue for most things which have been properly thought out as they will have proper isolation between servers which should have separate identities. Reusing the same VPN for all servers and relying on an eventual expiry before the IP changes is fundamentally not a great approach to rely on for isolation.
Which you absolutely shouldn't use, because just like Tor Browser before, a vulnerability in the browser can be immediately escalated into decloaking your real IP. Ideally the proxying doesn't even happen on the same machine.
One possible mitigation might be to run your system (or just the browser/certain apps) sandboxed to only communicate with the IP/ports mullvad uses for VPNs.
What threat model should you use Mullvad browser in? What threat model should you avoid Firefox-based browsers?
Please talk in terms of specific threats instead of fearmongering. For people wanting to avoid surveillance capitalism, which is a very common threat, I think Mullvad Browser is a fantastic choice.
For journalists targetted by nation states, perhaps it would be better to use Brave or Chrome inside of Qubes.
I've always assumed that when I am logged in to a website like Hacker News and I switch VPN endpoints, Hacker News now gets to see that I am a VPN user and track me between the IPs. I mean being logged in to something obviously negates a large amount of anonymity but switching servers while logged in really gives away the VPN usage, right? Or do large web services already keep up to date indecies of all common VPN IPs?
It's very common for people to switch networks many times a day anyway so it's not obviously a VPN user - even when switching countries to some extent.
Can you elaborate? I assume they're talking about switching networks while using the same site, when you have a user fingerprint from cookies or request paths. That does make VPN usage obvious.
I have been confused by this mitigation because switching networks while using the same service is pretty much always a VPN. But maybe I'm not aware of another case where that would happen?
I wish Mullvad would focus on censorship breaking. These days anything that doesn't implement something along the lines of AmneziaWG/Xray/Shadowsocks/Outline feels like a waste of time, sadly.
What makes it a waste of time? A reputable VPN provider that offers a pretty reliable service and has every indication of having a competent security team is worth something in itself; not everyone using Mulled wants to set up / debug potentially complicated systems either.
No, not usually. Few ISPs are willing to risk blacklisting.
Just like scrapers (and a lot of VPNs are quietly using their custom VPN clients to sell your own IP [and data] to scrapers) it's mostly a "don't ask don't tell" situation for IP sourcing. You use a multitude of IP providers and if a scandal happens you just say "We didn't know!" and move on to the next. Almost always grey-market, very rarely through legitimate providers.
Mullvad in particular has a page that lists the ISPs they use (in a few cases their own servers at a datacenter), although they don't list the datacenters (sometimes you can get this info from the ISPs).
I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).
Some VPN providers don't even have exit nodes in the country they're claiming. Instead they'll have their IPs registered to the respective countries in GeoIP databases.
This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.
And what evidence do you have that this May 14th disclosure has nothing to do with Wyden's March warning? If you remember your history you'll know Wyden tried to shake the Snowden revelations out before the Snowden revelations.
Dismissing Wyden's remarks as "american politics" is near equivalent to dismissing the entire notion of VPN security.
it should probably link to this: https://news.ycombinator.com/item?id=48143880
That blog post is a perfect example of when RFC5737 should be used.
https://datatracker.ietf.org/doc/rfc5737/
Nice. But unfortunately these addresses are hard to remember and "nobody" recognizes them when reading examples. One of those "standards" that have been a great idea, but lack practical relevance.
3 replies →
On a side note, buttons icons on this page won't load without javascript. I cannot comprehend what would justify such decision.
14 replies →
The post you preferred was submitted before. And had not much new information. The rollout was the news. The link was correct.
The page already contains link to both of these resources
right. but one of those resources contains much more context than the other, making it much more suitable for the submission link.
Maybe it's just me, but I'm incredibly surprised by their prompt reaction to this. As a user, I was already preparing to deal with this myself.
Wow, is this how things were before bureaucratic behemoths took over the tech industry?
When you have tens of thousands, or hundreds of thousands of employees, your organisational culture and policies inevitably change to limit the impact -- good or bad -- of one individual or a small team.
This is just how things work when there’s much less overhead. Which is typically the case for smaller companies.
[flagged]
I'd really like some version of E.G. Librewolf configured to spoof the exact SAME information no matter who's using it. Like standard resolution for a 1080p monitor, the same GPU profile, Allow device timing stuff to work but with a fixed profile etc.
Effectively, stop spoofing random data, start spoofing still useful but not for finger printing data.
The Mullbad Browser? https://mullvad.net/en/browser
Or tor browser, where all the features came from. You can also enable it on firefox with privacy.resistFingerprinting enabled.
2 replies →
This is already what LibreWolf does for most of its fingerprinting protection, including resolution, which you call out. It already works, LibreWolf is the only browser besides Tor I’ve found that actually defeated fingerprinters in some of my testing. Is there something that’s currently randomized that you think should be binned or homogenous?
When news broke I was really confused how IPs with thousands of users would suddenly be more identifying than your home IP with one user.
I'm happy that Mullvad actually explains the issue very clearly in https://mullvad.net/en/blog/exit-ip-fingerprinting-between-v...
Original source: https://news.ycombinator.com/item?id=48143880
If you us Mullvad browser, which has built in Mullvad proxies, this isn't an issue because it doesn't use wireguard.
The browser also has a cool feature in the browser extension called Random mode. This gives you a different IP for each site, improving your privacy.
You can probably also use it on regular Firefox.
It's not going to be an issue for most things which have been properly thought out as they will have proper isolation between servers which should have separate identities. Reusing the same VPN for all servers and relying on an eventual expiry before the IP changes is fundamentally not a great approach to rely on for isolation.
Which you absolutely shouldn't use, because just like Tor Browser before, a vulnerability in the browser can be immediately escalated into decloaking your real IP. Ideally the proxying doesn't even happen on the same machine.
"Absolutely shouldn't" is silly.
- Browser vulnerabilities are non-trivial.
- Mullvad browser's proxy feature only works if you're connected at the OS level, which helps mitigate browser level exploits.
Compared to any other off the shelf solution, Mullvad browser provides a good balance of usability & privacy.
Compared to something like you're describing, I agree it's worse.
One possible mitigation might be to run your system (or just the browser/certain apps) sandboxed to only communicate with the IP/ports mullvad uses for VPNs.
1 reply →
What threat model should you use Mullvad browser in? What threat model should you avoid Firefox-based browsers?
Please talk in terms of specific threats instead of fearmongering. For people wanting to avoid surveillance capitalism, which is a very common threat, I think Mullvad Browser is a fantastic choice.
For journalists targetted by nation states, perhaps it would be better to use Brave or Chrome inside of Qubes.
3 replies →
I've always assumed that when I am logged in to a website like Hacker News and I switch VPN endpoints, Hacker News now gets to see that I am a VPN user and track me between the IPs. I mean being logged in to something obviously negates a large amount of anonymity but switching servers while logged in really gives away the VPN usage, right? Or do large web services already keep up to date indecies of all common VPN IPs?
It's very common for people to switch networks many times a day anyway so it's not obviously a VPN user - even when switching countries to some extent.
Can you elaborate? I assume they're talking about switching networks while using the same site, when you have a user fingerprint from cookies or request paths. That does make VPN usage obvious.
I have been confused by this mitigation because switching networks while using the same service is pretty much always a VPN. But maybe I'm not aware of another case where that would happen?
I wish Mullvad would focus on censorship breaking. These days anything that doesn't implement something along the lines of AmneziaWG/Xray/Shadowsocks/Outline feels like a waste of time, sadly.
What makes it a waste of time? A reputable VPN provider that offers a pretty reliable service and has every indication of having a competent security team is worth something in itself; not everyone using Mulled wants to set up / debug potentially complicated systems either.
They do have Shadowsocks
https://mullvad.net/en/help/connecting-to-mullvad-vpn-from-r...
They've worked quite a bit the past year or two on censorship breaking. But I guess there's always more to be done in a cat and mouse game
Do VPNs pay retail ISPs for exit points?
No, not usually. Few ISPs are willing to risk blacklisting.
Just like scrapers (and a lot of VPNs are quietly using their custom VPN clients to sell your own IP [and data] to scrapers) it's mostly a "don't ask don't tell" situation for IP sourcing. You use a multitude of IP providers and if a scandal happens you just say "We didn't know!" and move on to the next. Almost always grey-market, very rarely through legitimate providers.
I see DataPacket.com have VPN clients.
Does anyone know if this is any issue for non-vpn users of datapacket.com?
https://www.datapacket.com/case-study/nordvpn
1 reply →
why is this downvoted? I'm not aware of a single ISP that would willingly let VPN providers use their ip blocks for their exit nodes
1 reply →
Mullvad in particular has a page that lists the ISPs they use (in a few cases their own servers at a datacenter), although they don't list the datacenters (sometimes you can get this info from the ISPs).
https://mullvad.net/en/servers
They also have a document that lists some of their practices around the servers, such as not using shared servers:
https://mullvad.net/en/help/server-list
I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).
Some VPN providers don't even have exit nodes in the country they're claiming. Instead they'll have their IPs registered to the respective countries in GeoIP databases.
This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.
Mullvad doesnt do that, but "ExpressVPN" absolutely does
Not retail ISPs, but many extensions and free VPNs route VPN traffic through the connections of those who use them.
This isn’t correct, the residential IPs are a completely separate and vastly more expensive product.
2 replies →
[flagged]
[dead]
[flagged]
[flagged]
This sounds like some LLM to me
Just flag and move on.
[dead]
Is this at all related to Wyden's recent congressional warning? Are any other VPN providers speaking up on this?
https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_g...
it is a direct response to this disclosure: https://tmctmt.com/posts/mullvad-exit-ips-as-a-fingerprintin... and nothing to do with american politics
And what evidence do you have that this May 14th disclosure has nothing to do with Wyden's March warning? If you remember your history you'll know Wyden tried to shake the Snowden revelations out before the Snowden revelations.
Dismissing Wyden's remarks as "american politics" is near equivalent to dismissing the entire notion of VPN security.
https://www.washingtonpost.com/politics/after-years-of-obscu...
7 replies →