>Surprisingly, the exit IP you are given is not randomized each time you connect to the server, but deterministically picked based on your WireGuard key
What's the point of this? This seems more complicated to implement than mapping exit IPs at the server level, so surely they must be doing this for a good reason?
arciini•May 15, 2026
I'd guess that this is to ensure one abusive user doesn't get every other user blocked from a large service (say, Google) for botting over the VPN and constantly rotating IPs.
It's a practical measure, but definitely has a privacy cost though.
stevekemp•May 15, 2026
It's possible that contributes, but to be honest most VPN users are split between "privacy seeking" and "abusive". Though I grant you paid users are probably slightly more circumspect than users of Tor, etc.
It seems more likely this is just about load-balancing use against their available nodes.
tempest_•May 15, 2026
I imagine there are a bunch of things on the internet that break if you start trying to connect to them from varying IP addresses. Things like the various CAPTCHA schemes and rate limiting etc, IP reputation etc.
lmm•May 15, 2026
> I imagine there are a bunch of things on the internet that break if you start trying to connect to them from varying IP addresses. Things like the various CAPTCHA schemes and rate limiting etc, IP reputation etc.
Given how much of the world is stuck behind CGNAT now, I would expect any major sites to handle it.
nly•May 15, 2026
Ironically the CGNAT at my ISP is so broken at peak times the only way I can actually use the internet is via a VPN (presumably because I then only occupy one connection tracking slot on the NAT)
I'm also stuck in a 2 year ISP contract
TheDong•May 15, 2026
It's simpler to implement because it's more stateless, and it's a better user experience.
If you get a new exit IP each time you connect, you need something like a NAT table to look up "key 0xabc exits ip 1.2.3.4", and that grows to be the size of the number of users you have active, and you need to save it forever so that when the NSA asks who used the IP for what duration you can tell them.
With a static mapping derived from the key, you don't need a table like that.
It's also better UX since it means reconnecting your VPN software (say you switch wifi hotspots) doesn't give you a different IP address, so things like SSH sessions can resume, which wouldn't be possible if it were a different public IP each time.
Riany•May 15, 2026
My guess is deterministic assignment makes load distribution and debugging easier. But for a privacy product, that convenience probably needs to be reconsidered
wg0•May 15, 2026
VPNs are snake oil. Exit IPs are public information.
avazhi•May 15, 2026
> Exit IPs are public information.
Yes, obviously.
> VPNs are snake oil
Huh?
Cider9986•May 15, 2026
VPNs are not snake oil. They transfer the trust of your internet activity from a place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad, IVPN, or Proton. Among other benefits. If you don't like your ISP creating a profile of you and selling it to target ads to you, you should use a VPN.
>Should I use a VPN?
Yes, almost certainly. A VPN has many advantages, including:
1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
4. Allowing you to bypass geo-restrictions on certain content.
> place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad
This is a highly subjective statement.
Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely a high trust point while any commercial VPN is a low trust one.
sfdlkj3jk342a•May 15, 2026
I can easily pay for a VPN service with crypto anonymously. I can also use a VPN run by a company outside my country of residence and jurisdiction.
Neither of those is possible with my ISP.
dakolli•May 15, 2026
Prepaid 5G SIM cards and a 5G modem.
SXX•May 15, 2026
Yes, and the 5G provider knows your exact location, while VPNs can be easily chained.
dakolli•May 15, 2026
Sure, if you want to get crazy with it you put prepaid phone in another location, put it on your Tailscale VPN then proxy all traffic through the prepaid phone with something like: https://github.com/kost/revsocks
Phone doesn't even need data if you have access to wifi wherever you stash it.
VPN chaining easier though.
SXX•May 15, 2026
The whole idea of "put phone in location X" alone is much harder to implement than buying 5, 10 or 100 VPN accounts or servers with crypto and setting them up how you like.
Like, you need to physically be there, need the ability to connect the phone to electricity and somehow maintain it if it e.g. reboots. And stay anonymous while doing so? I'd say that's a Hollywood kind of solution.
notpushkin•May 15, 2026
Make it a "tourist eSIM" for good measure. Your phone will be in one country, your exit IP in another (because they usually use roaming).
That said, you might still want to use a VPN on top of that, depending on what you’re doing.
jesterson•May 15, 2026
Paying with crypto does something to deidentify you, but does nothing about your traffic. It's still being watched.
applfanboysbgon•May 15, 2026
Your ISP farms and sells your data too.
Most VPNs are untrustworthy, but unlike ISPs, you can choose from any VPN provider in the world, not just the two or three that are local to you. And there are VPN providers in the world that have been proven not to retain data by audits + actual court cases where the court determined that the VPN provider did not have the data authorities were seeking. Do your research and choose a court-proven VPN, it's that simple.
KingOfCoders•May 15, 2026
Deutsche Telekom in Germany/EU farms and sells my data? Any sources?
applfanboysbgon•May 15, 2026
You probably won't find direct proof any more than you will find direct proof of any random VPN selling your data, it's just a given that commercial entities are liable to sell financially valuable data, and a list of all traffic, every website you visit and every service you use, tied to a specific identity is certainly financially valuable. Being in the EU doesn't change this; in fact the EU explicitly required that ISPs retain your identifying data with the Data Retention Directive, and though this was struck down after 8 years in court, many individual national governments immediately moved to impose similar requirements. I don't know if Germany was one of them but unless Germany has a specific privacy directive that goes beyond EU law I would see zero reason to place any trust in an ISP. In fact even if there was a law that's still not a reason to trust an ISP, because privacy laws are violated constantly; the most trustworthy source by far is a party acting opposite to the government, who has been investigated by the government and proven not to log the data that the government wants.
KingOfCoders•May 15, 2026
"EU explicitly required that ISPs retain your identifying data with the Data Retention Directive"
And then sells it?
applfanboysbgon•May 15, 2026
What gives you confidence that they aren't? I have confidence my VPN doesn't sell my traffic not because I implicitly trust what they say, but because if they had logs the courts would have found them when trying to seize data themselves. What makes you trust your ISP so much? Faith in the human goodness of businesses to look out for the best interests of their customers, even if it means passing up an opportunity to make a larger profit? Faith in their words, or faith in toothless privacy laws that have been violated time and time again?
KingOfCoders•May 15, 2026
"What gives you confidence that they aren't?"
What gives you the confidence that Bigfoot does not exist?
What gives you the confidence we're not ruled by Reptile overlords?
What gives you the confidence we're not just in the Matrix and nothing matters?
What gives you the confidence you're not just a dream by a dog in Sicily?
What gives you the confidence I even exist and you're not talking to yourself?
You're entitled to your conspiracy theories and paranoia of course, but it's not an argument.
applfanboysbgon•May 15, 2026
It's a conspiracy theory to observe reality now? It is a known factor that ISPs in general sell data, even if there isn't smoking gun proof for every single individual ISP (...just as there isn't smoking gun proof for every individual VPN). If you want to take the piss, at least get it right -- you're denying the existence of one individual Bigfoot after 100 other specimens of the Bigfeetian species have been found and conclusively proven to exist. Jesus, the complete disregard for common sense and privacy of even the tech-inclined members of the general public never ceases to amaze me.
9753268996433•May 15, 2026
Once again an adherent of the corrupt EU blindly defends the regime.
Doesn't surprise me that they're counting on gullible, useful idiots defending "Chat Control" and eIDAS.
weezing•May 15, 2026
Even if it only farms and stores your data (which it does) without selling it, that isn't good. YMMV between EU countries but I think even torrenting in Germany is way less safe than e.g. in Poland where nobody bats an eye.
jojobas•May 15, 2026
Now try saying that wearing some Russian or Chinese shoes.
faangguyindia•May 15, 2026
Most ISPs have invested big bucks in Deep Packet Inspection
sfdlkj3jk342a•May 15, 2026
That just helps them classify the type of traffic. They're not breaking the encryption to see the actual content.
eipi10_hn•May 15, 2026
My ISP is in a communist country; they sell other products like TV boxes, cameras, clouds and have ads/trackers on all of their products too.
Should I trust my ISP more than Mullvad? LMFAO.
cubefox•May 15, 2026
> Almost all commercial VPN services farm and sell your data.
Citation needed.
jesterson•May 15, 2026
I understand it's not up to your (or anyone's) level of belief, but I am intimately familiar with their modus operandi.
For everyone in the industry it is le secret de Polichinelle.
cubefox•May 15, 2026
I think they don't sell their VPN data, because if that ever came out, that would destroy their business. Selling the data would be far too risky for them.
weezing•May 15, 2026
Could you please provide proof for such findings about eg. Proton and Mullvad?
bilalq•May 15, 2026
Unfortunately, the largest and most well-marketed VPNs are, in fact, less trustworthy than your average ISP.
asdfsa32•May 15, 2026
Exactly. Most ISPs are subject to local laws at least, whereas a lot of these ISPs are overseas in shady jurisdictions.
SXX•May 15, 2026
This depends on your threat model. If what you worry about is massive collection of Linux ISOs that you download and distribute over P2P then probably a shady VPN ISP is what you need.
Slothrop99•May 15, 2026
I'm a normal person who watches sports streams and maybe 2 years ago I downloaded a torrent of some art movie. My ISP is Comcast. How does your advice apply to me?
wg0•May 15, 2026
How is a private company (VPN) more trustworthy than another private company (ISP), and how do you expect them to protect your identity in the face of determined state actors that are after you?
What power is in $2.99/month that it offers so much security?
Why is that at least 40% of sponsorship to YouTube Creators seem to be from VPN industry?
What is that they know and we don't know?
eipi10_hn•May 15, 2026
Mullvad vs my ISP.
One at least has open source software clients, and publishes audits from other 3rd-party audit organizations.
The other open sources... nothing. Their client apps have dozens of trackers inside. And it's a dream to see any of the ISPs in my country publish any 3rd-party audits. Their other products (going with the service) have trackers and personalized targeted ads inside.
Yeah, in my 1 million alternate universes should I trust my ISP more.
pretzel5297•May 15, 2026
You fundamentally misunderstand what privacy means if you're replying to someone stating using a VPN will help you avoid getting spied on by your ISP for commercial purposes with state actor based worries.
nine_k•May 15, 2026
Specifically Mullvad operate completely stateless nodes, which was confirmed several times when law enforcement tried to access their logs. There are no logs. Mullvad are selling their location, with very good connectivity and with laws that strongly protect privacy. They are €5/mo, almost $6/mo, and likely acquire bandwidth very cheaply due to scale and likely peering agreements.
yjftsjthsd-h•May 15, 2026
> How is a private company (VPN) more trustworthy than another private company (ISP)
Well, my ISP sent me a nice letter saying they intend to monetize my metadata, and mullvad has demonstrated in court that they don't have user data to give up.
> and how do you expect them to protect your identity in the face of determined state actors that are after you?
That's moving the goalposts; your parent comment didn't say anything about determined state actors. And defending against commercial actors is useful even if it doesn't help against state actors. I tend to assume the NSA can compromise anything. I'd like to ensure only the NSA can compromise my stuff.
RandomGerm4n•May 15, 2026
In many countries, a VPN provider can be significantly more trustworthy than an ISP. In Germany, for example, you can have your home searched simply for insulting a politician. The ISP will then immediately hand over the data to the authorities, which most VPN providers do not do. The same goes for torrents. If some random law firm sends a letter to Telekom saying, “Hey, your customer downloaded a movie please give us his data,” they’ll do it right away. Mullvad, ProtonVPN, or even dubious VPN providers like NordVPN don’t do that.
wg0•May 15, 2026
That's a very simplistic assumption. If the German state machinery is determined to get you, ISP and VPN provider both have a threshold beyond which they'll give up.
Many, many examples out there. "We don't keep logs" is neither good enough nor realistic, because how else is a VPN provider supposed to protect itself if it doesn't keep a log of what's happening inside and through its own systems?
BLKNSLVR•May 15, 2026
Making your traffic cross jurisdictional boundaries also adds a level of difficulty for tracking usage.
Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.
(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).
adgjlsfhk1•May 15, 2026
the counterpoint is that making your traffic cross out of the US gives the NSA (by their ass backwards reading) permission to spy on you
vintermann•May 15, 2026
Seems a bit optimistic to think they actually care whether they have that permission or not.
BLKNSLVR•May 15, 2026
Fair point, but I'm not sure if that was ever a boundary they wouldn't cross, but for 'a little while now' I'd say it doesn't matter.
From outside the US I should be using a VPN end-point within the US, so that my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does.
kyboren•May 15, 2026
> my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does
I mean, let's be real.
All known US VPN servers and Tor exit nodes--and probably all US Tor relays regardless of exit policy--are going to be considered a totally legitimate "communications facility" target for the warrantless wiretapping system due to exactly the scenario you just posited.
From that perspective you'd be better off using US residential proxies. Of course, while they'll never admit it in court, NSA just does whatever they want, laws be damned, and are almost certainly logging everything. So while such a scheme might theoretically hinder the introduction of evidence in a court case, it doesn't really matter; NSA is still gonna see your traffic and they're still gonna either drone strike you or "parallel construction" your ass, anyway.
linkregister•May 15, 2026
> NSA just does whatever they want, laws be damned, and are almost certainly logging everything
When you share the evidence for this, it will be international news.
u8080•May 15, 2026
Did you miss Snowden or something?
linkregister•May 15, 2026
Marcus Hutchins (security researcher who blackholed the WannaCry ransomware domain) made a post on LinkedIn today comparing VPNs to snake oil. With regard to the way they're advertised in internet ads, they are. VPNs will not protect ordinary users from ad tracking or commercial data mining. They're marketed as a privacy tool when their privacy value is very limited.
VPNs are useful for the reasons you mentioned.
pixelesque•May 15, 2026
> 4. Allowing you to bypass geo-restrictions on certain content.
In theory, but as someone who uses Mullvad in the UK on a day-to-day basis on my personal laptops (not my phone) - I'm using it now, I'm afraid there's quite an additional downside I've found, in that because Mullvad's (at least UK, but also French and Dutch ones I've tried) exit IPs are known, many companies (Cloudflare, Akamai) at the very least know about them, and several sites block access when using Mullvad, returning 403s.
Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise (using Firefox).
Sometimes using IPv6 in the Mullvad settings gets around this, but more and more recently I've found it doesn't, so there are sites where I'm having to stop using Mullvad to actually access them.
(I'm still a happy customer, and 1 to 3 are still true and why I use it otherwise).
ThePowerOfFuet•May 15, 2026
>Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise
Rotating your VPN endpoint will resolve the issue. It might take two or three tries.
dewey•May 15, 2026
> VPNs are snake oil
The most generous way of reading that would be that every YouTuber pushing a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering, but there are good reasons for using a VPN and it's not snake oil.
Cider9986•May 15, 2026
I was just talking to a friend who believes that the feds poison privacy communities by spewing nonsense like this. I don't think wg0 is a fed, and my friend didn't have any proof for his claim. My feeling is that it is probably people acting like regular humans. They hear things, they have opinions and they don't provide proof or adhere to community norms. Eternal September or something. Regardless of whether it's federal agents disrupting the discussion or human nature, the response should be the same: push back with proof, demand proof and avoid logical fallacies.
>Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use braive. Don't use braive. Use vpn. Don't use vpn"
Then the debate spreads to all other aspects
password managers, emails and etc
kalium-xyz•May 15, 2026
If people using some tool made my job harder I'd be vocally against it during off hours. But let's be real, any powerful group interested in tracking people would just be working with or running VPN companies. Or perhaps providing free VPNs. Either way I think it's all moot, as for tracking you have to question who you do and do not want to be tracked by, and for other purposes a VPN works just fine.
roncesvalles•May 15, 2026
VPNs as marketed to "normies" is absolutely snake oil. It won't improve anyone's "privacy" in any meaningful way to simply proxy all their regular traffic through a VPN.
VPNs are a technical tool for technical people. You need to know exactly why you need it in order for it to be useful.
numpad0•May 15, 2026
Mullvad is a tiny world-famous ISP in Sweden that has zero KYC and an explicit zero-log policy, specifically designed that way to enable mild abuses, that also accepts PayPal, credit cards, and, today I learned, cash in an anonymous envelope for payments. That doesn't scream US three-letter organization at all.
BLKNSLVR•May 15, 2026
I do all my illegal shit over Mullvad and I've only been raided once.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
esseph•May 15, 2026
> That doesn't scream US three-letter organization at all.
They have their own tools + tor, they do not need mullvad.
BLKNSLVR•May 15, 2026
Interesting handle to make that comment. I'm assuming you mean commercial VPN providers, and not wireguard (or other such VPN implementations).
linkregister•May 15, 2026
Given that Mullvad is basically a bulletproof VPN host[1], it would be great if site operators could rely on this property to enact bans. Given that the solution is simple (add a pseudorandom seed), Mullvad will likely push out a fix within a couple days.
1. It's the preferred VPN of TeamPCP.
fastily•May 15, 2026
Source? Been googling for this but I don’t see any relevant info
watchful_moose•May 15, 2026
oopsie, has someone burned their proprietary intel for internet points?
VoidWhisperer•May 15, 2026
> Surprisingly, the exit IP you are given is not randomized each time you connect to the server, but deterministically picked based on your WireGuard key, which rotates every 1 to 30 days (unless you use a third-party client, in which case it never rotates).
I'm a little confused on this... what is stopping third parties from doing key rotations like the main app clients if it is detailed in the repo how to do it?
nvme0n1p1•May 15, 2026
Third party clients include e.g. the WireGuard driver in the Linux kernel. It's definitely not the network driver's job to mitigate an attack against one specific commercial service.
DANmode•May 15, 2026
> what is stopping third parties from doing key rotations
Knowing to do so, primarily.
lorenzohess•May 15, 2026
The purpose of a VPN does not include anonymizing users with respect to the sites they visit, so it shouldn't be too surprising that Mullvad doesn't enforce unique exit IPs. Users who want anonymity should use networks like Tor.
jorvi•May 15, 2026
That is exactly the point of public VPNs..
If I'm on a public VPN, I don't want anyone to know who is making the request, including the terminating IP.
Think about it. By your logic, VPNs shouldn't be used for torrents because VPNs shouldn't anonymize you to the terminating IP. Whereas they work gangbusters for that.
If you are talking about private VPNs.. Mullvad isn't one.
charcircuit•May 15, 2026
I think you are misreading his comment. He is saying that on a VPN it is standard behavior that if you visit site A and site B they will both see you connecting from the same IP and can infer you are potentially the same person.
fragmede•May 15, 2026
Site A and B have to collude in order to make that inference. Outside of Cloudflare, no one is colluding at that level.
antonvs•May 15, 2026
That would only be true if there were no ad networks.
But today’s internet is essentially a giant ad network.
camgunz•May 15, 2026
Plenty of people own more than one website. You're also forgetting about random site assets like web fonts, CSS, JavaScript CDNs, etc. etc.
DrBenCarson•May 15, 2026
Public VPNs only protect you from your ISP
DaSHacka•May 15, 2026
And, arguably more importantly, from the service you're using.
colordrops•May 15, 2026
Isn't Tor a us government project that has been shown to be deanonymizable?
SirHumphrey•May 15, 2026
Sort of. There are a bunch of timing attacks, but in general it still works fairly well.
overfeed•May 15, 2026
Also, a bunch of conspiring entry-/exit-nodes will do the trick, if you have a budget for enough of them.
breppp•May 15, 2026
and so is ARPANET
mike_hock•May 15, 2026
It has been successfully deanonymized, and resistance to NSA-level capabilities is explicitly not a stated goal.
DaSHacka•May 15, 2026
Do you have a source for this?
mike_hock•May 15, 2026
No, because I don't keep a list of every article I've read over the past decade or so, but there were multiple busts where a regular law enforcement agency (FBI and their international counterparts) were able to prove the identity of a user simply by timing attacks.
The fact that Tor does not intend to tackle the timing problem is plainly stated on the Tor website.
illiac786•May 15, 2026
Why not? Why can’t it be the purpose of a given VPN service?
PhilipRoman•May 15, 2026
If you use the VPN for the Web, browser fingerprinting is a major threat outside of specialized scenarios
mort96•May 15, 2026
In other words: a VPN service can't by itself solve all problems which potentially lead to deanonymization, it can only provide anonymous networking.
Why can't it aim to solve what it can do? Tor is a great example: the Tor network itself can't perfectly anonymize you due to browser fingerprinting, but users of the Tor Browser get both the Tor network resisting deanonymization on a network level and a browser with plenty of anti-fingerprinting measures built in. A VPN could aim to prevent deanonymization on a network level so that users who want to stay anonymous can use the VPN in combination with fingerprinting-resistant software.
Riany•May 15, 2026
Surprising that the mapping may be stable enough to become a user-level signal. And rotating away from deterministic assignment seems like a cheap way to avoid creating an extra fingerprint.
solenoid0937•May 15, 2026
> As an example, imagine that you are a moderator on a forum and you suspect that a new face is actually a sockpuppet of a user you banned the day prior. You check the IP logs, and despite using different Mullvad servers, both accounts resolve to the overlapping float ranges 0.4334 - 0.4428 and 0.4358 - 0.4423. This gives you a >99% chance that they are the same person.
This sounds like how I'd design a VPN if I were an intelligence agency.
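The mapping TheDong describes earlier (stateless, derived from the key, no NAT table to keep), the "add a pseudorandom seed" fix linkregister suggests, and the overlapping float ranges in the moderator scenario quoted just above, as an added worked example. This is not code from the article, from Mullvad, or from any commenter: the hash-to-float scheme, the two pool sizes, the per-server secrets and the key bytes are all constructed assumptions. The only thing taken from the thread is that one per-key value is scaled onto each server's IP pool.

```python
"""Deterministic key-to-exit-IP mapping, the cross-server inference it
enables, and the stateless fix.

Constructed model (assumption, not Mullvad's actual algorithm): each server
hashes the client's WireGuard public key to a value f in [0, 1) and picks
exit IP number floor(f * pool_size). No table is needed and a reconnect to
the same server yields the same IP. But every server scales the SAME f, so
an observer holding this key's exit IP on two servers can intersect the two
implied ranges of f, which is the forum-moderator inference quoted above.
"""
import hashlib
from fractions import Fraction
from typing import Optional, Tuple

Interval = Tuple[Fraction, Fraction]  # half-open [lo, hi)


def key_to_unit_value(pubkey: bytes, server_seed: bytes = b"") -> Fraction:
    """Hash pubkey (optionally prefixed by a per-server secret) to an exact
    value in [0, 1). 53 bits of SHA-256 are used so it also fits a float."""
    digest = hashlib.sha256(server_seed + pubkey).digest()
    top53 = int.from_bytes(digest[:8], "big") >> 11
    return Fraction(top53, 1 << 53)


def pick_exit_index(pubkey: bytes, pool_size: int, server_seed: bytes = b"") -> int:
    """Index into this server's exit-IP pool: floor(f * pool_size)."""
    return int(key_to_unit_value(pubkey, server_seed) * pool_size)


def implied_interval(index: int, pool_size: int) -> Interval:
    """Seeing exit index i on a pool of n IPs tells you f is in [i/n, (i+1)/n)."""
    return Fraction(index, pool_size), Fraction(index + 1, pool_size)


def intersect(a: Interval, b: Interval) -> Optional[Interval]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo < hi else None


def chance_overlap(a: Interval, b: Interval) -> Fraction:
    """Probability that an UNRELATED key would produce an interval of width
    |b| overlapping a. With f_b uniform on [0, 1) the two half-open intervals
    overlap iff f_b lands in a window of width |a| + |b|, so that sum is the
    false-match rate of the "same person" inference."""
    return min(Fraction(1), (a[1] - a[0]) + (b[1] - b[0]))


def link_accounts(obs_a: Tuple[int, int],
                  obs_b: Tuple[int, int]) -> Tuple[Optional[Interval], Fraction]:
    """obs = (observed exit index, pool size of the server it was seen on).
    Returns (intersection of implied ranges or None, false-match probability)."""
    ia, ib = implied_interval(*obs_a), implied_interval(*obs_b)
    return intersect(ia, ib), chance_overlap(ia, ib)


def demo() -> bool:
    # Constructed key; a real WireGuard public key is 32 random-looking bytes.
    key = bytes.fromhex("11" * 32)
    pool_a, pool_b = 106, 154  # constructed pool sizes for two servers

    # Unseeded mapping: both servers scale the same f, so the two implied
    # intervals always overlap and the accounts are linkable.
    idx_a = pick_exit_index(key, pool_a)
    idx_b = pick_exit_index(key, pool_b)
    overlap, _false_match = link_accounts((idx_a, pool_a), (idx_b, pool_b))
    linkable_without_seed = overlap is not None

    # Fix: mix a per-server secret into the hash (seeds are constructed here).
    # Still stateless and still stable on one server, but f now differs per
    # server, so intersecting intervals across servers carries no information.
    f_a = key_to_unit_value(key, b"server-a-secret")
    f_b = key_to_unit_value(key, b"server-b-secret")
    return linkable_without_seed and f_a != f_b


if __name__ == "__main__":
    print(demo())
```

With a per-server secret the mapping keeps the properties TheDong lists (no lookup table, nothing to hand over, same IP after reconnecting to the same node) but an observer holding exit IPs from two different nodes learns nothing by intersecting ranges. Rotating the secret on the same schedule as the client key would also bound how long one node's IP stays attached to a key. What it does not fix: two sites that both see the same exit IP from the same node can still correlate the user, which is charcircuit's point elsewhere in the thread, and that is a property of any shared-exit VPN rather than of this mapping.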
asdff•May 15, 2026
Makes you wonder...
BLKNSLVR•May 15, 2026
Every now and then there are articles like this one about something that Mullvad may or may not be able to do better, and there are always comments about whether they're an intelligence front.
I don't know the answer, but there are two ways to take it:
1. Submarining to destroy confidence in an actually trustworthy, decent VPN company
2. They're an intelligence front.
For me, Mullvad have the appearance of the greatest likelihood of being legit since they're not aggressively pushing their product with lies and fear mongering. That gels with my vibe. If they're an intelligence front, well, most VPNs probably are as well, so I'm no worse off.
Luckily I'm not doing anything that would get me in the kind of trouble for which multi-jurisdictional cooperation is worthwhile.
linkregister•May 15, 2026
You'll find comments accusing anything of being an intelligence front on internet message boards. I agree with you that public evidence is overwhelmingly in favor that Mullvad is earnestly trying to protect privacy.
tommica•May 15, 2026
> This sounds like how I'd design a VPN if I were an intelligence agency.
So does your comment...
tanh•May 15, 2026
Yeah, I'm sure one day it will transpire that Cloudflare is affiliated with intelligence agencies too. The solution to a "sudden DDoS" is to put their website behind Cloudflare. Wonder who can do those sudden attacks?
hammock•May 15, 2026
I don’t see how they couldn’t be. Either on purpose, secretly by coercion, or secretly without their own knowledge. It’s so valuable.
dewey•May 15, 2026
> Wonder who can do those sudden attacks?
Anyone with a few crypto currencies in their wallet that can click a button on any of the booter services with botnets for hire.
overfeed•May 15, 2026
You are right, they don't have to do it themselves, but guess who's protecting the booters from other booters?
l23k4•May 15, 2026
Primarily specialist bulletproof ddos protection services like ddos-guard.ru, not "Cloudflare" as is the popular meme among clueless commenters.
linkregister•May 15, 2026
Most modern booters are not maintaining public websites that could be the object of DDoS attacks. They're renting residential IP addresses from free VPN users.
sph•May 15, 2026
That’s been my pet theory from day 1, and not because of DDoS. Simply because they are the SSL terminator for most of the internet and can see anything going on in cleartext (and I’ve seen them protecting some shady stuff)
I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)”
If NSA aren’t installed at Cloudflare, I wonder what they are even doing.
breppp•May 15, 2026
That slide was about the NSA sitting inside Google data centers without Google's knowledge.
That doesn't mean collusion
xorcist•May 15, 2026
That's the thing though: We can't know that.
DaSHacka•May 15, 2026
Well, we kind of can, given that "SSL added and removed here :-)" was a pretty explicit workaround to the issue of encrypted communications in Google's infrastructure, just not between sites (IIRC).
Either way, if they were directly colluding with Google, they would have had a much simpler time siphoning off that data.
linkregister•May 15, 2026
It's within the realm of possibility that NSA is collecting data with Cloudflare's consent. It seems unlikely that Cloudflare would jeopardize their entire business model over it. Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers. Their entire value proposition is being an unobtrusive traffic intermediary.
sph•May 15, 2026
> Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers
People didn’t care when they learned about PRISM, why would they care now when it’s a known fact? The sane stance would be to assume Cloudflare is in cahoots with NSA.
linkregister•May 15, 2026
All the companies involved in PRISM made public statements saying they ceased participation. Google undertook a costly initiative to add encrypted connections over their datacenter circuits. The NSA leaks were a forcing function that led to a massive uptake of encryption. Up until that point it was common for websites to support only HTTP.
The NSA leaks dominated news cycles for the entirety of 2013.
lukewarm707•May 15, 2026
my llm api traffic terminates tcp at cloudflare in lovely plain text :/
it does give better peering. reduces latency a bit for me.
my-next-account•May 15, 2026
I had no idea that this was a thing. How can you figure out where SSL turns into plain text on its route to the destination?
netdevphoenix•May 15, 2026
> All the companies involved in PRISM made public statements saying they ceased participation. Google undertook a costly initiative to add encrypted connections over their datacenter circuits
This is as helpful as Whatsapp's so called E2E encryption comms (that just happens to not be applicable by default in certain situations).
fph•May 15, 2026
Within the realm of possibility? Let's be honest, if you are a top NSA executive and you couldn't find a way to get your hands on Cloudflare's private keys (bribing or threatening the right person), you are not getting your Christmas bonus.
nly•May 15, 2026
It is of course inconceivable that the NSA do not have the private keys for dozens of browser trusted certificate authorities
That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare.
RealityVoid•May 15, 2026
My understanding is that they tapped communication nodes before. I would be surprised if they can't tap the pipes to cloudflare.
linkregister•May 15, 2026
Is this information derived from Enemy of the State starring Will Smith and Gene Hackman? It was a great movie and the first DVD I ever bought.
philipallstar•May 15, 2026
Do people in government get bonuses linked to performance?
sph•May 15, 2026
Government agencies get budgets linked to performance.
netdevphoenix•May 15, 2026
> Cloudflare would face a near-total loss of customer
I think more people than you would expect would be happy to accept that as the price for protection against malicious actors
tanh•May 15, 2026
DDoS is just one of the impetuses for a service provider to be MiTM'd
Hmm do we want them to decide what stuff is shady and what isn't?
We're already allowing payment processors to do that and it's not good.
kdheiwns•May 15, 2026
Yeah, their origin is a story of absolute incredible luck. Cloudflare came out of nowhere and suddenly massive sites with huge user bases around the world, including places like 4chan, were getting DDoSed. Then they immediately announce that they transitioned to Cloudflare. Hell of a lucky time to make a company that the entire internet suddenly became absolutely dependent on.
The funny thing about that era is you knew they started using Cloudflare because they went from stable with constant uptime to going down and showing a Cloudflare banner randomly all the time for a good year or so. They ran worse with Cloudflare than they did while they were allegedly getting DDoSed. The whole company glows, as the late great HN commenter Terry Davis would've said.
UqWBcuFx6NV4r•May 15, 2026
Am i the only one that actually remembers this time period? It wasn’t that long ago. The confidence of your assertion is completely misplaced. I remember exactly where i was when I first read about CF, on launch day. DDoS attacks were CERTAINLY a big issue before Cloudflare came along. A whole lot of script kiddie energy was poured into them. LHC? Slowloris? IRC C2? This wasn’t niche stuff. That’s why I remember the CF launch, because I and everyone else knew that it was a big deal, given what the landscape had been for quite some time. Sorry if you personally didn’t have your finger on the pulse for whatever reason, but this was far from a niche issue, even for big sites / usual targets like 4chan.
kdheiwns•May 15, 2026
I was there and recalled there being occasional script kiddy DDoS attacks here and there. But the uptime when being attacked was still much, much better than the first 1-2 years of actually using Cloudflare.
Imustaskforhelp•May 15, 2026
> as the late great HN commenter Terry Davis would've said.
"I wrote all the code from scratch, including a 20,000 line of code compiler that makes x86_64 machine code from HolyC or Asm and operates AOT and JIT.
My JIT mode is not interpreted. It optimizes and compiles to x86_64 machine code.
I was chosen by God because I am the best programmer on the planet and God boosted my IQ with divine intellect." -Terry A Davis.
illiac786•May 15, 2026
Well there is still the small detail of them not storing any logs.
This is a massive issue in my view, it allows correlation across multiple VPNs exit nodes, but that’s it. It doesn’t allow to identify you automatically. It does significantly lower the bars for identifying you though, but the requirements are still high.
Hopefully they fix this soon.
I can’t believe this type of “let’s make it a hash or something sensitive” still happen, and at mullvad, of all places. Why not randomise it simply?
overfeed•May 15, 2026
> It does significantly lower the bars for identifying you though, but the requirements are still high
If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for party that has a whole host of other bits on a list of suspects, without being useful to most other people.
Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still.
UqWBcuFx6NV4r•May 15, 2026
it really isn’t.
illiac786•May 15, 2026
Examples?
overfeed•May 15, 2026
IP addresses are metadata - and don't require search warrants, meaning they are fair game for dragnet surveillance. Tapping into a backbone, a la Room 641A, can be used to cross-reference timestamped public posts on an anonymous message board to other data sources (e.g. subpoena Netflix for payer based on Netflix's access logs from VPN exit IPs)
linkregister•May 15, 2026
Then why complicate it by being publicly insecure? If Mullvad were wanting to defeat anonymity, they could simply log the traffic metadata while falsely advertising they aren't.
Their ads on San Francisco's public transit are good.
raverbashing•May 15, 2026
"public insecure" JFC
Security is always a balance. Always
AI is showing that everything has a weak spot (wondering where are the "I don't make mistakes with C" now people are - but that's for another discussion)
There's another commenter mentioning this makes sense because exactly it avoids them keeping information on which customer is matched to which server. You know, one of the things you don't want to log
Could it be done better? Probably.
Here's a better idea, logging off is 100% safe
Meanwhile 99% of the normies will go for NordVPN
hackinthebochs•May 15, 2026
Good VPNs tout the fact that they had nothing to give in response to a subpoena, or that there was nothing for a law enforcement agency to find when they seized a server. For mullvad to be effective as a honey pot it needs to survive these events with its reputation intact.
MuteXR•May 15, 2026
If it were a true honeypot by a state agency, they'd be able to just lie about having nothing too.
hackinthebochs•May 15, 2026
Not when people get arrested and the investigative techniques, sources, etc are made public. They would have to intervene in the legal process to make sure mullvad's role was kept secret. Presumably this isn't always feasible across jurisdictions.
cycomanic•May 15, 2026
Why? If I was an intelligence agency and designing a VPN I would simply log all the IPs connecting to my VPN and not rely on statistics on exit nodes to identify the users, even more so because they rely on the users to pick different servers.
faangguyindia•May 15, 2026
How would you claim it's a no log VPN?
LordAtlas•May 15, 2026
I could just...lie.
haakon•May 15, 2026
You really think someone would do that?
fragmede•May 15, 2026
What, just go on the Internet and tell lies? Who would do such a thing‽
ZeWaka•May 15, 2026
*gasp
im3w1l•May 15, 2026
One person can tell a lie, but a company consists of many people. You must ensure that only few people know of the logging or there will be a risk of a leak.
arcfour•May 15, 2026
An intelligence agency already consists of more people than you need to run a VPN service.
im3w1l•May 15, 2026
Still I think it's easier to avoid the need for more people than necessary. "Just lie" sounds like the easiest solution but on closer inspection maybe it is not?
arcfour•May 15, 2026
Because if you lie you get infinitely more data than if you don't lie. And if you lie you can do it completely in secret whereas if you don't lie you get articles like the OP exposing the teeny amount of data you're trying to collect. It makes no sense.
nkrisc•May 15, 2026
Lying is almost always the most cost-efficient answer to anything, if you’re not concerned about your trustworthiness, morality, ethics, etc.
xboxnolifes•May 15, 2026
Intelligence agencies... are generally pretty good at that.
michaelt•May 15, 2026
Well, there should only be a few people with the access needed to discover logging is happening. Just put the logging configuration in whatever secure configuration management tool is storing your TLS keys and suchlike.
Make it look like an accidental misconfiguration and if an insider who isn't an NSA mole does somehow discover the logging, there's a fair chance they'll turn a blind eye anyway. After all, if you work at a VPN, publicly outing your employer for logging will tank the business, then you and your colleagues will all be out of a job.
ekianjo•May 15, 2026
Companies can lie at large too. Enron, theranos, and many others come to mind.
zahma•May 15, 2026
Their 3rd party audit didn’t catch this…
I guess we’ll see how they respond.
traceroute66•May 15, 2026
> How would you claim it's a no log VPN?
Mullvad have been taken to court over this in relation to a copyright infringement case.
TL;DR The judge permitted people to take a fine-tooth comb to Mullvad's infrastructure and no logging was found[1].
In this particular case I'm quite sure it's not the case. Good arguments in the other comments (why not just log more if that's the case), but I also happen to know a little bit about the workings of Mullvad (I live in Gothenburg where they're from...)
arcfour•May 15, 2026
Mullvad predates the Snowden leaks by several years and was not mentioned anywhere in them.
Sure, there are other intelligence agencies, but that's the one I'd be the most worried about. Since either they run it, or they would know of it and want to emulate the idea, or know of it and have access to it from the partner agency running it. Or they are not a threat to me.
There's also the issue of there being no publicly known cases where someone who used Mullvad was deanonymized through the VPN instead of being discovered through some other opsec failure. If an intelligence agency has this capability they have been sitting on it for almost 2 decades without making use of the data. Hard to believe.
codethief•May 15, 2026
> Mullvad predates the Snowden leaks by several years and was not mentioned anywhere in them.
Wow, I didn't realize Mullvad was this old! Then again, maybe they weren't popular enough back then for intelligence agencies to target them? For instance, Mullvad kinda rode WireGuard's popularity wave by being the first(?) VPN provider to implement the protocol. Big ads on billboards came even later. So maybe they only became a target in recent years?
traceroute66•May 15, 2026
> how I'd design a VPN if I were an intelligence agency
I think its safe to assume that intelligence agencies have other options available to them, such as country-wide timing attacks.
gchamonlive•May 15, 2026
It's a game of cat and mouse. The service keeps banning IP ranges, the user keeps reconnecting to different servers and regions. The server can't know exactly who's who, just that a bunch of users are using mullvad, while the user just need to find one server on one IP range that works.
Seems like a good deal to me. I don't care if they know I use mullvad, I care they don't know I'm me, and that's not something mullvad will easily disclose.
dns_snek•May 15, 2026
> I don't care if they know I use mullvad, I care they don't know I'm me
That's exactly what the article is about, a side channel information leak that de-anonymises users, did you read it?
gchamonlive•May 15, 2026
Can it get my IP?
I'll go ahead and answer that it can't. It knows I'm mullvad user X, thus deanonymization, "it knows I use mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".
dns_snek•May 15, 2026
I'm not sure what you're going for, your ISP-assigned IP doesn't tell them your legal name either.
But when you connect to the site via server A and later via server B they can tell that you're the same person.
And they can deanonymise you through data brokers. All Mullvad IPs are traceable back to the same number (acting as a pseudo account identifier) so if you ever entered your PII on any website when using Mullvad, it can be linked to the same Mullvad account.
And if you ever visited any of those sites without using a VPN, your home IP can be linked to your Mullvad ID through browser fingerprinting.
And if you ever entered any PII on any website from your home IP, you can once again be deanonymised.
Now the existence of browser fingerprinting isn't Mullvad's fault, but this flaw makes it a lot easier to accidentally deanonymize yourself.
fooker•May 15, 2026
It seems surprising that people would expect a VPN to be comparable to Tor.
It does seem ridiculous once you spell it out like that, and then you have to realize that it’s plausible to de-anonymize even Tor users by controlling exit nodes.
curtisf•May 15, 2026
Most of the big consumer VPNs include "privacy" with an implication of anonymity in their marketing, so it shouldn't really be surprising
vintermann•May 15, 2026
"Not knowing who a user is" privacy may still be useful even if you don't have, "not knowing two users are the same user" privacy.
unselect5917•May 15, 2026
It is privacy with respect to your ISP. A lot of ISPs are pretty shitty. Some will rat out their own customers to copyright mongrels and threaten to disconnect you - which is important when there's a local monopoly.
Things you connect to or log in to are clearly going to be able to ID you at least with in the context of the login that you use regardless of what the VPN does.
I'm logged into HN through Mullvad as it happens. I usually leave it on regardless of what I'm doing because what I'm doing isn't my ISP's business even though I'm pretty happy with them.
SXX•May 15, 2026
But what privacy do you think majority of people who not doing something badly illegal expect from VPNs?
Most likely these people just look to hide their torrenting, saying political shit on Twitter from employer and not share their choice of porn with local ISP. Also just adding one more layer between them and occasional scammer who can sometimes infer more broad geodata from their IP leaked from yet another database. Oh and now to avoid "Show your ID" page on the same porn sites.
It works well enough for this goal. Not everyone needs NSA-proof solution.
PS: Obviously more tech savvy people understand importance of hiding traffic on public WiFi, but I doubt average Joe the VPN user will buy VPN for this.
illiac786•May 15, 2026
Source? Why not “I don’t want to get profiled”?
hdgvhicv•May 15, 2026
The mass surveillance industry doesn’t rely on ips or even cookies to track you.
illiac786•May 15, 2026
That seems like a huge bet. I don’t bet on this, I am careful about cookies and my source IPs.
Do you have any facts? I know they rely on _additional_ stuff, but do you have sources showing that they never use cookies or source IPs?
schubidubiduba•May 15, 2026
He said they don't rely on it. They can use fingerprinting. Obviously they'll still use any other data you give them, including IP addresses or cookies.
illiac786•May 15, 2026
Ok, what was his point then? “They don’t rely on it, so it’s useless to obfuscate it”, or “but you should keep obfuscating it” or something else? I am missing the relation to my original comment then.
fragmede•May 15, 2026
That's a different claim though. Obviously they'd use cookies and source IPs when they're available, because why not use all of the information available to you. That browser fingerprinting is good enough that neither of those sources are necessary is for you to decide on whom to believe.
On that topic, though, there is the Mullvad Browser, whose entire intention is to defeat browser fingerprinting.
illiac786•May 15, 2026
I need to test it, that reminds me, thanks. So many browsers. Does it support multiaccount containers?
SXX•May 15, 2026
We're talking on a website with one of the highest concentrations of tech savvy IT professionals, programmers, cyber security experts, etc.
What percent of people on Hacker News who say they care about privacy live without Google, Apple, Microsoft and Facebook accounts?
How many people outside of HN do you think care about privacy for real? Like about adtech surveillance and not about their naked photos leaking?
I doubt either % is very high sadly. We tend to say we care, but very few people actually do anything or use self hosted solutions or not tied to Apple or Google ecosystems.
illiac786•May 15, 2026
I mean, there’s a lot of products out there marketed around privacy. I really doubt the HN readers are the sole source of income for all these products… I do agree, it’s a minority, but within the VPN using population, I don’t think it’s a minority. Average Joe watching porn doesn’t give a shit about someone knowing about this (except, and that’s new, if you’re lucky enough to live in a place where VPN has become mandatory for this).
SXX•May 15, 2026
VPN market is huge, but in my opinion the majority of people who buy it "for privacy" don't really care about privacy and just use the same Google services or other accounts registered using a mobile phone number.
You really can't blame VPN providers for selling on "privacy" hype and not delivering because most people don't care either way.
I might be wrong, but I feel in the west most normal people use VPNs for torrents, watching porn and hiding activity from school or employer. Small subsets are also sports fans who bypass geo blocking and people scheming for cheaper regional prices on netflix / steam / consoles.
illiac786•May 15, 2026
I would definitely blame a VPN provider if:
1. Only a minority of users care about privacy
2. VPN provider still advertises "privacy", even though it only targets a minority of users that care about it
3. VPN provider doesn’t deliver on said privacy.
I blame mullvad for messing up, but I do not suspect them of working with some state sponsored surveillance programme at the moment.
paulpauper•May 15, 2026
This is why VPNs have always been crap. The pool of IPs is blacklisted/tainted, so you will run into various roadblocks and captchas, in addition to slow speed. If you are serious about privacy and don't want blocks and blacklists, buy high speed private proxies. Don't use a pooled service.
BLKNSLVR•May 15, 2026
A VPN by any other name would smell as sweet.
faangguyindia•May 15, 2026
I maintain a list of
"23034 IPs to blocklist.txt"
blocked IPs; they contain all VPN providers. Often VPN providers seed Geofeeds with wrong data, this is why I use traceroute and ping to locate their real location.
BLKNSLVR•May 15, 2026
I have a script that logs IPs for any traffic coming in to my servers on ports that don't accept traffic. I then block those IPs from accessing ports behind which there are services.
If they're checking my locked doors, I don't want them coming in my unlocked doors.
notpushkin•May 15, 2026
This might be a good idea, but consider banning them for, say, a couple hours at a time. It’s easy to rotate IP, especially if you’re using a residential proxy service, and there’s a good chance you’ll end up blocking real users using the same ISP.
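An added example (my own code, not the script BLKNSLVR describes) of the "knock on a closed door, lose access to the open ones" rule with the expiry notpushkin suggests. The log lines are constructed here in the style of a netfilter LOG target (`SRC=... DPT=...`); the ISO timestamp prefix, the service port set and the two-hour TTL are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Added example, not the commenter's script.  Ports with a real service behind
# them and the ban lifetime are assumptions chosen for the demo.
SERVICE_PORTS = {22, 443}
BAN_TTL = timedelta(hours=2)

# Matches a constructed "<iso-timestamp> ... SRC=a.b.c.d ... DPT=n" line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample in netfilter LOG style (documentation address ranges).
SAMPLE_LOG = """\
2026-05-15T06:00:00+00:00 kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP DPT=23
2026-05-15T09:00:00+00:00 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=23
2026-05-15T09:05:00+00:00 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=3389
2026-05-15T09:10:00+00:00 kernel: IN=eth0 SRC=203.0.113.9 DST=203.0.113.5 PROTO=TCP DPT=443
not a log line at all
"""


def at(iso: str) -> datetime:
    """Parse a timezone-aware ISO 8601 timestamp."""
    return datetime.fromisoformat(iso)


def parse_line(line: str):
    """Return (timestamp, source IP, destination port) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return at(m["ts"]), m["src"], int(m["dpt"])


def active_bans(log_text: str, now: datetime) -> dict:
    """Map source IP -> ban expiry for every source that hit a closed port
    within the last BAN_TTL.  Traffic to SERVICE_PORTS is ordinary and ignored;
    expired entries are dropped so a rotated residential/CGNAT address does not
    stay blocked for a different user later on."""
    bans = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dpt = ev
        if dpt in SERVICE_PORTS:
            continue
        expiry = ts + BAN_TTL
        if expiry > now:
            bans[src] = max(bans.get(src, expiry), expiry)
    return bans


def is_blocked(bans: dict, src: str, now: datetime) -> bool:
    """True while the source's ban has not yet expired."""
    return src in bans and bans[src] > now


def demo_bans(now_iso: str = "2026-05-15T10:30:00+00:00") -> dict:
    """Run the rule over the constructed sample as of now_iso."""
    return active_bans(SAMPLE_LOG, at(now_iso))


if __name__ == "__main__":
    for src, expiry in demo_bans().items():
        print(f"block {src} until {expiry.isoformat()}")
```

The ban map is what you would feed into an ipset with a timeout rather than a permanent firewall rule; the two probes from 198.51.100.7 extend its ban to the later expiry, the early probe from 192.0.2.44 has already aged out, and the 443 hit from 203.0.113.9 is never counted.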
m00dy•May 15, 2026
yeah, I'm using https://proxybase.xyz for this. It's like Mullvad but for proxies. No kyc, no email but supports xmr.
notpushkin•May 15, 2026
I like the API-centric nature of it. $10/GB seems a bit steep though, especially compared to Mullvad’s 5 €/mo.
Search for “mobile proxy” – those are usually cheap-ish monthly subscriptions, with unlimited traffic, and often an API to rotate the IP programmatically if you need it. No KYC, but you usually do have to sign up with an email.
m00dy•May 15, 2026
@ notpushkin,
yes, it's a bit more expensive because it's for different use cases. You can't use VPNs or Mullvad for anything mission critical. Just try to log in to your bank in US, it will increase your risk score on their end because VPNs by nature are very easy to detect whereas "residential proxies" are much harder.
notpushkin•May 15, 2026
> You can't use VPNs or Mullvad for anything mission critical. Just try to log in to your bank in US, it will increase your risk score on their end because VPNs by nature is very easy to detect whereas "residential proxies" much harder.
Naturally! I’m just saying there’s residential proxy providers that are a LOT cheaper than that.
(IIRC, you can usually reply to fresh comments if you click on the “n minutes ago” – the reply link should be visible there even if it isn’t shown in the main comments tree)
m00dy•May 15, 2026
I think when it comes to privacy or XMR, money is not really that important. Just give me a few names that support XMR payments + no KYC and providing mostly non-flagged residential IPs that you can use them for mission critical stuff.
notpushkin•May 15, 2026
That’s a good question! I haven’t been in this scene for a long long time now, so can’t say for sure.
I’ve been implementing an Instagram liker service back in... 2018 was it? So a stable pool of non-flagged residential proxies was important here, and it was my client who introduced me to the concept of “mobile proxies”. Basically, they use regular 3G/4G/5G modems with regular SIM cards, and expose that as a SOCKS proxy. You get a normal-looking IP from a pool of mobile operator’s IPs. Since mobile devices reconnect all the time (and are behind a CGNAT mostly nowadays), you can’t really flag an IP like that – and if it is flagged, you can get a fresh one in a moment.
I’m not using this mostly because I’m too lazy to research. Here’s a random one I found (so not an endorsement!) which is $1/GB, seems to only require email to sign up, and takes crypto (including XMR): https://floppydata.com/
KolmogorovComp•May 15, 2026
Do they say how do they have access to those IPs? Most residential IPs are malware-infected devices.
m00dy•May 15, 2026
That’s part of our value proposition. It’s same as when you go to a bank and ask where the yield comes for your account or asking OpenAI where they get data to train their models.
KolmogorovComp•May 15, 2026
> or asking OpenAI where they get data to train their models
Yes I know it comes from pirating/torrenting/scraping. Are you saying you acknowledge your IPs come from malware, and that is OK because OpenAI is shady too?
m00dy•May 15, 2026
For the context, I have the right not to tell you anything about how we operate our business but we're not shady, we don't take any action without user consent. The other thing is that we don't use "source" keyword in our business context. I think when you use that essentially you inherently accept some part of your business is shady as hell. Instead, we use "providers". That's a lot better.
CallMeMarc•May 15, 2026
Is this your service? Since you've made seven posts to HN about it and also your username shows up in the commits on their GitHub.
Because I'm quite curious on where the IPs are from. Usually residential IPs is a fancy wording for malware infested devices from regular people.
notpushkin•May 15, 2026
> Is this your service? Since you've made seven posts to HN about it and also your username shows up in the commits on their GitHub.
Ohh, that makes sense haha.
@m00dy: please disclose when you’re talking about your own projects! It’s okay to plug your stuff sometimes, just be honest about it :-)
m00dy•May 15, 2026
I’m not hiding anything :-)
notpushkin•May 15, 2026
No, but you weren’t upfront about it either. I’ve suspected it looked like your own project but checked your comments in the profile and didn’t see any other, so I didn’t dig any deeper.
> I’m not here to promote anything just wanted to share a valid use case in the right context.
There’s a small difference: if one of your users did this it would be totally fair, but when a founder does this I think it’s a polite thing to disclose it. That’s what I’ve been doing when talking about my own project on HN [1], and I think in most cases other legit founders just say that upfront, too. I’m not sure if that breaks any rules, but it feels juuuuust a bit shady not to :-)
(Seems to have some weird cache issues though, had to play around with the ?querystring part to get more results)
throwaway2037•May 15, 2026
You should put your business (https://proxybase.xyz) in your HN profile. It might help to find more customers.
m00dy•May 15, 2026
I’m not here to promote anything just wanted to share a valid use case in the right context.
illiac786•May 15, 2026
That’s nice, I need to implement this.
hypeatei•May 15, 2026
Closed ports are not "locked doors", and open ports are not "unlocked doors"
That is a binary thought process with a lot of assumptions. You might introduce even more attack surface in pursuit of this "security" measure by installing additional software like fail2ban, for example. Close your ports, maybe assign a non-standard port to the popular ones (like SSH) to reduce log spam, and patch your server often. Anything more complicated than that is not worth it, IMO.
marcus_holmes•May 15, 2026
You know that people use VPNs for perfectly legitimate reasons, right?
Like when I was travelling, sites would routinely use the language of my IP address location, not the language preference as I set it in my browser. So I would be served a site that I couldn't read. My only option was to use a VPN to spoof my location so that it would serve me a site in a language I understand.
fortran77•May 15, 2026
I use a VPN when I’m traveling and want to order food delivery for my 93 year old mother in NY. UberEats and InstaCart will stop me from ordering when logged in my mom’s NY account if I’m in China, Saudi Arabia, India, Vietnam, etc.
Reusing the same VPN between multiple identities is a horrible idea regardless. And let's be real. As a forum moderator if you ban a Mullvad user and then a new Mullvad user signs up the next day it is probably the same person. You should be using residential or mobile proxies if you want privacy and to blend in to everyone else.
arian_•May 15, 2026
We keep adding layers of encryption and the metadata keeps snitching on us anyway.
connorboyle•May 15, 2026
> As an example, imagine that you are a moderator on a forum and you suspect that a new face is actually a sockpuppet of a user you banned the day prior. You check the IP logs, and despite using different Mullvad servers, both accounts resolve to the overlapping float ranges 0.4334 - 0.4428 and 0.4358 - 0.4423. This gives you a >99% chance that they are the same person.
I don't see how the author is arriving at this ">99% chance" purely from the numbers provided in the article. Assuming the first (banned IP) seed and the second seed are both in the range 0.4423 - 0.4358 (a stronger assumption than is justified by the example), all this tells us is that the first and second IP addresses both have seeds in a range that would contain 0.4423 - 0.4358 = 0.65% of all Mullvad users, which is 0.0065 * 100,000 = 650 users. We've eliminated >99% of users as "suspects", but we haven't actually gotten >99% accuracy in identifying an individual across multiple exit IPs.
In more Bayesian thinking, the overlap in potential seeds is great evidence to think these IP addresses represent one and the same person (or Mullvad VPN account at least), but as far as I can tell, that's not what the author is saying.
grey-area•May 15, 2026
Say your forum is a big one and has 1000 active users, with 1 joining every day. Most will be a lot smaller/less active.
What are the chances that someone uses this vpn, joins your forum the day after someone was banned, and has an ip in a similar range?
For most small websites this would be strong evidence.
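Worked out as an added example (my own code, not from the article or either commenter above), using the two ranges the article quotes. The seed is assumed to be uniform on [0, 1) and independent across accounts, and the 100,000-user figure is the one connorboyle uses; the "prior" is the moderator's belief, before looking at IPs, that a given new signup is the banned user, which is exactly the quantity grey-area's point hinges on.

```python
# Added example, not the article's or any commenter's code.
# Assumption: each account's seed is an independent uniform draw on [0, 1).


def range_overlap(a, b):
    """Intersection of two closed intervals, or None when they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def width(r):
    return r[1] - r[0]


def expected_users_in_range(r, total_users):
    """How many accounts' seeds are expected to fall inside r."""
    return width(r) * total_users


def likelihood_ratio(banned_range, new_range):
    """P(observation | same user) / P(observation | unrelated user).

    Same user: the one seed already known to lie in banned_range must also lie
    in new_range, probability |banned intersect new| / |banned|.
    Unrelated user: an independent uniform seed lands in new_range with
    probability |new|.
    """
    inter = range_overlap(banned_range, new_range)
    if inter is None:
        return 0.0
    return (width(inter) / width(banned_range)) / width(new_range)


def posterior_same_user(banned_range, new_range, prior_same):
    """Bayes' rule in odds form: posterior odds = prior odds * likelihood ratio."""
    if prior_same <= 0:
        return 0.0
    if prior_same >= 1:
        return 1.0
    post_odds = (prior_same / (1 - prior_same)) * likelihood_ratio(banned_range, new_range)
    return post_odds / (1 + post_odds)


if __name__ == "__main__":
    banned = (0.4334, 0.4428)  # range inferred for the banned account (from the article)
    new = (0.4358, 0.4423)     # range inferred for the new account (from the article)
    print("overlap:", range_overlap(banned, new))
    print("accounts expected in the new range at 100k users:",
          round(expected_users_in_range(new, 100_000)))
    print("likelihood ratio:", round(likelihood_ratio(banned, new), 1))
    for prior in (0.001, 0.1, 0.5):
        print(f"prior {prior}: posterior {posterior_same_user(banned, new, prior):.3f}")
```

The overlap multiplies the moderator's prior odds by roughly 106, which is strong evidence but not a verdict: with a 1-in-1000 prior (a busy forum) the posterior is under 10%, with 1-in-10 it is about 92%, and ">99%" only comes out if the moderator already considered it a coin flip before checking the IPs.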
47282847•May 15, 2026
Missing from the story: did they reach out to Mullvad? Would have been interesting to see how their security team responded.
kfreds•May 15, 2026
As far as I can tell they did not, and I've asked both our operations and support teams. I will update this post if I am mistaken.
Edit: In hindsight I regret making this comment. It was unnecessary, but removing it now would look weird.
Havoc•May 15, 2026
Seems fine. You didn’t exactly demand a 90 day embargo or something.
haunter•May 15, 2026
I just use it to watch iPlayer outside of the UK lol
tschumacher•May 15, 2026
Great find by the author and I have no trouble believing this is an oversight by Mullvad. Kind of shocking that something this simple slips by them but I could see myself missing it.
Putting aside the IP correlation across multiple servers, at first I wondered why even keep the user IP stable on one server. But I think it makes sense because as the author states other VPNs usually have only one IP per server so they are essentially simulating that. The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.
The IP correlation across multiple servers they should fix though with something like rand.seed(user_pub_key + server_id)
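An added example (my own code, not Mullvad's; kfreds says elsewhere in this thread that the real cause differs from the blog post's description) contrasting the two strategies as a toy model: one global seed derived from the public key that indexes every server's pool, versus a slot chosen per server with an HMAC under a per-server secret. Pools, server names, the 16-slot size and the constructed public keys are all assumptions, and the per-server secrets are derived from the server name only so the demo is reproducible; a real deployment would use a random secret that never leaves the server. Keying with a secret rather than the plain `pubkey + server_id` the comment suggests keeps the slots unlinkable even if a public key is later learned by the observer.

```python
import hashlib
import hmac

# Added example, not Mullvad's code.  Documentation ranges and demo-only
# secrets; a real server would hold a random secret of its own.
SERVER_POOLS = {
    "se-sto-wg-001": [f"198.51.100.{i}" for i in range(16)],
    "de-fra-wg-002": [f"203.0.113.{i}" for i in range(16)],
}
SERVER_SECRETS = {
    name: hashlib.sha256(b"demo-only-secret:" + name.encode()).digest()
    for name in SERVER_POOLS
}


def seed_from_key(pubkey: bytes) -> float:
    """Global seed in [0, 1) derived from the public key alone.  Only 53 bits
    are used so the float is exact and strictly below 1.0."""
    h = hashlib.sha256(pubkey).digest()
    return (int.from_bytes(h[:8], "big") >> 11) / 2**53


def exit_ip_global_seed(pubkey: bytes, server: str) -> str:
    """Flawed: one seed indexes every pool, so the slot a user lands in on one
    server reveals the slot (and so the IP) on every other server."""
    pool = SERVER_POOLS[server]
    return pool[int(seed_from_key(pubkey) * len(pool))]


def exit_ip_keyed(pubkey: bytes, server: str) -> str:
    """Per-server: HMAC(server_secret, pubkey) picks the slot.  Stable for one
    user on one server, unrelated between servers."""
    tag = hmac.new(SERVER_SECRETS[server], pubkey, hashlib.sha256).digest()
    pool = SERVER_POOLS[server]
    return pool[int.from_bytes(tag[:8], "big") % len(pool)]


def slot_of(server: str, ip: str) -> int:
    return SERVER_POOLS[server].index(ip)


def cross_server_predictability(select, n_keys: int = 2000) -> float:
    """Fraction of constructed keys whose slot on the second server equals the
    slot on the first.  1.0 means learning a user's slot on one server gives
    it on the other; about 1/16 means nothing beyond chance for 16-slot pools."""
    a, b = list(SERVER_POOLS)
    hits = 0
    for i in range(n_keys):
        # 32-byte stand-in for a WireGuard public key, constructed for the demo
        pubkey = hashlib.sha256(b"constructed-wg-pubkey-%d" % i).digest()
        hits += slot_of(a, select(pubkey, a)) == slot_of(b, select(pubkey, b))
    return hits / n_keys


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed-wg-pubkey-0").digest()
    for server in SERVER_POOLS:
        print(server, "global-seed:", exit_ip_global_seed(key, server),
              "keyed:", exit_ip_keyed(key, server))
    print("global-seed linkage:", cross_server_predictability(exit_ip_global_seed))
    print("keyed linkage:", cross_server_predictability(exit_ip_keyed))
```

Both schemes keep the property tschumacher wants (reconnect to the same server, get the same IP); only the keyed one stops an observer with IP logs from two servers from lining the slots up.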
lxgr•May 15, 2026
> The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.
On the flip side, if they’re getting banned by a service because of a noisy neighbor on the same IP, they’d have no way to work around that, no?
TurdF3rguson•May 15, 2026
You mean if the neighbor somehow burned every VPN location?
lxgr•May 15, 2026
Doesn’t even need to be every location. Some services are only accessible from a single country, and Mullvad has at most a handful of locations per country.
All things considered, there are just an incredibly small number of IPs shared among all users, no matter the allocation strategy.
kfreds•May 15, 2026
I work at Mullvad. (co-CEO, co-founder)
Some aspects of the described behavior are as we intended and some are not. The cause is not exactly as described in the blog post. As for mitigation, we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try to reproduce the blog post's findings you may get confusing results throughout the day.
We will also re-evaluate whether the intended behaviors are acceptable or not. Some of this is a trade-off between multiple aspects of privacy, and multiple aspects of user experience.
Please note that this is my current understanding, which may change. I was only made aware of this an hour ago, and most of that time was spent talking with Ops, considering what to do immediately, and writing this post.
Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away.
ignoramous•May 15, 2026
> Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings
How to report a bug or vulnerability
... we (currently) have no bug bounty program ... send an email to support@mullvadvpn.net
I'm not sure what you mean by "Oof". We don't have a dedicated security team because security and privacy are integral to all aspects of our service. It doesn't make sense to centralise it.
As for our support team they are responsive and experienced. Several of them have worked with us for many years and do offensive security research in their free time.
Unlike many organisations we don't see customer support as a cost center, just like we don't see security as a cost center. Our support team represent our customers, and as a consequence contribute a lot to how we prioritise our roadmap.
traceroute66•May 15, 2026
> I'm not sure what you mean by "Oof".
I second this.
Clearly the person who wrote "Oof" has never emailed Mullvad support.
Whenever I have emailed Mullvad support I have received a prompt reply from a human being who clearly actually cares about taking ownership of the question and seeing it through to resolution.
I have also witnessed first-hand the support person taking the question to an internal team member where it requires additional input. So there are clear paths for escalation if circumstances require it.
Finally the support mail allows for PGP encryption of communications too.
(I am not a Mullvad shill. Not a Mullvad employee. Just a satisfied customer)
fragmede•May 15, 2026
Human psychology is weird and some things are just cultural. If you have the ops team make the security@ email alias just forward to support, you could avoid having to go into all that.
"Just email support@" feels like you don't care. That you do, and that your support team is awesome, doesn't change the fact that there are other companies out there whose aren't. Security people are human with human egos, and they want to feel special, so giving them a special way to reach you, even if it's the same thing behind the scenes, makes a world of difference.
nananana9•May 15, 2026
It still probably makes sense to alias it to security@mullvadvpn.net for privacy/security concerns.
I'm not familiar with how you run your company -- without the context you gave most people would hesitate emailing support@ for security issues.
dust-jacket•May 15, 2026
Not having a bug bounty or dedicated email address does not make it OK to go public immediately
mvdtnz•May 15, 2026
Yes it does actually.
dust-jacket•May 15, 2026
I don't feel like it's hard to come up with examples where (I would say) it's ethically wrong to disclose immediately. If you spotted a company's mistake that might endanger their users' lives or safety, would you put those users at risk simply because there was no obvious financial reward?
If so, I guess we just have different opinions on the ethics involved here.
autoexec•May 15, 2026
Discovering a bug that could put people's lives and/or freedom at risk if they don't do something about it makes it okay to go public immediately. That said, by all means notify the maintainer/vendor as well.
It should always be assumed that someone else (if not several someone elses) have already discovered the same flaw and are currently taking advantage of it while users remain totally unaware of their actual risk. By going public immediately, you give as many of those users as possible a chance to protect themselves.
Waiting to disclose something harmful when the users in danger could otherwise take steps to make themselves safe would be like not warning people entering a building not to go in because of a gas leak until after you've contacted the building owner and the fire department has shown up.
hmry•May 15, 2026
> Expecting people to hold off on disclosure of something harmful
That's not what they said though. They said "please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away" (emphasis mine)
autoexec•May 15, 2026
I do think hitting "send" on the email to the responsible party immediately before publishing (or at least notifying them as quickly as you can afterwards) is a smart thing to do. I mean, why wouldn't you? My concern was more about the "Not having a bug bounty or dedicated email address does not make it OK to go public immediately" comment. It can sometimes be difficult to track down the right person to notify and so whichever one you can accomplish the soonest is probably where I'd start.
dust-jacket•May 15, 2026
> Discovering a bug that could put people's lives and/or freedom at risk if they don't do something about it makes it okay to go public immediately
The flipside of course is ... does your disclosure increase the risk?
> Waiting to disclose something harmful when the users in danger could otherwise take steps to make themselves safe would be like not warning people entering a building not to go in because of a gas leak until after you've contacted the building owner and the fire department has shown up
I don't think it's like this at all. The risk of a gas leak is not increased by telling people about it and can't be prevented after it's occurred. To stretch your analogy, I'd say it's more like you've found the gas leak and instead of turning off the gas supply are instead running around outside the building shouting about how there's a gas leak.
autoexec•May 15, 2026
> The flipside of course is ... does your disclosure increase the risk?
When you've got that much on the line you have to assume that the risk is already present for all users. It's true that there's always a chance that some users won't find your disclosure in time and a would-be attacker who wasn't aware of it already will start taking advantage of the flaw, but the alternative is that nobody at risk will be safe.
> The risk of a gas leak is not increased by telling people about it and can't be prevented after its occurred.
It's true that warning people not to enter wouldn't make the gas more dangerous, but what can be prevented after the leak starts is more people entering the building and walking into a death trap. There's no way to shut off the gas supply when you can't control what's already running on people's devices and more people are downloading and running the buggy code all the time. It's really not a perfect analogy. The point is that immediate action will save some people, while waiting around means that nobody has a chance of being saved.
azalemeth•May 15, 2026
You really do provide a reassuring, good service -- thank you.
It's also worth stating that the client (including the cli client -- which, with a bit of work, you can get running in most situations where you'd use native wireguard) by default has a key rotation interval of I think 72 hours.
`mullvad tunnel get` will show it and `mullvad tunnel set rotation-interval <hours>` will change it. This is the preferred mitigation method of the post.
I personally don't mind having a pseudo-static IP (some other suppliers offer a static IPv4 as a feature!) as I wish to prevent network-level snooping from my ISP and governments. It's also worth stating that I think having a smaller IP space is an advantage for a privacy VPN: there are more potential users acting behind any given externally visible IP. Combined with technologies like DAITA (which effectively adds chaff to the tunnel) and multi-hop entrances, I personally think that this service really does plausibly make life harder for those who snoop netflows all day.
lionkor•May 15, 2026
I just want to say I absolutely love Mullvad! You guys did a fantastic job at designing a genuinely good and trustworthy (as much as possible) VPN vendor. You communicating here is just another data point towards this.
reincoder•May 15, 2026
I work for IPinfo. Even though we are in the VPN detection business, I will give Mullvad the benefit of the doubt, to be honest. They were one of the three VPN providers we found that did not attempt to submit inaccurate geolocation information to IP geolocation providers like us. I am sure they will fix the issue.
Melatonic•May 15, 2026
Who else?
camgunz•May 15, 2026
"identifying" is the wrong word here--that's only possible if Mullvad stores a mapping between IP addresses and people, which according to them, a 3rd party audit, and a law enforcement raid they do not. It's also worth saying it's possible to use Mullvad entirely anonymously by mailing them cash, which I do.
Also if the threat model you're addressing w/ VPN usage is anything other than "I don't want my ISP to know what I'm doing" you need to use/do something else.
20 Comments
What's the point of this? This seems more complicated to implement than mapping exit ips at the server level, so surely they must be doing this for a good reason?
It's a practical measure, but definitely has a privacy cost though.
It seems more likely this is just about load-balancing use against their available nodes.
Given how much of the world is stuck behind CGNAT now, I would expect any major sites to handle it.
I'm also stuck in a 2 year ISP contract
If you get a new exit IP each time you connect, you need something like a NAT table to look up "key 0xabc exits ip 1.2.3.4", and that grows to be the size of the number of users you have active, and you need to save it forever so that when the NSA asks who used the IP for what duration you can tell them.
With a static mapping derived from the key, you don't need a table like that.
It's also better UX since it means reconnecting your VPN software (say you switch wifi hotspots) doesn't give you a different IP address, so things like SSH sessions can resume, which wouldn't be possible if it were a different public IP each time.
Yes, obviously.
> VPNs are snake oil
Huh?
>Should I use a VPN?
Yes, almost certainly. A VPN has many advantages, including:
1. Hiding your traffic from only your Internet Service Provider.
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
4. Allowing you to bypass geo-restrictions on certain content.
(https://www.privacyguides.org/en/basics/vpn-overview/)
This is highly subjective statement.
Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely high trust point while any commercial VPN is a low trust.
Neither of those is possible with my ISP.
Phone doesn't even need data if you have access to wifi wherever you stash it.
VPN chaining easier though.
Like you need to physically be there, need ability to connect phone it to electricity and somehow maintain if it e.g reboots. And stay anonymous while doing so? I'd say that Hollywood kind of solution.
That said, you might still want to use a VPN on top of that, depending on what you’re doing.
Most VPNs are untrustworthy, but unlike ISPs, you can choose from any VPN provider in the world, not just the two or three that are local to you. And there are VPN providers in the world that have been proven not to retain data by audits + actual court cases where the court determined that the VPN provider did not have the data authorities were seeking. Do your research and choose a court-proven VPN, it's that simple.
And then sells it?
Doesnt't surprise me that they're counting on gullible, useful idiots defending "Chat Control" and eIDAS.
Should I trust my ISP than Mullvad? LMFAO.
Citation needed.
For everyone in the industry it is le secret de Polichinelle.
What power is in $2.99/month that it offers so much security?
Why is that at least 40% of sponsorship to YouTube Creators seem to be from VPN industry?
What is that they know and we don't know?
One at least has open source software clients, and publishes audits from other 3rd-party audit organizations.
The other open source... nothing. Their client apps have dozens of trackers inside. And it's a dream to see any of the ISPs in my county publish any 3rd-party audits. Their other products (going with the service) have trackers and personalized targeting ads inside.
Yeah, in my 1 million alternate universes should I trust my ISP more.
Well, my ISP sent me a nice letter saying they intend to monetize my metadata, and mullvad has demonstrated in court that they don't have user data to give up.
> and how do you expect them to protect your identity in face of determined state actors that are afer you?
That's moving the goalposts; your parent comment didn't say anything about determined state actors. And defending against commercial actors is useful even if it doesn't help against state actors. I tend to assume the NSA can compromise anything. I'd like to ensure only the NSA can compromise my stuff.
Many many examples out there. "We don't keep logs" is not good enough neither realistic because how else a VPN provider is supposed to protect itself if it doesn't keep a log of what's happening inside and through its own systems.
Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.
(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).
From outside the US I should be using a VPN end-point within the US, so that my browsing traffic doesn't hit the NSA - only my encrypted VPN traffic does.
I mean, let's be real.
All known US VPN servers and Tor exit nodes--and probably all US Tor relays regardless of exit policy--are going to be considered a totally legitimate "communications facility" target for the warrantless wiretapping system due to exactly the scenario you just posited.
From that perspective you'd be better off using US residential proxies. Of course, while they'll never admit it in court, NSA just does whatever they want, laws be damned, and are almost certainly logging everything. So while such a scheme might theoretically hinder the introduction of evidence in a court case, it doesn't really matter; NSA is still gonna see your traffic and they're still gonna either drone strike you or "parallel construction" your ass, anyway.
When you share the evidence for this, it will be international news.
VPNs are useful for the reasons you mentioned.
In theory, but as someone who uses Mullvad in the UK on a day-to-day basis on my personal laptops (not my phone) - I'm using it now, I'm afraid there's quite an additional downside I've found, in that because Mullvad's (at least UK, but also French and Dutch ones I've tried) exit IPs are known, many companies (Cloudflare, Akamai) at the very least know about them, and several sites block access when using Mullvad, returning 403s.
Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise (using Firefox).
Sometimes using IPv6 in the Mullvad settings gets around this, but more and more recently I've found it doesn't, so there sites where I'm having to stop using Mullvad to actually access sites.
(I'm still a happy customer, and 1 to 3 are still true and why I use it otherwise).
Rotating your VPN endpoint will resolve the issue. It might take two or three tries.
The most generous way of reading that would be the fact that every YouTube pushing for a VPN as an essential tool just to use the internet outside of your house without getting hacked is a big exaggeration or fear mongering but there's good reasons for using a VPN for a lot of reasons and it's not snake oil.
>Also. This is how they ruined any meaningful talks about privacy
There is so much noise
"Use braive. Don't use braive. Use vpn. Don't use vpn"
Then the debate spreads to all other aspects password managers, emails and etc
VPNs are a technical tool for technical people. You need to know exactly why you need it in order for it to be useful.
(yes, I've been raided)
(I started using Mullvad after - because of - that)
(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)
They have their own tools + tor, they do not need mullvad.
1. It's the preferred VPN of TeamPCP.
I'm a little confused on this... what is stopping third parties from doing key rotations like the main app clients if it is detailed in the repo how to do it?
Knowing to do so, primarily.
If I'm on a public VPN, I don't want anyone to know who is making the request, including the terminating IP.
Think about it. By your logic, VPNs shouldn't be used for torrents because VPNs shouldn't anonymize you to the terminating IP. Whereas they work gangbusters for that.
If you are talking about private VPNs.. Mullvad isn't one.
But today’s internet is essentially a giant ad network.
The fact that Tor does not intend to tackle the timing problem is plainly stated on the Tor website.
Why can't it aim to solve what it can do? TOR is a great example: the TOR network itself can't perfectly anonymize you due to browser fingerprinting, but users of the TOR Browser get both the TOR network resisting deanonymization on a network level and a browser with plenty of anti-fingerprinting measures built in. A VPN could aim to prevent deanonymization on a network level so that users who want to stay anonymous can use the VPN in combination with fingerprinting-resistant software.
This sounds like how I'd design a VPN if I were an intelligence agency.
I don't know the answer, but there are two ways to take it:
1. Submarining to destroy confidence in an actually trustworthy, decent VPN company
2. They're an intelligence front.
For me, Mullvad have the appearance of the greatest likelihood of being legit since they're not aggressively pushing their product with lies and fear mongering. That gels with my vibe. If they're an intelligence front, well, most VPNs probably are as well, so I'm no worse off.
Luckily I'm not doing anything that would get me in the kind of trouble for which multi-jurisdictional cooperation is worthwhile.
So does your comment...
Anyone with a few crypto currencies in their wallet that can click a button on any of the booter services with botnets for hire.
I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)”
If NSA aren’t installed at Cloudflare, I wonder what they are even doing.
That doesn't mean collusion
Either way, if they were directly colluding with Google, they would have had a much simpler time siphoning off that data.
People didn’t care when they learned about PRISM, why would they care now when it’s a known fact? The sane stance would be to assume Cloudflare is in cahoots with NSA.
The NSA leaks dominated news cycles for the entirety of 2013.
it does give better peering. reduces latency a bit for me.
This is as helpful as Whatsapp's so called E2E encryption comms (that just happens to not be applicable by default in certain situations).
That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare.
I think more people than you would expect would be happy to accept that as the price for protection against malicious actors
Hmm do we want them to decide what stuff is shady and what isn't?
We're already allowing payment processors to do that and it's not good.
The funny thing about that era is you knew they started using Cloudflare because they went from stable with constant uptime to going down and showing a Cloudflare banner randomly all the time for a good year or so. They ran worse with Cloudflare than they did while they were allegedly getting DDoSed. The whole company glows, as the late great HN commenter Terry Davis would've said.
Oh my god, this is how & when I realize that Terry Davis (Rest in peace) used to use Hackernews too: https://news.ycombinator.com/threads?id=TerryADavis
https://news.ycombinator.com/item?id=10061171 (From this comment written by terry):
"I wrote all the code from scratch, including a 20,000 line of code compiler that makes x86_64 machine code from HolyC or Asm and operates AOT and JIT.
My JIT mode is not interpreted. It optimizes and compiles to x86_64 machine code.
I was chosen by God because I am the best programmer on the planet and God boosted my IQ with divine intellect." -Terry A Davis.
This is a massive issue in my view, it allows correlation across multiple VPNs exit nodes, but that’s it. It doesn’t allow to identify you automatically. It does significantly lower the bars for identifying you though, but the requirements are still high.
Hopefully they fix this soon.
I can’t believe this type of “let’s make it a hash or something sensitive” still happen, and at mullvad, of all places. Why not randomise it simply?
If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for party that has a whole host of other bits on a list of suspects, without being useful to most other people.
1. https://en.wikipedia.org/wiki/NOBUS
Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still.
Their ads on San Francisco's public transit are good.
Security is always a balance. Always
AI is showing that everything has a weak spot (wondering where are the "I don't make mistakes with C" now people are - but that's for another discussion)
There's another commenter mentioning this makes sense because exactly it avoids them keeping information on which customer is matched to which server. You know, one of the things you don't want to log
Could it be done better? Probably.
Here's a better idea, logging off is 100% safe
Meanwhile 99% of the normies will go for NordVPN
Make it look like an accidental misconfiguration and if an insider who isn't an NSA mole does somehow discover the logging, there's a fair chance they'll turn a blind eye anyway. After all, if you work at a VPN, publicly outing your employer for logging will tank the business, then you and your colleagues will all be out of a job.
I guess we’ll see how they respond.
Mullvad have been taken to court over this in relation to a copyright infringement case.
TL;DR The judge permitted people to take a fine-tooth comb to Mullvad's infrastructure and no logging was found[1].
[1] https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-sea...
Sure, there are other intelligence agencies, but that's the one I'd be the most worried about. Since either they run it, or they would know of it and want to emulate the idea, or know of it and have access to it from the partner agency running it. Or they are not a threat to me.
There's also the issue of no publicly known cases where someone that used Mullvad being deanonymized through the VPN but instead being discovered through some other opsec failure. If an intelligence agency has this capability they have been sitting on it for almost 2 decades without making use of the data. Hard to believe.
Wow, I didn't realize Mullvad was this old! Then again, maybe they weren't popular enough back then for intelligence agencies to target them? For instance, Mullvad kinda rode WireGuard's popularity wave by being the first(?) VPN provider to implement the protocol. Big ads on billboards came even later. So maybe they only became a target in recent years?
I think its safe to assume that intelligence agencies have other options available to them, such as country-wide timing attacks.
Seems like a good deal to me. I don't care if they know I use mullvad, I care they don't know I'm me, and that's not something mullvad will easily disclose.
That's exactly what the article is about, a side channel information leak that de-anonymises users, did you read it?
I'll go ahead and answer that it can't. It knows I'm mullvad user X, thus deanonimization, "it knows I use mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".
But when you connect to the site from via server A and later via server B they can tell that you're the same person.
And they can deanonymise you through data brokers. All Mullvad IPs are traceable back to the same number (acting as a pseudo account identifier) so if you ever entered your PII on any website when using Mullvad, it can be linked to the same Mullvad account.
And if you ever visited any of those sites without using a VPN, your home IP can be linked to your Mullvad ID through browser fingerprinting.
And if you ever entered any PII on any website from your home IP, you can once again be deanonymised.
Now the existence of browser fingerprinting isn't Mullvad's fault, but this flaw makes it a lot easier to accidentally deanonymize yourself.
It does seem ridiculous once you spell it out like that, and then you have to realize that it’s plausible to de-anonymize even Tor users by controlling exit nodes.
Things you connect to or log in to are clearly going to be able to ID you at least with in the context of the login that you use regardless of what the VPN does.
I'm logged into HN through Mullvad as it happens. I usually leave it on regardless of what I'm doing because what I'm doing isn't my ISP's business even though I'm pretty happy with them.
Most likely these people just look to hide their torrenting, saying political shit on Twitter from employer and not share their choice of porn with local ISP. Also just adding one more layer between them and occasional scammer who can sometimes infer more broad geodata from their IP leaked from yet another database. Oh and now to avoid "Show your ID" page on the same porn sites.
It works well enough for this goal. Not everyone needs NSA-proof solution.
PS: Obviously more tech savvy people understand importance of hiding traffic on public WiFi, but I doubt average Joe the VPN user will buy VPN for this.
Do you have any facts? I know they really on _additional_ stuff, but do you have sources showing that they never use cookies or source IPs?
On that topic, though, is the Mullvad Browser, who's entire intention is to defeat browser fingerprinting.
What percent on people on Hacker News who say they care about privacy live without Google, Apple, Microsoft and Facebook accounts?
How many people outside of HN do you think care about privacy for real? Like about adtech surveillance and not about their naked photos leaking?
I doubt either % is very high sadly. We tend to say we care, but very few people actually do anything or use self hosted solutions or not tied to Apple or Google ecosystems.
You really cant blame VPN providers for selling on "privacy" hype and not delivering because most people dont care either way.
Might be I wrong, but I feel in west for most normal people use VPNs for torrents, watching porn and hidding activity from school or employeer. Small subsets are also sport fans who bypass geo blocking and people scheming for cheaper regional prices on netflix / steam / consoles.
I blame mullvad for messing up, but I do not suspect them of working with some state sponsored surveillance programme at the moment.
"23034 IPs to blocklist.txt"
blocked IPs they contain all VPN providers. Often VPN providers seed Geofeeds with wrong data, this is why i use traceroute and ping network to locate their real location.
If they're checking my locked doors, I don't want them coming in my unlocked doors.
Search for “mobile proxy” – those are usually cheap-ish monthly subscriptions, with unlimited traffic, and often an API to rotate the IP programmatically if you need it. No KYC, but you usually do have to sign up with an email.
yes, it's a bit more expensive because it's for different use cases. You can't use VPNs or Mullvad for anything mission critical. Just try to log in to your bank in US, it will increase your risk score on their end because VPNs by nature are very easy to detect whereas "residential proxies" much harder.
Naturally! I’m just saying there’s residential proxy providers that are a LOT cheaper than that.
(IIRC, you can usually reply to fresh comments if you click on the “n minutes ago” – the reply link should be visible there even if it isn’t shown in the main comments tree)
I’ve been implementing an Instagram liker service back in... 2018 was it? So a stable pool of non-flagged residential proxies was important here, and it was my client who introduced me to the concept of “mobile proxies”. Basically, they use regular 3G/4G/5G modems with regular SIM cards, and expose that as a SOCKS proxy. You get a normal-looking IP from a pool of mobile operator’s IPs. Since mobile devices reconnect all the time (and are behind a CGNAT mostly nowadays), you can’t really flag an IP like that – and if it is flagged, you can get a fresh one in a moment.
I’m not using this mostly because I’m too lazy to research. Here’s a random one I found (so not an endorsement!) which is $1/GB, seems to only require email to sign up, and takes crypto (including XMR): https://floppydata.com/
Yes I know it comes from pirating/torrenting/scrapping. Are you saying you acknowledge your IPs come from malware, and that is OK because OpenAI is shady too?
Because I'm quite curious on where the IPs are from. Usually residential IPs is a fancy wording for malware infested devices from regular people.
Ohh, that makes sense haha.
@m00dy: please disclose when you’re talking about your own projects! It’s okay to plug your stuff sometimes, just be honest about it :-)
> I’m not here to promote anything just wanted to share a valid use case in the right context.
There’s a small difference: if one of your users did this it would be totally fair, but when a founder does this I think it’s a polite thing to disclose it. That’s what I’ve been doing when talking about my own project on HN [1], and I think in most cases other legit founders just say that upfront, too. I’m not sure if that breaks any rules, but it feels juuuuust a bit shady not to :-)
[1]: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
(Seems to have some weird cache issues though, had to play around with the ?querystring part to get more results)
That is a binary thought process with a lot of assumptions. You might introduce even more attack surface in pursuit of this "security" measure by installing additional software like fail2ban, for example. Close your ports, maybe assign a non-standard port to the popular ones (like SSH) to reduce log spam, and patch your server often. Anything more complicated than that is not worth it, IMO.
Like when I was travelling, sites would routinely use the language of my IP address location, not the language preference as I set it in my browser. So I would be served a site that I couldn't read. My only option was to use a VPN to spoof my location so that it would serve me a site in a language I understand.
I don't see how the author is arriving at this ">99% chance" purely from the numbers provided in the article. Assuming the first (banned IP) seed and the second seed are both in the range 0.4423 - 0.4358 (a stronger assumption than is justified by the example), all this tells us is that the first and second IP addresses both have seeds in a range that would contain 0.4423 - 0.4358 = 0.65% of all Mullvad users, which 0.0065 * 100,000 = 650 users. We've eliminated >99% of users as "suspects", but we haven't actually gotten >99% accuracy in identifying an individual across multiple exit IPs.
In more Bayesian thinking, the overlap in potential seeds is great evidence to think these IP addresses represent one and the same person (or Mullvad VPN account at least), but as far as I can tell, that's not what the author is saying.
What are the chances that someone uses this vpn, joins your forum the day after someone was banned, and has an ip in a similar range?
For most small websites this would be strong evidence.
Edit: In hindsight I regret making this comment. It was unnecessary, but removing it now would look weird.
Putting aside the IP correlation across multiple servers, at first I wondered why even keep the user IP stable on one server. But I think it makes sense because as the author states other VPNs usually have only one IP per server so they are essentially simulating that. The advantages for the user are, if they find a server that works for accessing some service they can connect to that server again and it will work again because they get the same IP.
The IP correlation across multiple servers they should fix though with something like rand.seed(user_pub_key + server_id)
On the flip side, if they’re getting banned by a service because of a noisy neighbor on the same IP, they’d have no way to work around that, no?
All things considered, there are just an incredibly small number of IPs shared among all users, no matter the allocation strategy.
Some aspects of the described behavior are as we intended and some are not. The cause is not exactly as described in the blog post. As for mitigation, we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try to reproduce the blog post's findings you may get confusing results throughout the day.
We will also re-evaluate whether the intended behaviors are acceptable or not. Some of this is a trade-off between multiple aspects of privacy, and multiple aspects of user experience.
Please note that this is my current understanding, which may change. I was only made aware of this an hour ago, and most of that time was spent talking with Ops, considering what to do immediately, and writing this post.
Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away.
As for our support team, they are responsive and experienced. Several of them have worked with us for many years and do offensive security research in their free time.
Unlike many organisations we don't see customer support as a cost center, just like we don't see security as a cost center. Our support team represent our customers, and as a consequence contribute a lot to how we prioritise our roadmap.
I second this.
Clearly the person who wrote "Oof" has never emailed Mullvad support.
Whenever I have emailed Mullvad support I have received a prompt reply from a human being who clearly actually cares about taking ownership of the question and seeing it through to resolution.
I have also witnessed first-hand the support person taking the question to an internal team member where it requires additional input. So there are clear paths for escalation if circumstances require it.
Finally the support mail allows for PGP encryption of communications too.
(I am not a Mullvad shill. Not a Mullvad employee. Just a satisfied customer)
"Just email support@" feels like you don't care. That you do, and that your support team is awesome, doesn't change the fact that there are other companies out there whose aren't. Security people are human with human egos, and they want to feel special, so giving them a special way to reach you, even if it's the same thing behind the scenes, makes a world of difference.
I'm not familiar with how you run your company -- without the context you gave most people would hesitate emailing support@ for security issues.
If so, I guess we just have different opinions on the ethics involved here.
It should always be assumed that someone else (if not several someone elses) have already discovered the same flaw and are currently taking advantage of it while users remain totally unaware of their actual risk. By going public immediately, you give as many of those users as possible a chance to protect themselves.
Waiting to disclose something harmful when the users in danger could otherwise take steps to make themselves safe would be like not warning people entering a building not to go in because of a gas leak until after you've contacted the building owner and the fire department has shown up.
That's not what they said though. They said "please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away" (emphasis mine)
The flipside of course is ... does your disclosure increase the risk?
> Waiting to disclose something harmful when the users in danger could otherwise take steps to make themselves safe would be like not warning people entering a building not to go in because of a gas leak until after you've contacted the building owner and the fire department has shown up
I don't think it's like this at all. The risk of a gas leak is not increased by telling people about it and can't be prevented after it's occurred. To stretch your analogy, I'd say it's more like you've found the gas leak and instead of turning off the gas supply are instead running around outside the building shouting about how there's a gas leak.
When you've got that much on the line you have to assume that the risk is already present for all users. It's true that there's always a chance that some users won't find your disclosure in time and a would-be attacker who wasn't aware of it already will start taking advantage of the flaw, but the alternative is that nobody at risk will be safe.
> The risk of a gas leak is not increased by telling people about it and can't be prevented after it's occurred.
It's true that warning people not to enter wouldn't make the gas more dangerous, but what can be prevented after the leak starts is more people entering the building and walking into a death trap. There's no way to shut off the gas supply when you can't control what's already running on people's devices and more people are downloading and running the buggy code all the time. It's really not a perfect analogy. The point is that immediate action will save some people, while waiting around means that nobody has a chance of being saved.
It's also worth stating that the client (including the cli client -- which, with a bit of work, you can get running in most situations where you'd use native wireguard) by default has a key rotation interval of I think 72 hours.
`mullvad tunnel get` will show it and `mullvad tunnel set rotation-interval <hours>` will change it. This is the preferred mitigation method of the post.
I personally don't mind having a pseudo-static IP (some other suppliers offer a static IPv4 as a feature!) as I wish to prevent network-level snooping from my ISP and governments. It's also worth stating that I think having a smaller IP space is an advantage for a privacy VPN: there are more potential users acting behind any given externally visible IP. Combined with technologies like DAITA (which effectively adds chaff to the tunnel) and multi-hop entrances, I personally think that this service really does plausibly make harder the life of those who snoop netflows all day.
Also if the threat model you're addressing w/ VPN usage is anything other than "I don't want my ISP to know what I'm doing" you need to use/do something else.