
Mozilla VPN - caution
https://blog.mozilla.org/futurereleases/2020/06/18/introducing-firefox-private-network-vpns-official-product-the-mozilla-vpn/
======
haunter
Every single time I start researching VPN services I end up more confused and
with more questions than before because basically every vouched service has
the same amount of negative comments too. Like, it feels like the whole sector is
a honeypot (lol) of shady stuff and also they're fighting against each other (or
not?). So I just wait until it turns out Mullvad is also one of the bad
guys.

~~~
Jonnax
Ask yourself why you want a VPN.

Is it to avoid your ISP collecting browsing data off you and selling it?

Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.

Is it to watch geo region blocked videos?

Then pretty much any service will work for you. Except that video streaming
sites have caught on and blocked hosting provider IP blocks. So that might
require you to shop around.

Do you want the most privacy or want to get around blocking?

Then get a VM from a provider and configure a VPN to it. Wireguard works fine.

Want to do something illegal?

Don't expect a VPN to save you.

~~~
badRNG
>Want to do something illegal? Don't expect a VPN to save you.

I'm not condoning piracy, but VPNs are generally a foolproof way to avoid DMCA
letters from your ISP. Privacy means something different to every individual,
everyone's threat model is different. And many models can benefit from a VPN;
journalists, activists, and many others might find benefit from using a VPN.

~~~
Jonnax
Are DMCA letters still a thing?

It seems like Torrenting died out significantly over the last 5 years.

~~~
TulliusCicero
I moved to Germany and apparently they're still very much a thing here.
Torrenting popular shows sans VPN is -- at least according to Germans on
reddit -- an easy way to get sued, and forced to pay hundreds of euros.

Obviously, I have no interest in testing this out myself, so I take their word
for it.

~~~
laingc
I lived in Germany for years, and this is absolutely the case. Don’t mess with
torrents in Germany without a VPN.

Except for those Linux ISOs, of course.

------
kfreds
Every time the VPN service industry is discussed on HN there is a barrage of
comments that use keywords like “honeypot”, “snake oil”, and “shady”. I’m not
denying that the industry has problems, but in this thread I’d like to focus
on how we can improve it.

Please tell me - What makes a VPN provider trustworthy, and how do you _know_?

Personally I believe a trustworthy provider is _characterized_ by consistent
actions that show transparency, honesty, and conscientiousness. Nevertheless,
such consistent action doesn’t actually prove trustworthiness.

A good VPN honeypot, or reseller of your network traffic, is publicly
indistinguishable from a trustworthy one. So what can the users do? What
tools, technology, process, or ecosystem do they need to tell honest and
dishonest apart? What do we need to build?

We all recognize that VPN providers are in a great position of power over
their users. How do we tilt the scales in the users’ favor? What are _strong_
signals of trustworthiness?

Disclosure: I co-founded Mullvad.

~~~
vpnwire
Thank you for being here and starting this conversation.

I've joined several popular VPN services this year in my work on VPN Wire, and
Mullvad's signup flow was by far the most enjoyable. Not only because there's
no email required (a little disorienting, but very refreshing), but also
because, unlike the experience on many of your competitors' sites, I didn't
feel pressured to buy/commit every step of the way. User-friendly site design,
in other words, is a positive signal.

I personally regard audits and pentests as strong positive signals. For
example, PwC's audit of NordVPN's no logs policy was a positive for me. As
someone in the industry, I'm curious if you feel the same.

Open source software and public APIs are very nice to see.

> What tools, technology, process, or ecosystem do they need to tell honest
> and dishonest apart?

Other than audits, I don't have a good answer to this one. I would love to
hear some technical solutions, and hope other people reply!

And as an aside, kudos on running a very speedy network :)
[https://vpnwire.co](https://vpnwire.co)

~~~
kfreds
Hi! Thanks for the feedback. That’s great to hear.

Audits are good and definitely have a place. There’s much more that can be
done. I agree open source is also an important one.

We’ve tried to identify strong signals of trustworthiness together with a few
other services here:
[https://mullvad.net/blog/2018/10/17/signals-trustworthy-vpns/](https://mullvad.net/blog/2018/10/17/signals-trustworthy-vpns/)

A technical solution Mullvad is working on is something we call System
Transparency. You can read more about that here:
[https://mullvad.net/blog/2019/6/3/system-transparency-future/](https://mullvad.net/blog/2019/6/3/system-transparency-future/)

------
DCKing
Come on Mozilla, hurry up! I want to give you money for goods and services (I
also donate monthly [1]), but I'm not that interested in a VPN (I can and do
also pay Mullvad).

Give me that real internet stuff - email, calendar, file sync, chat(?) - give
me Firefox Premium. Bundle in the Lockwise password manager. I'd pay good
money to see a company fill the void of paid, privacy first essential internet
services and I think Mozilla is one of the foremost existing players to pull
it off. They've started talking about Firefox Premium a while ago now [2] and
it's obviously not easy to build all of this in a lean way, but I'll happily
pitch in. If only to help make Firefox development less dependent on Google or
Yahoo.

[1]: [https://donate.mozilla.org/](https://donate.mozilla.org/)

[2]: [https://www.theverge.com/2019/6/10/18660344/firefox-subscription-paid-service-vpn-cloud-storage-release-date](https://www.theverge.com/2019/6/10/18660344/firefox-subscription-paid-service-vpn-cloud-storage-release-date)

~~~
j1elo
I was just about to change to something different from LastPass, pretty much
convinced about Bitwarden from previous HN mentions, until you mentioned
Lockwise :-) care to share some pros and cons or comparison between these two?

~~~
Hawxy
I personally use 1Password due to it being better polished than Bitwarden and
the support being excellent. I'm using it with Windows/Edge and haven't
encountered any problems.

~~~
dastx
I moved away from it because they still don't have a fully featured Linux
client, and their 1PasswordX client is missing some features, and seems to be
in general quite a lot slower than Bitwarden.

Having said that, Bitwarden is a big pain in the ass. I still can't open the
main window when I'm in private browsing window.

------
jrockway
I am surprised at how much money exists in the VPN industry. Whenever I watch
even a mildly-popular YouTube video, it always has an advertisement for the
latest VPN provider. As far as I can tell, there is only one reason there is
this much money in the field -- to subscribe to US-based video streaming
services from outside the US. But they never ever say that that's the reason,
they always say things like "work from home securely" or "avoid being
tracked". But, of course, your IT department already has a secure VPN for
working from home, and that Facebook cookie works regardless of what your IP
address is. In general, the sell of "you can't trust your network provider, so
pay for an additional network provider that doesn't keep logs and only accepts
payment in Bitcoins," doesn't seem particularly strong to me. Of course you
can't trust the network layer. Nobody trusts the network layer. That is why we
have TLS. (Anyone remember "wired equivalent privacy" when WiFi was a cool and
new thing? Turns out wires don't offer much privacy.)

So why people are buying this service confuses me.

I am also confused at why people can run these services so cheaply. I looked
into doing it myself (I had some ideas for actual value add), and the
economics didn't seem that good. There is a lot of software between "ifup wg0"
and "collect money from people that want a VPN". It seems expensive to write
all that, unless a "yolo" strategy of starting up openvpn and setting up a
couple NAT rules actually scales. (At the very least, you need to be able to
distribute keys to pre-built clients, and if you want to make it smooth, you
are looking at writing your own Windows/Mac/Android/iOS clients. Then you need
all the business management software on top of that -- didn't get the Bitcoins
so delete their private key, etc.) It seems like quite a bit of work that is
quite expensive.

But these things exist left and right and have huge advertising budgets. So
obviously I am misunderstanding something.

~~~
laughinghan
No, your premise is wrong, all major browsers have committed to removing
third-party cookies, or have already done so. And after third-party cookies,
your IP address is the next-easiest way to track you across sites.

 _that Facebook cookie works regardless of what your IP address is_

Firefox has been blocking third-party cookies by known trackers, including
Facebook, since last year [1]. Safari started blocking all third-party cookies
(not just known trackers) in March [2], and Chrome committed in January to
work towards removing third-party cookies [3].

And of course, all major browsers have provided the option to block third-
party cookies since before IE6. I use this option, it rarely breaks things,
and it's only getting rarer—and I don't use a VPN, so this would make me
measurably harder to track across sites.

[1]: [https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/](https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/)

[2]: [https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/](https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/)

[3]: [https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html](https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html)

~~~
dannyw
Keep in mind that Chrome also sends a high-entropy identifier that is
certainly sufficient to identify you in combination with an IP address, to
every Google property, including DoubleClick, on every request (first or third
party).

------
r3trohack3r
Every time someone mentions a VPN provider in my techie social circles, the "A
VPN doesn't protect you" crowd piles in, usually with links to something like:
[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

I don't understand this argument, but would like to.

I run [https://everytwoyears.org](https://everytwoyears.org), a political non-
profit focused on ending the warrantless metadata collection of U.S. citizens'
communications. From everything I know about these programs, they are
_explicitly_ not collecting content of communications. These programs only
collect the metadata about a communication. As citizens, we don't get to have
a clear definition of "metadata" (that is classified!) but we can assume
anything that isn't the message itself is at risk of being considered
metadata, especially if it was shared with a service provider in the normal
course of conducting business (i.e. routing a request).

For HTTP requests, I assume the body of the request would require a warrant
before it can be persisted on a government server. The HTTP headers, if
unencrypted, _might_ be considered metadata but I would be surprised. The IPv4
headers are more than likely metadata. DNS queries are more than likely
metadata.

If you are trying to avoid _active_ surveillance, where your government has a
warrant, a VPN isn't going to help you. If you are trying to avoid _active_
surveillance where your adversary doesn't need/want a warrant to search you, a
VPN isn't going to help you. But if you are trying to avoid having your
internet activity ending up, de-anonymized, in a metadata database that your
government does bulk analysis on, a VPN does seem like it would help. It seems
like it would help a lot.

~~~
closeparen
A VPN is just a tunnel from one point to another. You'd have to establish why
the remote end is more trustworthy than the local end. Being located in a
hostile jurisdiction may be somewhat protective, but it would also seem likely
that compromising foreign VPN services is within the NSA's wheelhouse.

~~~
wongarsu
Unless I set up my own VPN I'll share a VPN server and IP with other people.
That makes my traffic inherently more anonymous once it has left the VPN
server, since you can't correlate traffic to a single person anymore. So even
if traffic in the data center is analyzed, that's better than my ISP analyzing
traffic.

Thus we only have to establish that the VPN provider is at least as
trustworthy as my ISP. That's a pretty low bar to clear in many places. I have
no doubt some VPNs are operated by nefarious actors (no better way to collect
high quality data), but I don't think that's a concern with Mozilla.

~~~
closeparen
You should expect that the government can compel a VPN provider to correlate
traffic to subscriber information exactly the same way it does with a
residential ISP.

~~~
wongarsu
Sure, but the set of governments that can compel my ISP might be different
from the set of governments that can compel my VPN. I don't care about all
governments equally, and my own government has a disproportional impact on me
compared to most other governments.

------
surround
> At Mozilla, we are working hard to build products to help you control of
> your privacy and stay safe online.

> We know that we are on the right path to building a VPN that makes your
> online experience safer

Commercial VPNs are good for censorship circumvention or location spoofing. It
is irresponsible to market VPNs as something which “protects” you online. In
reality, they do _nothing_ to improve security, and very little to improve
privacy.

You do not need a VPN.

[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

[https://schub.io/blog/2019/04/08/very-precarious-narrative.html](https://schub.io/blog/2019/04/08/very-precarious-narrative.html)

~~~
r3trohack3r
I see this take a lot. Serious question: doesn't the U.S. government
surveillance program focus on collecting communication metadata for U.S.
citizens? While it isn't clear what that metadata includes, we do have
examples of past programs that have leaked (and the legal theory used to
justify them) to guide us.

Given what we publicly know about these surveillance programs I could see FISC
approving bulk metadata collection for the IPv4 header content, insecure HTTP
header content, and DNS queries.

Wouldn't using a VPN, DNS over HTTPS, and HTTPS everywhere shield you from
these bulk metadata collection programs? I run
[https://everytwoyears.org](https://everytwoyears.org), a political non-profit
focused on ending these programs, and I view VPNs as a key technical piece of
preventing these metadata collection programs from functioning; if the
security community doesn't believe they are effective, I would really like to
know!

Another way of saying this: collecting _content_ of a communication requires a
warrant (and our mass surveillance programs respect that from what we publicly
know). Most people that I know aren't trying to avoid active (we have a
warrant to search you) monitoring with a VPN, but trying to avoid passive
warrantless monitoring. Obscuring communication metadata through encryption
and tunneling seems to be an effective way of doing this.

~~~
PureParadigm
If I were a government trying to gather metadata about web usage, the first
thing I'd do is set up or acquire my own VPN company (and make it look
convincing, of course).

~~~
notriddle
I wouldn't.

What percent of the public do you think uses a VPN? And do you think VPN users
are a representative sample of the general public?

~~~
PureParadigm
VPN (and tor) users are the ones you'd be most interested in as a government.
So it doesn't matter how much of the general population uses your VPN as long
as you convince the ones you're interested in to use one.

And for all of those not using a VPN, just ask the ISPs.

------
RandomBacon
It uses Mullvad, and is the same price as Mullvad. I am assuming Mozilla gets
a cut. When my current Mullvad subscription expires, I will switch over.

~~~
vpnwire
I’ve been speedtesting a few VPN networks, and the biggest surprise has been
how fast Mullvad + Wireguard are. I need to try NordLynx (NordVPN’s flavor of
Wireguard) for more of an apples-to-apples comparison, but at least on the
speed metric, it looks like Mozilla chose a good partner.

Making deeper data exploration possible is a work in progress, but you can see
what I have so far here: [https://vpnwire.co](https://vpnwire.co)

~~~
Dahoon
How close is Mullvad to your max bandwidth? In other words how much loss of
bandwidth do you see?

~~~
vpnwire
Max bandwidth is about 7 Gbps

------
e12e
What an odd choice from Mozilla and Mullvad to segment this based on
geography. Can you use it while traveling outside the US? Why not simply have
a wait list? Mullvad already operates globally - what is the reason for the
geofence? Is Mozilla not able to accept payment outside the US? (maybe not
able to pay taxes?)

------
AdmiralAsshat
Forget the VPN--I already have a VPN provider and I have no interest in
changing. Offer a paid e-mail service, on the other hand, and I'd sign on up
Day 1.

~~~
numbsafari
This right here. And a hosted suite of productivity tools that have
documented, public formats that contain all of your data (and not just a link
to the cloud-hosted copies).

Amazing that GSuite's only real competitor in 2020 is Office365.

~~~
j_koreth
Would a Nextcloud instance work?

~~~
cecida
I've checked out Nextcloud a few times, but it really needs a sizeable and
trustworthy brand that would host it for you, allow you to point a custom
domain at it, and provide zero config email/calendaring out of the box.

I'd trust Mozilla.

------
Skunkleton
When you connect to a VPN you advertise the fact that you are connected to a
VPN to your local network, and hide your tunneled traffic. The tunneled
traffic emerges elsewhere, with the extra encryption removed and proceeds as
normal. Basically all a VPN provides is a mechanism to pretend that your butt
is in a different seat. You hide your traffic from one network and expose it
on another.

If you are on public wifi somewhere and are concerned about traffic that isn't
otherwise encrypted (DNS comes to mind), or if your connection is in some way
restricted (govt, shitty isp, etc), then a VPN can address these issues. But
you have to keep in mind that your new network is similarly untrustworthy.

You might argue that by hiding behind your VPN provider, you are gaining
anonymity. This might be true under the best circumstances, but this can
_very_ easily break down. For example, the moment you load tracking_pixel.png
then you are de-anonymized. That is saying nothing about the shady practices
of the VPN providers themselves, or the governments that regulate them.

When people connect to a VPN, especially lay-people, there is this feeling
that the VPN is providing security, and privacy. This is largely marketing BS
designed to sell more subscriptions. When I connect to a VPN I might be able
to obscure my activity from state actors, or avoid some coffee shop's bogus DNS
server. What I can't do with a VPN is avoid literally every other form of
tracking. And of course if I connect to a VPN, then I should be ok with those
same bad-actors knowing I am connecting to a VPN. And I should be OK with the
VPN provider being able to monitor my unencrypted traffic. And I should be ok
aggregating all of my encrypted traffic into one easy to watch place.

So what is a VPN providing the average consumer? If you want privacy install
ad block software, https everywhere, enable DoH, don't log into social media
sites, and clear your browser's cache frequently. If you want to avoid a state
actor, then your best hope is probably something like Tor Browser.

------
lawnchair_larry
As a security person, I am somewhat baffled by the popularity of VPNs. I have
no idea why anyone would use them for general internet usage, and I suspect
the majority of VPN service users are misinformed about what they think they
are gaining.

Any VPN subscribers want to fill me in? The only thing I can think of is
hiding the source of pirated media being shared via bittorrent.

~~~
pomokhtari
A lot of countries block access to websites. US and EU are not the whole
world! VPN helps people to circumvent censorship.

I use a VPN daily because without it, there is no
Twitter/HackerNews/Reddit/Youtube/... .

~~~
lawnchair_larry
Totally understood for those countries, but it’s still hugely popular in the
US. That’s what I’m wondering about.

~~~
aryonoco
Many ISPs in the US perform DPI, sell anonymized data to marketing companies,
slow down YouTube/Netflix when the backend pipes are congested, etc. If you
want your ISP to provide you with a dumb pipe and not interfere with your
traffic, a VPN is an easy solution.

~~~
lawnchair_larry
In practice, you’re almost certainly not getting faster netflix or youtube by
adding an extra VPN into the congestion path. There are some weird edge cases
where particular peering agreements and anycast routing quirks leave some
exceptions to that, but I highly doubt a non-negligible amount of users are
actually seeing a consistent speed increase on a VPN, and the vast majority
would definitely see a decrease. That VPN is doing more to interfere with
traffic than an ISP is.

As for tracking you and selling your data, I trust my ISP to behave better in
that regard than I do some shady VPN provider. And I don’t even trust my IP
that much.

------
ptx
> over 70% of early Beta-testers say that the VPN helps them feel empowered,
> safe, and independent

Well, _does_ it make people empowered, safe and independent? Never mind what
people _feel_ - the users don't know the details of the implementation, so
their belief could be mistaken.

------
kennystone
Really smart from Mozilla; they leverage trust in their brand with a product
for which trust is the most important feature. Making a VPN is a non-trivial
technology project, but it's pretty straightforward how to do it well.

------
mulmen
This is a hard pass from me.

Mozilla controls my browser. I have no interest in giving them control over
any other part of my online life.

I like how Mozilla is run and hope other organizations emulate them to provide
these other essential services.

~~~
pixxel
Couldn’t agree more. Often I see people wishing for Mozilla to add more
services. Please just do one complicated thing really well, Mozilla!

I guess all these additional services help lure more users to Firefox, so
there’s that.

Maybe Mozilla can eventually generate enough revenue to stop nuzzling on
Google’s money teat.

I think I just convinced myself that additional services are good overall for
Mozilla. But yes, I’m firmly in the spread your online presence wide camp.

------
wiether
Since they are using the infrastructure of Mullvad, what's the point of using
Mozilla's software instead of using directly Mullvad's?

Price related I'm paying 5€/month for Mullvad and Mozilla's VPN is at
$4.99/month so when it will be available in Europe I expect it to be 4.99€.

If they were offering something more, I'll see the point, but here by them
developing their own software to use someone else's infrastructure seems to be
a huge waste. If they wanted to put their Mozilla logo, they should have gone
for a white-label product with Mullvad, no?

------
cameronperot
A little late in the game, but they're a brand I would hold in higher regard
than 99% of the other providers out there. I believe that a lot of people
misunderstand what exactly a VPN is and what scenarios it offers benefits of
use in. I personally host my own VPN on a lowendspirit server [1] for when I'm
on an untrusted WiFi network or I need to have an IP in the US (it comes in
handy as a US citizen living abroad). I also use a VPN sometimes when I have a
dev server (hosted on the server itself) that I'm developing/testing on since
being on the same network as the server makes things easier, e.g. having a
container with an API bound to the VPN network so that I can access it easily
and without it being public facing.

Of course there's also the shady side of VPN use. If you're doing that it
might be beneficial to use the VPN within a VM with strict firewall rules,
i.e. only allow incoming/outgoing to/from the VPN. Doing so allows you to only
send the traffic you want to over the VPN, thus reducing your exposure to any
nefarious data collection that the provider might be doing.

[1] [https://lowendspirit.com/](https://lowendspirit.com/)

------
acd
I also want to subscribe to Mozilla. For viewing Mozilla as a foundation that
does the right thing. Thankful for many of the Internet standards Mozilla
helped develop.

Please help making Internet decentralized and private again.

* Support for paying content creators without advertising
* Decentralized CDN and compute
* fast privacy

------
saltedonion
Given the high ethical standard of Mozilla I’m not sure how popular this will
be.

For example, a while back there was research showing Nord was setting up
users as proxies, thereby making it impossible for Netflix to block these
residential IPs.

I don’t think Mozilla will do this.

~~~
Semaphor
Well, they use mullvad.net (I’m a customer), and they seem pretty trustworthy
while Nord was always the opposite of trustworthy.

------
devwastaken
How do we know this is safe from bad actors? If it's in the U.S. is it safe
from discovery? For example Watchtower tried to use 'copyright Infringement'
to force reddit to give a username's IP and account information.
[https://m.youtube.com/playlist?list=PLkdgWccrJAy53-jeBxM3Pk_kcwz7Q9NR5](https://m.youtube.com/playlist?list=PLkdgWccrJAy53-jeBxM3Pk_kcwz7Q9NR5)

VPN's are the only way of protecting what should be protected speech. You have
to not keep logs or anything that allows a court to find the identity of a
user.

~~~
Youden
> How do we know this is safe from bad actors?

You don't. You never will. This is the case not just for Mozilla but for all
VPN services.

Until there's some kind of hardware-level attestation that verifies a server
is running a particular software installation, that's going to remain the
case.

> VPN's are the only way of protecting what should be protected speech.

No, if you want safety, a VPN is not the solution. VPN providers have invested
a lot of marketing in trying to tell you otherwise but it's simply not true.

All a VPN does is move what little trust you're forced to have in your ISP to
a different, often less-regulated ISP.

The solution if you want privacy and/or anonymity is a technology built for
that purpose, like Tor or I2P.

~~~
nybble41
> to a different, often less-regulated ISP

"Less-regulated" is usually the entire point of using a VPN. Regulations force
your local ISP to keep detailed logs and reveal who was using a certain IP
address at a certain time to various entities based on sketchy circumstantial
evidence. If you go through a VPN then anyone trying to track back the IP
address has to go through the VPN provider first—who probably doesn't keep
such detailed access logs, and may well be in a completely different
jurisdiction—before they can even begin to approach your local ISP. You
certainly shouldn't rely on it exclusively, but it's an important part of
defense-in-depth.

------
pbhjpbhj
>guided by our Data Privacy Principles //

A cunning way of not stating any rules used for the VPN.

Then they can say "well we were _guided_ by our policy when we secretly kept
all your connection details and gave them to a marketing company".

How about being guided by your policies on openness and state precisely and
fully how data is used/stored/shared.

Isn't privacy the/a principal feature of a VPN?

The irony of only being able to sign up from outside the USA if you use a VPN
is not lost on me.

------
flyGuyOnTheSly
What is the main benefit of using a VPN?

I download music, movie, tv, etc files via torrent using my Canadian IP
address and I have never seen anything more than an email from my ISP saying
essentially "so and so company thinks you downloaded their material, don't do
that ok?".

Is the general public so afraid of getting the odd email that paying $5/$10
month to make them disappear is a good deal for them?

Why wouldn't people just use TOR for free? It was extremely fast the last I
checked.

~~~
flatiron
tor begs you not to use their service for torrenting. it would also be a lot
slower than a VPN

i use a VPN (to Montreal since it supports port forwarding) because i work
from home and i don't want my IP that VPNs to work for a major company also
being part of a torrent swarm.

------
Dahoon
I'll live without a VPN as long as it is crazy expensive to find one fast
enough to not throttle my connection (so 1gbps) with unlimited data and
support for encryption at a level that is okayish secure yet still fast enough
to not kill my server or router. I've tried a few that said they could
deliver, but none of them could. I have no interest in paying my ISP for
bandwidth and then strangle it with a VPN.

------
techntoke
How do you call yourself a company that prides itself on open source but you
always put support for Linux on the back burner?

------
bigiain
<snark>"This is why we built the Firefox Private Network VPN Network which you
can use with your Personal PIN Identification Number! Please get some cash out
at the Automatic ATM Machine and donate today!"

Naming things: one of the truly hard things in computer science... (But come
on, you don't have to fail _that_ hard Mozilla, surely?)

:sigh:

------
mikedilger
I don't use a VPN as I'm pretty sure my traffic identifies me once it pops out
the other end. But I do tunnel DNS with a server I trust so that my ISP only
ends up seeing encrypted traffic (DNS over ssh, and HTTPS). I don't do DoH
because there are only a few providers and so those are hotspots for
espionage.

------
dikaio
I would switch ALL my paid for services to Mozilla in a heart beat if they
would just hire a damn UI guy/girl.

------
koolba
Who is the target market for this in the markets it actually operates (US)?

The only people I know that use VPNs do so to download torrents and evade
DMCA notices. And in that case it only really works if the VPN provider is
itself located outside of US jurisdiction and collects little to no
information about you the user.

------
kawsper
I wish Mozilla would also offer a DNS-over-TLS service instead of just
offloading it to Cloudflare or NextDNS.

------
ss3000
I love Mozilla and Mullvad, but 5 simultaneous connections just isn't enough
for me. I know they can't allow unlimited devices due to the potential for
abuse, but something like 20-30 connections so I can use it for all my
devices/VMs isn't too much to ask for?

------
merge
an alternative is also the [https://librem.one/](https://librem.one/) services
run by Purism. VPN, Email and more. All server and client code is at
source.puri.sm and it's mostly only rebranded "standard tools".

------
jsomedon
After firefox introduced that megabar UI with no option to turn that off, I
started considering switching back to chrome. It's very questionable if they
still care about their users, and if that's the case, firefox has ZERO
advantage over chrome.

------
pgt
If Mozilla launched Momail or Firemail, I'd pay for it before paying for HEY
or Fastmail.

------
jchw
Please take notes from Mullvad and give some basic transparency about the data
centers and whether the servers are rented or owned and etc. Stuff like that
goes a long way for people who are genuinely serious about privacy.

------
memexy
I currently run a wireguard vpn on digital ocean and it works really well.

What is the reason for developers to pay for this service when they can set
one up in less than 5 minutes and automate the whole thing with user-init
scripts?

------
fnord77
I would love a VPN that would use a different IP address for each site I
visit.

Just to prevent the backend IP address correlation between sites that trackers
use.

Technically I know this is probably impossible without tons of virtual NICs

------
loughnane
I really like Mozilla, and I like to see them bring some competition for my
dollars that are currently going to the proton suite of services.

------
n1try
Is it a general-purpose VPN service or can it only be used from within
Firefox? Because that would make it only half as useful.

------
satoshivpn
What good is a VPN if you have to reveal all of your personally identifiable
information to the vendor?

You're better off using Mullvad directly--it looks like they don't require you
to fork over personal information to use their service.

Shameless plug: SatoshiVPN ([https://satoshivpn.com](https://satoshivpn.com))
gives you access to your own private and anonymous VPN server with Outline
pre-installed, no questions asked. Payments in Bitcoin only.

~~~
dewey
> What good is a VPN if you have to reveal all of your personally identifiable
> information to the vendor?

Because most people's threat model doesn't include actors that can force a VPN
provider to give up their data. They just use it because it's making it easier
to not get data stolen in a coffee shop and watch US Netflix.

~~~
satoshivpn
If you have two equally great user experiences and in one case you have to
share your personal information, and in another you don't, which would you
choose?

~~~
dewey
The one where the company behind has a good reputation and seems trustworthy.
Like Mullvad where their real address, developers, history and open source
projects are available on the website ([https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/))
and they have been around for a while without any scandals that I'm aware of.

If there's a new provider out with no name, company address, audits or history
and tells me they are not sharing personal information I just have to take
their word for it. So it's not much better than the alternative if I can't
verify it.

------
champagnepapi
"Mullvad respects your privacy and has committed to not keep logs of any
kind." How sure can we be here?

------
cyphar
It's disheartening that Mozilla is continuing to actively avoid partnering
with the Tor project for problems like this, despite the fact that the Tor
project has contributed to Firefox for many years (mostly related to
fingerprint resistance). I get that Mozilla needs to make money, but the fact
that they still haven't made "private browsing mode" actually private by
making it use Tor is a real shame.

~~~
nerdbaggy
The amount of exit nodes would be insane. And I don’t think Mozilla would want
the liability of running them.

~~~
cyphar
I'm not sure how you got "Mozilla should run all the Tor exit nodes" from my
comment.

------
badrabbit
So long as it will never have anything to do with Firefox. Using it for work
would be risky if they did that.

------
Havoc
Can you select the region of exit node? Cloudflare VPN and lastpass geolocking
was a bad combo...

------
pythonbase
And there are countries that force users to get their VPNs registered.

[https://www.pta.gov.pk/en/media-center/single-media/public-n...](https://www.pta.gov.pk/en/media-center/single-media/public-notice---get-your-vpn-registered-080620)

------
xvilka
They should fix their reliance [1] on Python 2 first. They had more than a
decade to migrate, but still Python 2 EOL came as a surprise for them.

[1]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1496527](https://bugzilla.mozilla.org/show_bug.cgi?id=1496527)

------
jokowueu
What type of VPN software are they using? Hope it has some obfuscation

------
classics2
I stopped using Firefox when they discontinued RSS support saying “it’s too
hard and old and lame! Oh but here’s Pocket (tm) which costs money and has
nothing at all to do with cutting RSS support”

I wouldn’t expect much different here.

------
JDDunn9
Opera already has a free VPN built into their browser.

------
MattGaiser
Isn’t $4.99 pricey for a VPN? I pay about 3 for Nord.

~~~
robrtsql
It is a bit pricey compared to the competition (lots of VPNs out there that
cost ~$3/month) but apparently Mullvad is the VPN provider for this offering,
and they cost $5 a month because they are considered one of the 'best' VPNs in
terms of privacy (for example, they will accept cash payments:
[https://en.wikipedia.org/wiki/Mullvad#Privacy](https://en.wikipedia.org/wiki/Mullvad#Privacy)
).

~~~
TurkishPoptart
Is it at all slow? I've found a lot of VPNs actually slow down my connection
which makes me less willing to try them.

------
gver10
> Although there are a lot of VPNs out there, we felt like you deserve a VPN
> with the Mozilla name behind it.

------
sequoia
"For example, over 70% of early Beta-testers say that the VPN helps them feel
empowered, safe, and independent while being online."

What have these "feelings" got to do with anything? This is a measure of
successful marketing and has nothing to do with the product or its efficacy.

Personally I use Windscribe and I really like it (I've used PIA & Mullvad in
the past). I use it for watching US Netflix and to make it _slightly_ less
easy to track me on the net (I know there are many other ways). I also like
the idea of not having my IP or the gov't spy on me _as easily_.

~~~
nprateem
People buy on emotions

~~~
bredren
What was the 500 startup guy's phrase?

A product has to get you “Made, Paid or Laid”

Where Made was like a sense of positive promotion like a made-man in the mob I
think.

Emotion is everything. If a product doesn’t make you feel good you’ll only buy
it because you have to.

------
ryanmarsh
If it’s terminating at a host you don’t control _it ain’t private_.

------
dx87
Can't wait for this. The PIA extension stopped working in Firefox months ago,
and PIA said they have no ETA for a fix.

~~~
notRobot
PIA was also acquired by a malware company:
[https://news.ycombinator.com/item?id=21679682](https://news.ycombinator.com/item?id=21679682)

------
romanovcode
> You can only subscribe to the VPN from the United States

How is this a "launch"? And also, this makes it a bit fishy if you ask me.

------
userbinator
This is what they should've done _instead_ of that user-hostile DoH thing
(which is already itself a sort of VPN but for DNS traffic only.)

------
ayoisaiah
I won't be switching to this. I've been paying €4.99 monthly for Blokada VPN
on Android. It's pretty reliable and offers ad blocking as well. Also supports
up to 5 devices.

~~~
nix23
Nice, which shady Marketing-Firm are you working for?

Any points for 'Blokada' being more trustworthy than AT&T ;)

~~~
ayoisaiah
Just a happy user :)

Blokada is pretty popular for Ad blocking on Android. And it's open source
too:
[https://github.com/blokadaorg/blokada](https://github.com/blokadaorg/blokada)

~~~
nix23
Nice...sorry for the aggressive tone, sounded like an advertisement, have fun
;)

------
solarkraft
It's a rebranding of Mullvad. I'm happy with Mullvad itself, and while I think
Firefox is the most important browser I'm not very happy about Mozilla
arguably destroying its brand and seemingly pivoting away from maintaining it.
I'd directly pay for the development of FF, but not Mozilla's "btw, we now
sell $completely_unrelated_product_without_even_an_ethical_business_model".

They seem to be relatively safe from forking though, because apparently the
code base is too much of a mess. Yay.

~~~
orra
You say that, but not enough people _do_ directly pay for the development of
Firefox. Of course, you are welcome to donate to the Mozilla Foundation.

Also, your complaint about an ethical business model seems unfounded,
especially in this instance.

~~~
wasmitnetzen
> you are welcome to donate to the Mozilla Foundation.

Which does not pay for the development of Firefox.

~~~
orra
The Mozilla Foundation annual financial statement includes its subsidiary
Mozilla Corporation. And most of the Foundation's expenditure is staff costs,
for the Firefox project.

If that doesn't satisfy you, note that targeted donations are also a thing.

~~~
RandomBacon
Unless everyone does targeted donations, it's pointless. It's like adding
water to one end of a pool and expecting the water level at only that end to
rise. If only a small percentage of donators earmark their donation to
Project A, then less money will come out of the general fund for Project A
and more from the general fund will go to Project B. The money you just
donated didn't increase the budget for Project A, instead the organization
just increased the budget for project B.

In other words, targeted donations are not a targeted budget increase.

