
Mozilla Announces Experimental Partnership with ProtonVPN - vabmit
https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/
======
preinheimer
(disclaimer I guess I own a company that offers VPN services, it's like ~1% of
revenue though).

I think this seems like a bit much. I'd love Firefox to double down on
building a great browser, rather than getting into Pocket, VPN, a Phone, IOT,
etc.

Sure, a VPN can be really helpful when you're on sketchy open wifi, or other
adversarial network conditions. But you're still trusting someone to handle
your connections reliably and fairly. Several ISPs have proven themselves to
be sketchy: injecting ads, adding tracking headers, etc. But do we really
expect VPN providers to not crunch the same numbers and come to the same
conclusions?

Note that despite _my_ thinking, it does fit in well with their agenda:

> Mozilla has identified five key issues that are critical to build the open
> Internet we want:
    
    
        Privacy and Security
        Open Innovation
        Decentralization
        Web Literacy
        Digital Inclusion

~~~
intopieces
>But do we really expect VPN providers to not crunch the same numbers and come
to the same conclusions?

Yes, because those numbers are different -- there's actual competition among
the providers, which is not so for ISPs. I agree it's still a gamble, and
still requires trust, but if/when that trust is broken, there's someone else
ready to fill that void.

~~~
ryanlol
"competition" doesn't work super well here given the information asymmetry
between users and providers.

There's simply no way for customers to tell if their VPN provider is selling
them out.

~~~
jopsen
Isn't that why you want Mozilla?

By siding with you they can certainly pave over the asymmetry in the
relationship between provider and users.

I trust Mozilla, not ProtonVPN, and I trust Mozilla vetted them and will
continue to look them over the shoulder.

That's more than I can say for my current VPN provider.

~~~
acct1771
I currently would trust them right up until the point where they receive a
subpoena from the government because I said something they deem icky.

~~~
jopsen
Having worked at Mozilla I can honestly say that I'm confident Mozilla can't
keep a neferious secret :)

There is a lot of passionate privacy activists at Mozilla. Many of whom to
would leak an NSL at the risk of persecution. (In fact I dare say the lineup
would be long)

------
dstaley
This seems like another attempt to acquire a new revenue stream for Mozilla.
I'm glad it's through something like providing a user-focused VPN as opposed
to increased ads and tracking, but I still feel a bit bummed that Mozilla
feels the need to do this.

The other day I came to the realization that Firefox is the only portal to the
web that's not affiliated with a tech giant. Microsoft has Edge, Google has
Chrome, and Apple has Safari. It's so strange that the web is such a huge,
important part of our lives, and we only have four ways[1] to access it, three
of which are driven by profit-seeking organizations.

[1] I'm not counting forks since those are largely still the same as the
original code base, and none of them have gained a significant amount of
traction. I'm also not counting experimental browsers since I'm not aware of
any that are both largely-compatible with current web platform features and
not based on a fork of one of the primary browser engines.

~~~
Skunkleton
Just to be a pain in the ass, I fired up elinks to type this response.

~~~
Fnoord
Just to be a pain in the ass, ELinks has known vulnerabilities. The last
stable release was from 2009, and the last pre-release from 2012 [1]. At the
very, very least it has vulnerabilities in SpiderMonkey.

If you need a console browser with picture, JS, color, and table support,
consider Browsh [2] instead: "Browsh is a fully-modern text-based browser. It
renders anything that a modern browser can; HTML5, CSS3, JS, video and even
WebGL."

[1] [http://www.elinks.cz/](http://www.elinks.cz/)

[2] [https://www.brow.sh/](https://www.brow.sh/)

~~~
Skunkleton
You are a pain in the ass! Thanks. I will look at updating my text-based
browsing habits :)

Edit: I've been snookered! This is just a text rendering front end for
firefox. This invalidates the point I was trying to make. I am sad now.

------
jacekm
I have mixed feelings about this move. On one hand I like that Mozilla gets
additional source of income to support their mission. Plus people will
certainly benefit from using a vpn service. On the other hand though this will
redirect people to a particular provider that may not necessarily meet their
needs. Proton VPN offers a decent service, but not sure if the best one. I'd
be much more comfortable with this if they were suggesting multiple different
providers.

And let's not forget that this is also a jump into the abyss of in-browser ads
that may be difficult to block even with an add-on. From the screenshots it
seems that FF analyzes your behavior (connection to an unprotected network)
and displays the ad based on that. I fear what's going to happen when Chrome
team picks this idea (e.g. "we see that you are logging into a bank X, how
about you try bank Y?")

~~~
svrtknst
> I'd be much more comfortable with this if they were suggesting multiple
> different providers.

I don't see anything saying that they won't. They might only offer ProtonVPN
for all of time, but I could also see them adding additional providers down
the line. In any case, I'm imagining that the vetting process is relatively
costly to perform and keep up, and I'd trust Mozilla more than myself to do
it.

------
IngoBlechschmid
Honest question: Why not bundle Tor, instead of relying on a proprietary VPN
service? It seems that Tor satisfies the advertised use case ("insecure public
WiFi") just as well.

~~~
intopieces
Is Tor still super slow?

~~~
megous
Slower, but not super slow. Latency is significantly higher, if you're used to
~10ms ping from your home to your data center.

Grabbing a page from my website over tor and over normal network:

    
    
        curl http://mywebsite
        curl https://mywebsite
        curl --proxy socks://127.0.0.1:9050 http://mywebsite
        curl --proxy socks://127.0.0.1:9050 https://mywebsite
    

Results in these times (tor times depend on selected circuit):

    
    
        0.028s / http
        0.063s / https
        0.394s / tor http
        1.079s / tor https
    

If I killall -HUP tor (force changes circuit):

    
    
        0.302s / tor http
        0.598s / tor https

------
tom4000
Why Proton VPN and not something privacy friendly? As ProtonVPN like NordVPN
is run by Tesonet is has the same issues.

Why does Mozilla trust in Tesonet and why should their users do?

[http://vpnscam.com/heres-why-you-cant-trust-nordvpn-and-
prot...](http://vpnscam.com/heres-why-you-cant-trust-nordvpn-and-protonvpn-
protonmail/)

~~~
Kaveren
ProtonVPN is simply the best choice for a VPN if your goal includes anonymity
/ privacy; I place zero stock in this.

1\. No other VPN that I'm aware of has any of its own data center
infrastructure.

2\. Even though ProtonVPN (and essentially all VPNs) works with untrustworthy
companies like Leaseweb to provide many of their servers, SecureCore allows
you to route traffic through their own data center infrastructure to another
exit node server.

3\. Public-facing CEO who has a verifiable history. You know his name, his
face, he's given a talk. This helps with accountability.

I've said it before on HN and I'll say it again, their reply to this situation
satisfied me completely, and nobody has said anything against this reply:
[https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...](https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/e21tfqw/)

There is simply not a better option than ProtonVPN.

Yes, I sound like a shill, but the facts are still the facts.

~~~
tom4000
Thank you for pointing on the post.

------
vvilliam0
ProtonVPN is the same company as ProtonMail. The company has had a good rep,
reminds me of Lavabit.

~~~
bigiain
Isn't there at least some controversy about that (perhaps it's only a
disgruntled competitor who jumps on every second post I see mentioning them,
but I'm 99% sure I've seen a few questions/accusations levelled at them...)

Having said that - seeing them vouched for by the Mozilla Foundation seems to
be a significantly better indicator of their trustworthiness than this post
from a day or two ago:
[https://news.ycombinator.com/item?id=18260920](https://news.ycombinator.com/item?id=18260920)
\- I _mostly_ trust Mozilla to not be guided just by whoever offers them
money, and hopefully to have learnt from their dumb Mr Robot fuckup...

~~~
jorvi
I take it you mean
[https://news.ycombinator.com/item?id=17258203](https://news.ycombinator.com/item?id=17258203)?

I fully agree that ProtonVPN seems like a poor choice, considering all the
controversy around them, especially when its backed up by that much evidence.
Mullvad, Private Internet Access, TorGuard etc. would have been a better
choice, but perhaps Mozilla didn't want to look like it was picking sides
among 'established' VPNs..

~~~
mackrevinack
Stay away from PIA. One of their employees was caught red handed spreading
false information about other VPNs a few months back. The guy's google profile
picture was in one of the screenshots. It was half covered by another window
but it was enough to figure out who he was

~~~
dsissitka
My Google-fu is failing me. Source?

------
p1necone
Is Mozilla _very_ short on cash? Why is the supposed steward of an open
internet suddenly partnering with all these proprietary services?

~~~
kiriakasis
because Mozilla appears to be more focused on user-centric features than
political statements.

~~~
p1necone
One mans "political statement" is another mans "user-centric feature".

------
mido22
i would not have minded if mozilla had offered their own vpn service, trusting
some third party sounds like a bad idea.

~~~
jvehent
would you have purchased it?

~~~
sakisv
I think many people, myself included.

For better or worse, Mozilla managed to brand itself as the equivalent of the
open internet and an organisation that would put the users first.

This is quite important in today's world that's full of Googles, Facebooks,
Microsofts etc.

That doesn't mean that Mozilla has done nothing wrong. I'm just saying that I
would feel much better having a VPN service run by Mozilla as opposed to a VPN
being run by Facebook.

------
wtmt
There doesn't seem to be a way to sign up for this directly. If one _wants to
support Mozilla through this,_ it looks like one has to be in the U.S. (or
fake being in the U.S. with a free account of ProtonVPN) and hope to be picked
up by random for this experiment.

Anyone from Mozilla or ProtonVPN reading this and can confirm that this
understanding is correct?

------
sys_64738
Opera offer a built in VPN client for free. Just mentioning this.

~~~
kiriakasis
and also is owned by a Chinese corporation.

------
clusmore
This is a little vague on the technicals, but it sounds like you would be
downloading and installing the full VPN service as if you had obtained it
directly from ProtonVPN? i.e. this isn't a browser plugin? It'd be interesting
if there were some tie-ins with the browser, like perhaps separate VPN
connections per container (not sure this is possible, I'm no expert).

~~~
Fnoord
I'd prefer it if it used some kind of way to proxy traffic through WireGuard
instead (which ProtonVPN does not yet support while they should if not just
for performance reasons alone [1])

[1]
[https://www.wireguard.com/performance/](https://www.wireguard.com/performance/)

~~~
bartbutler
It is something we'd like to do, but it's still a little experimental and it
hasn't gotten to the top of our priority list yet.

~~~
Fnoord
If you need a beta tester, let me know. I already am a paid subscriber, but I
am considering quitting ProtonVPN because this feature is lacking and more and
more competitors are catching up on it.

------
buzzy_hacker
Why is the price $10/month when you can buy the same service directly from
ProtonVPN for $8/month?

~~~
jvehent
$8/month is the yearly price. Monthly is also $10/month.

~~~
buzzy_hacker
Ah, I see. That explains it, thanks

------
berbec
Mozilla's blog, so not a dupe of the other one, which is ProtonVPN's.

~~~
Fnoord
Here is ProtonVPNs blog announcement [1].

I haven't completely read it but I did spot one difference:

"These subscriptions will be billed directly by Mozilla and the majority of
the revenue from these subscriptions will go to Mozilla, directly supporting
Mozilla’s mission."

Mozilla was less clear about how it'd be distributed.

[1] [https://protonvpn.com/blog/mozilla-
partnership/](https://protonvpn.com/blog/mozilla-partnership/)

