[quote]On which level and for what purposes do external parties have access to rented servers?
Hosting providers do the initial operating system installations (most often through the remote management software), after that we remove their access from the server. After this they may have access to the remote management software of the servers, so that they may aid in rebooting and reinstalling faulty servers, but they have no direct access to the operating system or the software running on the server itself.[/quote]
If its a PiKVM, they can configure on the OS something like usbguard to reject the KVM keyboard (while still allowing access to the reset and power buttons via jumper). However, if its iLO, then its a BMC and I believe it has full access to the host regardless.
If the objective of using a VPN is to dodge GCHQ or NSA, then that person is likely not properly accounting for the capability of those organizations. I imagine those two have the ability to tap just about any traffic irrespective of the parent organization's infrastructure. Would Mullvad be wise to consider this in their expansion efforts? Sure, but I have to assume that the vast majority of their market is not in the habit of getting on the NSA's target list. I use Mullvad because they have sound business practices, good performance, and don't conduct the same invasive privacy practices that I'm trying to stymie across the web.
> M247 is extremely popular with VPN providers. A pro-privacy VPN provider should know to avoid upstream’s known for hosting large amounts of VPN traffic. Passing user traffic though M247 is like painting a target on their back to be more heavily spied by security services, such as GCHQ and NSA.
Of course the exact same goes for servers hosted by mullvad themselves.
A VPN provider of their scale just doesn't fly under the radar.
Considering the threat model for most users this is fine. It's good enough for avoiding copyright lawsuits after torrenting. If you're on the radar of state actors, Tor and i2p are a better bet (but I'm sure their exit nodes are heavily monitored too!)
This isn't Mullvad's fault -- it's a challenge with the VPNs-as-a-privacy-service architecture generally, something we wrote about here: https://invisv.com/articles/relay.html
VPNs are great when the network you're on is less trustworthy than any other network you have no visibility into, such as in places where the network is heavily censored or otherwise restricted. They're also widely used for evading country-level streaming restrictions. But VPNs aren't really the right architecture for privacy more generally.
Another really important aspect everyone is forgetting is the location privacy problem with being "naked" on a residential IP address. The best reason to relay your traffic through a provider like Mullvad is so that some random forum admin who disliked your posts doesn't GeoIP you down to your city district.
> However, Mullvad is by default a single-hop service (Double-hop optionally available).
This can be addressed by using tunnels to create multiple hops.
See for example: Tunneling tunnels within tunnels (inside of tunnels) — https://cryptostorm DOT is/blog/multitun (I broke the url because otherwise HN is incorrectly marking the comment as [dead])
It would be great if Mullvad adds multi-hop support (>2) based on something like that.
Another possibility is to create a VPN on top of a Mixnet like Nym: https://nymtech.net/.
Multi hop makes traffic analysis harder, but I wouldn't use the VPN provider's multi-hop feature, instead I do my own. So the first hop would be Mullvad, then the second hop would be ProtonVPN. There is a small performance penalty for doing this, but it's tolerable.
Can someone with more networking expertise than me explain whether this sort of risk applies only to rented DC servers? Or is it an ISP risk that can also impact Mullvad's owned servers[1]?
[1] Mullvad owns 159 servers in 9 countries (https://mullvad.net/en/servers/), so not quite sure why you wouldn't just choose to use one of those instead if concerned about this
I don't have more networking experience either. Anyways, I'd think a provider could also plug a logging box in front of any owned server. The more important point might be the high percentage of servers hosted by M247, making it a more attractive target.
The article says: "The problem of aiming to be a privacy focused service means a high level of scrutiny is required. We are not talking about meme providers like NordVPN here; we are talking about a company who needs to do better."
So he's claiming that Mullvad gets things right that other providers get wrong, but they're still missing a critical step.
At the end: "All in all, Mullvad VPN appears to have put expanding the number of locations over user privacy. That points to a bigger problem in the VPN industry. That is a lack of a perfect provider. Mullvad VPN has multiple hops available but AzireVPN chooses their upstream carefully, runs everything from RAM and uses a custom made TPM-Level Rootkit that blocks common network monitoring features in Linux but does not offer real Multi-hop (Only though Socks5 proxy)."
So every problem has a solution, but no VPN is offering all of them. But I suspect that's because VPNs are mainly for downloading movies and shitposting on the internet.
>VPNs are mainly for downloading movies and shitposting on the internet.
or not giving your ISP a list of which websites you visited when in a situation where you could only get internet by agreeing to allow the ISP to analyze your traffic and sell the result
or to avoid regional legal restrictions which are not on the level of "if you are found out you have major problems" like non GDPR compliant US sites blocking EU users and you are from the US on holiday in the EU (most such sites are very US-local specific)
or to avoid doggy price differences depending on from where you buy something
The whole article is theoretical in nature (and light in substance). This is probably just who the author wanted to sign up for, then they discovered the common caveat of all VPN providers.
> All it takes is a few black-boxes and the privacy of Mullvad uses (connected to a M247 location) is worse-off than not bothering with a VPN.
In my country they log everything if they did setup black boxes to analyse timing in an attempt to de-anonymise then they could potentially log everything which is what they definitely do without a VPN, how am I worse off?
Matthew is not upfront with their readers about these risks.
What I like about it, however, traffic-inspection and pattern analysis aside, is that Mullvad allows to sign up by mail (money by postal letter) or Bitcoin as far as I remember. I appreciate this it's-okay-to-be-anonymous approach as it'll probably be the part that gets them the most heat (if not now, then eventually, for sure).
I did however notice that a lot of the geo-located services have stopped working on Mullvad endpoints, as those VPNs (like many) have been blacklisted widely now.
I work with a fintech company where we have had to completely block M247 IPs due to continuous attempted fraud. We generally allow access through VPNs otherwise. We are very receptive to customer feedback, but there have been no customer complaints despite having M247 blocked for months.
There was an Ask HN from 2 years ago that was also suspicious of M247 [0] -- verging on paranoia -- which provides only weak evidence, but it does not encourage us to unblock M247 anytime soon.
As another data point a smallish community that I do moderation for (roughly 6k messages a day) has very large amounts of blatant trolling come from M247-hosted VPNs. Walls of slurs, regurgitated Russian propaganda about Ukraine, rape & death threats, etc. Most of these don't seem to be Mullvad VPN hosts. It's to the point that we've talked about blocking M247, but it doesn't seem feasible.
I always thought VPN companies like Mullvad, iVPN, ProtonVPN, etc rent out servers in the Point-of-Presence itself and rent servers that happen to be based in that area, rather than centralize everything on two providers.
I guess this is the price we pay for having such VPN services relatively cheap ($5.00/mo). If they rented servers of specific server providers in an area, that gets expensive, fast.
I’ve been using DataPacket.com for months, it’s probably the most reliable providers outside the big clouds. They carefully watch their upstreams and support is top notch.
I know it's not really related to the topic ( which I find pretty weak, of course VPNs are bad for privacy... ).
I've been using Datapacket for a year for my e-commerce company. Amazing performance, stability and service. Best dedicated hosting I've experienced in a long time.
I think it's pretty clear which servers are owned and which are rented.
https://mullvad.net/en/blog/2019/10/25/server-list-updated-p...