Obscura VPN and Mullvad Partnership. American juridisdiction.

Sofiewazhere

Any of you guys hear about obscuravpn and mullvad partnering up? Essentially obscura vpn will be the entry node and will exit to mullvads exit nodes so obscura will only see your connecting IP and nothing else. Where mullvad will see what sites you connect to but not your identity. What's concerning is that Obscura VPN is in United States juridisiction which means they can be gag ordered and forced to log at any time. Even if they can't see what sites you are connecting to, they can still do traffic analysis and collude with malicious parties like the end server/website being connected to. So they can skip the mullvad node completely in order to deanonymize you. Think about it like a tor entry node and exit node colluding. They don't even need the help of the middle node to complete this attack. In this case, Obscura VPNs entry node can collude with the web server itself and then skip over the mullvad exit node in order to deanonymize you in the same way.

I believe a user especially a GOS user who needs to multihop between VPN providers would be better off using something like rethinkdns. And multi hoping between two already known and trustworthy VPN providers like Mullvad and IVPN or Mullvad and ProtonVPN.

Your guys thoughts?

ryrona

I agree with your analysis.

Still I think it is really interesting to see a growing interest among VPN providers to move more and more towards onion-like multihop routing, and that they are recognizing that the nodes mustn't be from the same "family", ie mustn't be from the same operator or company.

But generally speaking, the first hop should be selected as trusted as possible, to minimize the risk of correlation attacks like you describe. Even the Tor project recommends to pin the entry node to one you trust, if you know the fingerprint to a node operated by an organization you trust. The further away from you in the chain the node is, the less trusted it can be. Often you don't consider the destination websites trusted at all.

Either way, you are still doing best in combining VPNs yourself. And one mustn't forget that whatever VPN one use, ones ISP will always be the very first hop.

router99

ryrona combining VPNs yourself. And one mustn't forget that whatever VPN one use, ones ISP will always be the very first hop

I don't think that's a good way to put it. If the traffic is routed to a VPN server, that's the only destination they see and nothing else.

H7oUt

Exit node owner is more important and Mullvad provides its own DoH service along with DAITA that makes analysis very difficult.

The re-routing part does worry me. If entrance node has your WireGuard keys, then it can re-route you anywhere. Does Obscura get your WireGuard keys?

ryrona

H7oUt The re-routing part does worry me. If entrance node has your WireGuard keys, then it can re-route you anywhere. Does Obscura get your WireGuard keys?

They cannot change your route because they know your keys. For each hop, you would be authenticating against that node's key, and I certainly hope Mullvad has not shared the private parts of their keys with Obscura or anyone else. You are authenticating each node, that they are who you expect them to be. That guarantees your data will take the right hops, and that no hop can affect this. As long as you use a third-party wireguard app, you would see in your configuration file whether it really is Mullvad's VPN node that is the second hop, and then you will be certain that hop is taken, at that point in the chain.

Your keys are only used to prove to the VPN provider that you have paid for the service, and I certainly hope you only have to prove this to Obscura in their setup, and that Mullvad accept your connection based solely that it comes from an Obscura VPN node.

H7oUt

In that case I do not see a problem. Mullvad's main issues is the damn account ID, speed, and WireGuard IP management.

Anyone who sees your ID can log off your device from their device.
Speeds are lower than those of ProtonVPN and NordVPN
Virtual Adapter IP changes all the time, making it hard to manage on PC, where firewall rules can be created as kill switches when Virtual Adapter IP is static.

area51

this is my observation of the partnership

Mullvad based in Sweden and able to serve Europe with quick internet, but not USA.
Obscura based in USA able to serve USA with quick internet but not Europe.
However they make it work the goal is to have quick speeds for both either side of the Atlantic.

My problem is I placed my "trust" in one of these companies, not both.
So when my subscription runs out, adios VPN.
When I say trust, I mean utter blind faith that the company I choose will do the right thing etc, I in reality have absolutely no idea the people providing the services are who they say they are, after all I have never met them face to face.

ryrona

area51 You don't have to use Obscura, if that is what you mean. You can still use just Mullvad, like today. Mullvad as a service will not change at all because of this. The partnership is just that Obscura is allowed to use Mullvad servers for the second hop. Mullvad is changing nothing.

router99

area51 My problem is I placed my "trust" in one of these companies, not both.
So when my subscription runs out, adios VPN

So you're giving up on VPN because of this and going to trust the ISP you are connecting to instead?

area51

ryrona Mullvad is changing nothing.

apart from allowing another company to use their infrastructure etc, that's not nothing, thats quite something!..

angela

ryrona this isn't true

Mullvad can't be subject to a gag order

Obscura can be subject to a gag order. They could already be subject to control by government entities. And any data about Mullvad systems that Obscura has access to may now be in control of those government entities.

Why would a privacy respecting service partner with a company that can instantly and unknowably become zombified like a host's brain controlled by a parasite?

The partnership with Mozilla was bad enough but Mozilla just resold and rebranded, not impacting non-Mozilla users.

ryrona

area51 apart from allowing another company to use their infrastructure etc, that's not nothing, thats quite something!..

Well, anyone can use their infrastructure if they sign up for a Mullvad account. All users of the Mullvad nodes are fundamentally untrusted from their perspective, Obscura being no different.

angela

area51 it's not just about the risk, it's about the disregard of the risk by them.

I am someone who likes organic food and healthy living. I am going to create my organic farm next to the site of Chernobyl. Is something wrong?

I am someone who cares about privacy. I am going to incorporate my privacy company in a country with gag rules and laws extremely hostile to privacy. Is something wrong?

There are some who say such concerns are misinformation or lack proof. I recall privacyguides.com made an argument like that about Skiff.

I agree with you

ryrona

angela And any data about Mullvad systems that Obscura has access to may now be in control of those government entities.

What data about Mullvad systems is it that you think Obscura might have been given access to, that isn't already public knowledge? I didn't understand it as them having been given any specific access at all, and that this partnership was mostly just a PR stunt to advertise Obscura VPN.

angela The partnership with Mozilla was bad enough but Mozilla just resold and rebranded, not impacting non-Mozilla users.

What partnership are you referring to? I only know about Mullvad partnering with Tor Project to create the Mullvad Browser, not any partnership with Mozilla.

angela

ryrona Mozilla resold mullvad under a different brand name

I don't know what systems Mullvad has that Obscura may or may not have access to but why would someone want to have to even consider it? If it's really zero trust then it's not a partnership, it's just publicity, but not seeing info on it. I still don't care. A privacy company with US jurisdiction is the same as an organic garden in radioactive polluted soil. It's strange and rotten and it taints anything it touches.

ryrona

angela Mozilla resold mullvad under a different brand name

Oh, I didn't knew that. I didn't even knew Mozilla had a VPN service.

angela I still don't care. A privacy company with US jurisdiction is the same as an organic garden in radioactive polluted soil.

I won't argue against that analogy. I agree. I would never trust Obscura with my privacy, for sure.

I guess it is just that we understood this announcement of partnership differently. Mullvad wouldn't need to do any changes to their infrastructure other than to allow all connections coming from Obscura VPN IP addresses, and I wouldn't expect them to do anything more than that. But I don't know either what they have or haven't done. I just assume with good faith, as Mullvad already has a very good reputation.

dhhdjbd

on their website https://mullvad.net/en/help/partnerships-and-resellers
it says Tailscale uses their the vpn as exit nodes since 2023 already?

i dont know how someone basically just using their servers, as a vpn, should be able to compromise the secruity of other users? can someone explain please

H7oUt

At least you can pick which 3rd party partners you want to trust when using Mullvad VPN. You can select not to trust/use Obscura when generating WireGuard profiles or using Mullvad VPN app. Other VPN providers do not let you make such choices.

angela

H7oUt But Obscura must have some access to their internal systems to do all these things, right? With Tailscale and Mozilla they just seemed like rebranding/reseller partnerships, while Obscura is it's own US-based VPN interlinking with them now.

area51

I have already decided, mullvad has been deleted,

DeletedUser237

angela Why do you think they need access to their infra? all they need is to be connected as nodes via (separate non internal mullvad ones) wireguard keys.

I think you're blowing it out of proportion without having any evidence to backup what you're claiming here.

angela

DeletedUser237 You could be right. They may have zero knowledge and it could be a valid. Any US-based VPN still makes me uncomfortable, like police slowly driving by if I'm just walking my dog. I'm not doing anything wrong, but it still makes me less calm.

DeletedUser237

angela I mean I get your concerns about US based provider when it comes to services like VPN but Mullvad does not move their jurisdiction to US because of this partnership and it would not affect EU based customers.

This is also different from say Mozilla selling their services as their own (Mozilla) VPN. but even then I doubt they'd have any access to Mullvad infra, they simply had a system that was a frontend to create accounts in Mullvad systems.