Obscura VPN and Mullvad Partnership. American juridisdiction.

angela

ryrona this isn't true

Mullvad can't be subject to a gag order

Obscura can be subject to a gag order. They could already be subject to control by government entities. And any data about Mullvad systems that Obscura has access to may now be in control of those government entities.

Why would a privacy respecting service partner with a company that can instantly and unknowably become zombified like a host's brain controlled by a parasite?

The partnership with Mozilla was bad enough but Mozilla just resold and rebranded, not impacting non-Mozilla users.

ryrona

angela And any data about Mullvad systems that Obscura has access to may now be in control of those government entities.

What data about Mullvad systems is it that you think Obscura might have been given access to, that isn't already public knowledge? I didn't understand it as them having been given any specific access at all, and that this partnership was mostly just a PR stunt to advertise Obscura VPN.

angela The partnership with Mozilla was bad enough but Mozilla just resold and rebranded, not impacting non-Mozilla users.

What partnership are you referring to? I only know about Mullvad partnering with Tor Project to create the Mullvad Browser, not any partnership with Mozilla.

angela

DeletedUser203 it's not just about the risk, it's about the disregard of the risk by them.

I am someone who likes organic food and healthy living. I am going to create my organic farm next to the site of Chernobyl. Is something wrong?

I am someone who cares about privacy. I am going to incorporate my privacy company in a country with gag rules and laws extremely hostile to privacy. Is something wrong?

There are some who say such concerns are misinformation or lack proof. I recall privacyguides.com made an argument like that about Skiff.

I agree with you

angela

ryrona Mozilla resold mullvad under a different brand name

I don't know what systems Mullvad has that Obscura may or may not have access to but why would someone want to have to even consider it? If it's really zero trust then it's not a partnership, it's just publicity, but not seeing info on it. I still don't care. A privacy company with US jurisdiction is the same as an organic garden in radioactive polluted soil. It's strange and rotten and it taints anything it touches.

ryrona

angela Mozilla resold mullvad under a different brand name

Oh, I didn't knew that. I didn't even knew Mozilla had a VPN service.

angela I still don't care. A privacy company with US jurisdiction is the same as an organic garden in radioactive polluted soil.

I won't argue against that analogy. I agree. I would never trust Obscura with my privacy, for sure.

I guess it is just that we understood this announcement of partnership differently. Mullvad wouldn't need to do any changes to their infrastructure other than to allow all connections coming from Obscura VPN IP addresses, and I wouldn't expect them to do anything more than that. But I don't know either what they have or haven't done. I just assume with good faith, as Mullvad already has a very good reputation.

dhhdjbd

on their website https://mullvad.net/en/help/partnerships-and-resellers
it says Tailscale uses their the vpn as exit nodes since 2023 already?

i dont know how someone basically just using their servers, as a vpn, should be able to compromise the secruity of other users? can someone explain please

H7oUt

At least you can pick which 3rd party partners you want to trust when using Mullvad VPN. You can select not to trust/use Obscura when generating WireGuard profiles or using Mullvad VPN app. Other VPN providers do not let you make such choices.

angela

H7oUt But Obscura must have some access to their internal systems to do all these things, right? With Tailscale and Mozilla they just seemed like rebranding/reseller partnerships, while Obscura is it's own US-based VPN interlinking with them now.

DeletedUser203

I have already decided, mullvad has been deleted,

DeletedUser237

angela Why do you think they need access to their infra? all they need is to be connected as nodes via (separate non internal mullvad ones) wireguard keys.

I think you're blowing it out of proportion without having any evidence to backup what you're claiming here.

angela

DeletedUser237 You could be right. They may have zero knowledge and it could be a valid. Any US-based VPN still makes me uncomfortable, like police slowly driving by if I'm just walking my dog. I'm not doing anything wrong, but it still makes me less calm.

DeletedUser237

angela I mean I get your concerns about US based provider when it comes to services like VPN but Mullvad does not move their jurisdiction to US because of this partnership and it would not affect EU based customers.

This is also different from say Mozilla selling their services as their own (Mozilla) VPN. but even then I doubt they'd have any access to Mullvad infra, they simply had a system that was a frontend to create accounts in Mullvad systems.

router99

ryrona combining VPNs yourself. And one mustn't forget that whatever VPN one use, ones ISP will always be the very first hop

I don't think that's a good way to put it. If the traffic is routed to a VPN server, that's the only destination they see and nothing else.

ryrona

router99 I don't think that's a good way to put it. If the traffic is routed to a VPN server, that's the only destination they see and nothing else.

Wrong. Very wrong.

Even if you use a VPN, your ISP will see 1) how large the file you download or upload is, and file sizes alone is often enough to know what file it is, 2) the exact point in time the upload or download was made, which might be correlated to when a peer or file appears in a swarm or on a site, 3) the speed at which you transferred the file, including ups and downs, this is something ISPs log at 5 second resolution and that can be used to correlate your activity, even years later, 4) when you send small amounts of data, which if they have enough samples can be used to correlate with when a certain anonymous online identity makes public posts, thus deanonymizing you, 5) when you receive small amounts of data, which can be correlated with log entries in server logs.

And this is only the passive attacks your ISP can do. Here comes the scary active one: Your ISP can cooperate with the exit node or destination server to introduce specific patterns in your transfer data, such as changing upload and download speed, to completely correlate and deanonymize your connection. This is the one that is the reason everyone says the first hop must be as trusted as possible, to minimize the risk an attacker is in a position where they can monitor your entry into the network.

router99

DeletedUser203 My problem is I placed my "trust" in one of these companies, not both.
So when my subscription runs out, adios VPN

So you're giving up on VPN because of this and going to trust the ISP you are connecting to instead?

DeletedUser203

Didn't wait for the subscription to end, binned the VPN already...

dhhdjbd

Here https://discuss.privacyguides.net/t/mullvad-has-partnered-with-obscura-vpn/24860/37

Carl from Obscura(?) says:

One more comment on key rotations/ inter-connection correlation: Jonah notes (correct me here if I’m mis-summarizing) that Obscura only decorrelates connections temporally (via key rotation) but not in a fine-grain way (per-connection). By choosing to tunnel vanilla WireGuard packets (over QUIC), we were able to easily integrate with Mullvad’s existing WireGuard infrastructure, but lost the ability to potentially do per-connection key rotation if we had made more customizations to the protocol.

However, I do think we gain a little something from that (staying with WireGuard) though because users can verify that the WireGuard pubkeys they’re encrypting their connection against are the same ones that are on Mullvad’s server website Servers. Otherwise, it would have been much more unclear what goes on behind the scenes and who has the keys and whatnot.

KleinesSinchen

While not having been concerned myself after getting aware of this partnership, I decided to contact Mullvad support because of this thread.
They gave very quick and friendly answer stating that ObscuraVPN has no access to "(private) keys, encryption passphrases or anything at all" on the Mullvad servers.
From the description of this partnership it sounds very plausible. With my (admittedly limited) technical knowledge about networking in general and VPN in particular I don't see any reason for Obscura to even need any of these sensitive information. It should have no impact on existing Mullvad VPN customers.

DeletedUser370

KleinesSinchen Thanks for contacting Mullvad support. I was surprised that people here didn't do this before starting to discuss the topic. I was also surprised at the limited information Mullvad gave on the partnership in their announcement of it. I'll try contacting them and get a comment on what they think about Obscura's jurisdiction.

H7oUt

ryrona

Yeah, traffic analysis goes way past encryption, which is why I like Mullvad's DAITA. It makes traffic very dense. It is also why it is a good idea to keep your network busy when behind VPN. If you torrent 50 files at once, analysis as to exact files you share is going to be more difficult than if you were to use torrent to download one movie and quit.

router99

ryrona and file sizes alone is often enough to know what file it is

Now that's reaching. Of all possible files that can be downloaded across the entirety of the internet, while using a VPN, an ISP isn't going to know fuck all what file it is specifically.
As to the rest of your post, I appreciate your concern for privacy, and while it is probably plausible, it seems a bit hyperbolic. My impression of your post is that one might as well not use a VPN at all. I don't agree with that sentiment in the slightest.

DeletedUser237

H7oUt While obviously true as to how advanced analytics may be especially now with the "advencement" of AI do you really think someone is wasting all this CPU power to look at some random's torrenting habits?

« Previous Page