Obscura VPN and Mullvad Partnership. American juridisdiction.

DeletedUser237

angela I mean I get your concerns about US based provider when it comes to services like VPN but Mullvad does not move their jurisdiction to US because of this partnership and it would not affect EU based customers.

This is also different from say Mozilla selling their services as their own (Mozilla) VPN. but even then I doubt they'd have any access to Mullvad infra, they simply had a system that was a frontend to create accounts in Mullvad systems.

router99

ryrona combining VPNs yourself. And one mustn't forget that whatever VPN one use, ones ISP will always be the very first hop

I don't think that's a good way to put it. If the traffic is routed to a VPN server, that's the only destination they see and nothing else.

ryrona

router99 I don't think that's a good way to put it. If the traffic is routed to a VPN server, that's the only destination they see and nothing else.

Wrong. Very wrong.

Even if you use a VPN, your ISP will see 1) how large the file you download or upload is, and file sizes alone is often enough to know what file it is, 2) the exact point in time the upload or download was made, which might be correlated to when a peer or file appears in a swarm or on a site, 3) the speed at which you transferred the file, including ups and downs, this is something ISPs log at 5 second resolution and that can be used to correlate your activity, even years later, 4) when you send small amounts of data, which if they have enough samples can be used to correlate with when a certain anonymous online identity makes public posts, thus deanonymizing you, 5) when you receive small amounts of data, which can be correlated with log entries in server logs.

And this is only the passive attacks your ISP can do. Here comes the scary active one: Your ISP can cooperate with the exit node or destination server to introduce specific patterns in your transfer data, such as changing upload and download speed, to completely correlate and deanonymize your connection. This is the one that is the reason everyone says the first hop must be as trusted as possible, to minimize the risk an attacker is in a position where they can monitor your entry into the network.

router99

DeletedUser203 My problem is I placed my "trust" in one of these companies, not both.
So when my subscription runs out, adios VPN

So you're giving up on VPN because of this and going to trust the ISP you are connecting to instead?

DeletedUser203

Didn't wait for the subscription to end, binned the VPN already...

dhhdjbd

Here https://discuss.privacyguides.net/t/mullvad-has-partnered-with-obscura-vpn/24860/37

Carl from Obscura(?) says:

One more comment on key rotations/ inter-connection correlation: Jonah notes (correct me here if I’m mis-summarizing) that Obscura only decorrelates connections temporally (via key rotation) but not in a fine-grain way (per-connection). By choosing to tunnel vanilla WireGuard packets (over QUIC), we were able to easily integrate with Mullvad’s existing WireGuard infrastructure, but lost the ability to potentially do per-connection key rotation if we had made more customizations to the protocol.

However, I do think we gain a little something from that (staying with WireGuard) though because users can verify that the WireGuard pubkeys they’re encrypting their connection against are the same ones that are on Mullvad’s server website Servers. Otherwise, it would have been much more unclear what goes on behind the scenes and who has the keys and whatnot.

KleinesSinchen

While not having been concerned myself after getting aware of this partnership, I decided to contact Mullvad support because of this thread.
They gave very quick and friendly answer stating that ObscuraVPN has no access to "(private) keys, encryption passphrases or anything at all" on the Mullvad servers.
From the description of this partnership it sounds very plausible. With my (admittedly limited) technical knowledge about networking in general and VPN in particular I don't see any reason for Obscura to even need any of these sensitive information. It should have no impact on existing Mullvad VPN customers.

DeletedUser370

KleinesSinchen Thanks for contacting Mullvad support. I was surprised that people here didn't do this before starting to discuss the topic. I was also surprised at the limited information Mullvad gave on the partnership in their announcement of it. I'll try contacting them and get a comment on what they think about Obscura's jurisdiction.

H7oUt

ryrona

Yeah, traffic analysis goes way past encryption, which is why I like Mullvad's DAITA. It makes traffic very dense. It is also why it is a good idea to keep your network busy when behind VPN. If you torrent 50 files at once, analysis as to exact files you share is going to be more difficult than if you were to use torrent to download one movie and quit.

router99

ryrona and file sizes alone is often enough to know what file it is

Now that's reaching. Of all possible files that can be downloaded across the entirety of the internet, while using a VPN, an ISP isn't going to know fuck all what file it is specifically.
As to the rest of your post, I appreciate your concern for privacy, and while it is probably plausible, it seems a bit hyperbolic. My impression of your post is that one might as well not use a VPN at all. I don't agree with that sentiment in the slightest.

DeletedUser237

H7oUt While obviously true as to how advanced analytics may be especially now with the "advencement" of AI do you really think someone is wasting all this CPU power to look at some random's torrenting habits?

ryrona

DeletedUser237 do you really think someone is wasting all this CPU power to look at some random's torrenting habits?

ISPs are already logging amount of transferred data up and down to/from your VPN per 5 second interval. They already have this information in their logs. That is why everyone have panicked and want to add at least some small amount of traffic padding. But it won't mask individual file downloads or file uploads. Adding enough padding to mask that would be akin to what @H7oUt says about saturating the link with independent downloads, and that does not play nice with metered internet connections, so no one really wants to add such padding.

router99

ryrona ISPs are already logging amount of transferred data up and down to/from your VPN per 5 second interval. They already have this information in their logs. That is why everyone have panicked

News flash: ISP's have been logging all kinds of data literally for decades (have you not noticed that they track how much data you transfer and then include that information in your monthly bill?), VPN or bare ass.
To say "everyone have panicked" is, again, hyperbole.
The likelihood that they have cracked the encryption of your connection with the VPN server you connect to or are covertly working with your specific VPN provider are unlikely in the extreme.

ryrona

router99 Of all possible files that can be downloaded across the entirety of the internet, while using a VPN, an ISP isn't going to know fuck all what file it is specifically.

Actually, yes. Especially if you have a pattern of downloading a very specific kind of files. They can just have built up a database with all publicly known "files of interest" and their file sizes ahead of time, and if they see a pattern of a user only downloading files those file sizes matches entries in that database, it is extremely likely, over 99% likely, they are in fact downloading those files. This is enough to even get a search warrant. These statistical attacks and similar ones have been used in practice to detect and arrest people downloading and sharing CSAM for example. Even a small amount of random padding, such as 1% padding, can conceal the file identities though.

router99 My impression of your post is that one might as well not use a VPN at all.

No, not at all. I am just saying that the nodes closest to you should be the most trusted ones, because they are in the position to perform the most advanced correlation attacks against you. Especially the active ones are scary. I rather argue for the opposite of what you say, that a single VPN is not enough, you should have more hops.

router99 To say "everyone have panicked" is, again, hyperbole.

Well, it came as a surprise at least to the Tor project just how detailed per time unit the logging ISPs do is. It is a few years ago, but they rushed to implement padding specifically to prevent such logs from being useful.

router99

ryrona . They can just have built up a database with all publicly known "files of interest" and their file sizes ahead of time, and if they see a pattern of a user only downloading files those file sizes matches entries in that database, it is extremely likely, over 99% likely, they are in fact downloading those files.

Link to any court case at all where this specifically was implemented. This is so far fetched that, while vaguely plausible in theory, it sounds like science fiction more than reality.

ryrona

router99 Link to any court case at all where this specifically was implemented. This is so far fetched that, while vaguely plausible in theory, it sounds like science fiction more than reality.

DM me on Matrix if you want to discuss more. You find me in the GrapheneOS development and alpha testing rooms, just start a new DM chat with me.

« Previous Page