56 comments

[ 1.9 ms ] story [ 143 ms ] thread
> ProtonVPN, whose app uses customers’ email addresses for advertising

Wow, didn't expect that from Proton... or maybe I did... one more reason to move away from them.

Well, that sucks. I moved away to Mullvad about 6 months back (super happy so far). It didn’t make good sense to have one provider for email, calendar, cloud storage and VPN. We know where that road can lead…
Source for that? First I've heard of it, but admittedly not a user!
Happy Mullvad user here. The fact that they do zero advertising and provide no offers or discounts etc is the number one reason I went with them. They don’t even collect your email. You have an account number that’s all. You can even pay for that account in cash by sending that money to the company’s PO box anonymously.
I like your criterion there. How well does it do for geofencing? NordVPN has been okay except for the BBC which seems to smart for any of that.
Nord uses "residential IP addresses". There was some discussion around its cagey ownership as well.
That sounds excellent. Is that even legal for them to do though? Aren't there "know your customer" laws all over the world now?
Hi! Yes, it is legal. Your average corner shop has no requirements to do KYC when selling chocolate bars, and neither do we. :)

Cheers, Fredrik Strömberg, cofounder of Mullvad.

Thanks! Reading your site now. Is support for using native wireguard and OpenVPN clients considered first class alongside the Mullvad app? And any restrictions accessing geoblocked streaming content (both from your side and providers' sides blocking Mullvad)?
Last I checked Mullvad wasn't great for sites that actively ban VPN IPs like Netflix. For that NordVPN is better since (I recall reading) they use the residential IPs of users of some other free VPN services, so these rotate too frequently for Netflix to ban. You'll still have to ask for fresh IPs from time to time though as even those get blocked.
Yeah, streaming sites was the one issue I had with Mulvad. But I don't stream that much, and am super happy with them otherwise.
Hi!

I've been looking for a new VPN provider for a while, but most i found seem to disallow tormenting. Does mullvad permit it?

Tangential: If you mean torrenting (I see a typo in your comment), and if you don’t really need a VPN or can do with a basic VPN service, there are many “seedbox” providers who provide disk space, data traffic, and a set of ‘ready to install and use’ apps.
Recommended examples?
I don't have specific recommendations, but going through r/seedboxes (on reddit) and also reading the wiki there or asking questions can help.
Another Mullvad user here. Generally happy, but the Windows and Android apps are somewhat buggy.

Every couple of weeks I have to reinstall the Windows app because it's failing to update, and the Android app started eating my battery recently (used 46% of a full charge yesterday after some hours of internet browsing).

In their defense their support has always been amazing when I contacted them about it, and the Android issue could be manufacturer's fault, since OnePlus is known for its shenanigans.

I'll continue with Mullvad for the foreseeable future.

The windows app works perfectly for me - I'm vpn'd 24/7 and it never crashes. I think it depends on your usage.
You could try using the official WireGuard app rather than Mullvad’s. Just generate a WireGuard config on Mullvad’s website, and you should be able to import that no problem.
Thanks for this, just switched to Mullvad.
Happy Mullvad user here. Plus they offer WireGuard which is awesome.
Thats good, that has nothing to do with privacy.

The VPN concept can provide no assurance on privacy and any supposed assurance can change at any moment’s notice, whether they VPN provider is aware or not, coerced or not.

Who you want privacy from is important, but the people VPNs provide privacy against results in no differentiation between VPN providers.

I am surprised to see Tracking in Privacy Policy marked “Y” for ProtonVPN.

Why do I need to enter my email address on their app?

I just need an anonymous connection to their servers. It can be done without email (you pay and get a random ID from them).

I prefer using VPN based in countries that are NOT based in USA/EU and that are not friendly to USA/EU -> Russia, China, Myanmar, Iran etc.
This is the way to do it. Very glad to see that you value these important facts. I need a new Iranian provider, could you recommend one? I'd settle for similar if that is not available.
don't know the source or quality/people building it, but i did use [0] (get the detailed table and change to "all") when picking a VPN to roll with.

After i had already found OVPN i was amazed that they had the option to just anonymously mail them cash.

[0]: https://www.safetydetectives.com/best-vpns/#detailed

Mullvad and IVPN offers the same (disclaimer: I'm part of the IVPN team). SafetyDetectives is a site that is owned by a VPN conglomerate [0] with the added bonus of having a history of distributing malware [1]. I suggest not using them as a source for VPN related info due to conflict of interest.

[0] https://restoreprivacy.com/vpn-review-websites-owned-by-vpns... [1] https://www.cnet.com/tech/services-and-software/what-is-kape...

had no idea there was this level of dodgyness (nor consolidation) going on in the industry :(
Unless you are peering a VPN is just another ISP and like any ISP they are in complete control of your traffic.

Imagine you are in a hotel. When you order room service your food hygiene is in the hands of the hotel chef — the In-room-dining Service Provider (ISP) if you will.

You can order takeout instead, but you’re really only delegating food hygiene to a different chef, one that’s harder to track down and with a considerably lower stake in your well-being than the one provided by your hotel manager.

I’m more into camping, personally, but even then your produce comes from somewhere else.

That's true but doesn't entirely deny the value of a VPN. For example, using a VPN protects your privacy with the endpoints you connect to: Facebook or even some random forum administrators only see your VPN address and don't know where you are, whether at home, visiting your mom in another state, or staying at a hotel.
The point of VPNs is IMO that some people cannot choose which hotel they are staying at to use your analogy.

E.g. if you are traveling into certain countries etc.

Or you might wanna create the impression you are coming from somewhere else than you actually do for various reasons. E.g. let's say you want to consume media from a different country. Running your own VPN is practical if it is just about the tunnel, but it gets unwieldy if it is about having one in different countries or if it is about hiding your identity.

If you know the food in the particular hotel where you're staying is bad, then yeah, ordering takeout is helpful. But as general advice, the idea that a VPN, any VPN, is going to be inherently more secure than your ISP, any ISP, is nonsense.
Depends on how much you trust your ISP. For example, AT&T is in the top five list of ISPs around the world that do Deep Packet Inspection, so that they can throttle your NetFlix and Amazon Prime streaming TV speeds, as well as insert their own ads where they want, etc…. Who knows what else they’re doing?

Same with Spectrum. That’s the two high speed carriers that are common here in Austin. Sure, there are smaller carriers in fringe areas, but they are a small fraction of the market.

This is why I want a proper SDN. Let me treat the carrier like opaque dumb pipes, and aggregate the bandwidth across those channels, so that I am insulated from total failure if just one of them should go down, and in the expected case I can manage my own traffic shaping the way I want it to be in the house.

While I understand your point and I agree and think the same way, there is one small point, which should not be underrated in this: "a VPN is just another ISP" is only true as long as your ISP does NAT and you don't have a publicly available IP. That is true for some mobile networks here in Germany for example.

So a VPN (or things like TOR) provide you with one single out-point/edge/end-point that is (hopefully) shared with many many other people. With that you can hide in the crowed and it is very difficult to find you in the crowed.

On the other side it would defeat the purpose if the VPN provider limits the number of accounts on one out-point/edge/end-point to improve performance, because then it would defeat the purpose.

Each connection is NATed through the VPN though and the fact that the port number does not change makes it possible to make inferences about connections a user has made through the tunnel and inject arbitrary data into the connections.

https://www.usenix.org/system/files/sec21-tolley.pdf

With Wireguard, the listening port does change each time you connect.
Most VPN service providers (barring Mullvad and my current use- iVPN) have white label services. iVPN improved its app; Mullvad's price has remained static and its a brilliant deal for 60 Euros per year.

Proton uses its "pro" pricing to subsidise the people who use its free offering, and I find the product overhyped. AdGuard VPN is appealing for its implementation. I am using it on Android in conjunction with Adguard ad-blocker and have been happy with the outcome. I can also add Next DNS to the Adguard application for DNS level filtering.

Not affiliated, but I’m very happy with IVPN. Been using them for years. Very clean, zero-cruft native UI for my Mac, PC and iPhone, and they were an early adopter of Wireguard. It’s a bit pricey at $130/yr CAD but it’s one of those things that works exactly as advertised and never gets in the way or bugs me.
A good trusted VPN may offer some privacy.

The ISPs often openly state that they log traffic, both to comply with government regulations, also to improve their businesses. VPNs state they don’t, and they may or may not.

You choose your option!

I personally don’t trust most VPNs. Very few, however, appear to be trustworthy (at least I trust these particular ones more than my ISP).

Blog posts like this are just stupid.

I mean FFS, you are basing your entire privacy beliefs on what a company tells you, but in the end you are still transiting all your internet traffic through their servers.

For starters, how many of these VPN providers actually have regular fully independent, completely open-book, open-doors, audits of 100% of their infrastructure stack. None.

What is that old saying in cyber-security ? Physical access equals game over ?

Well, it's the same for privacy.

You don't control their servers. You don't control who they use as upstream internet providers. Hence you will never know the real answer on whether or not your traffic is being snooped on and by whom unless you are controlling the experience yourself end-to-end.

Right, the concept alone has limitations so it is weird how tribal people are about their favorite VPN provider.

Name a single VPN provider having no way of having the privacy assurance and people will argue about your proof because to them it damns that company. As opposed to acknowledging that no VPN provider can offer that assurance.

Don't name a VPN provider and people will assume their VPN provider is different, whether its a complete misunderstanding of Swiss data laws, or a gimmick about mailing cash to a PO box.

As a researcher studying VPN security, I have tested a lot of VPN providers, and there are few that stand out as trustworthy. Mullvad is mentioned in this thread several times for a reason. When we publicly disclosed CVE-2019-14899, they had a patch within a day and included it in the release - all within a week. To the best of our knowledge, Mullvad was the only provider and WireGuard was the only protocol to take swift action to mitigate the vulnerability.

This comment is only about the trustworthiness of the provider and not of VPNs in general, which I'm still hesitant about. I'll provide a link for our paper exploring CVE-2019-14899 and attacks we've developed since then:

https://www.usenix.org/system/files/sec21-tolley.pdf

There's also a blog post, which is quicker to read and written for a general tech audience:

https://breakpointingbad.com/2020/05/25/Vintage-Protocol-Non...

I've seen people here mention IVPN in the same breath as Mullvad; do you have any insight on how they compare? AFAIK Mullvad is based in Sweden, which is a Fourteen Eyes country, whereas IVPN is based in Gibraltar, which is not.
Gibraltar is a UK overseas territory and houses GCHQ facilities, therefore a fives eyes territory.
Good to know! If we go by jurisdiction, it seems that surprisingly NordVPN (Panama) is better than these two.
NordVPN relocated to the United States late last year.
Simple privacy VPN Check:

Do you own the VPN hardware? That's the answer of is it's private / secure.

If that hardware isn’t on your own personal private premises, then you can’t really be said to own it.

Even if you really did buy the hardware from somewhere else and shipped it to the co-location facility to have it put into what is supposed to be a private cage, you still don’t own the premises, and the co-location facility can choose to let in anyone they want.

I see quite a lot of people here talking about Mullvad. While I do trust their intentions as being good, the fact that they are so large, and based in a country that does in fact answer to some USA demands, I would not use them. I'm not positive, but I think I remember someone mentioning that Wireguard configs are generated client-side but with JS, where you would then have to implicitly trust Mullvad not to store your private key. The providers I use, the generation is done completely locally, and you only upload them your public and PSK.

This is HN. I'm surprised people haven't mentioned some of the really privacy conscience providers based off shore. They do exist, and surely do not cooperate with shitty demands for your info.

This article is pointless at best, and actively misleading at worst. Anyone skimming the content but reading the table could be forgiven for thinking it refers to in-app tracking.

Whether or not a VPN engages in activities such as tracking user actions on their marketing site in no way reflects how well (or poorly) they protect my privacy whilst using the product.