Some VPN providers don't even have exit nodes in the country they're claiming. Instead they'll have their IPs registered to the respective countries in GeoIP databases.
This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.
From our side we noticed a VPN provider had a location we'd been trying to get, but had been unable to, so we started digging to find their provider. Long story short the server purportedly in some middle east country was actually 3ms away from our server in Berlin.
Mullvad in particular has a page that lists the ISPs they use (in a few cases their own servers at a datacenter), although they don't list the datacenters (sometimes you can get this info from the ISPs).
I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).
I'd really like some version of E.G. Librewolf configured to spoof the exact SAME information no matter who's using it. Like standard resolution for a 1080p monitor, the same GPU profile, Allow device timing stuff to work but with a fixed profile etc.
Effectively, stop spoofing random data, start spoofing still useful but not for finger printing data.
This is already what LibreWolf does for most of its fingerprinting protection, including resolution, which you call out. It already works, LibreWolf is the only browser besides Tor I’ve found that actually defeated fingerprinters in some of my testing. Is there something that’s currently randomized that you think should be binned or homogenous?
I've always assumed that when I am logged in to a website like Hacker News and I switch VPN endpoints, Hacker News now gets to see that I am a VPN user and track me between the IPs. I mean being logged in to something obviously negates a large amount of anonymity but switching servers while logged in really gives away the VPN usage, right? Or do large web services already keep up to date indecies of all common VPN IPs?
1. I log into service X with account A1 via Mullvad from country C1.
2. I log into service X with account A2 via Mullvad from country C2.
If the service wanted they can calculate how likely it is that A1 and A2 are the same WireGuard key. If you only use one exit server this probability won't be very precise. But the more exits you use the more accurate it will be even if the sets of exits are distinct between the two accounts.
If the egress IPs were assigned randomly all that service X would know is that these were both Mullvad users but the IPs alone wouldn't allow them to correlate the two users further than that.
I wish Mullvad would focus on censorship breaking. These days anything that doesn't implement something along the lines of AmneziaWG/Xray/Shadowsocks/Outline feels like a waste of time, sadly.
Does this affect people using the socks proxy feature? I generally connect to the same Mullvad server over wireguard (not their client) and then use different servers for socks proxy as exits.
My clanker says no because socks proxies have all one IP per server but I don't know whether to trust it.
23 comments
[ 1.9 ms ] story [ 125 ms ] threadwhich is the blog post, rather than a list of exit servers
related to this post: https://news.ycombinator.com/item?id=48143880
https://datatracker.ietf.org/doc/rfc5737/
This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.
From our side we noticed a VPN provider had a location we'd been trying to get, but had been unable to, so we started digging to find their provider. Long story short the server purportedly in some middle east country was actually 3ms away from our server in Berlin.
https://mullvad.net/en/servers
They also have a document that lists some of their practices around the servers, such as not using shared servers:
https://mullvad.net/en/help/server-list
I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).
Effectively, stop spoofing random data, start spoofing still useful but not for finger printing data.
https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_g...
The browser also has a cool feature in the browser extension called Random mode. This gives you a different IP for each site, improving your privacy.
Wow, is this how things were before bureaucratic behemoths took over the tech industry?
I'm happy that Mullvad actually explains the issue very clearly in https://mullvad.net/en/blog/exit-ip-fingerprinting-between-v...
1. I log into service X with account A1 via Mullvad from country C1.
2. I log into service X with account A2 via Mullvad from country C2.
If the service wanted they can calculate how likely it is that A1 and A2 are the same WireGuard key. If you only use one exit server this probability won't be very precise. But the more exits you use the more accurate it will be even if the sets of exits are distinct between the two accounts.
If the egress IPs were assigned randomly all that service X would know is that these were both Mullvad users but the IPs alone wouldn't allow them to correlate the two users further than that.
My clanker says no because socks proxies have all one IP per server but I don't know whether to trust it.