Mullvad exit IPs as a fingerprinting vector

BrikoX@lemmy.zip · 3 days ago

Mullvad exit IPs as a fingerprinting vector

A Mouse@midwest.social · 2 days ago

Here’s a response.

I work at Mullvad. (co-CEO, co-founder)

Some aspects of the described behavior are as we intended and some are not. The cause is not exactly as described in the blog post. As for mitigation, we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try to reproduce the blog post’s findings you may get confusing results throughout the day.

We will also re-evaluate whether the intended behaviors are acceptable or not. Some of this is a trade-off between multiple aspects of privacy, and multiple aspects of user experience.

Please note that this is my current understanding, which may change. I was only made aware of this an hour ago, and most of that time was spent talking with Ops, considering what to do immediately, and writing this post.

Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away.

https://news.ycombinator.com/item?id=48145679

read_desert@lemmy.ml · 2 days ago

Very level headed response by the Co-Founder/Co-CEO. Also yeah, probably reach out to them first too before publishing. Bare minimum professional courtesy. Love Mullvad even though I bought into the Proton “ecosystem”.

AllNewTypeFace@leminal.space · 2 days ago

The Swedish relays are often blocked (presumably because they’re the default). Switch to a slightly more obscure country (say, Slovakia or somewhere) and you’re good as gold.

Mas@feddit.fr · 2 days ago

I have blockages with almost every country, but indeed, there are some exceptions.

Sv443@sh.itjust.works · 2 days ago

Estonia my beloved