https://x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-...
Titles of issues they found:
4.1.1 MLLVD-CR-24-01: Signal Handler’s Alternate Stack Too Small
4.1.2 MLLVD-CR-24-02: Signal Handler Uses Non-Async-Safe Functions
4.1.3 MLLVD-CR-24-03: Virtual IP Address of Tunnel Device Leaks to Network Adjacent Participant
4.1.4 MLLVD-CR-24-04: Deanonymization Through NAT
4.1.5 MLLVD-CR-24-05: Deanonymization Through MTU
4.1.6 MLLVD-CR-24-06: Sideloading Into Setup Process
All pretty straightforward IMO. They lean on "DAITA" aka Defence against AI Traffic Analysis pretty heavily, which I don't fully understand yet, but is probably worth some further reading.
Even OpenSSH has had issues with it [1].
It seems very difficult to build good abstractions for it in any programming language, without introducing some function colouring mechanism explicitly for this. Maybe a pure language like Haskell could do it.
[1]: https://blog.qualys.com/vulnerabilities-threat-research/2024...
Yup: see https://hackage.haskell.org/package/ghc-internal-9.1001.0/do... where it is clear that setting a handler simply writes to an array inside an MVar. And when the signal handler is run, the runtime starts a green thread to run it, which means user Haskell code does not need to worry about signal handler safe functions at all, since from the OS perspective the signal handler has returned. The user handler function simply runs as a new green thread independent of other threads.
But I like the fact that you brought up this idea. Haskell can't do it but in a parallel universe if there were another language with no runtime but with monads, we can actually solve this.
Another option is to use a proper OS that includes the ability to receive signals as a part of your main event loops: https://man.openbsd.org/kqueue.2#EVFILT_SIGNAL
I believe you can also do something similar with epoll() on Linux but not sure the semantics are quite as nice as kqueue.
Non async functions - pretty common problem but difficult to actually exploit. Every developer who has worked with signal handlers has probably made this mistake at some point because the issues it causes are extremely difficult to reproduce (some incredibly unlucky timing is required)
ARP leaking addresses - Not really a Mullvad issue and only exploitable on the local network
Deanonymization attacks - these work against all VPNs and you can always anonymize traffic more but it has a cost to do this.
Sideloading - Yeah this is probably the worst one but is not exploitable on its own.
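The two signal-handler findings (alternate stack too small, non-async-safe functions in the handler) and the kqueue/epoll suggestion above are all about the same discipline: do nothing in the handler except hand the signal to the main loop. The following is an added example, not code from the X41 report, from the Mullvad client, or from anyone in this thread. It shows the unsafe pattern for contrast, then the portable "self-pipe" version with a generously sized alternate stack; the choice of SIGUSR1/SIGTERM, the 64 KiB stack margin, and the function names are the example's own assumptions.

```c
/* Added example (not from the audit or the Mullvad client): an
 * async-signal-safe handler using the self-pipe trick, plus a properly
 * sized alternate signal stack. POSIX; build with: cc -std=c11 -Wall self_pipe.c */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static int sigpipe[2] = { -1, -1 };

/* WRONG (kept only for contrast, never installed): malloc() and printf()
 * take locks and touch global state. If the signal lands while the
 * interrupted code holds that lock, this deadlocks or corrupts the heap.
 * It only fails on unlucky timing, which is why it survives testing. */
static void unsafe_handler(int sig)
{
    char *msg = malloc(64);
    if (msg) {
        snprintf(msg, 64, "caught signal %d\n", sig);
        printf("%s", msg);
        free(msg);
    }
}

/* SAFE: only write() (async-signal-safe) plus a save/restore of errno.
 * The signal number goes to the main loop through a pipe; all real work
 * happens there, outside the handler. */
static void safe_handler(int sig)
{
    int saved_errno = errno;
    unsigned char b = (unsigned char)sig;
    (void)write(sigpipe[1], &b, 1);  /* non-blocking: a full pipe just drops */
    errno = saved_errno;
}

static int set_nonblock_cloexec(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) < 0) return -1;
    int fdfl = fcntl(fd, F_GETFD);
    if (fdfl < 0 || fcntl(fd, F_SETFD, fdfl | FD_CLOEXEC) < 0) return -1;
    return 0;
}

/* Creates the pipe, installs an alternate stack and registers safe_handler
 * for SIGUSR1 and SIGTERM (assumed signals). Returns 0 on success, -1 on error. */
int install_signal_handling(void)
{
    if (sigpipe[0] >= 0) return 0;  /* already installed */
    if (pipe(sigpipe) < 0) return -1;
    if (set_nonblock_cloexec(sigpipe[0]) < 0 ||
        set_nonblock_cloexec(sigpipe[1]) < 0) return -1;

    /* MINSIGSTKSZ is only the bare minimum the kernel needs to push the signal
     * frame; on x86-64 the saved AVX-512/AMX register state alone runs to
     * several KiB (which is why glibc 2.34 stopped making SIGSTKSZ a
     * compile-time constant). Size the stack generously; 64 KiB is the
     * example's own margin. */
    stack_t ss;
    ss.ss_size = (size_t)MINSIGSTKSZ + 64 * 1024;
    ss.ss_sp = malloc(ss.ss_size);
    ss.ss_flags = 0;
    if (ss.ss_sp == NULL || sigaltstack(&ss, NULL) < 0) return -1;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handler;
    sa.sa_flags = SA_RESTART | SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) < 0) return -1;
    if (sigaction(SIGTERM, &sa, NULL) < 0) return -1;
    (void)unsafe_handler;  /* deliberately not installed */
    return 0;
}

/* Main-loop side: wait up to timeout_ms for a queued signal and return its
 * number, or -1 if none arrived. This is what kqueue's EVFILT_SIGNAL and
 * Linux's signalfd() give you natively; the pipe is the portable fallback. */
int next_signal(int timeout_ms)
{
    struct pollfd pfd = { .fd = sigpipe[0], .events = POLLIN, .revents = 0 };
    int r;
    do { r = poll(&pfd, 1, timeout_ms); } while (r < 0 && errno == EINTR);
    if (r <= 0) return -1;
    unsigned char b;
    if (read(sigpipe[0], &b, 1) != 1) return -1;
    return (int)b;
}

int main(void)
{
    if (install_signal_handling() < 0) { perror("install"); return 1; }
    raise(SIGUSR1);                    /* simulate an incoming signal */
    int sig = next_signal(1000);
    printf("main loop received signal %d\n", sig);
    return sig == SIGUSR1 ? 0 : 1;
}
```

The point of the pipe is that the handler's only side effect is one write() of one byte; everything that needs locks, allocation or I/O runs in next_signal()'s caller, where ordinary code is allowed. On BSDs and Linux the pipe can be replaced by EVFILT_SIGNAL or signalfd() with the same loop structure.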
But: they found a triggerable heap corruption vulnerability in a Rust program, which is a nice catch.
I do think giving the vulnerability that follows that one a sev:hi, despite it being both theoretical (I don't think they have a POC) and not corrupting memory, is grade inflation though.
Doesn't this make it kinda pointless? If the target has a say in how they should perform their audit/attack, how does that not produce results biased in the target's favor? Wouldn't the most unbiased way to do such a thing be for the target to have zero idea what the auditor would be doing?
> which opens up room for misinterpretation of the findings
If Mullvad dictated how to do things or imposed limits on the reach of the testing, the results are worthless anyway
It's mostly just a matter of having a defined scope. They could of course say "You can only attack this one exact thing" that makes them look good, but this is true of many things.
Defining the threat model is standard in the infosec auditing/pentest world, FWIW.
> If Mullvad dictated how to do things or imposed limits on the reach of the testing, the results are worthless anyway
That's only true if your threat model is "literally every possible thing that could ever happen", which is so broad to be meaningless and impossible to test anyway.
Computer programmers also do not typically design their programs under the assumption that someone stuffed newspaper between their CPU and heatsink and it caught on fire. They work on the assumption the computer is not on fire.
That's the whole point of a threat model: Mullvad has a threat model, and they build a product resistant to that. When someone audits the product, they should audit it against the threat model.
For example, X41's threat model here only supposes that an attacker could execute code on the system as a different, unprivileged user. They don't consider the situation where an attacker might have an administrative account on the system.
For my personal devices today, this matches my threat model. If an attacker has an administrative account on my machine, I assume that my VPN isn't going to be able to protect my traffic from them. There's no need to worry about laying out all the ways this could impact Mullvad's client.
> We believe the reason these vulnerabilities exist is because gocryptfs doesn’t have a clearly spelled-out threat model. Some of the attacks seem hard to avoid given gocryptfs’s performance goals and may have been introduced “by design” to meet these goals. We suggest writing down an explicit threat model and updating the website to better communicate the security guarantees that gocryptfs provides. This way, users are less likely to rely on it in ways which would make them vulnerable.
Later established: https://nuetzlich.net/gocryptfs/threat_model/
If I ask a person to do an audit I will tell them what the scope of their audit is, e.g. check the physical security measures of our server rooms. Otherwise they would have to take literally everything into consideration (what if the accountant is a malicious actor, what if the server rooms are attacked by a military, what if our hardware is swapped out during delivery, what if...) and they would never be able to stop.
If you take security seriously you try to defend against likely attack scenarios first. Your way to control that is by choosing the scope of audit.
So, first you have to determine what the target says.
Then you look around to see if that seems accurate.
Then you look around to see what are the systems and controls that are in place to keep things in a controlled state in the future.
To do an audit you have to audit against some sort of pre-established criteria. That is how audits work. In security, that will typically be a standard (or set of standards) alongside a threat model. In finances, you audit against what is legal in the areas you operate.
>[...] zero idea what the auditor would be doing?
That's a practical impossibility. From the client side you want to be able to evaluate quotes, stay within a budget, etc. You don't want to pay good money (audits are really expensive!) for areas that are works-in-progress, or non-applicable threat models (e.g. lots of security software explicitly does not protect against nation-state actors, so they don't do audits from the perspective of a nation-state actor).
From the auditor side, you want to know what staff to assign (according to their expertise), how to schedule your staff, etc.
>If Mullvad dictated how to do things or imposed limits on the reach of the testing, the results are worthless anyway
Not at all. The company says "This is the set of standards we are auditing against and our threat model. This is how we performed". The results are useful for everything covered by those standards and threat model. By explicitly stating the threat model, you as a consumer can compare your threat model to the one that was audited and make an informed decision.
https://mullvad.net/en/blog/fourth-infrastructure-audit-comp...
Too bad because they were good for a long time.
Their reasoning is "they will be able to focus their resources where they can make a difference". Whatever that means.
It works much better and more reliably as a site-to-site VPN on my router for some reason.
I'm not sure if this can be done without the app or not.
When did this happen? I was still able to use it within the last couple of weeks, whenever I last tried it.
Bitcoin isn't anonymous. Am I misunderstanding something?
Fun fact: you can just mail Mullvad some cash in an envelope. No need for any cryptocurrency
Who owns that wallet can absolutely be an unknown - although practically with 99% people buying through coinbase this isn't the case.
- use coinjoin with something like wasabi wallet(https://wasabiwallet.io/)
- purchase BTC with cash
IMO, most VPN users are normal people, like me, who just want privacy from online advertisers and data aggregators. I do not want or expect privacy from the VPN provider. After all, I connect to their VPN service from my home ISP (which has an IP) that has an account in my name too.
No matter how you try to hide your payment for the VPN service, they know who you are.
IMO, technical people often 'go too far' and become unreasonable about these things (especially security people). They have lost touch with real-world threat models and use cases. James Mickens has a good short paper on this called 'This World of Ours' https://www.usenix.org/system/files/1401_08-12_mickens.pdf
My sense is that there's a lot of BS going on. Including the fact that "cool" VPNs are supposed to be coming from Scandinavian countries (but most of them aren't).
Mullvad states they're based in Sweden -- are you claiming they aren't? They list where all their servers are located and who owns them, if that's your concern.
They seem to have extensive information about why you'd want to use a VPN or not. They don't log customer data and moved to a RAM-only infra. They're cheap with one flat rate.
So what exactly would you call BS? What would you like to see them do different?
I don't understand what you are implying. Neither why are they supposed to, nor why it isn't true. To be fair, the only "strong privacy", etc VPN I know that is not Scandinavian is ProtonVPN. Is there something else?
I occasionally run this just to make sure, especially when using an unfamiliar service:
  curl ipinfo.io
And of course prefer that they are in a jurisdiction that isn't a haven for shady companies.
In short: I like them because there is little bullshit and they seem to be OK. I don't think I could ever trust PIA or all of those companies.
I have the suspicion the IP blocking is somewhat coordinated between YouTube and Reddit, to maximize annoyance and discourage VPN usage, since I frequently find an exit server working for either one of them, but not both. Disrupting the ping-pong of social media for VPN users seems like an effective strategy to influence their behavior. And since they are natural monopolies respectively, they hardly risk alienating anyone doing so. Similar to how cookie banners are abused to modify people's sentiment on privacy regulations in favor of data mining. Even many tech people believe annoying cookie banners are the EU's fault, when common practice is either malicious compliance, unwarranted or straight illegal.
That said, it is actually fucking annoying. Then again, just a nuance in the greater enshittification and rapidly growing dissatisfaction with the web overall for me.
FTFY (added scare quotes)
I don't see blocking tracking and data mining as a problem at all, but rather a very good thing.
Many captchas are just bans but they are hoping for some free training
There isn't a lot Mullvad can do about it. Not all providers of hosting are willing to tolerate VPN endpoints in the same way they don't like hosting tor exit nodes.
reCAPTCHA is the GoDaddy of CAPTCHA services. It doesn't achieve its purpose and the CAPTCHA task is often just a time waster. It's already decided whether you're a bot or not - which is not based on your mouse movements, but rather your IP address reputation and whether you're signed into Google. It only still exists because of brand inertia. I'd like to see a Google executive put before Congress and forced to complete a reCAPTCHA over Tor.
This alone can be worth it for many people. I trust Mullvad significantly more than I trust my ISP.
https://mullvad.net/en/blog/2023/5/29/removing-the-support-f...
Discussion of the audit of TFA on the Privacy Guides forum:
https://discuss.privacyguides.net/t/mullvads-2024-security-a...
... wouldn't randomizing the virtual IP address make the situation worse? Sounds like the best solution would be to just give every user the same boring static IP address like 169.254.199.1/30.
Personally I don't really get their multi-hop when you connect on a predefined port on an ingress server to get redirected to an egress in a different region. Easily guessable for a powerful observer.
Anyway any VPN is only an encryption tool, not an anonymizer.
I'm not suggesting a conspiracy, but is the VPN business that good? Are they funded by a privacy group?
One of my use cases for VPN is to watch free, legal anime on YouTube from Muse-Asia. I use a VPN to connect to Indonesia, which allows me to watch anime like Dandadan. a US IP won't show anything on their Youtube page. I'm using Mullvad VPN.
You are probably aware of the "Great Firewall of China" that blocks access from mainland China to Google, Meta, etc... Which means that if you are a westerner in China and want to access the internet as you know it, or if you are Chinese and access the rest of the world, then you need some kind of VPN to bypass the restrictions.
The Great Firewall is quite advanced, and you need some layers of stealth not to be detected and blocked. Furthermore, they actively search for VPN endpoints and block their IP addresses. It limits your choice of VPNs, and Mullvad is one of the good ones for that purpose, along with Astrill and LetsVPN.
And knowing that Mullvad doesn't come close to the mainstream marketing of other (well, in essence, one) VPN providers, your comment comes off as malicious.
But, it's not white label. White label implies it would be Tailscale VPN (or similar) with no reference to Mullvad in their docs or marketing. But that's not what is happening with their offering.
From their customers.
If money is no concern, use Astrill. Ease of software use, number of countries, GFC, circumventing geoblocking: it is one of the best, if not the best, but it comes with a big price tag attached. I think 300 USD/2 years if I remember correctly.
If you don't need the best, AirVPN has often deals for 50USD/2 years. But the servers are very "spammy" (tons of captchas for you to solve).
Mullvad has had multiple public audits and even contributed to other security-related open source projects. You don't have to create an account and they even take cash by mail. It can't be more anonymous than that.
Astrill on the other hand has had no public audits, and costs more than twice as much. It is not worth the price, since their security can't be checked by normal users. Also they require an account. Furthermore even in their FAQ they don't say that they wouldn't give the data to a court. They ask the question, but don't really answer it.
I would never buy a VPN from a company like that.
Just use the best programming language. Oops? For what application? Yes, everything depends on the application. Honestly, I doubt that many VPNs are better than Astrill if it comes to the GFC. I mentioned, it comes at a price. But if you are price sensitive, Mullvad is still nearly double the price of AirVPN....
"Mullvad has had multiple public audits and even contributed to other security-related open source projects."
Well, airvpn has also interesting roots. https://airvpn.org/aboutus/
"You don't have to create an account, and they even take cash by mail. It can't be more"
Well, I don't think any of my recommendations takes cash by mail, but they may take bitcoin. And for the applications you are hinting at, it is much more important that you connect via Tor to your VPN. One thing gives anonymity, the other privacy.
"Furthermore even in their FAQ they don't say that they wouldn't give the data to a court."
ROTFL. Every company will give data, or the data they have, to a court. At least in their own jurisdiction. Yet, there are (or were) VPNs that were cyberspace only. No corporation, just a website. A business that is not incorporated and only exists in cyberspace may indeed have a lot of leverage. At this point, you may ask yourself what you are doing. But if it is really so important, I would start setting up my own servers and selling my own VPNs. A tree you can hide best in a forest.
"I would never buy a VPN from a company like that." If everything you have is a hammer, every problem becomes a nail. Everything depends on your application and what you want to achieve.
I trust Mullvad because it does security audits like this. And it stores no data and has a history of police showing up without any data compromised [1].
[1] https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-sea...
If you want a Mercedes of VPNs, likely Astrill is the choice. If privacy is your main concern, there are many options. Don't mistake privacy for anonymity. If in doubt, pay with Bitcoin and use Tor to connect to your VPN.
For my current application, AirVPN is more than enough. Two years are 79 €; if they have a special, it is 49 €. If you are cost sensitive, Mullvad is double the price already, but at least less than half of the Astrill price.