[vinay_ys]

If mullvad is compromised, then all my traffic is also compromised and potentially my client machine is also compromised (since I'm running mullvad client). Alternately, to begin with, if my traffic wasn't sensitive or personally identifiable, then I don't actually need this multi-hop setup.

[mhitza]

No idea how mullvad setup is done, but in theory I think you could use Tor -> mullvad wireguard configured VPN -> target site.

That way your traffic would be "legitimized" (no infernal Captcha loops), and if the sites you visit have certificate pinning mullvad network compromise wouldn't matter.

A bunch of ifs, but that's the state of things.

edit: written before thinking out all the details, probably can't tunnel udp connections over Tor.

[capableweb]

Yes, if mullvad + your machine is compromised, then indeed there is not much you can do. But first, not everyone uses mullvads client, but instead the provided configuration files for wireguard/openvpn. Secondly, not all traffic is indeed personally identifiable, especially if you're using something like mullvad with for anonymous traffic to begin with. Imagine you have another account than vinay_ys that you only use via mullvad (and potentially other accounts). Using something like cash (or bitcoin for that matter) as a payment method makes it less likely the real person you will be connected to this other account.

Security and privacy is not a true/false thing, it's a thing you do at layers. Making payments anonymously is obviously adding another layer. Maybe it's not worth it for you, but for some it is.

[vinay_ys]

With a Wireguard VPN to reach Internet, all traffic from this machine meant for Internet is going via the tunnel, including the OS generated background traffic, and application generated background traffic (like update servers, analytics beacons/telemetry, license verification servers etc). These can contain tracking identifiers that can be tied back to app purchases, and even laptop purchase itself.

If you really have only limited sensitive traffic (even with fake identity), you are better off using just tor browser than using a full machine vpn.

[capableweb]

Yes, indeed, if there is identifiable traffic coming from the OS, you're screwed. This is why I said "not all traffic is indeed personally identifiable". If you are doing things where you have to be anonymous, there are plenty of OSes you can run to not have all those things giving away your identity. If you think just adding a VPN on top of the OS you use for other things, you're screwed.

I think you're missing the point here. Even if you use Tor browser or a completely new OS installation of Tails or whatever, if your payment method can be tied to you, you're once again screwed. Being able to anonymously pay, removes that vector, it's as simple as that.

[vinay_ys]

The point was exactly that – you are already screwed, irrespective of being able to pay anonymously. If you are the kind of actor who will (or needs to) take all the countermeasures needed to be truly anonymous at a whole machine traffic level, then you are likely not going to be using mullvad.

To a typical customer of mullvad who also reads hn I would say this – you aren't going to gain any additional privacy by using anonymous payments. Here's why: either you believe Sweden is a safe haven for user data privacy or not.

– If it is, then you have nothing to worry about even with payment method tied to you.

– If it is not, then a Swedish government agency can compel mullvad to reveal the customer details (like payment method details) based on the WireGuard UDP socketpair details. But then they can also very likely compel mullvad to give them a live dump of traffic within the tunnel.

For truly high-risk people (journalists/whistleblowers against powerful entities, not regular geeks who want to block ad tracking), I'm not sure if any vpn service like this is a net help or does it actually cause more harm.

[capableweb]

> If you are the kind of actor who will (or needs to) take all the countermeasures needed to be truly anonymous at a whole machine traffic level, then you are likely not going to be using mullvad.

That's the wrong conclusion. The right one is: if you're the kind of actor who needs 100% privacy, mullvad is likely a part of solution (because of their track record), together with many other services and tooling. No one relies on one part to remain anonymous, as again, privacy and security depends on layers, not just a single layer.

> either you believe Sweden is a safe haven for user data privacy or not.

Even if Sweden is "a safe haven for user data privacy" or not, the government is not the only threat against mullvad. Mullvad themselves, the location they have their servers, their payment processors and many else can also be compromised. Paying Mullvad in cash (and protecting yourself in more ways) helps more than paying with a credit card attached to your full name, as any middleman can be compromised (and not just by a government).

> For truly high-risk people (journalists/whistleblowers against powerful entities, not regular geeks who want to block ad tracking), I'm not sure if any vpn service like this is a net help or does it actually cause more harm.

High-risk people don't rely on a single VPN service but again, layers of them in order to facilitate things like proxy chaining and multi-hop.

But, talking with you back and forward, makes it clear that you haven't actually engaged with any of these "high-risk people" you feel so sure to proclaim how things work for. I urge to actually talk to some of them and see what kind of setup they can tell you about, as you'll learn some more about how you can protect yourself and remain anonymous, if you really want to.