by _8j50 1373 days ago
Good VPN company (one of the best) and good idea (sounds like USB Armory). But the best it can do is assure that their VMs are not logging anything and keep other promises. Will they also be able to share details of their hosting setup in a way you can independently verify (because they can always have more middleware transparent traffic logging VMs)? doubt it, same goes to whomever they use for hosting.

My point is, while I don't ascribe to the extremes of pro or anti VPN sentiments, having a good understanding of what services like this can and cannot do and performing rudimentary yet essential security and privacy risk assessment is essential before trusting them with all your traffic.

2 comments

> Good VPN company (one of the best) and good idea (sounds like USB Armory). But the best it can do is assure that their VMs are not logging anything and keep other promises. Will they also be able to share details of their hosting setup in a way you can independently verify (because they can always have more middleware transparent traffic logging VMs)? doubt it, same goes to whomever they use for hosting.

We are working on this as part of the System Transparency project.

https://system-transparency.org/

Disclaimer: I work on this.

Beyond this, penetration testing reports on the Mullvad infrastructure are public.

I’ve always wondered what is feasible through a state-issued mandate along with a gag order to circumvent the technology for something like this.
That's what I mean about risk assessment. You should not expect Mullvad or any other legally liable organization to resist lawful orders or unlawful coercion; these are not reasonable expectations, and your security posture should account for that.
Couldn't this be solved by something like remote attestation?
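To make concrete what "remote attestation" in the question above can and cannot settle, here is an added example that is not from this thread and not System Transparency's or Mullvad's code. It simulates a measured boot (TPM-style PCR extends over constructed sample firmware, kernel and server image), an attester producing a quote bound to a verifier-chosen nonce, and a verifier checking that quote against reference measurements. The attestation key is an assumption: a real TPM signs with an asymmetric key that chains to a manufacturer certificate, while this stand-in uses HMAC with a shared secret so the example runs on the standard library alone. The scenario function also shows the two ways this fails (a modified kernel, a replayed stale quote) and, as the earlier comment points out, why a valid quote says nothing about a traffic tap upstream of the attested host.

```python
import hashlib
import hmac
import os

PCR_SIZE = 32
NUM_PCRS = 8

# Constructed sample boot components; none of these are real firmware or images.
REF_FIRMWARE = b"firmware v1 (constructed sample)"
REF_KERNEL = b"kernel + initramfs (constructed sample)"
REF_IMAGE = b"vpn server image (constructed sample)"
REFERENCE_BOOT = [(0, REF_FIRMWARE), (4, REF_KERNEL), (7, REF_IMAGE)]

# Assumption / stand-in: a real TPM attestation key is asymmetric and certified
# by the manufacturer. HMAC over a shared secret is used here only so the
# example runs without third-party crypto libraries.
AK_KEY = b"attestation-key-stand-in (assumption)"


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: a PCR can only move forward along a hash chain,
    so software cannot 'unmeasure' something it already loaded."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Replay a measured boot: each component's digest is extended into its PCR.
    `components` is a list of (pcr_index, component_bytes)."""
    pcrs = {i: b"\x00" * PCR_SIZE for i in range(NUM_PCRS)}
    for index, blob in components:
        pcrs[index] = extend(pcrs[index], hashlib.sha256(blob).digest())
    return pcrs


def quote_message(nonce: bytes, pcrs) -> bytes:
    """Canonical byte string a quote covers: verifier nonce, then every PCR in order."""
    return nonce + b"".join(pcrs[i] for i in range(NUM_PCRS))


def make_quote(pcrs, nonce: bytes) -> bytes:
    """Attester side: sign the current PCR values bound to the verifier's nonce."""
    return hmac.new(AK_KEY, quote_message(nonce, pcrs), hashlib.sha256).digest()


def verify_quote(pcrs, nonce: bytes, signature: bytes, golden):
    """Verifier side: check the signature first (freshness + authenticity),
    then compare every reported PCR against the reference measurements."""
    expected = hmac.new(AK_KEY, quote_message(nonce, pcrs), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "quote signature invalid or not bound to this nonce"
    for index, value in golden.items():
        if pcrs[index] != value:
            return False, f"PCR{index} does not match reference measurement"
    return True, "ok"


# Reference ("golden") values come from measuring the published images yourself,
# which is the part a user can do independently.
GOLDEN = measure_boot(REFERENCE_BOOT)


def run_scenario(boot_components, replay_stale_quote=False):
    """One attestation round. Returns (ok, reason).
    replay_stale_quote=True models an attacker resending an old quote that was
    produced for a different nonce."""
    nonce = os.urandom(16)                     # verifier picks a fresh nonce
    pcrs = measure_boot(boot_components)       # what the host actually booted
    signed_nonce = b"\x00" * 16 if replay_stale_quote else nonce
    signature = make_quote(pcrs, signed_nonce)
    return verify_quote(pcrs, nonce, signature, GOLDEN)


if __name__ == "__main__":
    # Honest host running exactly the reference images.
    print(run_scenario(REFERENCE_BOOT))
    # Host booted a modified kernel: the signature is valid, PCR4 is not.
    print(run_scenario([(0, REF_FIRMWARE), (4, b"kernel with a logging patch"), (7, REF_IMAGE)]))
    # Replay of a quote made for an earlier nonce.
    print(run_scenario(REFERENCE_BOOT, replay_stale_quote=True))
    # Note what is NOT in any PCR: the switch port, the hypervisor's vSwitch, or a
    # span/tap upstream of this host. A valid quote covers the measured software
    # stack on this machine only, not the path its packets take afterwards.
```

In practice the reference values would be reproduced from published, reproducibly built images, and the verifier would also validate the attestation key's certificate chain; both steps are outside this stand-in.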
Thanks for the response and your transparency, it looks like you folks really believe in your mission.

The most revolutionary thing you are doing in my opinion is "registration" and email free account management and accept various forms of payment. You are way ahead of your time! Other apps and sites outside of VPN services could do so well to follow your example.

Let’s not frame this as trust them vs don’t, it’s trust them vs trust your ISP. On one hand, you have a company that seems to be doing as much as possible to commit to privacy, and on the other, a company that straight up tells you they’re monitoring you and sending the data all over the place. Does that scale really tilt differently if you point out there’s a non-zero chance the first company is secretly just as bad as the second?
Not just your ISP but the ISP's ISP, local police, government, etc... One thing people seem to forget in such situations is your ISP router's security: is it better or worse than Mullvad's security? A compromised router can and has (see VPNFilter) rerouted traffic through attacker-compromised infra for MITM, and most people have to accept whatever crappy gateway is given to them. If you are on arbitrary wifi networks, the chances of joining a compromised network get higher the more networks you join, but having one constant potential point of failure that you can reasonably take measures to account for is better.