[Foxboron]

> Good VPN company (one of the best) and good idea (sounds like USB Armory). But the best it can do is assure that their VMs are not logging anything and keep other promises. Will they also be able to share details of their hosting setup in a way you can independently verify (because they can always have more middleware transparent traffic logging VMs)? doubt it, same goes to whomever they use for hosting.

We are working on this as part of the System Transparency project.

https://system-transparency.org/

Disclaimer: I work on this.

Beyond this Penetration Testing reports on the Mullvad infrastructure is public.

[LASR]

I’ve always wondered what is feasible through a state-issued mandate along with a gag order to circumvent the technology for something like this.

[_8j50]

That's what I mean about risk asessment. You should not expect mullvad or any other legally liable organization to resist lawful orders or unlawful coercion, these are not reasonable expectations and your security posture should account for that.

[vladvasiliu]

Couldn't this be solved by something like remote attestation?

[_8j50]

Thanks for the response and your transparency, it looks like you folks really believe in your mission.

The most revolutionary thing you are doing in my opinion is "registration" and email free account management and accept various forms of payment. You are way ahead of your time! Other apps and sites outside of VPN services could do so well to follow your example.