by infinitedata 1091 days ago
When you access it while using Mullvad, it still asks you for your account number. The service should automatically detect you are on the VPN and let you search. Why the need for the extra step?
2 comments

It is good that this does not work, as one IP might be shared by multiple accounts. A cache of the mapping IP --> AccountNo is also not favorable in terms of privacy.
> As one IP might be shared by multiple accounts.

No "might" about it, that's one of the most important traits of this type of service.

Yes indeed, but it's not guaranteed that there'll be multiple clients connected to one server at a time, even if it's unlikely.
To enforce the usage limits.
Can you guess someone else's account id or sort of brute force to find valid ids and then run malicious searches against them?

Seems like a security risk.

I would bet money that Mullvad heavily rate limits incorrect ID entries. Also, it's a 16-digit number, good luck.
Is it the full account number? Good luck guessing that :P

If so it's like 16 digits. Isn't that 10^16 values? If they had 1 million users, that's still a lot of numbers to test before you find 1 valid one :)

I suck at math, but that's like 999999999 non-existing accounts per valid account? (10^16 - 10^6 - 1)

Well, if that is 1 million active users, I would bet that there are still many more 'used' keys. Being a Mullvad user myself, I have used about four different accounts, since you can just generate a new one. I don't know if this really makes a difference, though.
The Mullvad "account number" is not a user id, it's a 16-number secret key. If you have that, you have the account.