by banister 776 days ago
Well said. This is a nothing-burger for all VPNs except the ones that are likely heavily leaking already due to the absence of basic firewall rules.

Their "side channel attack" also made me spit out my drink.

EDIT: looks like NordVPN (at least on mac) doesn't have those basic firewall rules and so IS vulnerable to this exploit.


A general rule for life is that companies making a big deal about military grade encryption or about how they are affiliated with Nordic countries are scams.
Or more generally, marketing budget and trustworthiness tend to be inversely proportional.
Can you expand on that? Specifically the affiliation with Nordic countries?

I’m a Nord VPN customer, I’d quite like to know more — may help inform any future decision on renewing or even staying with them.

In general, Nordic countries are known for their extensive privacy laws, which in theory would make it harder for law enforcement to gain access to your traffic (and with a court order it is very easy to decloak your VPN traffic). However, as all Nordic countries are part of the Schengen Area, they are bound by European laws - and their enforcement. When Europol started cracking down on VPN providers that didn't comply, NordVPN (and all others who wanted to remain in the European market) were forced to admit [1] that they do comply with law enforcement orders. Today, all VPNs that you can legally buy are worthless in the aspects they advertise to you. You neither get extra security through encryption when browsing the web (https is already good enough for public wifi) nor actual privacy from your own government. There is exactly one use case for public commercial VPNs these days: If you want to easily access the internet from a different location to bypass geoblocking. But many big services like Netflix have started to simply block or otherwise limit access from traffic that comes from big VPN provider IP ranges, so even that use-case is becoming more worthless every year.

[1] https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...

You are missing one valid use-case: avoiding three-strikes letters being sent to your ISP by the MPA. Unless you're part of a release group, the complaints from the MPA never rise to the level of actual legal action, so your VPN provider is free to bin them, whereas your actual ISP would almost certainly act on them.
Yes of course, if you're engaged in low level criminal behaviour, then even these low levels of obfuscation will keep some pressure off your back. But since copyright law is somewhat of a grey area in the EU, you technically don't even need a VPN for that. You could run a VPS somewhere and get the same results much cheaper. But this kind of use case is not something VPN providers can advertise with anyway, so my point remains unchanged.
You can get a good VPN for $5/month. I don't think you can get a decent VPN with enough bandwidth to use as a tunnel for the same price.

And as for infringement being grey in the EU, not really, it goes by country. Nothing grey about it in Denmark for example.

HTTPS is not enough for public WiFi. Domain names get leaked due to how the TLS negotiation works, and unencrypted HTTP sites or ones with weak crypto are still more common than they should be.

Plus, many public WiFi networks exist which block SSH or specific websites to keep security auditors happy while allowing VPN to make business people happy. I used such a public WiFi quite recently, which blocked not only SSH but Hacker News - I assume some bad site database misunderstands the name of this site.

As for hiding from governments, I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government. So far, they can sometimes force silence, and can sometimes force a previously published canary notice not to be removed, but they haven’t yet had any right confirmed to uphold a compelled lie. So any Western provider that continues to publish suitably broadly worded canary notices on a verifiably still-updated basis (e.g. securely OpenPGP-signed together with a bit of new daily news headlines) is either telling the truth or is lying without being legally forced to do so.

>I’m not aware of any Western government that has so far gained the power to force its companies to affirmatively lie about whether they have shared logs with the government

Do you see the problem with this statement?

Depends on what things you think are likely to be true in secret or judicially determined in the future without an intervening legislative change. My impression of the law in most Western countries is that the courts would overturn any requirement to compel a company to affirmatively lie to the public through explicit speech of some kind, even in the national security context. Orders compelling silence or non-removal of past statements are a very different constitutional and human rights balance than compelled false speech.
Mullvad at least doesn't seem to log :shrug_emoji:
So, should they be requested to do so by a formally issued court order, they would comply and start logging a user’s activity, but do not do so by default.

Calling them worthless at providing secure browsing seems far-fetched; calling them a scam is fully disingenuous.

What, specifically, is the “secure browsing” that they offer and how does it improve on HTTP over modern TLS?

Funnelling your traffic through another entity doesn’t magically increase security.

*Tunneling* it through one hides the nature of that traffic from intermediary systems that it traverses from you up to that VPN exit point.

There is a lot of metadata in packets that can be viewed by any interim hop, like your ISP, workplace IT security, ARP-cache-poisoned coffeeshop router, etc.

Being able to cover/scramble your actual or virtual location can provide security in some contexts.
Even Mullvad?
You can answer the question yourself for any provider using this simple test: Can you legally buy access to it from inside the EU? If yes, they will suffer from the same problem as all other providers.
What are these problems, exactly?
Mullvad complies, but they go out of their way to keep very little information. If you don't have the information in the first place, you can't surrender it.
Beware that despite all marketing statements, VPN providers can easily be forced to store logs using court orders, even if they don't do it by default.
Yeah. But Mullvad VPN, based in Sweden, is an actual good one.
Migadu for email hosting is amazing as well, also Sweden I believe.
Migadu is Swiss
Why do people keep mistaking Sweden and Switzerland?
My mistake, I did know they were one of the two. I should have double checked. In general I know the difference between the two, I just forgot which one Migadu was based in.
People confuse Switzerland and Swaziland and those two aren't even on the same continent :)
What was the side channel attack? There’s no way I’m reading 20 pages of networking for absolute toddlers to try to find it.
The side channel attack lets the attacker determine whether or not you're trying to connect to certain IP addresses over your VPN. If you properly fix this, then even when the DHCP server is performing the attack, the traffic in question still goes through your VPN. If you just mitigate it, then when the DHCP server is performing the attack, the traffic will be dropped. The side channel is that if you just mitigate it, then the attacker can repeatedly start and stop the attack for specific IP addresses, while monitoring how much VPN traffic you're sending and receiving.
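The distinction drawn above between a fix and a mere mitigation is easier to see with a small simulation. The following is an added example, written for this thread rather than taken from the write-up or from any VPN vendor's code: it models a client whose VPN installs the usual 0.0.0.0/1 and 128.0.0.0/1 routes, an attacker-controlled DHCP server that pushes a more specific /32 route via option 121, and an egress firewall that drops anything not leaving through the tunnel. The `Host` class, the interface names, the documentation-range addresses and the flow sizes are all constructed for illustration.

```python
import ipaddress

VPN_IF = "tun0"   # hypothetical tunnel interface
LAN_IF = "eth0"   # hypothetical physical interface the attacker's DHCP server sits on


class Host:
    """Toy model of a VPN client's routing table and egress firewall (not real code).

    drop_non_vpn=True     models the 'mitigation': a firewall rule that drops any
                          packet that would leave via something other than tun0.
    honor_dhcp_routes=False models a 'fix': option 121 routes never influence
                          the tunnelled traffic, so it stays inside the VPN.
    """

    def __init__(self, drop_non_vpn=False, honor_dhcp_routes=True):
        self.routes = []                      # list of (IPv4Network, iface)
        self.drop_non_vpn = drop_non_vpn
        self.honor_dhcp_routes = honor_dhcp_routes
        self.vpn_bytes = 0                    # the counter an on-path attacker can watch
        # Typical VPN client trick: two /1 routes are more specific than the default.
        self.add_route("0.0.0.0/1", VPN_IF)
        self.add_route("128.0.0.0/1", VPN_IF)
        self.add_route("0.0.0.0/0", LAN_IF)

    def add_route(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def del_route(self, cidr, iface):
        self.routes.remove((ipaddress.ip_network(cidr), iface))

    def dhcp_option_121(self, cidr, install=True):
        """Attacker's DHCP server pushes (or withdraws) a classless static route."""
        if not self.honor_dhcp_routes:
            return                            # the 'fix': pushed routes are ignored for VPN traffic
        if install:
            self.add_route(cidr, LAN_IF)
        else:
            self.del_route(cidr, LAN_IF)

    def egress_iface(self, dst):
        """Longest-prefix match: a pushed /32 outranks the VPN's /1 routes."""
        ip = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if ip in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]

    def send(self, dst, nbytes):
        """Returns where the packet ends up: 'vpn', 'plaintext' (leaked) or 'dropped'."""
        if self.egress_iface(dst) == VPN_IF:
            self.vpn_bytes += nbytes
            return "vpn"
        if self.drop_non_vpn:
            return "dropped"
        return "plaintext"


# Constructed traffic mix: the victim talks to two hosts, one of which the attacker is probing.
FLOWS = [("203.0.113.5", 4000), ("198.51.100.7", 1500)]


def attacker_probe(host, target, flows):
    """Attacker's view: VPN bytes seen while the same flows run without and then with
    a /32 route for `target` installed. A drop in the second number reveals that the
    victim talks to `target`, even though the attacker never sees that traffic."""
    seen = []
    for installed in (False, True):
        if installed:
            host.dhcp_option_121(f"{target}/32", install=True)
        before = host.vpn_bytes
        for dst, n in flows:
            host.send(dst, n)
        seen.append(host.vpn_bytes - before)
        if installed:
            host.dhcp_option_121(f"{target}/32", install=False)
    return tuple(seen)


if __name__ == "__main__":
    leaky = Host()
    leaky.dhcp_option_121("203.0.113.5/32")
    print("no firewall rule:", leaky.send("203.0.113.5", 100))          # plaintext
    print("mitigation:", attacker_probe(Host(drop_non_vpn=True), "203.0.113.5", FLOWS))
    print("fix:", attacker_probe(Host(honor_dhcp_routes=False), "203.0.113.5", FLOWS))
```

With the drop rule only, the probe returns fewer tunnel bytes while the /32 is installed, which is exactly the signal the comment describes: the attacker toggles the route and compares counters. With the fix, the two counts are identical and the route push tells the attacker nothing.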
That’s certainly a take.