by lorenzohess 42 days ago
The purpose of a VPN does not include anonymizing users with respect to the sites they visit, so it shouldn't be too surprising that Mullvad doesn't enforce unique exit IPs. Users who want anonymity should use networks like Tor.
3 comments

Why not? Why can’t it be the purpose of a given VPN service?
If you use the VPN for the Web, browser fingerprinting is a major threat outside of specialized scenarios
In other words: a VPN service can't by itself solve all problems which potentially lead to deanonymization, it can only provide anonymous networking.

Why can't it aim to solve what it can do? Tor is a great example: the Tor network itself can't perfectly anonymize you due to browser fingerprinting, but users of the Tor Browser get both the Tor network resisting deanonymization on a network level and a browser with plenty of anti-fingerprinting measures built in. A VPN could aim to prevent deanonymization on a network level so that users who want to stay anonymous can use the VPN in combination with fingerprinting-resistant software.

Have you taken a look at Mullvad’s browser?
No, but it makes sense that they want to offer a complete privacy product and not just a VPN. The point is just that having a privacy preserving VPN is worthwhile, because one can use fingerprint resistant browsers, whether that browser is made by the same company or not. I imagine Mullvad + Librewolf would also make a decent package.
Mullvad have a Tor Browser fork for this reason.
Isn't Tor a US government project that has been shown to be deanonymizable?
Sort of. There are a bunch of timing attacks but in general it still works fairly well.
Also, a bunch of conspiring entry-/exit-nodes will do the trick, if you have a budget for enough of them.
It has been successfully deanonymized, and resistance to NSA-level capabilities is explicitly not a stated goal.
Do you have a source for this?
No, because I don't keep a list of every article I've read over the past decade or so, but there were multiple busts where a regular law enforcement agency (FBI and their international counterparts) were able to prove the identity of a user simply by timing attacks.

The fact that Tor does not intend to tackle the timing problem is plainly stated on the Tor website.

I was also curious about a source for this but if you just mean the common knowledge that...

> Tor does not intend to tackle the timing problem [as] plainly stated on the Tor website.

then that's not how I read the above claim about Tor "having been deanonymized". Yes, yes, it strictly fits within the meaning of what you wrote, but it's like saying bread has been made free before because someone found a place where they could plant wheat seeds and chop trees to bake it without having to pay for using the ground and wood: there is a roundabout way of getting there but it's not true in the common case (you can't just do this for everyone at will).

"Tor has been successfully deanonymized" = "There are documented cases of successful deanonymization attacks."

https://www.schneier.com/blog/archives/2013/12/tor_user_iden... https://www.schneier.com/blog/archives/2024/10/law-enforceme...

If law enforcement can do it, then intelligence agencies and anyone with a similar budget can do it.

I did not say there is an easy exploit available that anyone can use or that attacks have a 100% success probability.

and so is ARPANET
That is exactly the point of public VPNs.

If I'm on a public VPN, I don't want anyone to know who is making the request, including the terminating IP.

Think about it. By your logic, VPNs shouldn't be used for torrents because VPNs shouldn't anonymize you to the terminating IP. Whereas they work gangbusters for that.

If you are talking about private VPNs. Mullvad isn't one.

I think you are misreading his comment. He is saying that on a VPN it is standard behavior that if you visit site A and site B they will both see you connecting from the same IP and can infer you are potentially the same person.
Site A and B have to collude in order to make that inference. Outside of Cloudflare, no one is colluding at that level.
Plenty of people own more than one website. You're also forgetting about random site assets like web fonts, CSS, JavaScript CDNs, etc. etc.
That would only be true if there were no ad networks.

But today’s internet is essentially a giant ad network.

Then he is using the wrong terminology.

Privacy = hide what I am doing

Anonymity = hide who I am

If site A and site B share some backchannel, then they can share what I was doing on their site, but aside from "this person is on Mullvad endpoint A1", they can't infer who I am[0]. To those sites, I am anonymous but not private.

On the other hand, to my ISP, I am private but not anonymous. They can see a tunnel originating from my home IP to Mullvad, so they know exactly who is connecting to Mullvad. But they don't know what I am doing inside that tunnel or where it leads beyond Mullvad.

That is the whole crux of a public VPN. The ISP doesn't know who to tell who I am, and the sites (and other terminating IPs) don't know who to tell what I'm doing, because the VPN breaks the chain in both directions.

So, if you torrent a movie illegally, the movie studio can only send an angry letter to Mullvad about someone on endpoint A1 torrenting their movie at 22:34. If it were possible for them to tell your ISP that you downloaded something illegally (privacy, the what), your ISP would have to give your address to the movie studio for a settlement fine (anonymity, the who).

It is kind of hilarious I am at -3 when parent is still in the positive, when he is so utterly wrong. But that's modern HN for ya.

[0]Fingerprinting obviously can throw a spanner into that, but that has nothing to do with the VPN. And it can be mitigated.
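An added example (not from any commenter in this thread) that makes the site A / site B linking argument concrete: two colluding sites join their access logs on exit IP and claim "same person". The users, exit IPs and visits are constructed; the comparison is between a shared exit IP (several VPN users behind one address) and a per-user exit IP.

```python
"""Constructed simulation of cross-site linking by exit IP.

Sites A and B each log only the exit IP of a visit (no user id).  If they
collude, they can join on IP; how often that join actually identifies the
same person depends on how many VPN users share that exit IP.
"""
from collections import defaultdict
from itertools import product

# Constructed: which VPN user sits behind which exit IP (sites never see this).
SHARED_EXIT = {"u1": "198.51.100.7", "u2": "198.51.100.7", "u3": "198.51.100.7",
               "u4": "198.51.100.8", "u5": "198.51.100.8"}
PER_USER_EXIT = {u: f"198.51.100.{10 + i}" for i, u in enumerate(SHARED_EXIT)}

# Constructed ground truth of visits: (user, site). Only the VPN side knows this.
VISITS = [("u1", "A"), ("u1", "B"), ("u2", "A"), ("u3", "B"),
          ("u4", "A"), ("u4", "B"), ("u5", "B")]


def site_logs(assignment, visits):
    """What each site records: the exit IP per visit, nothing more."""
    logs = defaultdict(list)
    for user, site in visits:
        logs[site].append(assignment[user])
    return logs


def link_by_ip(logs):
    """Colluding A and B join their logs on IP: these IPs appear in both."""
    return set(logs["A"]) & set(logs["B"])


def evaluate(assignment, visits):
    """Return (linked IPs, claimed same-person pairs, precision of the claim)."""
    logs = site_logs(assignment, visits)
    linked = link_by_ip(logs)
    a_users = [u for u, s in visits if s == "A" and assignment[u] in linked]
    b_users = [u for u, s in visits if s == "B" and assignment[u] in linked]
    # Every (A-visit, B-visit) pair on the same linked IP is a "same person" claim.
    pairs = [(a, b) for a, b in product(a_users, b_users)
             if assignment[a] == assignment[b]]
    correct = sum(1 for a, b in pairs if a == b)
    return linked, len(pairs), (correct / len(pairs) if pairs else 0.0)


if __name__ == "__main__":
    for name, assignment in (("shared exit", SHARED_EXIT), ("per-user exit", PER_USER_EXIT)):
        linked, claims, precision = evaluate(assignment, VISITS)
        print(f"{name}: linked IPs={sorted(linked)} claims={claims} precision={precision:.2f}")
```

With the shared exit both sites see the same two IPs, but only a third of the "same person" claims are right; with a per-user exit IP every claim is correct, which is the linkability the thread is arguing about.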

Public VPNs only protect you from your ISP
And, arguably more importantly, from the service you're using.