item 28382585

Mozilla VPN Completes Independent Security Audit by Cure53

407 points | st3fan | 4 years ago | blog.mozilla.org

188 comments

[+] xanaxagoras|4 years ago|reply
Aren't they just reselling Mullvad? So is everything said here true for Mullvad generally?

Edit: I use an always on VPN on my phone but I can only have one, and that's taken by my local wireguard so I can access the not-cloud services that I run remotely.

I've figured out how to connect Mullvad at the same time on that server, such that all traffic on the server goes through Mullvad. I can't figure out how to chain them. I want to make a request to my local network wireguard (wg0) and have any traffic that isn't local be routed through to the mullvad connection (wg1) so I can both access my local network and use the internet over the VPN. Has anyone done this or could anyone point me in the right direction? This is on a Linux machine...

[+] commoner|4 years ago|reply
> So is everything said here true for Mullvad generally?

No, since the client apps are different. However, Mullvad has completed several audits, including 2 of their client app:

https://mullvad.net/en/blog/tag/audits/

[+] jvanderbot|4 years ago|reply
Either your wireguard endpoint should be the router / gateway for the local traffic, and ip_forwarding is enabled on that gateway, OR you have to specify routes in iptables for the different networks you want to reach.

ip route add <subnet> dev <device name> via <gateway or router>

Like this: ip route add 192.168.1.0/24 dev wg0 via 192.168.1.1 (which is the router, usually).

This really helped me https://unix.stackexchange.com/questions/666072/how-to-set-u...

[+] 3np|4 years ago|reply
From the Introduction: "This report describes the results of a security assessment targeting five Mozilla VPN Qt5 applications and clients, together with their corresponding codebase"

It's only the client-side software in scope, not the VPN service itself.

[+] Thorentis|4 years ago|reply
I was just about to comment "how does this compare to Mullvad?", had no idea they were basically the same thing. Mullvad is already great and available in more countries, so I see no reason to move to Mozilla VPN.
[+] Jiocus|4 years ago|reply
There's no problem having several wireguard connections enabled at the same time. Routes are selected per metrics/distance.

E.g:

A private virtual network between you and remote hosts won't be interrupted by the presence of a VPN service. The entry connection to the private network would be routed through the VPN service, though.

[+] nullify88|4 years ago|reply
You may need to modify the routing table so Linux can route traffic destined for a particular network down the interface of your choosing.

I haven't worked with wireguard and it may already have this feature built in, but the fundamentals remain the same.

Edit: Perhaps it's "AllowedIPs" in the connection config.

[+] kristjank|4 years ago|reply
Yup, it's still just mullvad.net with less privacy and a shadier corporate front.

Chaining is doable using separate routing domains. Not for the faint of heart though.

[+] Causality1|4 years ago|reply
Mozilla VPN advantage: a company far more reputable than almost any other VPN provider for doing all the things people say they want a VPN for.

Mozilla VPN disadvantage: Mozilla is probably far less tolerant of all the things most people actually use a VPN for.

[+] threatofrain|4 years ago|reply
But what's the advantage here? Once Mozilla blesses Mullvad, then... customers already know that Mullvad is good. It's understandable why Mullvad could have a partnership agreement with Mozilla, but it's not obvious why customers shouldn't just bypass Mozilla and go straight to Mullvad with cheaper prices.
[+] azalemeth|4 years ago|reply
Mozilla isn't actually providing the VPN infrastructure and bandwidth -- Mullvad, a well-respected Swedish operator, is. I think they run their own ISP behind the scenes.
[+] KorematsuFred|4 years ago|reply
Brilliant summary. I would need a VPN mostly to visit some sites while spoofing my location, testing my competition's UX in other countries etc.

I can also see because of Mozilla's reputation employers offering these VPN free of cost to their employees.

[+] chrisseaton|4 years ago|reply
Disadvantage: injected tie-ins with Comcast shows.
[+] mfollert|4 years ago|reply
"FVP-02-014 General: Cross-site WebSocket hijacking (High)

The provided staging build contains the Mozilla VPN WebSocket Controller, which exposes a WebSocket endpoint on localhost. No additional authentication is required to interact with this port, thus allowing any website to connect and interact with the VPN client. At the beginning of the audit, Mozilla assured that this WebSocket server is only part of the staging build. However, later it was revealed that Mozilla would like to reuse this connection for communication with a browser extension in the future. Thus, Cure53 decided to report this issue."

A classic one.

Also interesting:

"On Linux and macOS, a helper shell script is called by the privileged daemon which sets up WireGuard and network configurations. This script is extremely critical for security and should normally get most of the security attention. However, prior to the test, Mozilla has announced that it will be replaced soon and, as such, does not warrant substantial reviewing efforts. This - in Cure53’s opinion - is rather unfortunate in relation to its criticality. Cure53 therefore recommends that the upcoming changes get comprehensively reviewed in terms of security before they are shipped in production releases."

[+] corty|4 years ago|reply
So in short, the audit is an advertising stunt and will say nothing at all about the security of the actual product.
[+] opheliate|4 years ago|reply
Tangential: Can anyone with experience in this field provide an estimate for how much this kind of audit costs? Just considering the viability of open source projects fundraising to cover the cost of an audit.
[+] patrakov|4 years ago|reply
It bothers me that Cure53 is the only auditing agency for VPN providers that actually publishes their findings, finds more than nothing, and responds via email to queries regarding their past audits.

Yes, there is another company, Altius IT, that audited PureVPN for their no-log policy. But they found nothing, and refused to answer my email inquiry with a simple question: "if PureVPN were caught not storing any logs or connection data, but immediately sending them to a third party, would that have been reported as a finding?". The question was asked because on paper, this is not a violation of the published policy.

[+] vmoore|4 years ago|reply
I've toyed with some VPN browser extensions. Not naming names. I became a customer of a few VPNs over the years, to try some of these extensions out, and the extensions leak your real IP inadvertently. One such extension said it was 'connected' when I DuckDuckGo'd 'what is my ip' and it reported my real / naked IP.

So my solution was to use a (hardware) VPN router which ensures all your traffic is tunneled through the VPN and you don't have to worry about edge cases like this leaking your real IP. Also: many users don't even turn off WebRTC which can expose you too. Many people it seems, don't know about the WebRTC VPN vuln that was disclosed many years ago.

Edit: I reported these extension vulns and they got fixed, but I still don't trust them.
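The WebRTC leak mentioned above works because any page can ask the browser to gather ICE candidates, and the server-reflexive (srflx) candidate carries whatever public address the STUN packets left from; if that path bypasses the tunnel, it is the real IP, which is why both routing everything through a VPN router and disabling WebRTC close it. The following is an added example, not from the comment above or from any VPN vendor: a classifier for candidate lines that flags public addresses other than the tunnel exit, plus the gathering call a leak-test page uses (a no-op outside a browser). The STUN URL, the tunnel exit address and the candidate lines are constructed for the example.

```javascript
'use strict';
// Added example: decide whether WebRTC ICE gathering would reveal an address the
// VPN tunnel does not cover. Not code from any VPN vendor, extension or leak-test site.
// All candidate lines and addresses below are constructed (TEST-NET ranges).

// ICE candidate line:
// "candidate:<foundation> <component> <proto> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return { foundation: m[1], protocol: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] };
}

// RFC 1918, loopback and link-local: leaks LAN layout, not the public IP.
function isPrivateIPv4(addr) {
  const p = addr.split('.').map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
    (p[0] === 192 && p[1] === 168) || p[0] === 127 || (p[0] === 169 && p[1] === 254);
}

// kind: "mdns"    browser hid the host IP behind a .local name (current browser default)
//       "private" RFC 1918 / link-local host candidate
//       "vpn"     public address equals the tunnel's exit, i.e. what the site should see
//       "leak"    public address that is not the VPN exit: the real connection surfaced
function classifyCandidate(line, vpnExitIp) {
  const c = parseCandidate(line);
  if (!c) return { kind: 'invalid' };
  if (c.address.endsWith('.local')) return { kind: 'mdns', ...c };
  if (c.address.includes(':')) { // IPv6
    const kind = c.address.startsWith('fe80') ? 'private' : (c.address === vpnExitIp ? 'vpn' : 'leak');
    return { kind, ...c };
  }
  if (isPrivateIPv4(c.address)) return { kind: 'private', ...c };
  if (c.address === vpnExitIp) return { kind: 'vpn', ...c };
  return { kind: 'leak', ...c };
}

function findLeaks(lines, vpnExitIp) {
  return lines.map(l => classifyCandidate(l, vpnExitIp)).filter(c => c.kind === 'leak');
}

// Browser side: gather candidates the way a leak-test page does. Resolves to [] under
// Node, where RTCPeerConnection does not exist. The STUN server URL is an assumption;
// any reachable STUN server produces srflx candidates.
function gatherCandidates(stunUrl = 'stun:stun.example.org:3478') {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve([]);
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    pc.onicecandidate = (e) => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else { pc.close(); resolve(lines); } // null candidate = gathering finished
    };
    pc.createDataChannel('probe');
    pc.createOffer().then(o => pc.setLocalDescription(o));
  });
}

// Constructed sample: a tunnel whose exit is 203.0.113.10, a LAN host candidate, an
// mDNS-obfuscated host candidate, the expected srflx via the tunnel, and one srflx
// that went out the physical uplink and shows the ISP-assigned address 198.51.100.77.
const SAMPLE_VPN_EXIT = '203.0.113.10';
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0',
  'candidate:2 1 udp 2122194687 2b7f0a5c-1234-4c1e-9d4e-abcdef012345.local 51235 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.10 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0',
  'candidate:4 1 udp 1686052351 198.51.100.77 51235 typ srflx raddr 192.168.1.23 rport 51235 generation 0',
];

console.log('leaked addresses:', findLeaks(SAMPLE_CANDIDATES, SAMPLE_VPN_EXIT).map(c => c.address));
```

In a browser, `gatherCandidates().then(lines => findLeaks(lines, exitIp))` with exitIp set to what the VPN provider's "what is my IP" page reports gives the same verdict a leak-test site would; an empty result with only mdns and vpn kinds is what a correctly tunnelled setup should produce.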

[+] Crazyontap|4 years ago|reply
My biggest problem with using a VPN is the overtly hostile treatment by Google and Cloudflare.

Every time I try to browse with a VPN (currently using Windscribe) I just see those nasty captchas everywhere. Google won't even let me do a simple search without letting me tag zebra crossings and school buses. Same with Cloudflare, which also adds a CAPTCHA before showing me a site, which is basically most of the internet now.

Really don't understand why they do this to VPN users. Anyway, anybody know how to fix this?

[+] slivanes|4 years ago|reply
Unfortunately criminal/fraudulent/unsocial activity also occurs almost exclusively behind a VPN; you might not be doing such things, but websites can't tell if you're not one of those people.
[+] commoner|4 years ago|reply
Cloudflare works with Privacy Pass, a browser extension through which you can solve CAPTCHAs in advance to accumulate tokens that let you bypass CAPTCHAs served by participating services (including Cloudflare, but not Google) as you browse the web. One pre-solved CAPTCHA gives you 30 tokens for ReCAPTCHA or 5 tokens for hCaptcha:

https://privacypass.github.io

I didn't encounter any serious CAPTCHA issues when I tried out Mullvad and Mozilla VPN. Windscribe is probably worse for CAPTCHAs because of its free tier and the lifetime membership that it previously sold for a low price. VPNs that require ongoing paid subscriptions tend to have higher-quality traffic.

[+] azalemeth|4 years ago|reply
Gcaptcha hates VPN users, and Firefox users [1, 2]. You can ameliorate this by being logged in to a Google account (!). The cynic in me mutters something here about advertising.

Cloudflare, on the other hand, sometimes just decides that the website said "nope" and blocks you. It's such a giant PITA. I spend a lot of time in two countries because of my job and family -- and one restaurant near my home in one of them has decided to block all IPv4 (but not IPv6...) connections to it with Cloudflare. I used to look at their menu online, often on the days that I flew back (in the 'before times'). I have to use a VPN to get around that (their food is good!). Cloudflare recently started introducing obnoxious captcha requirements and occasionally outright blocking.

The more people who use VPNs -- and I am sure they are on the rise -- the more it becomes normalised and, hopefully, the more this goes away. To be honest, it's a price worth paying for privacy at any rate.

[1] https://grumpy.website/post/0RzW4elEN [2] https://news.ycombinator.com/item?id=20147015

[+] penagwin|4 years ago|reply
Because like 90% of the traffic is malicious. VPNs and proxies obviously change your exit IP, and people rotate through these as they do things like spam, make accounts, credential stuff, etc. This means they're burning through the IP ranges and getting them flagged.

If you're on a VPN with a fresh ASN and IP range you won't have any issues (until people start using it for other reasons).

If you wanted to "fix it" the dirty method, there's extensions for chrome/firefox/etc that will automatically submit your captcha to a captcha solving service and it costs some tiny amount.

tl;dr: mischief basically has to go through VPNs, and they rotate through IPs, getting them flagged. You can join the dark side with a captcha solving service and extension, and there are some "solutions" like Privacy Pass you can try.

[+] stjohnswarts|4 years ago|reply
You're exaggerating. I use Mullvad on 3 systems and definitely see captchas here and there but it's not very often. I can't imagine that Mozilla's VPN is much different since the backend is the same.
[+] relaunched|4 years ago|reply
I see those as inconvenient MFA. Can you explain why you consider it hostile?
[+] lilsoso|4 years ago|reply
I get locked out of gmail using NordVPN with increasing frequency. I was locked out of my account this week for one night.
[+] ipaddr|4 years ago|reply
Those two are the biggest barriers to privacy so it would make sense.
[+] tptacek|4 years ago|reply
Hey, finally I'm catching a report like this at a point in time where I'm not myself working as a software security assessment consultant, which frees me to get publicly back on my hobby horse about public assessment reports.

I think third-party assessment reports like these are a real problem in our industry. There are firms that are worse about them and firms that are somewhat better but it's a near-universal problem.

I don't at all object to technical vulnerability reports being shared. It's good to know when third-party auditors have spotted problems in products (and it's also good for prospective customers of consulting firms to know what kinds of vulnerabilities that firm is likely to spot, and how padded out some of these reports can be with low-quality findings). I also think it's worth remembering that the overwhelming majority of security assessment engagements are never reported out to the public; even when vendors do publish reports, more often than not it's after previous unpublished engagements have been run.

But the way these reports get written creates a huge conflict of interest. They're not simply reports of (1) what was tested and (2) what was found. Too often, they're also product marketing documents, beginning and concluding with "overall assessments" of the target software that is almost invariably positive, even on projects that reduced the target to a smoking crater (to say the least, that didn't happen here, but when it does, it's always framed as "[vendor] has made great strides in improving their security in the wake of this important engagement").

There are firms that specialize in writing public audit reports, and firms that specialize in finding excellent vulnerabilities, and the Venn of those firms is practically two disjoint circles† --- at least in the sense that there's a sort of insider chatter about who the quietly bad-ass firms are, and who the "most credible for shutting down sales objections" firms are.

Even when they're not intended to be tools of persuasion, public audit reports tend to function that way systemically. That's because vendors control the terms on which these audits are done, what's to be tested, when the testing will occur, how much time will be allotted and who's staffing. Vendors pay for public-facing reports, as an extra line item in the SOW, and in some circumstances get to review drafts.

Meanwhile, the public that reads these reports is in no way qualified to weigh or contextualize the report. If you're reading an audit report from a commercial vendor, it is invariably presented as a "clean bill of health". But even if you somehow get principals at Azimuth to assess your system, there is no such thing as a clean-bill-of-health audit. Different teams of auditors will find different bugs (even different teams from the same vendor!).

I think we need a new norm in the industry, and that it can only come from the auditing firms themselves. I think that, roughly, that norm should be that public-facing reports can be provided only in the same dry, technical form they're presented to development teams in ordinary, non-public projects: a methodology, a scope and rules of engagement, and a list of findings. No editorializing and no editorial review by vendors. Probably, though I'm less clear on the mechanics of how this would work, it should also stop being OK to charge different amounts for projects that do and don't have public reports.

I know there are consultants that disagree with me about this; I look forward to reading their takes.

† I'm not editing this out but on reflection this is pretty imprecise and it's probably easy to come up with a counterexample.

[+] cycomanic|4 years ago|reply
The issue with pretty much all of these security audits is that they typically are limited to code audits of desktop or server software.

Much of the security of VPNs though depends on the configuration of the servers/endpoints. Does it keep logs (on purpose or accidentally), are logs/traces of connections wiped from the RAM as well when you disconnect... So even if your VPN client is perfectly secure, if someone is listening on the server nothing matters. Importantly, it's probably not unlikely that they were even set up by a "subcontractor", so even if Mozilla does everything right, there is the chance that a subcontractor still made a mistake and logs are being saved, for example.

So a proper security audit would do lots of spotchecks on servers to see how well they are configured.

A proper security

[+] lilsoso|4 years ago|reply
Shouldn't some non-trivial % of VPN companies popular on the market be run by intelligence agencies by various countries as a honey pot operation? Or is the idea that intelligence agencies have better means to monitor internet traffic?
[+] CyanBird|4 years ago|reply
I mean, supposedly that's exactly what happens with Tor: NSA and friends run many, many exit nodes and scrape info from there, to such a level that people are worried that it is possible (or plausible) that they can/could identify users through different fingerprints, maybe not for something that would hold in court, but enough that it could make you a person of interest for them to see if they can deploy some of their malware packages.

As for intelligence agencies, famously ProtonMail which works from Switzerland operates in a country with information sharing partnerships with the 5eyes, yet they are not all too concerned about it, nor interested on having their server-side software audited, so that to me raises eyebrows

In the past we have had the Crypto AG scandal and BCCI, which was an entire huge international bank with branches all over the world which basically only existed to be a front for CIA money laundering... I personally believe that these guys are now operating with Deutsche Bank and cryptocurrencies, which is just what would make sense for them, as Deutsche Bank is a corruption-ridden company and crypto can be obfuscated so much as to be basically untraceable.

I have personally moved away from ProtonMail. I have 0 sources, but they give me too much of a bad Crypto AG/honeypot vibe, sad as it is. If you want secure email you must self-host it, which can be quite a pain in the arse, but these are the costs to have peace of mind.

As for their VPN I would not use it, I don't like that ProtonMail centralized so many "privacy things" into a single point of failure

[+] zinekeller|4 years ago|reply
Actually, skip all of that: social engineering is still the best way, even NSA has stated that.

Assuming that social engineering is hard (for example, the targets are computers operating machinery), while Windows is... not bulletproof, most applications (especially in-house apps) tend to be nothing more than a wooden gate, and therefore it's more expedient to do that than monitoring encrypted communications (obviously, it has some benefits but it also has a lot of chaff, so it's better to have a wiretap directly).

[+] YeBanKo|4 years ago|reply
Once I learned that Mozilla was using Mullvad servers, my trust in Mullvad increased. Though, besides credibility, I am not sure what other benefit Mozilla brings to the table by reselling it? Since they both use the WireGuard protocol, the client is mostly about UI, rather than functionality.

What would be cool is if Mozilla partnered with multiple VPN providers and had a multi-hop VPN with at least 3 nodes and multi-layered encryption, similar to Tor.

[+] pgroves|4 years ago|reply
Ok but how do I know I should trust Cure53?
[+] lucb1e|4 years ago|reply
Read the report and see if the findings are super basic or super advanced. If you can't tell, then this audit report is not of value to you, similar to how my mom has no use for open source software yet I would still say it's valuable to have open source software in the world.
[+] rsj_hn|4 years ago|reply
Because they have an excellent reputation and do good work.
[+] badguybeetle|4 years ago|reply
They do use Mullvad to provide this service and Mullvad's pricing model is a flat monthly rate at ~$5, and yet Mozilla charges almost double the amount per month at $9.99, and you need to get locked into a 12 month subscription to get the same price as Mullvad charges.

I don't get what the reasoning behind this is.

[+] Lio|4 years ago|reply
This looks interesting if only for an alternative income stream to support Mozilla.
[+] k_bx|4 years ago|reply
What takes them so long to sell their VPN worldwide? Would love to become a user.
[+] aborsy|4 years ago|reply
Glad to see the positive report.

On Mullvad VPN right now!

Any privacy benefit if I go through Mozilla?