How would you claim it's a no log VPN?

That’s been my pet theory from day 1, and not because of DDoS. Simply because they are the SSL terminator for most of the internet and can see anything going on in cleartext (and I’ve seen them protecting some shady stuff)

I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)”

If NSA aren’t installed at Cloudflare, I wonder what they are even doing.

I don’t see how they couldn’t be. Either on purpose, secretly my coercion, or secretly without their own knowledge. It’s so valuable

> Wonder who can do those sudden attacks?

Anyone with a few crypto currencies in their wallet that can click a button on any of the booter services with botnets for hire.

Yeah, their origin is a story of absolute incredible luck. Cloudflare came out of nowhere and suddenly massive sites with huge user bases around the world, including places like 4chan, were getting DDoSed. Then they immediately announce that they transitioned to Cloudflare. Hell of a lucky time to make a company that the entire internet suddenly became absolutely dependent on.

The funny thing about that era is you knew they started using Cloudflare because they went from stable with constant uptime to going down and showing a Cloudflare banner randomly all the time for a good year or so. They ran worse with Cloudflare than they did while they were allegedly getting DDoSed. The whole company glows, as the late great HN commenter Terry Davis would've said.

> It does significantly lower the bars for identifying you though, but the requirements are still high

If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for party that has a whole host of other bits on a list of suspects, without being useful to most other people.

1. https://en.wikipedia.org/wiki/NOBUS

Every now and then there are articles like this one about something that Mullvad may or may not be able to do better, and there are always comments about whether they're an intelligence front.

I don't know the answer, but there are two ways to take it:

1. Submarining to destroy confidence in an actually trustworthy, decent VPN company

2. They're an intelligence front.

For me, Mullvad have the appearance of the greatest likelihood of being legit since they're not aggressively pushing their product with lies and fear mongering. That gels with my vibe. If they're an intelligence front, well, most VPNs probably are as well, so I'm no worse off.

Luckily I'm not doing anything that would get me in the kind of trouble for which multi-jurisdictional cooperation is worthwhile.

If you use the VPN for the Web, browser fingerprinting is a major threat outside of specialized scenarios

Public VPNs only protect you from your ISP

I think you are misreading his comment. He is saying that on a VPN it is standard behavior that if you visit site A and site B they will both see you connecting from the same IP and can infer you are potentially the same person.

Sort of. There are a bunch of timing attacks bug in general it still works fairly well.

and so is ARPANET

But what privacy do you think majority of people who not doing something badly illegal expect from VPNs?

Most likely these people just look to hide their torrenting, saying political shit on Twitter from employer and not share their choice of porn with local ISP. Also just adding one more layer between them and occasional scammer who can sometimes infer more broad geodata from their IP leaked from yet another database. Oh and now to avoid "Show your ID" page on the same porn sites.

It works well enough for this goal. Not everyone needs NSA-proof solution.

PS: Obviously more tech savvy people understand importance of hiding traffic on public WiFi, but I doubt average Joe the VPN user will buy VPN for this.

It is privacy with respect to your ISP. A lot of ISPs are pretty shitty. Some will rat out their own customers to copyright mongrels and threaten to disconnect you - which is important when there's a local monopoly.

Things you connect to or log in to are clearly going to be able to ID you at least with in the context of the login that you use regardless of what the VPN does.

I'm logged into HN through Mullvad as it happens. I usually leave it on regardless of what I'm doing because what I'm doing isn't my ISP's business even though I'm pretty happy with them.

"Not knowing who a user is" privacy may still be useful even if you don't have, "not knowing two users are the same user" privacy.

oopsie, has someone burned their proprietary intel for internet points?

Can it get my IP?

I'll go ahead and answer that it can't. It knows I'm mullvad user X, thus deanonimization, "it knows I use mullvad", but it doesn't know my original IP, so "it doesn't know I'm me".

This might be a good idea, but consider banning them for, say, a couple hours at a time. It’s easy to rotate IP, especially if you’re using a residential proxy service, and there’s a good chance you’ll end up blocking real users using the same ISP.

That’s nice, I need to implement this.

By the way, if you’re a webmaster doing this, look at the Accept-Language header instead: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

I use aVPN when I’m traveling and want to order food delivery for my 93 year old mother in NY. UberEats and InstaCart will stop me from ordering when logged in my mom’s NY account if I’m in China, Saudi Arabia, India, Vietnam, etc.

It's possible that contributes, but to be honest most VPN users are split "privacy seeking" and "abusive". Though I grant you paid users are probably slightly more circumspect than users of Tor, etc.

It seems more likely this is just about load-balancing use against their available nodes.

> I imagine there are a bunch of things on the internet that break if you start trying to connect to them from varying IP addresses. Things like the various CAPTCHA schemes and rate limiting etc, IP reputation etc.

Given how much of the world is stuck behind CGNAT now, I would expect any major sites to handle it.

> 4. Allowing you to bypass geo-restrictions on certain content.

In theory, but as someone who uses Mullvad in the UK on a day-to-day basis on my personal laptops (not my phone) - I'm using it now, I'm afraid there's quite an additional downside I've found, in that because Mullvad's (at least UK, but also French and Dutch ones I've tried) exit IPs are known, many companies (Cloudflare, Akamai) at the very least know about them, and several sites block access when using Mullvad, returning 403s.

Santander bank for example, I can't always (sometimes I can) connect to when using Mullvad, and sometimes have to turn it off, as I get 403 responses from the bank otherwise (using Firefox).

Sometimes using IPv6 in the Mullvad settings gets around this, but more and more recently I've found it doesn't, so there sites where I'm having to stop using Mullvad to actually access sites.

(I'm still a happy customer, and 1 to 3 are still true and why I use it otherwise).

How is private company (VPN) is more trustworthy than an other private company (ISP) and how do you expect them to protect your identity in face of determined state actors that are afer you?

What power is in $2.99/month that it offers so much security?

Why is that at least 40% of sponsorship to YouTube Creators seem to be from VPN industry?

What is that they know and we don't know?

Marcus Hitchens (security researcher who blackholed the WannaCry ransomware domain) made a post on LinkedIn today comparing VPNs to snake oil. With regard to the way they're advertised in internet ads, they are. VPNs will not protect ordinary users from ad tracking or commercial data mining. They're marketed as a privacy tool when their privacy value is very limited.

VPNs are useful for the reasons you mentioned.

Making your traffic cross jurisdictional boundaries also adds a level of difficulty for tracking usage.

Local law enforcement can tap a local ISP for their records, but it would take a scale more effort to then tap a non-local service provider for their records. Each additional level of difficulty adds a cost, and at some point those costs aren't worth the potential results.

(assuming that the VPN provider doesn't just roll over due to an email inquiry, or isn't a front for very cooperative law enforcement).

Unfortunately, the largest and most well-marketed VPNs are, in fact, less trustworthy than your average ISP.

> place of low-trust, your ISP, to a place of high-trust, ideally a trustworthy VPN like Mullvad

This is highly subjective statement.

Almost all commercial VPN services farm and sell your data. Just by that, my ISP is definitely high trust point while any commercial VPN is a low trust.

I do all my illegal shit over Mullvad and I've only been raided once.

(yes, I've been raided)

(I started using Mullvad after - because of - that)

(I don't do illegal shit, I just like some obfuscation of my trail because I enjoy fiddling with this stuff - which may have been why I ended up a raid target in the first place)

> That doesn't scream US three-letter organization at all.

They have their own tools + tor, they do not need mullvad.

VPNs as marketed to "normies" is absolutely snake oil. It won't improve anyone's "privacy" in any meaningful way to simply proxy all their regular traffic through a VPN.

VPNs are a technical tool for technical people. You need to know exactly why you need it in order for it to be useful.

If people using some tool made my job harder id be vocally against it during off hours. But lets be real any powerful group interested in tracking people would just be working with or running vpn companies. Or perhaps providing free vpn. Either way I think its all moot as for tracking you have to question who you do and do not want to be tracked by and for other purposes vpn works just fine