Latest Mozilla VPN features (blog.mozilla.org)
243 points by alexrustic on March 31, 2021 | 175 comments


I genuinely don't understand what is the incentive for using Mozilla VPN? I'm a Mozilla and Firefox fanboy, but this new product had me sceptical since the beginning. They literally bring nothing to the table except their brand name. They don't even do the server side, but just resell Mullvad's infrastructure with their brand.

I'm already a Mullvad customer, and if I were to switch to Mozilla VPN:

* It would not be available in my country (Germany) right away

* I would have to join a waitlist

* I would have to pay with my credit card, instead of cash-by-mail. (Great privacy improvement! /s)

* I would have to use Mozilla's GUI instead of the wg-quick CLI. (The use of wg-quick is documented by Mullvad in addition to Mullvad's GUI, but I haven't found any wg-quick documentation on Mozilla VPN)

All of this for the same infrastructure, the same service (number of devices, ...) at the same price. What the hell are you doing Mozilla?!


If you're using mullvad you have likely already done a lot of research on which provider you want to use.

A lot of consumers are interested in a quality VPN but wouldn't do this kind of research.

Mozilla provide additional eyeballs and billing support, and mullvad provides the service itself. It's a mutually beneficial transaction.

They're not in competition for your money, they're targeting different demographics.


> they're targeting different demographics

This is the question though: who are these demographics?

I know Mozilla likely have a lot more data on this than I, but who is using Firefox / interested enough in Mozilla to read their marketing & research their VPN offerings, but is simultaneously not someone who would research VPN providers in general / use Mullvad? What is this techie/non-techie interested/not-interested hybrid person?


I'm one of those incongruent persons. Being wary of many VPN services, I never committed to using one, although I really wanted to start. Of course, I am aware of Mullvad and I could still skip the intermediary. However, I trust Mozilla more, as I've been following them for so long.

It sounds funny, because I do acknowledge exactly what you're saying. I'm in tech, interested in using VPN for years. I researched some, but was put off if they would mishandle my data. In the end, it will be Mullvad who will be dealing with my data, after all. But now I kinda trust them more after Mozilla.

I know it sounds illogical, just explaining how I feel about this.


that demographic is huge. most people under 40 today have grown up watching the surveillance industry establish itself, and those with any consciousness of their own vulnerability want to take action to minimize their surface area. until recently that's been extremely difficult and technical, but now firefox with container extensions, adblockers, and a VPN are all easily approachable for the average person, and they're all under one brand.


> now firefox with container extensions, [...] are all easily approachable for the average person

I think you might be in a bubble if you think the average person is using container extensions. There aren't even that many average people using Firefox anymore, least of all any extensions beyond adblockers (which still only reach at most 20% in general, including the all round more average Chrome users)

<off-topic-rant> Add to that there aren't even any container extensions that work well: the official Mozilla one doesn't support management of domain lists, and the best alternative (Containerise) is still limited and poorly supported (has outstanding bugs with things as simple as the www prefix). As for the individual site-specific options, the Google one is an all or nothing affair; there is no way to separate your traffic within Google's ecosystem, nor outside it: there's effectively two "zones", similar to Private Mode.

I wouldn't recommend containers to an average user in their current state


> that demographic is huge.

I just asked "who knows what VPN means" in IM group of non tech savvy folks, most under 35. No one knows.

Perhaps among us Firefox users that's different but certainly "most people under 40 today" wouldn't know even what VPN means.


Just about anybody that watches YouTube regularly knows what a VPN is. Even very mainstream, non-tech channels have been sponsored by VPN companies. It has died down a bit now, but it was insane for a while. A constant flow of sketchy VPN companies.

VPNs are heavily marketed to regular consumers these days. Mostly for region shifting or vague privacy/security benefits.


> most people under 40 today have grown up watching the surveillance industry establish itself

I'm not sure "watching" is the correct word.

> those with any consciousness of their own vulnerability want to take action to minimize their surface area

This is a pretty small minority, as demonstrated by the number of people that continue to use Google and Facebook properties by choice (referring to their actual services, not their pervasive tracking around the Internet at large)

> firefox with container extensions

As a more-technical-than-average person, my experience is that attempting to get all Google services running in a specific google-only firefox container is a non-trivial and extremely painful experience, as there doesn't appear to be a way to simply add *.google.com to the 'always open in this container' list, so each subdomain needs to be added individually. And then youtube.

> adblockers

Adblocks can break the check-out flow on multiple ecommerce sites. "Don't shop there" doesn't fly when that's the only online outlet that has the shoes she wants. What's the workaround? Spend a while working out what's causing the flow to break, and find a way to explicitly whitelist that domain for that site? Nope, just disable the adblock entirely and hope you remember to re-enable it once you're done.


I think most under 40 don't know that Google Chrome and Google Search are two separate things let alone VPNs and containers.

When these people say "surveillance" they mean they think that Facebook magically hears it when they say something out loud and they start seeing ads for it. We engineers overestimate the awareness average user has about technology.


> When these people say "surveillance" they mean they think that Facebook magically hears it when they say something out loud and they start seeing ads for it. We engineers overestimate the awareness average user has about technology.

Not "magically" - they don't trust their device. And can you blame them? Their device likely isn't trustworthy in so many different ways.

Hell, when accelerometers can be repurposed as rudimentary microphones, and when just about every modern device/app defaults to maximum "yes please track me," I tend to be paranoid myself!


This is kind of exactly what I mean too. In your case, you have a clear idea of what might be going on. But a vast majority just don't. They trust the wrong parties and place blame in the wrong places. At least this is the case with the people I know.

To give an example, after the recent WhatsApp PR crisis because of the change of toc, I see a whole bunch of my contacts changed to Telegram. They could have chosen Signal but no. They switched from an end-to-end encrypted app to an unencrypted app! That's what paranoia gets you unless you know what you're doing. I've pretty much given up on the average user on these matters.


Anyone who uses Firefox as their browser, wants to start using a VPN, and has not yet done significant research on a VPN.


I for one would trust far more to Mozilla foundation's brand than any random small VPN company to not abuse the user's trust or lie about its actual practices. From what I've been reading most of VPNs on the market actually have some level of privacy flaws, so it's not such an easy choice as it might seem - especially for people outside of US.


Me. I trust the Mozilla name, yet have never heard of mullvad.


I often have a hard time convincing someone why Mullvad is better than PIA, NordVPN, etc, because they simply don't know what to look for in a good VPN.

At least I can point at Mozilla VPN and make an appeal to authority.


> A lot of consumers are interested in a quality VPN but wouldn't do this kind of research.

In that case, they will probably use NordVPN or ProtonVPN


Mullvad is simply better than Nord and Proton by a lot. Their policies are more detailed, you can pay with cash and crypto, your accounts aren’t associated with any identifying information or email, they describe what exactly is stored in their database tables, they support WireGuard by default, their client engineering team seems more knowledgeable, etc.


I used to use Mullvad, but a lot of their servers were blocked for shows my wife wanted to watch and even on Netflix. I've had much better luck with ProtonVPN for that reason.


Maybe ProtonVPN is one of the ones using their users' residential IPs to route traffic. How else do you prevent Netflix enumerating all your IP addresses?


I think for Netflix there are dedicated VPNs where privacy is less important than frequent IP changes ;)


Wait, is NordVPN something an educated VPN consumer should not use? I switched from PIA after their acquisition, so now I'm wondering what I missed.


No one educated should be using NordVPN, more or less. At best it might be acceptable to throw a ton of torrents on as long as you don't use their terrible proprietary client.

Even the front page is already freely giving away tons of data to multiple analytics providers.

Basically any VPN with an affiliate scheme you should stay away from. NordVPN, Ivacy, VPN Unlimited, FastestVPN, etc explicitly, run like fuck. The more "YOU ARE UNPROTECTED REGISTER NOW!" the faster you should run.

NB: I am a power user/developer, but I do not use either company. Objectively, a basic eyeball comparison (match bullet point indexes):

Mullvad:

- Says "Not using Mullvad" / "Using Mullvad" (a neutral statement)

- Shows their company address and registered location at the bottom of every page

- No on-page analytics

- No third party includes

- One price

NordVPN:

- "Your Status: Unprotected"

- "Copyright NordVPN.com" only

- Multiple on-page analytics and third parties

- Loads google tag manager, google analytics, bing marketing, youtube, third party web surveys, zendesk, twitter ad pixel, google ads, bing, cloudflare, ada chatbot, ravenjs, processout, multiple fingerprinting and persistent device identification/tracking services (also performs webgl/font iteration/plugin iteration/canvas fingerprinting, etc)

- Repeated upsells, lying to you about price (see JS for fake "sale ends in x seconds" countdown timers that attempt to induce FOMO and more), packed with dark patterns; "9 hours left easter special TODAY ONLY" - same sale that has been running for years


Thanks, I appreciate the thoughtful reply! Do you use Mullvad? (kyawzazaw, I'm interested in what you use as well.)


I use Outline. I used to use OpenVPN + PiHole.


They had a pretty wicked breach (for nearly an entire year) a while back: https://nordvpn.com/blog/official-response-datacenter-breach..., and I've also heard their rather expansive marketing (the usual youtube personalities) brought up as a negative, but that one doesn't register much for me.


That's right. I use NordVPN because I got suckered into it using their terrible tactics (the whole 67% off for a limited time only offer that's been running for the past what, 3 years?), because stupidly I didn't do any research, but in general I only use NordVPN for ahem torrents. All else, I'd trust my ISP more than NordVPN.


Depends. If you only need a VPN to get around geo-restrictions you can use anything.


>They bring their brand name

To someone who isn't a leet hacker or SW dev, that is the ball game. Firefox and Mozilla aren't household, but millions of less-technical people know of them. Rather than getting their VPN (if they even know the value proposition) from some podcast advertisement, Mozilla is saying "Hey, this kind of service gives you privacy and we stand behind it".

I use it upon occasion. It's dead simple to purchase, set up on any OS and I trust Mozilla not to send me to a shady backend.

If you already have VPN and they don't offer it in your country, they clearly aren't targeting you.


I was also a mullvad customer and wanted to switch to Mozilla VPN specifically because it seems to be one of the only ways to support the browser. At the time they didn't support linux at all, but someone wrote a tool[0] to squirt out the necessary configs to use with wg-quick. When I saw that, I pulled the trigger and haven't looked back.

[0] https://github.com/NilsIrl/MozWire


> it seems to be one of the only ways to support the browser

Is this the case? Is income from Mozilla VPN put toward Firefox development?

If it is, that info should be front-and-centre; they'd have a lot more customers I think.


It supports Mozilla. Browser is pretty important, but they do other things like Rust.

https://wiki.mozilla.org/Projects/Complete


"Mozilla" is a complicated entity, and quite a lot of their funds go toward projects unrelated to Firefox (to the chagrin of many Firefox users as much of the donor goodwill toward Mozilla Foundation as an entity comes from Firefox).

There may be some clues in their public accounts but I guess VPN is too new a product to appear there yet https://www.mozilla.org/en-US/foundation/annualreport/2019/


> They literally bring nothing to the table except their brand name.

Isn't it the most important thing for a VPN provider? You want a company that is privacy-conscious, not one that logs your traffic and sells it or opens it to the various TLAs of the world.


> They literally bring nothing to the table except their brand name.

That has been enough for me. I generally trust Mozilla when they say privacy first and if I'm going to give my money to a VPN provider I rather give it to Mozilla than say NordVPN.


> I genuinely don't understand what is the incentive for using Mozilla VPN?

Supporting browser development instead of Mozilla Foundation.

This way at least they pass through the hands of the organization that does the most important work.

(Nothing against the other issues but right now the browser should be their top priority and I was massively annoyed when I found that donations towards the foundation couldn't be used for browser development and the browser.)


> Supporting browser development instead of Mozilla Foundation.

But is it going towards Browser development though? https://calpaterson.com/mozilla.html

Or is it going towards executive salaries?


What do you suppose we do in the meantime then?

I have a hard time coming up with an alternative that isn't just playing the ball into the hands of Google so that they can kill ad blocking right away?


It's as simple as that: You are not the target group.

If a regular consumer searches for a VPN product they get a million results, all with different deals and they'd have to figure out how to find the best one and will still be around in a year. If they already trust the Mozilla brand they'll go with that. Just like people go with stock apps on their computer over some maybe better third party app.


> If a regular consumer searches for a VPN product they [...] have to figure out how to find the best one and will still be around in a year.

Yep! It's a Mozilla product, so there's no guesswork and no worry. You know it won't be around in a year!


I signed up for Mozilla VPN instead of Mullvad for two reasons:

1. It was priced in USD.

2. The price is a flat monthly $5. They don't offer discounts for longer contracts.


> 2. The price is a flat monthly $5. They don't offer discounts for longer contracts.

This is something Mullvad has been doing since 2009.

https://mullvad.net/en/pricing


Ah yes, that's correct. My bad, I confused them with someone else I was also looking at, at the time.


4.99 USD vs 5 Euro (5.87 USD) would make Mozilla VPN 15% cheaper than Mullvad.


> It would not be available in my country (Germany) right away

You could use a VPN to make it look like you are in a supported country.


>I genuinely don't understand what is the incentive for using Mozilla VPN? I'm a Mozilla and Firefox fanboy, but this new product had me sceptical since the beginning. They literally bring nothing to the table except their brand name. They don't even do the server side, but just resell Mullvad's infrastructure with their brand.

The incentive for you is that Mozilla will keep Mullvad under close watch and make sure promises are kept - so you don't have to. Furthermore, there is no limitation for Mozilla to not seek other partnerships and/or develop the server side service themselves - they have the in-house dev talent to do so.

So, yes, they do bring quite a lot to the table besides their brand name.


I like Mullvad and supporting Mozilla.


>* I would have to pay with my credit card, instead of cash-by-mail. (Great privacy improvement! /s)

Do you download your configurations from the Mullvad website over Tor via their onion service 100% of the time?

Do you connect to Tor before connecting to Mullvad in your VPN client?


"IP" is a much more private datapoint than "Credit card number" and "First name, Last Name".

I'm not afraid of governments knowing who/what I do. I'm afraid of private companies holding private data about me.


Easy steady revenue is not a bad thing. Fwiw, I'm considering switching just to show some support for Mozilla.

I suspect that if they get enough traction they'll roll their own. Until then reselling was a quick and simple way to get going.


If you don't know anything about VPNs and are unlikely to (have time, motivation to) do a lot of research then you might trust Mozilla/Firefox more than some unknown company named Mullvad.


It's slightly cheaper than Mullvad, in the US. €5 is $5.88, and Mozilla is available for $5.00/month.


If Mullvad doesn't know who the customers are, that would be the only possible upside?


But they don't really know that anyway. Your account is just a number and when you mail cash you include a token that they can tie to your account number.

Obviously they could log your IP address (which they promise not to), but that's an issue even if you go through Mozilla to purchase the service.


I wonder if the cash-by-mail payment option creates some kind of legal liability for Mullvad. If it suddenly became very popular, I would imagine the financial authorities would be rather unsatisfied with "oh, we receive a bunch of cash from anonymous customers by mail, nothing dodgy here..."


I feel like most of those VPN services are using very borderline marketing and like to keep a lot of information blurry.

As far as I know, in a lot of countries (like France) it is a legal obligation to keep logs and be able to identify one of your customers if the police demands it. Therefore, if you have servers in France or any country with similar rules, you can't operate a "0 log" service. And since those kinds of services have servers everywhere (and it is even one of their selling points), it is extremely unlikely that they don't keep your data and will hand it to the police (willingly or not) if requested.

And if their own server gets breached, you can get the info of all the customers who used the breached server.

So I find the claim of those services that they provide "more privacy" pretty lousy. Yes they do hide your IP addresses, but that's far from being the only data used to fingerprint you. And if it is to protect you against a Wi-Fi that you don't trust or your ISP, sure it works, but you move the trust from them to your VPN provider.

Fighting against geofencing is good though.


> As far as I know, in a lot of countries (like France) it is a legal obligation to keep logs and be able to identify one of your customers if the police demands it.

Not for all types of services. ISPs are sometimes under obligation to log, but VPN services don't belong in that category.

I can't speak for others but we have contacts with legal experts (in a few jurisdictions) that alert us to changing laws. Ultimately if a country required us to start logging we would just cancel all of our machines there and leave.

On the topic of trustworthiness, you are completely right of course that VPN users put a lot of trust in their VPN provider. There is also the lemon market aspect - the information and competence asymmetry between user and operator. That begs the question of how to ascertain trustworthiness.

We think things like this help:

https://mullvad.net/blog/2018/10/17/signals-trustworthy-vpns...

https://mullvad.net/blog/2019/6/3/system-transparency-future...


Are you an employee at Mullvad? Just want to say thank you for the excellent product and does Mullvad plan to accept Monero in the future?


Hi! Thank you. I’m pretty sure it’s on the roadmap.


I would love to use Mullvad, but I need split tunneling on a per-process basis (Windows), since there is the occasional website that hates VPN-based servers. I have a special browser installation I use for such occasions, but few VPN providers offer per-process VPN exceptions. Any chance Mullvad is considering this feature?


Have you considered running a SOCKS proxy outside of Mullvad (ie on a Raspberry Pi or in the cloud?)

You could then use Firefox Multi-Account Containers to bind a container to the SOCKS proxy, and whenever you need to access a site that doesn’t support a VPN you can just open it within said container.


Interesting! Gave me something to look into, thanks.


If you squint at the git repository, you might see that it's being worked on.


You're correct that scummy, overselling advertisements make the whole VPN industry look bad, but Mozilla's VPN is provided by Mullvad, who doesn't engage in those sorts of advertisements.

FWIW, I've looked into Mullvad and even had beers with some of their programmers (all of whom appeared to be Scandinavian anarchist/anti-authoritarian types) and I think Mozilla made a good choice with that partnership. (Of course, don't take my word for it; do your own research, or just host your own VPN.)


Mullvad is the bee's knees. The cat's meow.


A real humdinger


The entire VPN industry is really shady. Their marketing is entirely based on creating literal FUD (fear, uncertainty, doubt) and sell their service as the perfect and cheap solution. The presence they have on youtube ads and other mainstream platform ads is really disturbing.


I hear what you're saying but that generalization isn't fair.

Check out IVPN for instance. They do a lot of things right:

https://www.ivpn.net/ethics/


Mullvad doesn’t do this, most providers do but I agree that this generalization is unfair to the VPN being discussed here.


I agree. A VPN should only ever be used for the following:

- Shifting traffic over a VPN when using untrusted/sketchy wifi hotspots

- Spoofing your geo-location to use geo-specific content

And that's it. If privacy is your goal, Tor is much more suitable since it's not a single-hop proxy like a VPN and compartments all your traffic. (But of course Tor is not a silver bullet and there are caveats).


What about tunnelling into a trusted network?

That's what a VPN is really for. The other uses are more side effects exploiting the encryption and tunnelling properties of VPN rather than the original intended purpose of a VPN.


I think he's talking about VPNs in the context of these companies selling vpn services under the guise of "privacy" or "security". ProtonVPN, Nord, Mozilla's, Mullvad and there are a ton others, many with less than stellar reputations and some that outright lie.

That's a bit separate from a road warrior, corporate vpn or even one that one may host on a VPS that they have full control over and are willing to allow the hosting provider still see the traffic. As in, they trust the hosting provider more than the transit provider. Think University/Campus networks, public gov networks, or even some ISPs or corp networks.


I got the context. My point is that the whole “privacy” VPN industry is snake oil and people miss the point of VPNs when they buy into these services.


I wouldn't go that far. There are some reasons that one could be useful. I don't personally have a use case cause I have other mitigations in place but I wouldn't consider a company like Verizon particularly trustworthy in general.

Even Comcast has been known to inject ads. The core tenet of these VPN services is trust, with it they don't survive, but for an ISP with a de-facto monopoly that's a non factor. There are also plenty of sites and services that use IP tracking. Google is really bad but others are doing it behind the scenes and not telling you. Reddit 100% does. Amazon too. To the point that if I proxy my connection and try and login to one of my Google accounts I sometimes have to verify or go through recovery.

So in some cases it's better than no VPN. And I wouldn't use any authenticated service over Tor that I wish to keep. There are so many malicious relays and exit nodes.

TOR is easily tracked at the nation-state level. China can axe Tor traffic, even with bridges and OBFS4 configured.

With a service like Nord, you can get on and do your thing to bypass the great wall for the most part. And when the great firewall drops that connection you have a very large pool to choose from for your next.

So there are definitely some reasons I could understand some would use them based on their own assessments/needs.


Unfortunately as GP has mentioned, advertising around these typical VPN companies (Nord, Proton, ExpressVPN, Surfshark and many more) tends to be very misleading. Tom Scott put out a good video[1] that tries to debunk various marketing claims.

Sure there are use cases like getting around georestrictions, and like you mentioned you can use it to get around tracking. Except that for privacy and evading tracking you need more than just a VPN, you need to be doing things like adblocking, tracker blocking, clearing all of your cookies, not signing in to anything because then the service gets to link your new VPN IP with you again. VPN ads that sell "privacy" is snake oil unless it is paired with a guide on the additional things you should be doing.

[1]: https://www.youtube.com/watch?v=WVDQEoe6ZWY


I get why people want proxies and such like. I'm just saying it's weird how VPNs have become people's de facto go to when they want something proxied. Most of the time when people think they need a VPN, what they actually need is something else that is incidentally provided by VPN. As in they're covered as a side effect of using a VPN rather than using a VPN for its intended purpose. But I guess you could argue I'm being elitist and what not, which is fine. Literally the only reason I bring it up was because it just tickled me when someone posted on a nerd forum a list of the purposes of VPNs and actually missed off the primary role of a VPN.


It’s less elitist and more it’s a simple measure that the masses can understand and very simple and easy to implement. Security is hard and security/ encryption done right is even harder.

I have piholes with dnssec running at least upstream for privacy. And a vps I use as both a socks proxy and vpn here and there. But I have the technical know how to implement that.

Let’s say, my parents just wanted a way to make sure their traffic was encrypted from either their ISP or Corp provided iPhone. I wouldn’t tell them to go build a Linode or use Pi-hole. They don’t care. But a vpn with a decent trust rating with nothing more than a login would do it and is easily achievable.

Would I still advise them to be cognizant that other lower level spyware may be on their Corp phone, sure, absolutely. But that’s not always the case. My org doesn’t do that. We give you a phone and pay for service. You can use your iCloud and we have the ability to lock it/decom it because we own it. And can lock them out of email but we can’t run find my iPhone on it.

There have been requests to our provider for more traffic data for x user. So even I run a vpn when using their data.

Another example. I had a buddy going to China for a couple months who wanted advice on how to secure his stuff. I advised him to use burner devices and change passwords yadda yadda. But then the question of accessing email, such as gmail came up. The great firewall is pretty nuts. I set him up an account on my vps and enabled obfs etc on the vpn.

But he also used nord as a backup because he had a ton of options there geographically dispersed. In the end, all he needed was nord at all. And when the firewall dropped his states to one node he would just reconnect. It worked just fine.


Tor is explicitly not private, only anonymous. The end node can see all the traffic you send through it if it's not encrypted. If privacy is your main concern, tor is definitely not the right tool to use.


> TOR is explicitly not private, only anonymous

It depends on how you use Tor. For example, visiting your own personal homepage and then using the same relay to visit a NSFW site would be bad OPSEC. Also, Tor comes pre-installed with HTTPS Everywhere, and you can toggle a setting that disables all http traffic if you're worried about sketchy exit nodes analyzing your plaintext traffic.

Remember: Tor can't read your mind. If you want true anonymity you have to go through extraordinary lengths to achieve it, and even then, you could make mistakes.


The caveats you're mentioning are exactly why tor is a bad tool if privacy is your main goal. None of those concerns would be an issue with a service that focused on privacy.

Also HTTPS everywhere isn't enough; you also need ESNI, which requires server support.


And even if ESNI was ubiquitous, a malicious exit would simply perform a reverse DNS lookup and have very high certainty about which sites you’re visiting.


What about avoiding copyright letters?


If someone is determined enough, they just subpoena the VPN and ask for logs. Since a VPN is a single-hop proxy, your real IP is trivially exposed. Even if the VPN provider claims they don't keep logs. There's no way of proving they don't keep logs, and you need to hope the server you connect to is not compromised in some way. And VPN providers are known to use cheap colocation servers/Virtual Private Servers which have questionable security.


> If someone is determined enough

This sweeps the entire benefit under the rug. If someone isn't determined enough, a VPN solves your problem.


Have there been any known cases of someone being identified for copyright violation while using a VPN service?


Depends on the VPN.

ExpressVPN is HK/CCP owned, so I wouldn't worry too much about my privacy being violated for petty copyright infringements (BitTorrent).


VPNPro doesn't list ExpressVPN as having Chinese ownership. Wikipedia[1] claims it operates in the British Virgin Islands, and Quora claims the same. That written, a comment on Quora claims that it's owned by the CIA. Ha ha!

[1] https://en.wikipedia.org/wiki/ExpressVPN

[2] https://www.quora.com/Who-owns-Express-VPN


You don't need to be based in BVI to be registered as a business there.

(Whether or not they are owned by CCP or anything like that I have no idea, I'm just saying that being registered in BVI doesn't mean it's not possible for them to be owned by a CCP or anyone else)


The company in the British Virgin Islands is a shell company with HK ownership, AFAIK.

With the CCP taking over HK, ExpressVPN could be used to gather information on domestic dissidents and foreign visa holders. Assuming it's not already.


> ExpressVPN is HK/CCP owned

Thank you for this callout. Had no idea.

Comparing VPN services, I’ve found ExpressVPN to be highly rated. The aforementioned callout means ExpressVPN may not be the best service for me.

In lieu of specific technical criteria regarding VPN services, who are the go-to (aka “top of mind” or “A list”) providers that privacy conscious, technically adroit (e.g. web dev with some sysadmin knowledge but little networking knowhow) users prefer?

In other words, I’m looking for VPN recommendations but no longer trust my own Google-fu (advert rabbit hole) to discern what is a “good” choice.


Mullvad is probably the best choice for most. It's the company Mozilla is relying on for their VPN service as well.


I've never used any VPN myself, but whenever I come across the topic in tech circles people seem to recommend Mullvad. Can't vouch for them or anything, but might be worth looking into.


I personally use ProtonVPN.


- Routing traffic over untrusted home/office ISP

- Censorship circumvention


> Censorship circumvention

In some countries, censorship circumvention usually requires sophistication that not all VPNs provide. A few like getoutline.com, getlantern.io, and psiphon.ca specialize in that.

In most countries, VPNs aren't even needed to circumvent censorship. Apps like getintra.org, GreenTunnel employ simpler techniques to bypass firewalls.

> Routing traffic over untrusted home/office ISP

With TLS v1.3 and DoH / DoT, I think VPNs may no longer be required if "hiding traffic" is the only need. Hiding IPs, however (of both the client's from the server and the server's from the ISP), would continue to require the use of VPNs.


> With TLS v1.3 and DoH / DoT, I think VPNs may no longer be required if "hiding traffic" is the only need.

You, as a user, have little control over whether the servers you connect to support TLS 1.3 and eSNI / ECH.


You're missing two major use-cases.

1) Piracy (the most common, I would imagine)

2) Evading content-blocking. For example, going to Facebook at work.


Another benefit is that VPNs raise the bar for investigation. You are not safe from the FBI or interpol, but for "petty crimes" like pirating you are safe(r).

Comcast basically has automated the process of sending you a cease and desist if they detect you are torrenting something you shouldn't. Mozilla doesn't.


It's really disappointing to me that Mozilla VPN didn't support Linux from the get-go, and even now, from their FAQ [1], apparently only supports Ubuntu. The code for the client is open source, and can be built on other distributions, but the more pressing question to me is why their own client is necessary at all. Mullvad (which this VPN is based on) allows you to just download WireGuard/OpenVPN config files, which you can use with your own, more widely used/trusted client. The only reason I can see for Mozilla to require the use of their own client is to enforce their device limit, which really leaves a sour taste in my mouth. I don't think their desire to impose the device-limit should outweigh the security implications of disallowing me from using the standard WireGuard client.

I want to give Mozilla my money for this, but it's really annoying how unfriendly its implementation is.

1: https://www.mozilla.org/en-GB/products/vpn/#faq-compatibilit...


Hi! I'm one of Mullvad's founders.

I can't speak for Mozilla, but we have our own desktop and mobile apps because it enables us to do more privacy-preserving things with a higher assurance. Consider for instance DNS leaks, Teredo leaks, IPv6 leaks, esoteric DHCP directives that can hack your routing tables, and so on.

And these are just a few of the things we were early in mitigating correctly. Consider also the tight relationship between UX and security, and it is clear that we can't rely on "generic VPN clients" to always agree with our design and security preferences. That doesn't mean they are wrong and we are right of course. It's just that we have a very specific mission.

One architecture decision we made for our app was to write its backend in Rust, and integrate tightly with the firewalls on Windows, macOS, and Linux. It facilitates stability and therefore reduces the risk of states where data leak outside of the tunnel. Check it out, it's open source. As all security-related things should be.

https://github.com/mullvad/mullvadvpn-app
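
An added example, not part of the thread and not Mullvad's or Mozilla's code: a small Python audit of a wg-quick style configuration for two of the leak classes named in the comment above (DNS and IPv6), which is the check a user of a generic WireGuard client has to make for themselves. The sample configuration, its placeholder keys and addresses, and the finding codes are constructed for illustration.

```python
import ipaddress

# Constructed sample config: keys, addresses and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY=
Address = 10.0.0.2/32
# no DNS line: the resolver stays whatever the local network handed out

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 192.0.2.10:51820
"""


def parse_wg_conf(text):
    """Parse wg-quick text into [(section, {key: [values]})]; both may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            items = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.strip().lower(), []).extend(items)
    return sections


def covers_everything(networks, version):
    """True if the networks of one IP version collapse to the default route."""
    same = [n for n in networks if n.version == version]
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(same))


def audit(text):
    """Return a sorted list of finding codes for leak-prone settings."""
    allowed, dns = [], []
    for name, keys in parse_wg_conf(text):
        if name == "peer":
            for item in keys.get("allowedips", []):
                allowed.append(ipaddress.ip_network(item, strict=False))
        elif name == "interface":
            for item in keys.get("dns", []):
                try:
                    dns.append(ipaddress.ip_address(item))
                except ValueError:
                    pass  # wg-quick also accepts search domains on this line
    findings = set()
    v4_full = covers_everything(allowed, 4)
    if v4_full and not covers_everything(allowed, 6):
        findings.add("ipv6-outside-tunnel")  # IPv6 follows the normal routes
    if not v4_full:
        findings.add("split-tunnel")  # only some IPv4 destinations are tunneled
    if not dns:
        findings.add("no-tunnel-dns")  # resolver choice is left to the host
    if any(not any(server in net for net in allowed) for server in dns):
        findings.add("dns-outside-tunnel")  # resolver is not routed via the peer
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(SAMPLE_CONF):
        print(code)
```

The audit only reads the configuration; it does not detect leaks caused by interface changes or tunnel disconnections, which need firewall rules on the host.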


Hi, thanks for the response. I'm a big fan of Mullvad's approach to creating a VPN, and I'm hopeful that more companies will follow in your path. I've been using your service for a few months now, and I'm really satisfied with it.

I should perhaps have been clearer when I referred to generic VPN clients, I was talking about the original WireGuard implementation by Jason Donenfeld, not just some random software, which I would hope you agree is a (sufficiently) secure implementation when used by technically proficient users? I do appreciate that there are reasons for having a specific client for your service, and it is absolutely necessary for those who are new to VPN apps, but I would hope you appreciate the reasons for providing implementation-agnostic WireGuard/OpenVPN config files, since your own service does so?

Regardless, thanks again for the work you're doing in this sector, and best of luck for the future.


Thanks! Yes, I completely recognize that many users prefer to download a generic configuration file for WireGuard or OpenVPN. In our case we want to support that use case. At the same time encouraging use of our own app allows us to invent to a much greater extent. And mitigate risks.

There are plenty of VPN clients, some by big enterprise-y networking companies, that at least historically have behaved in ways that leak the user's traffic when interfaces change, on DHCP issues, tunnel disconnections. It's just easier to make our own app and be able to say what it does and doesn't. And that nothing will change tomorrow because of someone else's design decision. :)


I absolutely love your service and will definitely renew it considering my one-year license is close to expiry.

Any reason why you don't use a PPA or something to auto-release updates? I've postponed an update quite a few times because the friction of going to your website, downloading it, and then upgrading the package is just a bit too much in certain situations.

Other than that my only gripe with the app is that I can't close it from the app indicator, but have to re-open it, click on the settings, and then choose "quit app".


Hi! I'm glad to hear that! Regarding PPA etc I can't say for sure since I don't lead the app team and don't want to interrupt their work day. I'll relay your comment though. I hope that's OK.


This is great to see. I highly recommend your team look into it. Setting up a PPA (or even just your own APT repo on S3) is extremely simple and is a robust way to push out updates. I would be happy to do a few hours of consulting for your team to help get this done.


This is great for non-techies, but I want to control my own traffic, customize the behavior of my VPNs, ...

Any deviation from the standard implementation, open source or not, is a hindrance.


Mullvad allows you to use any WireGuard public key you want on your account; you can just use the standard client, generate your own keys, and do your own config.

Not an employee, I just like the service.


I thought Mullvad recommends WireGuard and that your app uses OpenVPN? On Mac, WireGuard is certainly faster to connect and more stable than the Mullvad app.


Hi! No, our app uses WireGuard by default.

https://mullvad.net/en/help/wireguard-macos-app/


But it throws compatibility with devices that don't support your client out the window. Like I might want to have an entire VLAN on my home network route all traffic through the VPN which would happen through my router. But my router only supports common VPN protocols like IPSec, OpenVPN, and WireGuard.

Sure, I could make it work with a separate Linux server running your app and some routing but that's far more work than most other VPN providers.

I'm fine with warnings in your UI about connections with these protocols being "less secure" like how Zoom handles E2E with phones.


Mullvad also provides OpenVPN and Wireguard config files.

https://mullvad.net/sv/help/tag/other-vpn-software/


So then what's with all the claims that Mozilla VPN doesn't work with them? I held off trying Moz's VPN service because of people saying it didn't work and not finding any official support.


While Mullvad provide those configuration files to customers who use their service directly, customers who are subscribed to Mozilla VPN don't have access to these configuration files, which is what makes it especially irritating to me.


I think the market segmentation is that more savvy users would bypass Mozilla and sub directly with Mullvad.


Which is fine except that I would go with Moz VPN specifically because I want to give them money.

Mozilla seems to make it really hard to pay them for goods and services.


The device limit is enforced on Mullvad's side already. It's 5 devices, even if you use another client (tracked by simultaneously connecting IPs IIRC with some leeway for spikes).


Like it's absolutely wild that their VPN implementation requires their client to work. Basically every other VPN provider will expose endpoints for IPSec, OpenVPN, WireGuard, etc. etc. for instant compatibility with clients that can't run your pretty app.

Sad that PIA tanked their rep because their Linux support was top notch. They even had a script that would set up NetworkManager profiles for you.


They still have scripts for generating configs manually -- maybe not NetworkManager, but I use it on a server to establish a wireguard tunnel.

https://github.com/pia-foss/manual-connections


What "tanked their reputation"? I've been using them for years.



They also hired Mark Karpeles as their CTO.


Isn't Mozilla VPN just rebranded Mullvad? The only difference is that you can get Mullvad anywhere and pay anonymously without any accounts.


It looks like it uses Mullvad servers, but is otherwise its own software.

It uses WireGuard, an open VPN protocol, so it's not necessarily forever anchored to Mullvad.


Mullvad provides both OpenVPN and Wireguard.


"Being its own software" is sort of meaningless.

It's Mozilla white labeling an anonymous VPN service (ie, we don't know who runs it).


> "we don't know who runs it"

I thought its owner regularly comments / joins in on Hacker News... I didn't feel like I don't know who's running it?

Edit: quick search turns up two very relevant posts:

https://news.ycombinator.com/item?id=24169684

https://news.ycombinator.com/item?id=23567530


The website of Mullvad itself has essentially no identifying information, and that's fine and perfectly reasonable, it's just got to be part of your threat model of using the thing. Mozilla whitelabeling the service and giving it a well known reputation is another thing entirely.


Hmm... I may not fully understand what you're looking for. From their website:

"Who owns Mullvad? The Mullvad VPN service is operated by Mullvad VPN AB which is a subsidiary of Amagicom AB. Both companies are 100% owned by founders Fredrik Strömberg and Daniel Berntsson."

Location, Company name, individual names of founders/owners. What other "identifying information" would satisfy?

I found their FAQ, blog and guides tremendously helpful, transparent and upfront. There's a wealth of info with just a couple of clicks.


Also Mullvad's app has been audited.


I'm curious - Have their servers and processes been subjected to any audit like that?



Thanks for the link!


The rise of VPNs signals to me that we as an industry have given up on end to end encryption. Instead VPNs try to encrypt the "first hop" with the assumption or hope that the networks further down the line are "secure"

Being on an "unsecured" local network shouldn't be an issue for security.


How has the industry given up on encryption? In recent years, HTTPS became the new standard and most apps are forced to use encrypted connections as well. Just because VPN ads are calling local networks "unsecure" doesn't mean that they are a true risk.


Not encryption in general, but end to end encryption.


In that case commercial VPNs won't help much anyway.


I can't find a single reason why Mozilla should be wasting resources on VPN when there are already plenty of companies on that grind.

I can't find any good reason for encouraging people to circumvent network controls, or throw more networking complexity into what was previously very simple for users.

The constant marketing of 'you need a vpn' is super counter productive for users because they have no idea what it even is, what it can break, or why they needed it in the first place. I've run into plenty of folks that said they use vpn because someone offered it to them for free, not because they needed it for any reason.

It's stupid shit like this that makes the development of their key software languish.


I didn’t need a VPN until I did:

Recently visited family in a different state and stayed with them for a week. They had a fast internet connection but something in their router made establishing a new TCP connection take forever. I bought a subscription to Mozilla VPN and voilà, now my TCP connections open quickly again. Also bonus: I don’t pollute their ad results with my searches.

While yes I could dig into their router problem, they had no issues with how things worked and I needed to get work done.


Killswitch and split tunneling are the only things that are keeping me from using it, I want to give Mozilla my money...come on man.


What does split tunneling mean in context of a public VPN?


I want to split the tunnelling from my local machine, I want certain (whitelisted) applications to bypass the VPN and everything else to use it.


I would prefer something a bit more granular than changing my device's network configuration and sending all of its traffic through the same VPN. Just because I want to watch a movie through a server in another country doesn't mean that I also want my video chat app or stock trading app to take the same detour.

Since this is Mozilla, how about a Firefox extension that passes all Firefox traffic through a VPN, like Tor Browser does, but doesn't touch any other app? That would differentiate it from most of the other VPN offerings out there. Currently my go-to solution is to set up a local SOCKS proxy with an SSH tunnel and point Firefox at it. It's good enough for testing, but not all services work properly when accessed that way.


I completely agree with this. If Firefox worked this way, or even just some special tabs of it, that would be great. Brave has TOR tabs AFAIR. Also an easy to use app would be great that can manage other apps' network connections - some could be blocked, some could be redirected through a VPN, etc.


All I'd want from Firefox would be a browser based VPN. As in per tab or container. That I would appreciate. Mostly for GeoIP restrictions for some sites.

For a VPN for the whole system I can use other providers whose main business is VPN.


When in beta, Firefox VPN was indeed a browser add-on. I used it for months and it was really good, but they have now removed the add-on and only support the desktop version. I don't know why. Is this a stupid idea? Why not support a browser plugin?


Can someone explain what's the point of "VPNs" (VPT in reality, there's no network here, just a tunnel)?

I see the point of having a VPN to my own network but paying for a tunnel to some random place... why?


Here's a few reasons:

- You trust the VPN provider more than your ISP

- You want to circumvent geoblocking (Netflix, Sports broadcasts, etc...)

- You have to use an untrusted Wi-Fi

- You want to circumvent your government blocking certain websites/services


A few use-cases I can think of: GeoIP spoofing (watching streaming shows not available in your country), bypassing IP bans from places, preventing DMCA letters from torrenting, and getting past restrictive firewalls that block websites


No warrant canary, from what I can see.


From their website:

> No logging of your network activity

Does it mean I can torrent whatever I want? I mean, if there's a copyright notice, how're they going to know it was me?


Just use a private tracker site. Copyright and DMCA notices are a thing of the past if you are using private torrent groups and trackers.


I was just wondering how they'll respond to any copyright notices if they don't log network activity.


> Does it mean I can torrent whatever I want?

Yes


I don't understand what can be so hard about "supporting" more countries? It's the internet. Anyone can access your servers. International credit card charging was invented decades ago. Take my money.


Probably that fraud detection doesn't work well enough in some countries to make more money than you spend. AVS, for example, is only available in the US, UK, and Canada. It sucks, but for some types of services, there's an army of people trying to use stolen CC numbers.


The only three countries that have sufficient fraud protection for AVS are anglophone? I don't think that is the (only) reason here.


Not speculating on why, but yes, those are the only countries that do AVS. Though AVS is just part of it. They support Singapore, which doesn't do AVS. So apparently whatever fraud protection is available there suffices.

Also, it's available in New Zealand, but not Australia, which is a fairly large anglophone population.


Don't a bunch of countries have laws about VPNs?


Off topic, but...

Is Mozilla VPN going to be available in other countries in near future? I would like to hear the roadmap from Mozilla folks. I live in Japan and am wondering when it would become available in my country...


I don't like that it's tied to your Mozilla account, which I never used anyway because I like to keep strictly local copies of my credentials using Keepass. Storing secrets in the cloud comes with a risk. Someone (hello NSA) will use your encrypted cloud-based vault as target practice and try to crack it. With a local copy, only I can access it.


I honestly just thought this was a reskin on top of Mullvad


what's the added value compared to just using mullvad?

seems like a way for mozilla to gain shares without much effort? kinda disappointing


[flagged]


I'm not sure how to ask this, but do you really believe this "4D chess" theory?


What deplatforming and anti free speech measures is this talking about?


The way I always hear it, the title of a Mozilla blog post was “We need more than deplatforming”¹, which was/is interpreted by some to be an endorsement of deplatforming.

1) https://blog.mozilla.org/blog/2021/01/08/we-need-more-than-d...


> which was/is interpreted by some to be an endorsement of deplatforming.

How else could one interpret it? I'm genuinely curious, as I thought they were pretty clear about it (emphasis mine):

> We need solutions that don't start after untold damage has been done.

> Changing these dangerous dynamics requires more than just the temporary silencing or permanent removal of bad actors from social media platforms.

> Additional precise and specific actions must also be taken:


Imagine that you wanted to advocate against deplatforming, specifically by suggesting better ways to accomplish common laudable goals. However, you can’t argue directly against deplatforming, as this instantly labels you a Trump supporter (and might get you deplatformed). So what could you do?

I am not claiming any secret knowledge about what Mozilla was or is thinking, but what they wrote can certainly also be interpreted in this light, as well.


I was curious about the above question, so I did a basic google search out of curiosity. Not sure if this is disturbing, ironic or funny, but here is a blog post from Mozilla: "We need more than deplatforming by Mitchell Baker"

https://blog.mozilla.org/blog/2021/01/08/we-need-more-than-d...

Edit. Added title of the link.


Here, I'll get this over with quick:

Argle bargle Mozilla bad something something Pocket integration, Firefox isn't even that fast grr Brendan Eich, one time Thunderbird loaded a tracking pixel.


You forgot dropping XUL extension support


I switched to Brave, I feel it's the new Firefox really (both Brave and Firefox were founded by Brendan Eich). IPFS, Tor, built-in ad blocker in Rust, crypto, that's what I want in my browser. VPN is so 2010.



Why would anyone trust Mozilla with their private browsing data? https://blog.mozilla.org/blog/2021/01/08/we-need-more-than-d...


Supporting the transparency of politics has nothing to do with user privacy. Mozilla has an excellent track record on the latter and they put up a great fight in a seemingly lost battle.


Mozilla: a corporation funded by a spying company with a recent shady record of injecting stuff into products secretly (hello Mr robot). What could go wrong in this thought crime?



