I’ve trash talked this website before in my head, but maybe I was approaching it as a professional organization instead of more of a blog run by a small group of people.
They aren’t just doing ads dude, it’s a for-profit propaganda machine.
But seriously, Mullvad would do well to switch out their email provider to something that’s not Google. Even though email is inherently unsafe, email through Google is pretty much is unsafe as it can get.
A long screed but has this jackhole who writes so unprofessionally even reached out to Mullvad for comment or explanation? Because that’s usually what respectable journalistic outfits do.
They don’t post some screenshots, make inferences without knowing all of Mullvad’s backend, and say “what we are saying is definitely true and there’s no possible way we could technically be wrong.”
I can think of several ways they could be wrong, it would have been helpful to have any statement from Mullvad, because they might have a technical reason for this (up to and including making sure their emails aren’t disappeared as spam, because running your own email server sucks.).
Anyway, pretty unprofessional and makes me pretty skeptical of the claims until more solid evidence than a screenshot surface.
For example, who is to say that Mullvad hasn’t set up their own client side encryption keys? This is an option Google offers for use with business accounts. This effectively means Google doesn’t have your keys nor can read your emails.
If privacy is of utmost concern, we recommend that you refrain from communicating any personal data to us since plain-text email is not a safe media for communication. If necessary, use PGP-encrypted email.
…
…
We do use a third party to operate our email service, so we remind you to carefully read #1 again.
Your computer, your IP address, your message to a destination gets encrypted in a couple layers and passed on.
Your ISP knows exactly who you are and that you’re reaching out to server 1. They can’t see your data but to them, you’re using a VPN probably.
The first server also necessarily knows who you are, unpacks one layer of your request and sends it on to a second server (in Invisiv’s case, Fastly; in Apple’s, Cloudflare).
The second server now knows that data was requested from the first server, and it can see the name of the domain you’re requesting (YouTube, for example) but because the request came from the first server, it theoretically won’t know it’s you making that request
The data moves on from the second server to the destination, with the destination only knowing it’s receiving data from the second server, and not knowing about the first server.
The obvious issues here:
Do you trust the people providing the multi-hop VPN-like service?
Do you trust the two servers, which have necessarily entered into an agreement of some sort, to not collaborate regarding transmitting data?
How easy is it to audit the code we can see?
What else is going on with your data?
In the case of Apple/Cloudflare, reputation is rather poor. From PRISM to false advertising to notification telemetry, Apple hasn’t exactly delivered on their promise. In terms of Invisiv, the company has some big names on board but Fastly and Cloudflare both have a rather significant grip on the internet (with Cloudflare’s being bigger) but any CDN gets a good view into personal data most of the time.
Update: in the case of Cloudflare/Apple, Apple adds additional location data to your request, making its “private” relay leak approximate location data the same way your IP address could leak it. To wit:
Apple relays geolocate user IP addresses and translate them into a “geohash”. Geohashes are compact representations of latitude and longitude.
But on the bright side: a VPN has far more issues than either of these, as it’s basically #4 above except the same service also has your identity by necessity. An untrustworthy VPN is as harmful as an untrustworthy ISP, with very little separating them.
A bit less private because things are going through one fewer hop, in addition to having to sign up. In my experience with Invisiv, it’s much faster and more reliable than Tor, but slower and much less stable than a traditional VPN.
It would be cool if more commercial VPN companies adopted this kind of tech.
They rent their servers, so it depends on what you consider as running the server. They have virtual access to it, but they don’t own the hardware. At least, that’s the case for countries I checked, maybe they have their own servers somewhere too.
My main concern is that cloudflare knows what content it is serving and it is certainly fingerprinting your browser. So regardless of how you request the data, cloudflare knows.
After reading their documentation a little closer, I discovered something else unsavory about Private Relay: it “relays” your approximate location, as it could usually be derived from your IP address.
Hate to break it to you but all the major CDN providers do the exact same things. My employer runs multiple websites mainly for US and European users. We use Akamai for both CDN and WAF services. For any CDN and/or WAF to operate properly it needs access to unencrypted content. Part of Akamais WAF tools includes what they call Bot Manager, which can identify traffic coming from over 1000 known bots and can also classify unknown ones. Part of how it works is by browser fingerprinting as well as TLS session fingerprinting and other proprietary fingerprinting.
So any time you visit a large website you’re likely being fingerprinted and otherwise analyzed by the CDN and security tools used by those sites.
I am absolutely aghast that Firefox would say Firefox is the best web browser. Their chart is, however, open to external audit so it is entirely unimpeachable.
(This is a parody of people who were arguing in favor of an “independent” browser privacy website run by someone paid by one of the browser companies)
But she explains why that is different in the video.
The idea is the hotspot is an entirely separate device, that just provides Internet access/VPN access. Your not logging in to your VoIP provider or your messaging applications using that hotspot. You can also purchase the device and service anonymously making it much harder to connect to your identity to the hotspot.
This separates the baseband processor from our sensitive data that is stored on our phone. This also forces your phone to actually use the VPN. (There has been reports that Apple and Google bypass the VPN in some cases if you use a VPN on your phone.)
No Internet Explorer either, and it has a bigger market share than Brave… Not everything Mozilla does is some evil conspiracy, they just put their browser on a table comparing it to its biggest competitors. Please go outside.
I’ve been using them for nearly 3 years now and never used (or even knew they offered) email support.
Not ideal they use GMail of course but they could be using private keys (as most business users do I believe) which means Google couldn’t see a thing anyway.
privacy
Oldest
This magazine is from a federated server and may be incomplete. Browse more on the original instance.