Nice. But unfortunately these addresses are hard to remember and "nobody" recognizes them when reading examples. One of those "standards" that have been a great idea, but lack practical relevance.
simoncion 2 hours ago [-]
> But unfortunately these addresses are hard to remember and "nobody" recognizes them when reading examples.
Mmm.
It's pretty easy to put three IPv4 /24s on a sticky note on your monitor. I think it's not unfair to say that if one can remember every fact related to one's job, then one has a job with a very, very small scope.
Also, this is another great reason to use IPv6. The v6 documentation prefix is '2001:db8::/32'... plenty of space for example subnets and easy to remember.
Insimwytim 10 hours ago [-]
On a side note, buttons icons on this page won't load without javascript. I cannot comprehend what would justify such decision.
jermaustin1 10 hours ago [-]
Without justifying it, the reason is simple. They are using a front end framework (bootstrap) that many developers use/understand that also supports 99.9% of browsers.
Running a browser without javascript that you still want graphics to display (so not a screenreader or text-based-browser), is part of the .1% they are willing to disappoint.
Do I think it is overkill? Sure. Do I still use jQuery at work even though the vast majority of its once handy features are now baked into JS in the browser by default? Of course.
fc417fc802 3 hours ago [-]
How do you jump straight from JS to screen reader or text based browser? What happened to HTML+CSS viewer? Isn't reading an RFC the perfect poster child for an activity that ought to consist of viewing a noninteractive document?
UqWBcuFx6NV4r 8 hours ago [-]
It’ll be a run-on effect of whatever framework they are using, and they very justifiably don’t want to bother catering to you. Having JS disabled in 2026 and complaining about sites not behaving is simply a performative act.
akimbostrawman 1 hours ago [-]
>and they very justifiably don’t want to bother catering to you
Considering they are one of the very few sites and VPNs that allow sign up without JS your claim is verifiably false. They also collaborate with and develop there own tor browser fork which has the highest rate of non JS user.
sroussey 7 hours ago [-]
It’s a weird type of virtue signaling.
lazide 6 hours ago [-]
It’s basic self defense. Who runs around the web in 2026 allowing random JS? Might as well be licking seats on the subway.
lmm 5 hours ago [-]
If you trust your browser it's fine, and if you don't then both CSS and SVG are significantly more risky.
margalabargala 3 hours ago [-]
This isn't true at all.
Anything SVG does maliciously, it does by containing JavaScript, so SVG's worst case is a subset of JS's.
fc417fc802 3 hours ago [-]
Remind me again what the ratio of browser sandbox escapes coupled with full RCE is between JS, CSS, and SVG?
sysguest 5 hours ago [-]
> then both CSS and SVG are significantly more risky.
how???
ernsheong 3 hours ago [-]
Are you in 2006 or 2026?
opem 12 hours ago [-]
The page already contains link to both of these resources
john_strinlai 12 hours ago [-]
right. but one of those resources contains much more context than the other, making it much more suitable for the submission link.
m132 4 hours ago [-]
Maybe it's just me, but I'm incredibly surprised by their prompt reaction to this. As a user, I was already preparing to deal with this myself.
Wow, is this how things were before bureaucratic behemoths took over the tech industry?
stingraycharles 3 hours ago [-]
This is just how things work when there’s much less overhead. Which is typically the case for smaller companies.
mjevans 12 hours ago [-]
I'd really like some version of E.G. Librewolf configured to spoof the exact SAME information no matter who's using it. Like standard resolution for a 1080p monitor, the same GPU profile, Allow device timing stuff to work but with a fixed profile etc.
Effectively, stop spoofing random data, start spoofing still useful but not for finger printing data.
kqp 4 hours ago [-]
This is already what LibreWolf does for most of its fingerprinting protection, including resolution, which you call out. It already works, LibreWolf is the only browser besides Tor I’ve found that actually defeated fingerprinters in some of my testing. Is there something that’s currently randomized that you think should be binned or homogenous?
Or tor browser, where all the features came from. You can also enable it on firefox with privacy.resistFingerprinting enabled.
traceroute66 11 hours ago [-]
> You can also enable it on firefox with privacy.resistFingerprinting enabled.
Not the same thing.
I use both Firefox and Mulllvad Browser side-by-side on a regular basis and in practice Mullvad Browser is far more aggressive in its privacy preserving measures to the extent that you do sometimes stumble across websites that are "broken" in Mullvad Browser but work fine in Firefox, for example the animated map features on the Ventusky website (which, IIRC, breaks because Mullvad is more aggressive at blocking JS graphics functions).
If you us Mullvad browser, which has built in Mullvad proxies, this isn't an issue because it doesn't use wireguard.
The browser also has a cool feature in the browser extension called Random mode. This gives you a different IP for each site, improving your privacy.
Cider9986 11 hours ago [-]
You can probably also use it on regular Firefox.
charcircuit 7 hours ago [-]
It's not going to be an issue for most things which have been properly thought out as they will have proper isolation between servers which should have separate identities. Reusing the same VPN for all servers and relying on an eventual expiry before the IP changes is fundamentally not a great approach to rely on for isolation.
stefan_ 9 hours ago [-]
Which you absolutely shouldn't use, because just like Tor Browser before, a vulnerability in the browser can be immediately escalated into decloaking your real IP. Ideally the proxying doesn't even happen on the same machine.
joskvw 9 hours ago [-]
"Absolutely shouldn't" is silly.
- Browser vulnerabilities are non-trivial.
- Mullvad browser's proxy feature only works if you're connected at the OS level, which helps mitigate browser level exploits.
Compared to any other off the shelf solution, Mullvad browser provides a good balance of usability & privacy.
Compared to something like you're describing, I agree it's worse.
ranger_danger 9 hours ago [-]
One possible mitigation might be to run your system (or just the browser/certain apps) sandboxed to only communicate with the IP/ports mullvad uses for VPNs.
fc417fc802 3 hours ago [-]
You absolutely shouldn't do that because a vulnerability in the kernel can be immediately escalated into decloaking your real IP. /s
(TBF this is presumably why parent specified that proxying ought to happen on separate hardware.)
Cider9986 9 hours ago [-]
What threat model should you use Mullvad browser in? What threat model should you avoid Firefox-based browsers?
Please talk in terms of specific threats instead of fearmongering. For people wanting to avoid surveillance capitalism, which is a very common threat, I think Mullvad Browser is a fantastic choice.
For journalists targetted by nation states, perhaps it would be better to use Brave or Chrome inside of Qubes.
prophesi 8 hours ago [-]
> For journalists targetted by nation states, perhaps it would be better to use Brave or Chrome inside of Qubes.
Curious why Chrome/Brave is recommended? I don't think any modern browser is better for anti-fingerprinting like the Firefox-based ones, including TOR and Mullvad Browser? Don't install random extensions outside the defaults and you're doing a lot better than a Brave/Chrome install if you want a usable internet.
Cider9986 6 hours ago [-]
I mentioned those because they are more focused on security than privacy/anonymity.
Chrome takes security a lot more seriously than Firefox, but Firefox does more for privacy. It would depend on the specific person, whether they are more worried about zero days or more worried about being identified.
Zero days for chrome will cost more than zero days for Firefox because Chrome takes security more seriously, there are more exploit preventions.
Brave is based on chromium and has a good update schedule, but it has some regressions like allowing manifest v2. Chrome is going to have the best update schedule.
Vanadium is the only browser that improves on Chrome's security.
(Don't get your opsec advice from HN)
(I learned this from GrapheneOS)
andrewstuart 13 hours ago [-]
Do VPNs pay retail ISPs for exit points?
TkTech 12 hours ago [-]
No, not usually. Few ISPs are willing to risk blacklisting.
Just like scrapers (and a lot of VPNs are quietly using their custom VPN clients to sell your own IP [and data] to scrapers) it's mostly a "don't ask don't tell" situation for IP sourcing. You use a multitude of IP providers and if a scandal happens you just say "We didn't know!" and move on to the next. Almost always grey-market, very rarely through legitimate providers.
tiffanyh 11 hours ago [-]
I see DataPacket.com have VPN clients.
Does anyone know if this is any issue for non-vpn users of datapacket.com?
>Does anyone know if this is any issue for non-vpn users of datapacket.com?
Probably not that much worse than other VPS providers with trashed IP reputations, eg. digital ocean, vultr, ovh. If you're blocking bots, the first thing to block is any datacenter ip ranges, not just known VPN servers.
r_lee 12 hours ago [-]
why is this downvoted? I'm not aware of a single ISP that would willingly let VPN providers use their ip blocks for their exit nodes
12 hours ago [-]
joveian 3 hours ago [-]
Mullvad in particular has a page that lists the ISPs they use (in a few cases their own servers at a datacenter), although they don't list the datacenters (sometimes you can get this info from the ISPs).
I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).
hnlmorg 9 hours ago [-]
Some VPN providers don't even have exit nodes in the country they're claiming. Instead they'll have their IPs registered to the respective countries in GeoIP databases.
This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.
sammy2255 5 hours ago [-]
Mullvad doesnt do that, but "ExpressVPN" absolutely does
dtech 12 hours ago [-]
Not retail ISPs, but many extensions and free VPNs route VPN traffic through the connections of those who use them.
joxdosba 12 hours ago [-]
This isn’t correct, the residential IPs are a completely separate and vastly more expensive product.
> Will other users of tuxlerVPN be able to connect using my IP address?
"When you use our free residential VPN, you automatically agree to add your IP address into the community pool. This means that you are trading your own IP address in return for the ability to connect via the IP addresses of other users. You can opt out of this by purchasing our premium subscription; once you upgrade to the premium version, your IP address will be removed from our community pool."
preinheimer 12 hours ago [-]
I mean, most “residential proxy” providers are selling access to hacked devices, or sneaky plugins
And what evidence do you have that this May 14th disclosure has nothing to do with Wyden's March warning? If you remember your history you'll know Wyden tried to shake the Snowden revelations out before the Snowden revelations.
Dismissing Wyden's remarks as "american politics" is near equivalent to dismissing the entire notion of VPN security.
Mullvad has explicitly given their reasoning. That's the evidence. Now the burden of evidence is on you to show that these things are connected since you are the one challenging Mullvad's claim.
asixicle 4 hours ago [-]
It could be two things at once, and OP was just speculating and trying to add to the conversation.
john_strinlai 11 hours ago [-]
>Dismissing Wyden's remarks as "american politics"
its a letter signed by american politicians, addressed to an american agency, about american citizens.
no scare quotes are needed around american politics.
(mullvad is swedish)
willis936 11 hours ago [-]
And would you classify Snowden's revelations the same?
The pattern is "Wyden rings the bell about a dragnet and then we learn the details about it". It just seems like an extraordinary claim with no extraordinary evidence to say that "person warning about VPN compromises has not motivated any of Mullvad's recent security work". Just provide that evidence for your claim.
john_strinlai 11 hours ago [-]
>It just seems like an extraordinary claim
what? it's not extraordinary at all. mullvad has a long history of being very security conscious. they do not wait for american politicians to direct their security work. i will stress again, mullvad is a swedish company.
feel free to read the co-founder's HN comment right here: https://news.ycombinator.com/item?id=48145679. they found out about the issue via the blog post, looked into it, and fixed it. end of story. (it says as much in the first line of mullvad's blog post too...)
eipi10_hn 3 hours ago [-]
You need to give evidence that this has something to do with Wyden's March warning first.
which is the blog post, rather than a list of exit servers
related to this post: https://news.ycombinator.com/item?id=48143880
https://datatracker.ietf.org/doc/rfc5737/
Mmm.
It's pretty easy to put three IPv4 /24s on a sticky note on your monitor. I think it's not unfair to say that if one can remember every fact related to one's job, then one has a job with a very, very small scope.
Also, this is another great reason to use IPv6. The v6 documentation prefix is '2001:db8::/32'... plenty of space for example subnets and easy to remember.
Running a browser without javascript that you still want graphics to display (so not a screenreader or text-based-browser), is part of the .1% they are willing to disappoint.
Do I think it is overkill? Sure. Do I still use jQuery at work even though the vast majority of its once handy features are now baked into JS in the browser by default? Of course.
Considering they are one of the very few sites and VPNs that allow sign up without JS your claim is verifiably false. They also collaborate with and develop there own tor browser fork which has the highest rate of non JS user.
Anything SVG does maliciously, it does by containing JavaScript, so SVG's worst case is a subset of JS's.
how???
Wow, is this how things were before bureaucratic behemoths took over the tech industry?
Effectively, stop spoofing random data, start spoofing still useful but not for finger printing data.
Not the same thing.
I use both Firefox and Mulllvad Browser side-by-side on a regular basis and in practice Mullvad Browser is far more aggressive in its privacy preserving measures to the extent that you do sometimes stumble across websites that are "broken" in Mullvad Browser but work fine in Firefox, for example the animated map features on the Ventusky website (which, IIRC, breaks because Mullvad is more aggressive at blocking JS graphics functions).
I'm happy that Mullvad actually explains the issue very clearly in https://mullvad.net/en/blog/exit-ip-fingerprinting-between-v...
The browser also has a cool feature in the browser extension called Random mode. This gives you a different IP for each site, improving your privacy.
- Browser vulnerabilities are non-trivial.
- Mullvad browser's proxy feature only works if you're connected at the OS level, which helps mitigate browser level exploits.
Compared to any other off the shelf solution, Mullvad browser provides a good balance of usability & privacy.
Compared to something like you're describing, I agree it's worse.
(TBF this is presumably why parent specified that proxying ought to happen on separate hardware.)
Please talk in terms of specific threats instead of fearmongering. For people wanting to avoid surveillance capitalism, which is a very common threat, I think Mullvad Browser is a fantastic choice.
For journalists targetted by nation states, perhaps it would be better to use Brave or Chrome inside of Qubes.
Curious why Chrome/Brave is recommended? I don't think any modern browser is better for anti-fingerprinting like the Firefox-based ones, including TOR and Mullvad Browser? Don't install random extensions outside the defaults and you're doing a lot better than a Brave/Chrome install if you want a usable internet.
Chrome takes security a lot more seriously than Firefox, but Firefox does more for privacy. It would depend on the specific person, whether they are more worried about zero days or more worried about being identified.
Zero days for chrome will cost more than zero days for Firefox because Chrome takes security more seriously, there are more exploit preventions.
Brave is based on chromium and has a good update schedule, but it has some regressions like allowing manifest v2. Chrome is going to have the best update schedule.
Vanadium is the only browser that improves on Chrome's security.
(Don't get your opsec advice from HN)
(I learned this from GrapheneOS)
Just like scrapers (and a lot of VPNs are quietly using their custom VPN clients to sell your own IP [and data] to scrapers) it's mostly a "don't ask don't tell" situation for IP sourcing. You use a multitude of IP providers and if a scandal happens you just say "We didn't know!" and move on to the next. Almost always grey-market, very rarely through legitimate providers.
Does anyone know if this is any issue for non-vpn users of datapacket.com?
https://www.datapacket.com/case-study/nordvpn
Probably not that much worse than other VPS providers with trashed IP reputations, eg. digital ocean, vultr, ovh. If you're blocking bots, the first thing to block is any datacenter ip ranges, not just known VPN servers.
https://mullvad.net/en/servers
They also have a document that lists some of their practices around the servers, such as not using shared servers:
https://mullvad.net/en/help/server-list
I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).
This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.
> Will other users of tuxlerVPN be able to connect using my IP address?
"When you use our free residential VPN, you automatically agree to add your IP address into the community pool. This means that you are trading your own IP address in return for the ability to connect via the IP addresses of other users. You can opt out of this by purchasing our premium subscription; once you upgrade to the premium version, your IP address will be removed from our community pool."
https://medium.com/@xianghangmi/resident-evil-understanding-...
Technical paper: https://ieeexplore.ieee.org/document/8835239
https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_g...
Dismissing Wyden's remarks as "american politics" is near equivalent to dismissing the entire notion of VPN security.
https://www.washingtonpost.com/politics/after-years-of-obscu...
its a letter signed by american politicians, addressed to an american agency, about american citizens.
no scare quotes are needed around american politics.
(mullvad is swedish)
The pattern is "Wyden rings the bell about a dragnet and then we learn the details about it". It just seems like an extraordinary claim with no extraordinary evidence to say that "person warning about VPN compromises has not motivated any of Mullvad's recent security work". Just provide that evidence for your claim.
what? it's not extraordinary at all. mullvad has a long history of being very security conscious. they do not wait for american politicians to direct their security work. i will stress again, mullvad is a swedish company.
feel free to read the co-founder's HN comment right here: https://news.ycombinator.com/item?id=48145679. they found out about the issue via the blog post, looked into it, and fixed it. end of story. (it says as much in the first line of mullvad's blog post too...)