Even if you have encrypted your traffic with a VPN (or the Tor Network), advanced traffic analysis is a growing threat against your privacy. Therefore, we now introduce DAITA.

Through constant packet sizes, random background traffic and data pattern distortion we are taking the first step in our battle against sophisticated traffic analysis.

    • jet@hackertalks.com
      2 months ago

      Not just tor. Tor plus random traffic.

      Let’s say across your VPN you always sent one megabyte per second of traffic even if you had nothing to say. And then everybody connected to the VPN endpoint did the same thing. Then it gets very difficult to actually follow the traffic flows of the encrypted packets. You don’t see a large chunk of data passing through the network.

            • Aceticon@lemmy.world
              2 months ago

              The point is that for a state actor which can watch (or at least buy detailed traffic data for) both ends, a certain pattern of packets happening from your side to a known Tor entry node and the exact same pattern between a specific server being watched and a known Tor exit node on the other side will indicate that it’s your machine connecting to that end server, the more such patterns spotted the higher the level of confidence.

              This is quite independent of how much your data is mixed with other data inside the Tor network and how many nodes it has been routed around, because this kind of analysis doesn’t care about the IP address your machine is sending requests to or the IP address the watched server is receiving request from, it only cares about your pattern of data requests and responses matching that server’s pattern of received requests and returned responses.

              Whatever protocol is in the middle is wholly irrelevant. At best if the website is heavily used and you’re lucky, the specific end node (be it the router on the other side of your VPN connection or the exit node of your Tor connection) sending your requests to that server might have other users also sending requests to that server hence you’re all disguising each other’s pattern, but this is to do with popularity of the service more than the protocol itself being good at defeating this kind of analysis.

              Edit

              This is not entirely true - if the protocol changes the exit node between requests to the server then it can disguise your pattern. However given that changing the IP address from where the request comes breaks all the keep-alive performance optimizations in HTTP since v1.1, performance would be horrible at least for web browsing in modern websites (which have tons of additional content associated with a typical webpage).

              /Edit

              It’s all there in the Mullvad post (so you need to actually read it) and it helps if you have a background in IT Security and Cryptography since there are kinds of attack using similar mathematical principles in other areas (such as the statistical analysis of unchained symmetrical encryption protocols to derive the text from the encrypted text based on the probability of the words and letters occurring in a specific pattern or the power consumption analysis of cryptographic microchips such as those in smartcards to derive the encryption keys based on the way power was drawn by the ALU during encryption and decryption, a weakness which was funnily enough also defeated by adding noise in the form of junk operations).

              It’s all pretty obvious, really ;)
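
The end-to-end pattern matching described in the comment above, and the constant-rate sending suggested earlier in the thread, as an added sketch that is not part of any commenter's post or of Mullvad's code. The traffic is constructed sample data and all function names are hypothetical; it compares bytes-per-second seen on the client side with bytes-per-second seen near the server, with and without fixed-size cells sent at a fixed rate.

```python
import random

def bin_bytes(packets, duration=60, window=1.0):
    """Bytes per time window: all a passive observer of encrypted traffic sees."""
    bins = [0] * int(duration / window)
    for ts, size in packets:
        if ts < duration:
            bins[int(ts / window)] += size
    return bins

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5

def bursty_flow(seed, duration=60):
    """Constructed sample data: web-like bursts of variable-size packets."""
    rng, pkts, t = random.Random(seed), [], 0.0
    while True:
        t += rng.expovariate(0.2)            # a burst roughly every 5 s
        if t >= duration:
            return pkts
        pkts += [(t + i * 0.01, rng.randint(200, 1400))
                 for i in range(rng.randint(5, 40))]

def far_side(packets, delay=0.05, seed=7):
    """The same flow observed near the server: latency plus a little jitter."""
    rng = random.Random(seed)
    return [(ts + delay + rng.uniform(0, 0.02), size) for ts, size in packets]

def constant_rate(packets, duration=60, cells_per_s=100, cell=1400):
    """Shaping: one fixed-size cell per tick; queued real bytes fill it, else it is a dummy."""
    pending, queue, j, dummies, wire = sorted(packets), 0, 0, 0, []
    for i in range(duration * cells_per_s):
        now = i / cells_per_s
        while j < len(pending) and pending[j][0] <= now:
            queue, j = queue + pending[j][1], j + 1
        dummies += queue == 0                # nothing real to send: cover traffic
        queue = max(0, queue - cell)
        wire.append((now, cell))
    return wire, dummies

def demo():
    flow, other = bursty_flow(1), bursty_flow(2)
    server = bin_bytes(far_side(flow))
    wire, dummies = constant_rate(flow)
    return {"unpadded": pearson(bin_bytes(flow), server),
            "unrelated": pearson(bin_bytes(other), server),
            "padded": pearson(bin_bytes(wire), server), "dummy_cells": dummies}
```

With shaping on, every window on the client side carries the same number of bytes, so the series has no variance left to correlate against; the cost is the dummy cells sent while idle.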

              • Possibly linux@lemmy.zip
                2 months ago

                I just think VPNs are over hyped. At the end of the day if someone is monitoring both sides it was game over a long time ago. Also there is no way to know what is on the other side of a VPN.

                What would be interesting is a paid I2P or Tor exit proxy.

                • Aceticon@lemmy.world
                  2 months ago

                  Oh yeah, people thinking that VPNs are the end-all of Privacy and Security against eavesdropping in the Internet aren’t really informed enough to understand that there are quite a lot more attack vectors than just a person’s IP address.

                  That said no-logging VPNs do remove one from the “low lying fruit” category for things like legal companies sending “gimme money because we detected you infringing our copyright” letters to people doing file sharing using things such as bittorrent. This is because they remove the easy way for such companies to get a person’s information when detecting file sharing from a specific IP address: one thing is getting the target by a process as simple as sending an e-mail to a local ISP demanding the identification of a user using a certain IP at a certain time due to copyright infringement (using the laws made for just that purpose during the last couple of decades in several countries), a whole different ball game is to first have to get a Court Order in an altogether different jurisdiction to force the VPN provider to install some kind of wiretap-equivalent to catch such a user at a later time for a case of Copyright Infringement - it costs way too much, takes way too much time and has way too much risk of being laughed out of court (metaphorically speaking) to be worth it for a case of non-commercial Copyright Infringement, especially if there is an overabundance of easier targets.

                  As with everything else in this world, VPNs are good tools for certain jobs, not some kind of silver bullet for Privacy and Security against eavesdropping.

  • impure9435@kbin.run
    2 months ago

    That’s one of the reasons why I love Mullvad, they actually care about their customers, not just about their bottom line

    • Dojan@lemmy.world
      2 months ago

      I wonder how much of a bottom line they actually have given how cheap their service is.

      • impure9435@kbin.run
        2 months ago

        I’m pretty sure they are profitable, considering they were founded in March of 2009. You can’t really run a company without profits for 14 years, right? Just routing network traffic isn’t that expensive after all. They are the only ones being honest about it, other VPNs charge way more because they only want to extract money from their customers.

        • Dojan@lemmy.world
          2 months ago

          Cheers. Network related stuff isn’t my forte so I really have no idea about the costs. I just figured that the moment you start adding a decent amount of users the costs will go up, and €5 seems like a really fair price.

          • impure9435@kbin.run
            2 months ago

            It’s actually the other way around, the more users you have the cheaper everything eventually becomes

              • impure9435@kbin.run
                2 months ago

                Yes, there’s no reason this wouldn’t apply to a VPN provider. It’s also the reason NordVPN or Surfshark is so incredibly cheap.

                They have lots of users -> They can pay lots of money for advertising -> They get more users -> Everything becomes cheaper -> They can pay more for advertising

                You get the point

      • Pyrosis@lemmy.world
        2 months ago

        I doubt it would matter in some environments at all.

        As an example a pc managed by a domain controller that can modify firewall rules and dhcp/dns options via group policy. At that point firewall rules can be modified.

      • Pyrosis@lemmy.world
        2 months ago

        Of course but you don’t control rogue dhcp servers some asshat might plug in anywhere else that isn’t your network

      • thatsnothowyoudoit@lemmy.ca
        2 months ago

        The Option 121 attack is a concern on networks where you don’t.

        Exactly where you’d want a VPN. Cafes, hotels, etc.

        • DefederateLemmyMl@feddit.nl
          2 months ago

          True that. Hadn’t thought of that as it’s not my typical VPN use case.

          I’m not sure what a VPN provider could do about that though, they don’t control the operating system’s networking stack. If the user or an outside process that the user decides to trust (i.e. a dhcp server) adds its own network routes, the OS will follow it and route traffic outside of the tunnel.

          The defenses I see against it are:

          • Run the VPN and everything that needs to go through the VPN in a virtualized, non-bridged environment so it’s unaffected by the routing table.
          • Put a NAT-ing device in between your computer and the network you want to use
          • Modify the DHCP client so that option 121 is rejected

          Edit: thinking about it some more, on Linux at least the VPN client could add some iptables rules that block traffic going through any other interface than the tunnel device (i.e. if it’s not through tun0 or wg0, drop it). Network routes can’t bypass iptables rules, so that should work. It will have the side effect that the VPN connection will appear not to work if someone is using the option 121 trick though, but at least you would know something funny was happening.
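
A detection-side check for the option 121 routes discussed above, as an added example that is not part of the comment or of any VPN client's code. It decodes the RFC 3442 classless static route encoding and flags pushed routes that reach outside local address ranges and are more specific than the tunnel's route; the sample payload is constructed, and `LOCAL_RANGES`, the function names and the default `tunnel_routes` value are assumptions of this sketch.

```python
import ipaddress

# Assumption: routes a LAN's DHCP server may legitimately push stay in these ranges.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample payload: 192.168.50.0/24 via 192.168.1.1,
# then 203.0.113.0/24 (documentation range) via 192.168.1.254.
SAMPLE = bytes([24, 192, 168, 50, 192, 168, 1, 1,
                24, 203, 0, 113, 192, 168, 1, 254])

def parse_option_121(data: bytes):
    """Decode RFC 3442 entries: [prefix length][significant dest octets][4-byte router]."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        n = (plen + 7) // 8                  # only the significant octets are sent
        end = i + 1 + n + 4
        if end > len(data):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(data[i + 1:i + 1 + n] + bytes(4 - n), "big")
        net = ipaddress.ip_network((dest, plen), strict=False)
        router = ipaddress.ip_address(data[i + 1 + n:end])
        routes.append((net, router))
        i = end
    return routes

def suspicious_routes(data: bytes, tunnel_routes=("0.0.0.0/0",)):
    """Pushed routes that leave local ranges and win longest-prefix match over the tunnel."""
    tunnel = [ipaddress.ip_network(t) for t in tunnel_routes]
    flagged = []
    for net, router in parse_option_121(data):
        local = any(net.subnet_of(r) for r in LOCAL_RANGES)
        beats_tunnel = any(net.overlaps(t) and net.prefixlen > t.prefixlen
                           for t in tunnel)
        if not local and beats_tunnel:
            flagged.append((str(net), str(router)))
    return flagged
```

Fed the option 121 bytes from a captured DHCP offer or from the DHCP client's lease data, a non-empty result is a reason to distrust the network before bringing the tunnel up.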

  • Shadowq8@lemmy.world
    2 months ago

    I use Mullvad, really good, love how they don’t care who you are and can actually maintain complete anonymity even in payment.

    Probably going to be banned soon for some stupid reason if it gets popular, like free speech is allowing the terrorists make bears cry or something.