[HN Gopher] Mullvad Leta: A search engine used in the Mullvad Br...
___________________________________________________________________
Mullvad Leta: A search engine used in the Mullvad Browser
Author : pnt12
Score : 257 points
Date : 2023-06-20 10:48 UTC (12 hours ago)
(HTM) web link (mullvad.net)
(TXT) w3m dump (mullvad.net)
| 2OEH8eoCRo0 wrote:
| I'm still very disappointed with the discontinuation of port
| forwarding and wish they would be more transparent about their
| reasoning.
| risho wrote:
| yeah if only they made a blog post explaining exactly why they
| disabled port forwarding.
| honeybadger1 wrote:
| Seems like a way to curb costs..It is quite common that plex
| server enthusiasts will run their entire piracy automation over
| good always-on VPN services and that requires port forwarding
| to do so. AirVPN still does it and I have had an account with
| them for far longer than any other VPN service.
| humid9059 wrote:
| [dead]
| rashkov wrote:
| Now that you mention it, I'm amazed that charging $5 a month
| is enough to cover unlimited bandwidth across a user pool
| with these kinds of high bandwidth usage patterns
| sixothree wrote:
| Pretty sure the existence of VPNs like this demonstrates
| the low cost of bandwidth. Or more so, how ISPs overcharge
| for bandwidth.
| mritzmann wrote:
| It was communicated transparently: it was abused too often.
|
| It's not a secret that a no-log policy also attracts abuse.
|
| https://mullvad.net/de/blog/2023/5/29/removing-the-support-f...
| theossuary wrote:
| Cool, I have 8 months prepaid for a service I can no longer
| use because they have a months notice they're removing a
| feature I need. And they refuse to refund crypto, the payment
| method they supposedly prefer.
|
| What I get for trusting mullvad I guess.
| joffspkfjeueebo wrote:
| [dead]
| pnt12 wrote:
| They explained it:
|
| > Regrettably individuals have frequently used this feature to
| host undesirable content and malicious services from ports that
| are forwarded from our VPN servers. This has led to law
| enforcement contacting us, our IPs getting blacklisted, and
| hosting providers cancelling us.
|
| https://mullvad.net/en/blog/2023/5/29/removing-the-support-f...
| madars wrote:
| It's pretty much a content-free statement.
|
| Prompt: Give me a single sentence technical reasoning a VPN
| company could use to discontinue port forwarding feature.
|
| GPT4: "Due to the increased security risks and potential for
| exploitation associated with port forwarding, we have decided
| to discontinue this feature to enhance the privacy and
| security of our VPN services."
| stavros wrote:
| Is it content-free? I can see content fine. I don't know
| why abuse isn't a good enough reason for you, and there
| must be ulterior motives.
| 2OEH8eoCRo0 wrote:
| I've seen that but I still have questions. Which hosts? Who
| are the IP blacklisters (at least the big names)? What kind
| of undesirable content was the last straw? Copyrighted
| material, CSAM, terrorists, or worse?
| red-iron-pine wrote:
| Only needs to be one or two. Spam filters pull from a
| buncha sources, so pissing off Spamhaus or SORBS or
| whatever once is enough to get burned everywhere. Ditto for
| a lot of other sites.
|
| The specific content doesn't really matter, tripping the
| sensors for enough sites could potentially get entire IP
| blocks flagged.
|
| They may not also be able to reveal specifics if it is an
| ongoing investigation.
| infinitedata wrote:
| When you access it while using Mullvad, it still asks you for
| your account number. Service should automatically detect you are
| on VPN and let you search, why the need for the extra step?
| coffeeri wrote:
| It is good that this does not work. As one IP might be shared
| by multiple accounts. A cache of the mapping IP --> AccountNo
| is also not favorable in terms of privacy.
| piaste wrote:
| > As one IP might be shared by multiple accounts.
|
| No "might" about it, that's one of the most important traits
| of this type of service.
| [deleted]
| coffeeri wrote:
| Yes indeed, but it's not guaranteed that there'll be
| multiple clients connected to one server at a time, even if
| it's unlikely.
| piaste wrote:
| To enforce the usage limits.
| varispeed wrote:
| Can you guess someone else's account id or sort of brute
| force to find valid ids and then run malicious searches
| against them?
|
| Seems like a security risk.
| piaste wrote:
| The mullvad "account number" is not a user id, it's a
| 16-number secret key. If you have that, you have the
| account.
| galleywest200 wrote:
| I would bet money that Mullvad heavily rate limits
| incorrect ID entries. Also its a 16 digit number, good
| luck.
| gizzlon wrote:
| Is it the full account number? Good luck guessing that :P
|
| If so it's like 16 digits. Isn't that 10^16 values? If they
| had 1 million users, that's still a lot of numbers to test
| before you find 1 valid one :)
|
| I suck at math, but that's like 999999999 non-existing
| accounts per valid account? (10^16 - 10^6 - 1)
| YellowSuB wrote:
| Well if that is 1 million active users I would bet that
| there are still many more 'used' keys, myself being a
| Mullvad user have used about four different accounts,
| since you can just generate a new one. I don't know if
| this really makes a difference though
| threeseed wrote:
| Not sure by what definition this is a search engine.
|
| It's a caching proxy for Google Search and could well just be
| Squid.
|
| I assume it also doesn't interact well with Google's location
| services.
| Kiro wrote:
| So DDG is not a search engine either?
| piaste wrote:
| Strange question. Why on Earth would a privacy service want to
| "interact well" with Google location tracking in the first
| place?
|
| It's a bit like asking if you can install Cortana on Trisquel
| GNU/Linux.
| threeseed wrote:
| Because if I am searching for a review of cafe or want to
| know where a movie is showing I would prefer it to be in the
| same continent as me.
|
| I am not expecting it to know my exact GPS location but would
| be nice if it could at least bring state or country level
| tailored search results.
| adr1an wrote:
| You may add 'near Cityname, Countryname' to your query ;)
| jwmcq wrote:
| It's never even occurred to me not to do this. I wonder
| if that's just because I grew up on the internet before
| geolocation methods were widespread/good.
| piaste wrote:
| I just checked, and there's an optional country selection
| box you can use.
|
| But for local results, I'd just prepend $cityname to your
| search query. Faster, unless you live in
| Llanduwhatsthattowninwales.
| samizdis wrote:
| Ah, that would probably be Llanfairpwllgwyngyllgogerychwy
| rndrobwllllantysiliogogogoch.
|
| See: https://en.wikipedia.org/wiki/Llanfairpwllgwyngyll
| zorrolovsky wrote:
| Humorous question: Could moving there be a privacy
| advantage? I can imagine insanely long locations break a
| good bunch of databases and CRMs, specially legacy
| ones... I would give my location to every spammer and
| scammer and refuse to spell it. "Oh yeah... I'm super
| interested in your product. But you gotta ship it to Taum
| atawhakatangihangakoauauotamateaturipukakapikimaungahoron
| ukupokaiwhenuakitanatahu. Is that ok?"
|
| https://en.wikipedia.org/wiki/Taumatawhakatangi%C2%ADhang
| ako...
| stavros wrote:
| This is the xkcd with the 1III1II1 plates, it's "oh, that
| Welsh town with the long name".
| marginalia_nu wrote:
| User profiling is a _huge_ reason why Google works as well as
| it does. Location data is just one part of that, but a pretty
| big one.
|
| If you remove that, it's as bad (or worse) than most of its
| competition.
| rcoveson wrote:
| User profiling is a _huge_ reason why Google works _the
| way_ that it does.
|
| I remember a time when my wife was trying to look up a fix
| for Mass Effect on a 21:9 monitor. Terms like "ultrawide
| mass effect" and such. Google _would not stop_ returning
| Blizzard help pages on how to configure the resolution for
| Heroes of the Storm, another game that she played. Not a
| single page related to the actual search terms. The more we
| poked at it the more I couldn 't believe it. Bing, of
| course, just did the dumb, obvious, correct thing and
| returned a bunch of web pages containing the search terms,
| which were helpful.
|
| Google seems to do this infuriating thing where it reduces
| search terms to basic "synonyms" (which are often more
| general than the original word, e.g. "Mass Effect" becomes
| "Video Game") and then injects personal search history
| related to the synonym (which is how Heroes of the Storm
| ends up as part of the query). Most of the time it's just
| subtly enraging; you know the page you're looking for
| exists, and you know your search is extremely precise, but
| Google keeps giving you overly-generalized results with a
| skew towards your "profile".
|
| Anyway, all that is to say that I feel exactly the opposite
| of what you feel about the relationship between this Google
| "feature" and the quality of its results.
| moss2 wrote:
| I looked over there list of "achievements" in their About page.
|
| They state that in 2022 they stopped accepting subscription
| payments because it forces them to store data about their users
| for long periods of time. Now they only accept one-time payments
| for monthly memberships.
|
| They really are committed to privacy.
| z3c0 wrote:
| They've truly demonstrated something I believed untrue prior,
| and that's the notion that a company can keep growing while
| maintaining very strong opinions and principals. I switched to
| Mullvad after PIA's acquisition, thinking it would be a
| temporary stop until they inevitability alienated their
| original userbase. But nope, they've only gotten better.
| chefandy wrote:
| I'm not a business guy so I might be full of shit, but I
| think they're playing the long game and know who their
| audience is. They're trying to distinguish themselves from a
| bazillion fly-by-night VPN providers: not doing the current
| standard 'vacuum up every conceivable bit, nibble, and byte
| in case it's useful for marketing or resale later' is a great
| way to a) get a great word-of-mouth rep from credible people,
| and b) get a customer base more compelled by marketing real
| improvements to your core ecosystem than totally BS super
| flashy marketing and ad budgets. Flashy marketing might be
| super effective in the short term, but if genuine
| improvements to your core offering are your biggest selling
| point, that seems like it would directly contribute to long-
| term sustainability.
|
| Given, this is assuming everything they say is legit. It's
| kind of hard to not be jaded these days.
| DemiGuru wrote:
| This service is not ubiquitous which is something I expect of a
| search engine. From my perspective the limitations lie with the
| fact you need to be logged-in to their VPN service in order to
| use it. Yes, it's a way to ensure that only paid customers can
| use it. But those paid customers will only be able to use it on
| their personal devices. Nowhere else. Most if not all work
| environments block third party VPNs.
| red-iron-pine wrote:
| And that's fine. You're on a work network and using work
| hardware -- you don't get to use whatever you want, even if we
| have a Guest Network.
| ipsum2 wrote:
| What happens if someone searches their home address or a place
| nearby? If it's automatically cached, it could be a data leak.
| Some sufficiently motivated person can correlate it with someone
| who connects to Mullvad servers.
| swores wrote:
| Well that would only show (if indeed it can leak somehow) that
| _somebody_ used Mullvad to search for that - if using it for
| yourself it wouldn 't be hard to say "cafe near 49 my street"
| rather than "44 my street", or whatever, so a) that's probably
| the kind of caution you should always use if wanting to protect
| privacy or your house number since there's essentially no
| downside, unless you're literally ordering something to be
| physically delivered and b) it gives plausible deniability that
| anyone whose house address were known to have been searched
| doesn't really mean the person living there is the one who
| searched it.
|
| (But of course, ideally they would have something in place to
| prevent such a leak at all, and perhaps they do somehow?)
| philprx wrote:
| As I understand it, it's the result to a given search string
| that is cached.
|
| Sure, If I search for "44 little poney street", then the result
| itself is cached at Mullvad, and someone needs to search
| himself/herself for "44 little poney street" by entering
| precisely this search string to access the cached page.
|
| So I don't see a leak with caching... There are leaks anyway:
| the search term sent to Google, if someone compromises Mullvad,
| etc... But not one specific with caching and related to other
| users.
| Musky wrote:
| This has also been noted by Assured AB when they did their
| security audit of the service [0].
|
| > 3.4.1 Note Plaintext search queries in cache database
|
| > Assured recommended hashing search terms before insertion /
| lookup in the cache database. Since search term cache lookups
| are only performed with exact matching, this should not affect
| functionality.
|
| > Mullvad: We are now hashing (and salting) the search terms
| before they are added to Redis
|
| [0] - https://mullvad.net/en/blog/2023/5/16/security-audit-of-
| our-...
| celtoid wrote:
| As a longtime Mullvad customer, I'll use this. Using any VPN
| company and its services in this age of surveillance capitalism
| is always a sketchy affair. Mullvad is the least sketchy of the
| non-DIY options that I can find.
| AHOHA wrote:
| Mullvad VPN, Mullvad browser, Mullvad search engine.. never ever
| put all your eggs in one basket, so much data and meta data can
| be collected and cross referenced to your ID.
| hammock wrote:
| Google DNS, Google Chrome, Google search...
| AHOHA wrote:
| Exactly, it's never a good idea to do that, the only
| difference is google doesn't advertise itself as a privacy
| advocate so when someone use all these google services they
| don't really care about the collected data, on the other
| hand, the userbase of mullvad will have that false sense of
| security and privacy while putting more and more trust in
| Mullvad, it's just a matter of time until some bad news
| drops.
| piaste wrote:
| It's a bit more nuanced. Let's keep it simple and say you
| produce 3 data sets when browsing and clicking on results:
| search queries, DNS queries, HTTPS queries.
|
| If it takes a correlation of the 3 datasets to identify you,
| then it is better to use 3 different providers.
|
| However, if any one of those datasets is sufficient to ID you,
| then it is better to choose a single provider.
| AHOHA wrote:
| Unfortunately it isn't that simple, from the moment your
| device connect to the wifi for example, every sigle
| information/packet/etc. shared or stored can be used to
| identify you, the more you share, the more can be collected
| to identify you. Now VPN alone by concept isn't meant for
| privacy as you always have to trust the unregulated provider
| (contrary to your ISP for example), when all your data is
| tunneled through their servers, that's a lone is big risk
| based on a trust only, however, and due to the nature of
| these shared IP vpns, sometimes maybe (keyword maybe) it's
| challenging to pinpoint a specific client, and here comes the
| others, a browser that can have unique fingerprint, and now
| search queries that can add an extra source of information to
| further pinpoint you, especially as others mentioned below
| that you still need to enter your VPN code to use that search
| engine.. I haven't tried it yet to give my personal
| experience as I stopped using mullvad, but if I did I will
| update this post further.
| aorth wrote:
| I'm a Mullvad customer and will check this out. I can already see
| that this is not so convenient for when you're on a device or
| network where your Mullvad connection is not active. For example,
| I'm typing this from my work laptop on the corporate network as
| we speak. :P
|
| On a related note, I am also a happy Kagi customer. It's a paid,
| privacy-focused search engine that gives you a "magic" session
| link to allow easily searching from multiple devices. Very happy
| with the search there. Haven't used Google more than a handful of
| times for several months!
| unshavedyak wrote:
| Same, love Kagi. I think the biggest surprise for me was that
| it is getting frequent improvements.
|
| I'm so used to Subscriptions being just a drain. You "buy" the
| product, and then you pay just to keep using it. Which can
| feel, emotionally, a bit unappetizing because i'd rather just
| purchase it fully. The subscription just feels like a money
| sink with no added value.
|
| Conversely i've not had that opinion with Kagi. Not only am i
| happy with the product, but the frequent[1] improvements[2]
| make me feel like i'm buying something newer and better each
| month.
|
| Developments on FastGPT, increasing what i get for my dollar,
| integration of more features in general. I frankly assume i
| just joined at a good time, because this pace can't keep up..
| right lol? Regardless my Kagi subscription has felt like i'm
| getting more value each month. From other companies i'd feel
| lucky to get these advancements, and if i did i'd expect it to
| cost me more. "5 new features? Welp, i guess i get to buy a Pro
| subscription tier to access it" or w/e, is what i'd expect.
|
| Really can't praise Kagi enough.
|
| [1]: within the last couple months, at least, as i'm new to the
| product and have only been subscribed for 2 months.
|
| [2]: You can see some here: https://blog.kagi.com/blog
| Melatonic wrote:
| Image search was already good and hugely improved - and the
| native reverse image search is also pretty cool!
| rurp wrote:
| I really hope they improve their pricing/usage plan. I wasn't
| that impressed with the results when I first tried Kagi out,
| but was planning on giving it some more chances down the
| line. Sometimes it takes a few tries before a new tool really
| sticks for me.
|
| Unfortunately they ended that sort of trial usage with the
| new payment plans. I'm already wary of starting any new saas
| payments, and one where I need to worry about how many
| searches I'm doing per month is a non-starter.
| unshavedyak wrote:
| It's definitely worth a month, just to see what your search
| baseline is at. I was worried i'd be on an expensive tier
| but i am far lower on average than i thought. _And_ they
| increased the quota by 50% recently.
| aio2 wrote:
| May I ask why specifically Kagi? What's special about it
| compared to other search engines, aside from being privacy
| friendly? Like, you could say Searx is also nice because of
| that. Or Duckduckgo. Or Brave Search.
|
| What sets Kagi apart, and especially, what makes it different?
| IgorPartola wrote:
| Not the person you are replying to but DDG is just as bad as
| Google at returning and prioritizing blogspam results.
| "Recipe for oatmilk" returns a slew of 2500 word articles
| that start with "What is Oatmilk" and "How is Oatmilk
| Different from Milk". I just want to know the ratios. A
| search engine they can do that for me would be great.
|
| Another example "XYZ-brand motorcycle boots after crash". I
| want to know how well they survive an actual crash and the
| brand is popular enough that I bet there are plenty of images
| out there. Yet all I get is a bunch of promo images of brand
| new boots.
|
| Give me a search engine that'll actually return results I
| want!
| _benj wrote:
| Not op but also a very happy kagi customer. This is usually
| hard to answer because search results is very dependent on
| what is searched. For me the quality of results instead of a
| bunch "top 10 libraries to use with react in 2023" kind of
| results is what sets it apart for me. I can prioritize what
| kind of results or sites I want stuff from, I've been
| surprised multiple times by finding a random blog post from
| somebody working with some tool/library that I've search for.
|
| I'd suggest to give it a try, it took less than then 50
| search a month limit for me to jump onboard
| aorth wrote:
| After years of trying Duckduckgo and then always going back
| to Google, it was this 2022 interview with the Kagi founder
| https://dkb.blog/p/kagi-interview that I read a few months
| ago that got me to try Kagi. I was shocked that they thought
| people would pay $10/month for a search engine. Then I
| thought, "if Google lets us search for free, how much must it
| be worth for them?" Over the last few years I've started
| trying to pay for things that I use, and financially
| supporting developers working on products I like. That's when
| I decided to try Kagi.
|
| And yes, I have used Google only a dozen or so times in the
| last few months since I went all-in on Kagi on all my
| devices. The search results are very good.
| bisby wrote:
| The thing that has held me back from Kagi (I've had the
| pricing tab open for the past month, just staring at it),
| is the usage limits. I have no idea how many searches I
| make in a month. I don't know if I'm looking at a $5/month
| situation or a $20/month situation, and my inability to
| predict that makes it hard for me to commit. From a single
| device, my firefox history says that in May I had 750
| different variants of duckduckgo.com/?q=X. And thats not
| counting my phone, or work device. Will the $10/1000
| queries be enough for me? (This isn't necessarily for you
| to answer, but just restating my anxiety around the
| product.)
|
| I too love to pay for things, and thus use a product,
| rather than be the product.
| mongol wrote:
| If you use Google, and you have not disabled it, you can
| visit your search history to get an idea.
| Melatonic wrote:
| Kagi is awesome - also a paying customer on their now
| grandfathered in tier - and it only gets better with time! The
| image search function is hugely improved and the main core
| search is blowing away Google for most uses.
|
| Also love that they added reverse image search now
|
| Not currently a Mullvad customer ( I was in the past ) but this
| looks definitely like a good thing!
| d4mi3n wrote:
| Both a customer (and now investor!) if Kagi's and can't say
| enough nice things about the product. It's refreshing to have a
| search engine that will give you relevant results rather than
| shoveling ads down your throat.
| stavros wrote:
| Are the results really that much better? I use DDG and paying
| $10/mo for a search engine seems like a tall order, especially
| when I don't know if Kagi can be that much less broken than
| Google.
| dharmab wrote:
| For technical info like programming language references, I
| get much better results in Kagi after I spent a few minutes
| setting my blocks and pins. I just searched "run a test suite
| in go" in Google, DDG and Kagi, and blogspam results were
| higher in Google and DDG while GoDoc and Stack Overflow was
| higher for me in Kagi. Many of the DDG results were about
| running a single test out of a suite, rather than running a
| suite.
| stavros wrote:
| Interesting, thanks, I'll try it for a month!
| Melatonic wrote:
| I did not do an extensive comparison to DDG but I would say
| it is definitely worth it. Been paying for awhile now and it
| blows away Google. And they are constantly adding new
| features and improving old ones (and finding new ways to
| improve their back end costs as well which makes it more
| sustainable).
|
| I use search engines a TON though (especially for work) so
| 10$ a month is absolutely worth it for me. I am currently
| trying to convince my boss to buy it for our whole IT team
| stavros wrote:
| That's interesting, I'll try it for a month, thank you!
| dharmab wrote:
| The magic session link was such a great idea. I could easily
| add a session to my work computer.
| rmi_ wrote:
| Wonder how it compares to other privacy-minding Google-proxies,
| such as startpage.com
| piaste wrote:
| At a quick glance:
|
| - Leta is _much_ faster than Startpagw - Startpage offers a lot
| more of Google 's features, eg date range filter, image search,
| and so on
|
| I would guess that both differences are due to Startpage not
| doing any caching.
|
| Startpage also has a neat "Anonymous View" feature where they
| proxy the request for you, acting as your HTTP client. If you
| trust Startpage, it's probably a pretty good ad-hoc anonymity
| tool.
| yuumei wrote:
| Have been using Mullvad for a few years now. Has been working
| well, this search actually looks useful. But one suggestion: can
| I pay for a dedicated, non advertised, residential IP please
| Mullvad? Lots of places are blocking VPNs now, like cloudflare.
| Hakkin wrote:
| I would think it would be extremely difficult to provide
| residential IPs in a privacy-preserving way, from what I've
| heard most services that offer them are quite sketchy in how
| they go about "acquiring" those IPs. The very nature of
| "residential" IPs means your traffic is flowing through some
| random person's home internet, which certainly isn't something
| I would want, even these days where almost everything is
| encrypted. There would be no way Mullvad could provide any kind
| of privacy guarantee if they don't control the endpoints.
| miohtama wrote:
| Providing residential IP as a service would be breaking some
| agreements, or lying somewhere. I don't Mullvad can do this,
| because they are committed to openess and transparency. For
| resident IP thru malware services you need to look up other
| dishonest competitors.
| _rs wrote:
| I suppose this isn't a highly requested feature because as soon
| as you have a dedicated IP you become easily trackable. I
| wonder if there's any middle ground to prevent that
| red-iron-pine wrote:
| using residential IPs for commercial purposes is expressly
| forbidden by most ISPs.
| Etheryte wrote:
| As a paying customer, I think this is a really good way to use
| the resources. While it does rely on Google not pulling the plug
| on using the API that way, I think for the time being it's a
| great way to reduce your online footprint. Very few of my
| searches need freshest data by the hour and I can always either
| make the search string more specific to cache bust or go back to
| Google for search.
| okso wrote:
| I am curious about the technical reasons motivating the
| requirement to login with a Mullvad account number while already
| using Mullvad VPN to reach Mullvad Leta.
|
| The Mullvad website and the https://mullvad.net/en/check page
| show that Mullvad already has tools to detect users of its VPN.
| hammeiam wrote:
| Does Google TOS allow for caching of results? A lot of APIs (esp
| map/geo apis) do not
| rhim wrote:
| What is the difference to a self-hosted version of:
| https://github.com/searxng/searxng ?
| pvitz wrote:
| I guess that you couldn't be fingerprinted by Google.
| humid9059 wrote:
| I am going to use public Searxes for comparison.
|
| The difference is that there is less noise from other users as
| it is limited to Mullvad subscribers, and there is presumably a
| smaller user base.
|
| Otherwise, there is probably little to no difference,
| considering that Searxes are not used by many in the same vein.
|
| However, self-hosting is the equivalent of directly using the
| search engine under your own IP, just without javascript. There
| is no noise from other users looking up unrelated queries.
| Thorentis wrote:
| Mullvad was the darling of the Vpn world, up until they removed
| support for Port forwarding. Would be really curious to see if
| their subscriber numbers have tanked since then.
| bearmode wrote:
| >Mullvad was the darling of the Vpn world
|
| Very much still are.
| Hakkin wrote:
| As a 10+ year paying Mullvad customer, it hasn't changed my
| experience using the product at all, and I recently deposited
| another years worth of credit. While I did occasionally use
| port forwarding, it certainly wasn't a "must have feature" for
| me. I mostly found it useful for temporarily exposing services
| publicly, but there are plenty of alternatives that accomplish
| the same thing these days. The only Mullvad unique-ish feature
| (I believe some other VPNs offer something similar) I use
| regularly is their SOCKS5 endpoints, it's very convenient to be
| able to connect to any of their exit nodes from any server.
| Otherwise I mostly just want a bog standard Wireguard VPN.
|
| It seems the people this most affected were the ones using VPNs
| primarily for torrenting, which I've always just used a VPS or
| dedicated server for. Though, even in that case, it's not like
| it's impossible to torrent without port forwarding, millions of
| people do it every day behind their NAT.
|
| It is unfortunate they had to remove the feature, but I have to
| assume the abuse of the feature was at the level where it was
| threatening the service as a whole, if I had to choose between
| Mullvad without port forwarding or no Mullvad at all, I'd
| obviously choose the former. They also do seem to be refunding
| people who request it, so it doesn't really seem like any kind
| of "rug pull" or anything.
| mongol wrote:
| Where do you get the VPS?
| AHOHA wrote:
| > it hasn't changed my experience using the product at all
|
| It did change though, I've been using them since they started
| but in the past 2ish years their network is very bad, slow,
| continuous interruptions and disconnects (can't say it
| correlates but noticed happened around the time Mozilla VPN
| started as they use the mullvad backbone), blocked in a lot
| of regions even in some government websites, anong other
| issues, the straw was when they stopped port forwarding.
| Hakkin wrote:
| I personally haven't experienced many of those issues. I
| also don't use their first party client though, just
| standalone Wireguard, so I can't speak to the quality of
| that. The only time I've had connection issues really is
| when they completely decommission a server, since I'm using
| static configs, I have to manually go in and update the
| server IP, but that's not really a big issue for me and is
| fairly rare. My experience has actually been that the
| servers I tend to use are quite a bit faster than they were
| in the past, I imagine since they've been making an effort
| to upgrade everything to 10gbit+.
|
| As for IP blocking, I've also rarely encountered that, when
| I do it's mostly on e-commerce sites, and in those cases I
| typically find it's just a single exit IP that's blocked
| and setting up a rule for that domain to tunnel the traffic
| to a different server (via their SOCKS5 endpoints) fixes
| it. I can understand how having to do that might be an
| annoyance to some people, but again for me it's not really
| a big deal, just a few occasional minor inconveniences in
| an otherwise good product.
|
| Edit: I should also say I don't really use any services
| like Netflix or things like that, it's my understanding
| that streaming sites like that almost universally block
| Mullvad since they make no effort to mask that their IPs
| are from datacenters. Again, not an issue for me, but I
| definitely could understand if that was a deal breaker for
| some.
| InCityDreams wrote:
| 4yrs customer here...never had a problem.
| Gasp0de wrote:
| Why would I need port forwarding to torrent? I've been using
| it for ages without.
| Hakkin wrote:
| It seems to be a widespread misconception amongst
| commercial VPN users that port forwarding is required for
| torrents to work. While port forwarding can be beneficial
| in certain situations, as you said, it's certainly not a
| requirement, especially for well seeded torrents like I'm
| sure the large majority of people are downloading.
| jorams wrote:
| You don't necessarily need port forwarding to torrent, but
| if everyone was behind a VPN without port forwarding the
| network wouldn't work.
|
| For two peers to connect, at least one needs to be
| reachable by the other. Behind a VPN that requires port
| forwarding, so if you don't have it you rely entirely on
| peers that _are_ reachable.
| Gasp0de wrote:
| How do people download my torrents that I seed then?
| [deleted]
| jorams wrote:
| Your client connects to them after discovering them, they
| indicate interest, then you start sending data. A
| bittorrent connection, once opened, is a two-way street.
| mig39 wrote:
| I'm wondering if the port forwarding was the reason so many of
| Mullvad's IPs were frequently blocked or had "bad reputations"
| ?
|
| Anyway, I've been a customer for a long time, and will continue
| to be.
| TobyTheDog123 wrote:
| I very much doubt many good actors left the service over it. I
| assume their popularity comes from a battle-tested no-logs
| claim, a good UI/UX, and a general consensus that they're
| trustworthy.
| Gasp0de wrote:
| The port forwarding feature was abused heavily. I understand
| and support their decision to remove it, as it improves the
| reputation of their IP addresses
| pgl wrote:
| Mullvad really does have a commitment to privacy.
|
| Some key points:
|
| - Acts as a Google proxy, removes tracking links and caches
| results
|
| - Only available for Mullvad paid users
|
| - 100 free _direct_ searches a day, unlimited cached searches
| (further search result pages count towards limit)
|
| - Results cached over all users for 30 days
| keyle wrote:
| I'm sorry but besides your first point, what is substantial in
| the claim that they have a commitment to privacy?
|
| Also why would I trust them over Google?
| pgl wrote:
| It all comes down to trust in the end, but over time I've
| come to trust Mullvad more and more. One particular example
| that sticks out to me is that they ended subscription based
| billing, specifically because it required them to hold
| customer information that they didn't want to have.
|
| https://mullvad.net/en/blog/2022/6/20/were-removing-the-
| opti...
|
| You can see an example of their lack of data retention from a
| post about when they were raided - there was nothing to find.
|
| https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-
| subjec...
|
| Their blog is a good place if you want to get a sense of what
| they're like as a company.
|
| https://mullvad.net/en/blog/
| panick21_ wrote:
| - The offer many types of payment, some that can be
| anonymous.
|
| - They have strong commitment to open source and have put
| their finances into that in addition to releasing code.
|
| - They are doing a lot in terms of transparent
| infrastructure:
| https://mullvad.net/en/blog/2022/1/12/diskless-
| infrastructur...
|
| > Also why would I trust them over Google?
|
| For Google your data is the product, for Mullvad you pay for
| a service.
| lagniappe wrote:
| You can send a carrier pigeon with a tenner and a sticky
| note holding your account number and they'll take it.
| piaste wrote:
| Buying a Mullvad scratch card is probably the most
| practical anonymous method. Usually the fact that you are
| using Mullvad at all isn't a secret (your ISPs can see
| you connecting), so outside of a very overcomplicated
| scenario where Amazon/$yourlocaltechstore are colluding
| with Mullvad to track individual scratch cards, it's
| fine.
|
| Mailing cash in an anonymous envelope has a certain
| charm, but OTOH I have consistently had terrible
| experiences with the Swedish postal service and that
| seems to be a widespread opinion.
| zirgs wrote:
| You can't trust anyone, but for Mullvad you're a customer not
| a product.
| Melatonic wrote:
| Problem is that Google search itself has still gone
| downhill......
|
| This is a cool addition for sure though
| ignoramous wrote:
| I don't see anything in their _terms of service_ / _privacy
| policy_ re Leta. It 'd be nice to know if they retain any sort
| of data at all (there's prominent mention to caching stuff, but
| just what are they caching?), regardless of whether it is tied
| to PII.
| secfirstmd wrote:
| Lol. Sure. M247 Ltd limited hosts...
| htrbcav wrote:
| I was wondering already why Sweden, home of the Pirate Bay
| and Assange lawsuits, does not shut it down. This could be
| the answer.
| danpalmer wrote:
| I remember ~10 years ago that Google said 40% of searches were
| unique. Just searching for that again now I can see this[1] tweet
| that suggests it's 15% as of 2022, that's with billions of users.
|
| I wonder how well the caching actually works for a user base of
| the size that Mullvad has.
|
| This could be tackled with a different UX, perhaps rather than
| showing predictive search, instead showing similar queries that
| are in the cache? I'm not a customer so can't see the product,
| can any customers give any input as to what the UX is and whether
| it might be improving their cache hit rate?
|
| [1]: https://twitter.com/Google/status/1493681643290300425
| flas9sd wrote:
| a statistic I'd be interested in: what percentage of searches
| can be answered computationally cheap. As in: Wikipedia title
| index, simple word lookup dictionaries. Indices that could
| complement a caching search-engine proxy to not hit its origin
| crawl repository.
|
| A study[1] by wikipedia done with DDG notes it showed up in the
| top5 results and information module for ~13% of searches with a
| click-through rate for each at ~8% - so a total of ~16% click-
| through rate. Granted, that is not a number gained from title
| searches but the whole articles.
|
| [1]: https://diff.wikimedia.org/2021/09/23/searching-for-
| wikipedi...
| pnt12 wrote:
| Good question: I see one way it may work and another it may
| not.
|
| I think the profile of their users is less diversified: mostly
| tech savvy people. "Normies" are using those vpns advertised in
| YouTube, or not using any at all. This may result in similar
| interests and lower the number of unique queries.
|
| On the other hand, we may produce more unique queries than
| other people: who will receive-use the cached "how to fix
| ValueError on main.py:67"?
| bentcorner wrote:
| As far as I can tell there's no predictive search. UI is a
| simple search box, optional country selector dropdown and an
| "Only search in cache" checkbox. Smoke test shows the cache
| checkbox works - apparently nobody else has searched for "dog"
| in the US.
|
| The country dropdown is interesting as far as the cache goes -
| _not_ selecting a country is meaningful as far as the cache is
| concerned. My prior "dog" query in the US does not return hits
| if I don't select a country. Not selecting a country and
| searching the cache appears to return english results (with a
| few sample searches).
|
| It's interesting that you can explore the cache with this
| checkbox. Not sure if there are any privacy concerns with this
| feature - considering cache searches are "free" you can kind of
| scrape what other users are searching for, maybe with enough
| users it doesn't really matter. I suppose there could be rate
| limiting and such to prevent this kind of attack, but that's
| just a guess.
|
| It may be useful to have an option to opt-out your search from
| cache.
| RadiozRadioz wrote:
| Mullvad does have the happenstantial advantage that its
| userbase likely nowhere near as diverse as Google's, naturally
| following that the queries themselves are not as diverse. While
| Google fields requests across the full diversity of the globe,
| Mullvad's userbase likely skews toward middle-high income
| westerners with a STEM background searching in English. The
| types of queries these users are making are probably from a
| much narrower corpus of topics; I wonder what percentage of the
| queries revolve around privacy, Linux, software, typical hacker
| hobbies like woodworking, et cetera. This isn't to say that
| these are the only types of queries being made, but if you were
| to group Mullvad users into equivalently broad advertising
| cohorts, you'd probably end up with far fewer than Google's
| users.
|
| The interests being more heterogeneous results in more similar
| queries, which would increase the proportion of cache hits.
| Whether this is enough to help make the strategy viable is
| another matter, but I do think it's worth noting.
|
| I also wonder about the complexity of the queries themselves.
| The more technical users would probably use more complex
| combinations of operators, but they're also more likely to
| search by keyword rather than natural language.
| KRAKRISMOTT wrote:
| But people who actively use VPNs are not necessary those with
| a search history that follows a short tail distribution.
| Mullvad gets a good chunk of its revenue from Firefox and
| other white labels too.
| zjnevnf wrote:
| [dead]
___________________________________________________________________
(page generated 2023-06-20 23:01 UTC)