No PII or privacy leaks found in Cure53’s Infrastructure audit

Mullvad

We invite you to read the final report of the first security-focused audit on Mullvad’s infrastructure, completed in December 2020.

As Mullvad exists to protect users and their data, we are rather happy with independent auditor Cure53’s statement, “The security awareness and overall security posture should be regarded as rather good, as expected Cure53 were not able to discover any Personally-Identifiable-Information attached to Mullvad’s end-users.”

The audit report is available on Cure53’s website.

Full article

Three signals of a more privacy-friendly messaging app

Mullvad

Does your messaging app truly respect your privacy? Here are a few simple questions to ask to get a helpful answer. Plus, we tell you which messaging tool sends us all the right signals.

When a friend visits your home, you probably take for granted that your conversations are private. And the idea of someone keeping track of when you come and go, who visits, and how long they stay is something only found in a gripping thriller, right?

Now that most of our interactions have gone online, how do you know that your digital communications and the habits surrounding them are also private? Here are a few ways to tell if a messaging app is privacy-friendly.

Full article

Linux issues resolved in latest desktop release (2020.7)

Mullvad

The newest version of the Mullvad VPN app for desktop fixes a number of bugs experienced by Linux users.

What’s new

This release is also available for Windows and macOS, but it only contains bug fixes for Linux.

Download the app

Download the Mullvad VPN app. If needed, we’ve got help guides for installation and usage.

Know of someone unable to access our website? Point them to Mullvad’s onion address on Tor or to Mullvad on GitHub.

Full article

Big no on Big Sur: Mullvad disallows Apple apps to bypass firewall

Mullvad

Despite Apple’s changes to macOS with the release of Big Sur, we can confirm that the Mullvad app still performs as intended by not allowing Apple’s own apps to bypass our VPN firewall.

Starting in Big Sur, the latest version of macOS, released 12 November 2020, Apple excludes its own apps from the content filter provider APIs. As a result, any network monitoring and security software using these APIs is unable to detect and block traffic from Apple apps.

Mullvad does not use content filter provider APIs to secure the device. Instead, we use the Packet Filter (PF) firewall which is built into macOS. This is a packet firewall, not an application firewall, which means that it does not exclude packets from any apps, including Apple’s own apps.

In other words, our usage of the PF firewall does not allow Apple apps to leak when Mullvad VPN is blocking the Internet. We have verified this by observing the network traffic from outside of the Apple machine.

Full article

Your privacy is your privacy – updated policy

Mullvad

Our long-term goal is to not store any PII (Personally Identifiable Information). For this purpose we recently made two changes in our Privacy Policy and our No-logging of user activity Policy.

Decisions are hard to make. They always involve trade-offs. In our quest to distinguish ourselves as the most privacy-focused VPN, we often weigh “privacy + ease-of-use” against “privacy + cool features”.

Full article

Linux under WSL2 can be leaking

We have found that you could be leaking your Internet traffic when running Linux under WSL2 (Windows Subsystem for Linux 2).

Our investigation has shown that these leaks also occur with other VPN software. Even though we do not have a solution to present yet, we feel the need to address the problem, and we are working on a fix.

Recently, we got a report that said there were leaks from Linux under WSL2. Our investigations concluded that traffic from the Linux guest bypasses all normal layers of WFP (the firewall on the Windows host) and goes directly out onto the network. As such, all the blocking the app does in the firewall is ignored.

Network traffic from the Linux guest always goes out the default route of the host machine without being inspected by the normal layers of WFP. This means that if a VPN tunnel is up and running, the Linux guest’s traffic will be sent via the VPN with no leaks! However, if there is no active VPN tunnel, as is the case when the app is disconnected, connecting, reconnecting, or blocking (after an error occurred), then the Linux guest’s traffic will leak out onto the regular network, even if “Always require VPN” is enabled.

How it leaks

WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking.

Other VPN software

We have tested a few other VPN clients from competitors and found that all of them leak in the same way. Therefore, this is not a problem with Mullvad VPN specifically, but rather an industry-wide issue that no-one, or very few, have addressed yet. The way Microsoft has implemented virtual networking for Linux guests makes it very difficult to properly secure them.

Full article

FAQ: New national security law – Hong Kong

Mullvad

We frequently get questions about HK and its new security law. The most common question is “Why haven’t you already pulled out of HK altogether?”, but some customers emphasize the need for servers in HK and voice their concern that we might withdraw.

Our VPN service, as well as our relays and bridges, can be used for many reasons and in many different ways. However, if you have privacy concerns, it might be good to choose a server location in a jurisdiction YOU prefer. Also consider using Multihop. Deciding on a location could be based on jurisdiction, network quality, blocking and throttling, and many other factors.

For instance, you can use our bridge service with Singapore as an entry location and the U.S. as an exit location if that’s a combination that fits your needs. Alternatively, you can use the Multihop function in WireGuard. The traffic will be encrypted from your computer to the exit server, and the bridge or WG server in the middle will just route traffic to the exit node without being able to decrypt it. Depending on your threat model, using two locations with different jurisdictions might be beneficial.

Results available from audit of Mullvad app

Mullvad

We invite you to read the final report of the independent security audit performed on the Mullvad VPN app.

As stated in the report, “The results of this May-June 2020 project targeting the Mullvad [app] are quite positive.” The audit was performed on the five supported platform versions of the app: desktop version 2020.4, Android version 2020.5-beta1, and the iOS TestFlight version 2020.3.

The auditors “could only spot seven security-relevant items. Moreover, penetration tests and audits against application branches of Mullvad exclusively pointed to issues with limited severities, as demonstrated by the most impactful flaw scoring as Medium only.”

Six testers from Cure53 performed the audit over the course of 20 days.

Read the report

The final audit report is available on Cure53’s website.

For full transparency, the initial report is also public. This is the version that was initially presented to us. After we discussed the use of certain terminology with the auditors and requested that they specify which app versions had been audited, they adjusted the report and produced the final version.

An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.

Upgrade your app

Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released new versions for all platforms:

  • Windows, macOS, and Linux: 2020.5
  • Android: 2020.5-beta2
  • iOS: 2020.3

Download Mullvad VPN to get the latest version.

Overview of findings

Of the seven issues found, two were classified by the auditors as “Medium”, two as “Low”, and the remaining three as “Info”. The auditors did not find anything that they would classify as dangerous or critical, and according to the report, “Mullvad does a great job protecting the end-user from common PII [personally identifiable information] leaks and privacy related risks.”

We fixed five of the seven issues and merged the fixes before the final report was finished and sent to us. The remaining two are items that we do not deem serious problems, nor are they a threat to us or our users. Furthermore, we have no way of patching those two, as they are out of our control.

Full article

Mullvad VPN Android app available on F-Droid!

Mullvad

Our Android app is now available through yet another distribution channel: F-Droid.

It was the plan all along to offer the Android app via three different distribution channels. It was first made available on our website as a standalone installer APK in version 2019.8-beta1 on 2019-09-19. It was then made available on Google Play in version 2020.4-beta1 on 2020-03-31. And now, finally! Catering more to the Open Source community, we are available via F-Droid with the recent 2020.5-beta2 release.

The app is still classified as a beta due to stability issues on some devices and versions of Android. But it gets better with every release, and we are pretty close to making a stable release now.

Full article

Mullvad VPN assessed in external security audit, new beta version (2020.5-beta2) available

Mullvad

An independent security audit of the Mullvad VPN app was recently completed. Based on the auditors’ findings, we’ve prioritized our improvements accordingly and released a new beta version for desktop and Android.

Here are the new beta versions:

  • Windows, macOS, Linux: 2020.5-beta2, which you can download from our website. Alternatively, wait for the next stable version, which is what we always recommend running.
  • Android: 2020.5-beta2, to be released shortly.

During the assessment, auditors from Cure53 found nothing that they define as critical and were “unable to compromise the [app].”

Why you should care about VPN audits

An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.

Final audit report coming soon

We will publish a link to the audit report and an overview of the findings when it becomes available on Cure53’s website.

Full article