Interview with Mullvad VPN

8

Interview with Mullvad VPN

0)Please tell us, what is your role (in the VPN company, where do you stand, owner, marketer, advertiser etc)?
My name is Fredrik Strömberg. I own 50% of Amagicom AB which is the swedish company operating Mullvad. The other 50% is owned by my colleague Daniel Berntsson. I do everything from customer support and economics to penetration testing, security reviews and development.

1) Does Mullvad VPN keep any logs, IP Addresses, Timestamps, Bandwidth caps, Traffic or other data?
No, nothing related to our customers’ usage of Mullvad. Neither their traffic nor metadata such as IP addresses, timestamps or anything like that is logged.

We do log things like how much traffic each server is shuffling so that we can do better load balancing.

2) What type of Encryption do you use?
We use OpenVPN with 128 bit Blowfish for the tunnel, and 2048 bit RSA for establishing it. We also use perfect forward secrecy.

Of course this is not the extent of our traffic protection. Our optional but recommended client also includes things like connection block should the tunnel go down, DNS leaks protection, protection against IPv6 leaks, and Teredo leaks. Furthermore, our client uses obfsproxy for traffic obfuscation when it detects that the tunnel is cut due to handshake matching using deep packet inspection.

3) Where are your servers located and what jurisdiction do you operate under?
Our servers are located in Sweden, The Netherlands, Germany and the U.S. We operate from Sweden, where our company is incorporated.

4) How do you generally handle requests from law enforcement and copyright agencies?
We tell them the truth; That we don’t log our users’ activities, that IP addresses are shared between many customers at every moment, and that anonymous internet is mostly a good thing for society, and is here to stay.

5) Do you have access to all your servers, and does the datacenter you use log?
No, not all of them. We only have physical access to our swedish servers, which we also own and physically handle ourselves. All other servers are dedicated. We don’t use virtual servers. We’re also very careful with where we purchase or place servers. We’ve met all our data center suppliers away from the keyboard.

To our knowledge none of our data centers log our traffic.

6) Does your service support bittorrent?
Yes. We only block tcp port 25 (because of email spam).

Check out the official Mullvad VPN website here!

About Author

Brandon Stosh is the founder and CEO of www.freedomhacker.net. Stosh is a cyber security researcher and professional consultant who strives to provide reliable news on cyber-security based topics.

8 Comments

  1. If they would up their encryption and get better support these guys would be pretty good as they have a great privacy policy. The problem is their updated encryption, srsly? 128bit blowfish and SHA1? Like update your encryption. You’re charging 80$ a year and the encryption is pretty low and the support is terrible. I asked a few different questions using different email addresses to test it out and only got one reply and didn’t get any on the other emails and it’s been like 2 weeks. I asked another questions out their encryption on friday and have yet to get a reply yet. It’s a shame as i would have paid them that 80$ if they would have had better encryption.

  2. Is 128 bit blowfish and SHA1 enough? That’s a good question. Is it safe for most people? Probably. If not 128 bit blowfish, and SHA1, then what do you recommend?

    • Personally I do not believe that it will be sustainable. Encryption needs to be amped up to the max right now, and no company should settle for less. Personally, I always go for the highest security available. I recommend (I am quoting this from CryptoStorm
      auth SHA512
      # data channel HMAC generation

      cipher AES-256-CBC
      # data channel stream cipher methodology

      replay-window 128 30
      # settings which determine when to throw out UDP datagrams that are out of order, either temporally or via sequence number

      tls-cipher TLS-ECDHE-RSA-WITH-AES-256-SHA
      # implements PFS via TLS 1.2, natively, thru ephemeral Diffie-Hellman key creation
      Source: https://freedomhacker.net//interview-with-cryptostorm-is-vpn/

      Only because its very intensive, and I know CryptoStorm to be one of the most secure providers of internet services on the internet.

    • It is enough, yes. SHA1’s weaknesses do not impare security in the way used here, and blowfish is a tried and true algorithm, even if it’s old. It also has a key schedule so well made that it has been repurposed for the famous bcrypt “hash”. Now compare this to AES256 which has an infamously bad key schedule (to the point where some people even recommend AES128 over it). The biggest problem with blowfish is that it uses 32-bit blocks, which means that it starts to weaken after about 32 gigabytes of encrypted data is are sent with the same key. Mullvad re-keys blowfish after one hour, however, so that is no longer a weakness.

  3. They have backdoors their server is in the U.S. they may say Sweden and the Netherlands and so on.
    C:\Program Files (x86)\Mullvad\obfsproxy the U.S. will be watching everything you do.

  4. When doing research on how to have my equipment and personal data more secure I got a pop-up from Google warning me that everything I type in my research is perused and made note of for numerous reasons, which I won’t get into. This really ticks me off! In the past I have had a couple of credit cards hacked into resulting in thousands of dollars I was made responsible for, and just recently had my verizon account hacked with the most expensive phones purchased, and the last thing was my facebook account being hacked into. Really???!! To top it off, my ISP stops my internet service when I try to set my PC to a PTP protocol and when I do research on how to secure stuff I get this message from Google? Something is definitely not right here!

    • Hey Red, it sounds like you may have some malware on your PC. You might want to try and get that taken care of ASAP. There shouldn’t be any popups on Google and if your accounts are getting hacked. Also your ISP could have cut off your net if the attackers were committing malicious activity. Yikes!! If you need any help let us know!

Leave A Reply

Send this to friend