Exit IP VPN servers mitigation rollout
117 points | 2 hours ago | 5 comments | mullvad.net | HN
john_strinlai
1 hour ago
it should probably link to this: https://mullvad.net/en/blog/exit-ip-fingerprinting-between-v...

which is the blog post, rather than a list of exit servers

related to this post: https://news.ycombinator.com/item?id=48143880

opem
1 hour ago
The page already contains links to both of these resources
john_strinlai
53 minutes ago
right. but one of those resources contains much more context than the other, making it much more suitable for the submission link.
mjevans
1 hour ago
I'd really like some version of e.g. Librewolf configured to spoof the exact SAME information no matter who's using it. Like standard resolution for a 1080p monitor, the same GPU profile, allow device timing stuff to work but with a fixed profile etc.

Effectively, stop spoofing random data, start spoofing still useful but not for fingerprinting data.

okso
1 hour ago
The Mullvad Browser? https://mullvad.net/en/browser
gruez
13 minutes ago
Or Tor Browser, where all the features came from. You can also enable it on Firefox with privacy.resistFingerprinting enabled.
akszt
21 minutes ago
Honestly pretty interesting disclosure.

Most people think switching VPN servers completely resets correlation, but subtle infrastructure patterns like deterministic exit-IP allocation can still create linkage signals without actually exposing identity.

The fact that Mullvad openly documented it instead of silently patching it is probably the best part here.

j027
1 minute ago
This sounds like some LLM to me
willis936
43 minutes ago
Is this at all related to Wyden's recent congressional warning? Are any other VPN providers speaking up on this?

https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_g...

john_strinlai
35 minutes ago
it is a direct response to this disclosure: https://tmctmt.com/posts/mullvad-exit-ips-as-a-fingerprintin... and nothing to do with american politics
willis936
3 minutes ago
And what evidence do you have that this May 14th disclosure has nothing to do with Wyden's March warning? If you remember your history you'll know Wyden tried to shake the Snowden revelations out before the Snowden revelations.

Dismissing Wyden's remarks as "american politics" is near equivalent to dismissing the entire notion of VPN security.

https://www.washingtonpost.com/politics/after-years-of-obscu...

john_strinlai
52 seconds ago
>Dismissing Wyden's remarks as "american politics"

it's a letter signed by american politicians, addressed to an american agency, about american citizens.

no scare quotes are needed around american politics.

andrewstuart
1 hour ago
Do VPNs pay retail ISPs for exit points?
TkTech
1 hour ago
No, not usually. Few ISPs are willing to risk blacklisting.

Just like scrapers (and a lot of VPNs are quietly using their custom VPN clients to sell your own IP [and data] to scrapers) it's mostly a "don't ask don't tell" situation for IP sourcing. You use a multitude of IP providers and if a scandal happens you just say "We didn't know!" and move on to the next. Almost always grey-market, very rarely through legitimate providers.

tiffanyh
16 minutes ago
I see DataPacket.com have VPN clients.

Does anyone know if this is any issue for non-vpn users of datapacket.com?

https://www.datapacket.com/case-study/nordvpn

gruez
10 minutes ago
>Does anyone know if this is any issue for non-vpn users of datapacket.com?

Probably not that much worse than other VPS providers with trashed IP reputations, e.g. DigitalOcean, Vultr, OVH. If you're blocking bots, the first thing to block is any datacenter IP ranges, not just known VPN servers.

r_lee
52 minutes ago
why is this downvoted? I'm not aware of a single ISP that would willingly let VPN providers use their IP blocks for their exit nodes
dtech
1 hour ago
Not retail ISPs, but many extensions and free VPNs route VPN traffic through the connections of those who use them.
joxdosba
1 hour ago
This isn’t correct, the residential IPs are a completely separate and vastly more expensive product.
giobox
1 hour ago
One such extension, https://www.tuxlervpn.com/faq/:

> Will other users of tuxlerVPN be able to connect using my IP address?

"When you use our free residential VPN, you automatically agree to add your IP address into the community pool. This means that you are trading your own IP address in return for the ability to connect via the IP addresses of other users. You can opt out of this by purchasing our premium subscription; once you upgrade to the premium version, your IP address will be removed from our community pool."

preinheimer
41 minutes ago
I mean, most “residential proxy” providers are selling access to hacked devices, or sneaky plugins

https://medium.com/@xianghangmi/resident-evil-understanding-...

Technical paper: https://ieeexplore.ieee.org/document/8835239
