Even if you have encrypted your traffic with a VPN (or the Tor Network), advanced traffic analysis is a growing threat against your privacy. Therefore, we now introduce DAITA.

Through constant packet sizes, random background traffic and data pattern distortion we are taking the first step in our battle against sophisticated traffic analysis.

  • Phoenix3875@lemmy.world · ↑181 · 2 months ago

    The Chinese Great Firewall (GFW) has already been using machine learning to detect “illegal” traffic. The arms race is moving towards the Cyberpunk world where AIs are battling against an AI firewall.

    • Socsa@sh.itjust.works · ↑3 · 2 months ago

      I have some first-hand experience with this. Brand new XMPP server, never before seen by anyone in the world, blocked within about 12 hours. WireGuard VPN on AWS lasts for a few hours on some networks, more on others. Never longer than a few days though.

        • Dempf@lemmy.zip · ↑2 · 2 months ago

          I was there in 2017 or 2018 and set up a Shadowsocks server before I went with whatever the latest mitigations were that I could find at the time. My server wasn’t completely blocked, but ended up getting throttled to hell after a few days.

  • impure9435@kbin.run · ↑101 ↓1 · 2 months ago

    That’s one of the reasons why I love Mullvad: they actually care about their customers, not just about their bottom line.

    • Dojan@lemmy.world · ↑18 ↓3 · 2 months ago

      I wonder how much of a bottom line they actually have given how cheap their service is.

      • Linkerbaan@lemmy.world · ↑62 ↓2 · 2 months ago

        Mullvad is 5 bucks a month and never has promos.

        Weigh that against Nord which often has a year for like 15 bucks…

        But Mullvad is one of the few that actually seems to care about privacy.

        • Dojan@lemmy.world · ↑14 ↓1 · 2 months ago

          Oh wow, I had no idea Nord could go that cheap. To me €5 a month felt really inexpensive.

          • jet@hackertalks.com · ↑6 · 2 months ago

            I feel like every week someone on Lemmy says they would use mullvad except it’s too expensive. It’s refreshing to see somebody say oh yeah that’s fine.

            • sparkle@lemm.ee · ↑4 · edited · 2 months ago

              €5 a month for a VPN is expensive compared to others? I always saw Mullvad as one of the least expensive options other than like protonvpn and very few other open source ones. Most VPNs are hella expensive

              Personally I use Mullvad because it’s simple, very usable, open-source, and I can trust it the most (not to say some of the other open-source privacy-oriented options aren’t trustable). Ever since I got into programming, I’ve only ever used completely open-source options when I had the chance – if it’s not open source, I won’t use it. I make very few exceptions, like for games, because open source isn’t as successful there for the most part

            • Dojan@lemmy.world · ↑2 · edited · 2 months ago

              I suppose it’s all a matter of perspective. When put next to a lot of other subscription services (like Netflix 😩) it’s pretty cheap. Compared to other VPNs maybe not so much? I’ve honestly never looked at a VPN-only service before, like Nord etc. as VPNs have never been something I’ve prioritised.

              Still, knowing what little I know about Mullvad, €5 a month for a VPN that prioritises privacy seems fair to me. Again, it’s less than any of the streaming services and if privacy is important then it seems a fair price to pay.

              • jet@hackertalks.com · ↑2 · 2 months ago

                I think with all things globally, we apply an intrinsic sliding scale. Down to how many hours of labor that represents for us. So if $5 is a few minutes of labor fine. But if it’s 5 hours of labor then people are less likely to jump on it.

                • Dojan@lemmy.world · ↑2 · 2 months ago

                  Oh yes, absolutely. I am privileged to be middle-class (which I can appreciate even more as I grew up a povvo bitch) in Sweden where €5 while not nothing (for me in my economic situation) is a reasonable expense for an interest. I could rent a film for that money, or take the bus to the nearby town. I also happen to know people for whom €5 is a significant sum of money, so like previously said it depends entirely on your perspective.

      • impure9435@kbin.run · ↑37 ↓1 · 2 months ago

        I’m pretty sure they are profitable, considering they were founded in March of 2009. You can’t really run a company without profits for 14 years, right? Just routing network traffic isn’t that expensive after all. They are the only ones being honest about it, other VPNs charge way more because they only want to extract money from their customers.

        • Dojan@lemmy.world · ↑5 · 2 months ago

          Cheers. Network related stuff isn’t my forte so I really have no idea about the costs. I just figured that the moment you start adding a decent amount of users the costs will go up, and €5 seems like a really fair price.

          • impure9435@kbin.run · ↑14 · 2 months ago

            It’s actually the other way around: the more users you have, the cheaper everything eventually becomes.

              • impure9435@kbin.run · ↑5 · 2 months ago

                Yes, there’s no reason this wouldn’t apply to a VPN provider. It’s also the reason NordVPN or Surfshark is so incredibly cheap.

                They have lots of users -> They can pay lots of money for advertising -> They get more users -> Everything becomes cheaper -> They can pay more for advertising

                You get the point

  • MigratingtoLemmy@lemmy.world · ↑41 ↓5 · 2 months ago

    I love these guys. Let’s see if somebody can just bootstrap the FOSS framework directly on TCP to work on the internet without a VPN. Fantastic project

    • jet@hackertalks.com · ↑3 ↓1 · 2 months ago

      I’m afraid just generating random traffic from your IP address won’t do anything against traffic flow analysis. Because most internet traffic is point to point, people who are interested in the flow just follow the traffic moving between various points. So if you’re sending extra traffic to other random sites, it doesn’t interfere with point-to-point flow analysis.

      In the context of a VPN, because all of your traffic is encrypted, you have to work harder to determine what traffic is going where, because all traffic is going from your network to another virtual network. So an outside observer just sees the size and frequency of traffic but not the destinations. In this context, since they don’t see the destinations, it makes sense to add random traffic flows, because that’ll obscure the signal that the observers are looking for.

      • MigratingtoLemmy@lemmy.world · ↑2 · 2 months ago

        Considering that VPNs are point-to-point too (home -> VPN), I was wondering if one could use DAITA with TCP directly instead of having to use a VPN. Imagine if TCP had DAITA baked in.

        • jet@hackertalks.com · ↑2 · edited · 2 months ago

          Even if you baked variable packet sizes into TCP, it would be trivial for anybody monitoring network flow to see who you’re talking to. There would be no ambiguity.

          The only reason this makes sense for a VPN is that there’s a lot of traffic bundled together, so a third party doesn’t actually know where your traffic flow is going.

          Consider the example where you ran your own personal VPN endpoint, so you were the only user on the VPN. Even with randomized traffic flow injected into your VPN connection, it would be trivial for any third party who’s monitoring traffic flow to know that traffic is yours, because you’re the only VPN connection talking to the VPN server. This thought experiment applies when you don’t have a VPN at all.

          • MigratingtoLemmy@lemmy.world · ↑2 · 2 months ago

            If I were to send packets to a single entity over time, I’d have no use for DAITA. I agree with you on this.

            However, let’s say that I run a bunch of VPN endpoints across VPSes, and the entity trying to track me doesn’t know about all of these IP ranges. I could be renting from a colo, the cloud and even a bunch of friends who have their ports open. If I were to mix this in with my usual internet traffic, it becomes significantly harder for third parties to figure out what I’m doing connecting to all of these different IPs. A state actor could put the resources behind it, but the average third party will have a hard time with it. I can certainly see use-cases for it.

            • jet@hackertalks.com · ↑2 · 2 months ago

              I think we’re mixing up vocabulary.

              Every IP you talk to is visible to anybody monitoring your network. The sale of net flow data is commonly acknowledged by ISPs. So every computer you talk to is common knowledge for sale.

              In your scenario, let’s say you have five VPN connections set up to go to five endpoints that you control. But if nobody else is using those same endpoints, your net flow data still exposes exactly what you’re doing. There’s no ambiguity. Your traffic is plainly obvious to anybody observing the network, even if those VPN connections are adding randomized traffic onto the links.

              • MigratingtoLemmy@lemmy.world · ↑1 · 2 months ago

                Except that I will not necessarily be connecting to the exact same IPs over time, just going to do so in specific ranges which the VPS/colo owns. There are plenty of people who are going to be renting VPSes and will have their traffic originate from the same IP range as mine, which means that if everybody using TCP had their traffic anonymized like so, the third party wouldn’t actually know that MigratingToLemmy specifically was connecting to AWS at a certain time and from a certain location, so to speak. This hypothesis doesn’t include correlation through other data in the threat model. But it could definitely prevent correlation with traffic across locations, which is similar to what Mullvad states.

  • nivenkos@lemmy.world · ↑34 ↓1 · 2 months ago

    No port forwarding really kills the utility though - I mainly use the VPN to do port forwarding (e.g. for video games, Plex, etc.) as my ISP is shit.

    Like I’m not worried about state-level de-anonymisation, I just want to be able to share services remotely and have a minimum level of anonymity.

    • far_university1990@feddit.de · ↑34 ↓1 · 2 months ago

      Port forwarding was removed because their hosting provider threatened to kick Mullvad out. A lot of shit was hosted through it. No hosting, no VPN, so they needed to remove it to continue operating.

      • ForgotAboutDre@lemmy.world · ↑16 ↓11 · 2 months ago

        Port forwarding means torrents. People using a VPN to torrent likely have much more traffic, especially those that seed (which is why they want port forwarding). Not enabling port forwarding means Mullvad can operate at a higher profit-to-cost ratio, and with less risk.

          • ForgotAboutDre@lemmy.world · ↑23 ↓3 · 2 months ago

            That’s what Mullvad say. It’s not necessarily the reason why they don’t offer port forwarding.

            It was always possible for them to continue allowing port forwarding. They could use separate servers for those that want port forwarding, stopping any impact port forwarding had on those customers.

            • sramder@lemmy.world · ↑5 ↓1 · 2 months ago

              Hum… this was one of the original reasons I signed up with them. I totally missed them dropping support. I’m not mad about it because I don’t torrent much anymore, but it’s still a pretty lame excuse.

              I want all my services supporting maximum fuckery at all times as a matter of general principle.

              Any alternatives that you know of?

              • Aceticon@lemmy.world · ↑6 · 2 months ago

                Torrenting works fine with Mullvad in my personal experience, and will pretty much up to my current ISP speed limits (which is 200Mbps download).

                Can’t really guarantee you that it will be as good if you’re hosting your own seedbox over their VPN (then again, if you’re doing that you should probably pay for a proper seedbox hosted elsewhere), but if you’ve downloaded something and then just leave it seeding, it seems fine.

                • sramder@lemmy.world · ↑3 · 2 months ago

                  I can’t honestly say I’ve ever had much trouble with it either. No trouble receiving files at least… there wasn’t much outbound traffic, but that could just have been a lack of interest :-)

                  I’m happy with Mullvad’s service and now that the initial shock and indignation is wearing off I’ll probably stick with them.

                  Besides I read about their new traffic obfuscation and I’ve got to give that a try. We need proactive innovation like that, now more than ever.

              • Salix@sh.itjust.works · ↑4 · edited · 2 months ago

                I personally like AirVPN. Pretty good speeds depending on the server. You can port forward and have up to 5 devices connected simultaneously. Make sure you’re using the WireGuard protocol.

                Only issue is that Eddie (their GUI) kinda sucks. Works okay on Linux, and probably same on Windows. The Android one just really sucks.

                I personally just download the WireGuard configs to use.

            • MigratingtoLemmy@lemmy.world · ↑4 ↓3 · 2 months ago

              You should be using a seedbox to torrent in this age. Let the company run their business, if they don’t want to be a part of the group that allows torrents, so be it.

              • ForgotAboutDre@lemmy.world · ↑6 · 2 months ago

                There are plenty of other options in the market, including ones with port forwarding. It’s a very saturated market.

        • Aceticon@lemmy.world · ↑6 ↓1 · edited · 2 months ago

          That sounds strange given that Mullvad works fine for torrenting in my personal experience and even up to quite a good speed (it can use the full 200Mbps download speed from my ISP).

          Also, modern NAT will do deep packet inspection on common well-known protocols to automatically adjust the port of your machine listed in any “here I am” protocol messages being sent out from your side to be an actual port on the VPN router, and to keep an internal association of that port in the router with the actual port on your machine, so that connections to that port can be sent to your own machine and the actual port in it that is used.

          It’s only the pure listener services (such as web servers and e-mail servers), where the port is pre-defined by convention and not a variable one sent out in any “here I am” message, that require explicitly configured port-forwarding on the VPN router side. Plus, because the port is fixed by convention for each type of service (such as port 25 for SMTP and port 80 for HTTP), of all the clients connected by VPN to that VPN router at any one time, only one will be able to get that specific port.

          • ForgotAboutDre@lemmy.world · ↑2 ↓1 · 2 months ago

            You need port forwarding to connect on torrents. You’re able to torrent because everyone you torrent from has port forwarding enabled. If you want to access more seeders, and more commonly leechers, you need port forwarding. This is useful for people using private trackers that want to maintain a ratio.

            • Aceticon@lemmy.world · ↑2 · 2 months ago

              I can download at the maximum rate my ISP supports and I can seed after downloading (probably only to those clients which my own client has connected to).

              However I cannot seed in a brand new session during which I did not download that specific torrent (as I just tested).

              I expect this is because, as I explained, the NAT implementation actually tracks which IP addresses your client connected to and through which VPN router port that went, so that subsequent connections from those IPs to that port get sent to the right port on your own machine, but it doesn’t support UPnP/NAT-PMP port forwarding, so the BitTorrent client cannot configure a static port-forward on that VPN router that would let it listen for connections from any random client.

              So if I understand it correctly it totally screws self-hosted seedboxes, and if you want to give back to the community you have to leave it seeding immediately after downloading, and it’s not going to be seeding anywhere near as fast since it’s limited to peers connected to during the download stage.
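
The behaviour described in this sub-thread (peers you connected to can reach you back, unknown peers cannot, and a static port-forward is what lifts that restriction) can be modelled as a connection-tracking NAT with address-dependent filtering. The following is an added example, not code from Mullvad or from anyone in the thread; the `ConnTrackNat` class, the addresses and the ports are all constructed for illustration.

```python
# Added example (not from the thread): a toy model of a VPN router's NAT with
# connection tracking, showing why a BitTorrent client behind it can talk to
# peers it contacted first but cannot accept connections from new peers unless
# a static port-forward exists. All addresses and ports are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class ConnTrackNat:
    public_ip: str
    next_port: int = 40000
    # (public_port, peer) -> client endpoint: one entry per outbound flow, so
    # replies are only accepted from the exact peer the client contacted
    # (address-and-port-dependent filtering)
    flows: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)
    # public_port -> client endpoint: explicitly configured forwards
    static_forwards: Dict[int, Endpoint] = field(default_factory=dict)
    # client endpoint -> public port, so a client keeps reusing one mapping
    mapped_ports: Dict[Endpoint, int] = field(default_factory=dict)

    def outbound(self, client: Endpoint, peer: Endpoint) -> int:
        """Client initiates a connection to peer; returns the public port used."""
        port = self.mapped_ports.get(client)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.mapped_ports[client] = port
        self.flows[(port, peer)] = client
        return port

    def inbound(self, peer: Endpoint, public_port: int) -> Optional[Endpoint]:
        """A packet from peer arrives at public_port; returns the client it is
        delivered to, or None when the router drops it."""
        if (public_port, peer) in self.flows:
            return self.flows[(public_port, peer)]
        return self.static_forwards.get(public_port)

    def add_static_forward(self, public_port: int, client: Endpoint) -> None:
        """What UPnP/NAT-PMP or a provider's port-forwarding feature sets up."""
        self.static_forwards[public_port] = client


def seeding_scenario() -> Dict[str, bool]:
    """Constructed walk-through of the observations made in the thread."""
    nat = ConnTrackNat(public_ip="203.0.113.5")
    client = ("10.8.0.2", 51413)        # torrent client behind the VPN router
    peer_a = ("198.51.100.20", 6881)    # peer we downloaded from
    peer_b = ("192.0.2.77", 6881)       # peer that only learned about us later

    port = nat.outbound(client, peer_a)  # download phase: we connected out first
    results = {
        "reply_from_known_peer": nat.inbound(peer_a, port) == client,
        "new_peer_before_forward": nat.inbound(peer_b, port) is not None,
    }
    nat.add_static_forward(port, client)  # what port forwarding would give us
    results["new_peer_after_forward"] = nat.inbound(peer_b, port) == client
    return results


if __name__ == "__main__":
    print(seeding_scenario())
```

Run it and the first flag is true, the second false and the third true: seeding to peers you already pulled from works through plain connection tracking, but a fresh session where nobody has a tracked flow to you needs the static forward.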

    • qjkxbmwvz@startrek.website · ↑6 · 2 months ago

      Someone else pointed out Tailscale; I’ve had luck with free tier VPS+WireGuard.

      I have an Oracle one which has worked well. Downside is I did link my CC, because my account was getting deactivated due to inactivity (even using it as a VPN and nginx proxy for my self hosting wasn’t enough to keep it “active”). But I stay below the free allowance, so it doesn’t cost.

      That said: as far as anonymity goes, it’s not the right tool. And I fully appreciate the irony of trying to self-host to get away from large corporations owning my data…and relying on Oracle to do so. But you can get a static IP and VPS for free, so that’s something.

      • thatsnothowyoudoit@lemmy.ca · ↑17 · 2 months ago

        The Option 121 attack is a concern on networks where you don’t.

        Exactly where you’d want a VPN. Cafes, hotels, etc.

        • DefederateLemmyMl@feddit.nl · ↑5 · edited · 2 months ago

          True that. Hadn’t thought of that as it’s not my typical VPN use case.

          I’m not sure what a VPN provider could do about that though; they don’t control the operating system’s networking stack. If the user, or an outside process that the user decides to trust (i.e. a DHCP server), adds its own network routes, the OS will follow them and route traffic outside of the tunnel.

          The defenses I see against it are:

          • Run the VPN and everything that needs to go through the VPN in a virtualized, non-bridged environment so it’s unaffected by the routing table.
          • Put a NAT-ing device in between your computer and the network you want to use
          • Modify the DHCP client so that option 121 is rejected

          Edit: thinking about it some more, on Linux at least the VPN client could add some iptables rules that block traffic going through any other interface than the tunnel device (i.e. if it’s not through tun0 or wg0, drop it). Network routes can’t bypass iptables rules, so that should work. It will have the side effect that the VPN connection will appear not to work if someone is using the option 121 trick though, but at least you would know something funny was happening.
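
The symptom of the option 121 trick discussed above is a routing-table entry on the physical interface that is more specific than the tunnel's routes. The following is an added example, not code from Mullvad or from the commenter: it parses `ip -4 route show` style output and flags routes that would carry traffic around the tunnel. The routing table, the tunnel name `wg0` and the endpoint address are constructed assumptions; it only audits the main table, so a client that relies on policy routing (a separate table selected by fwmark) would need the same check run against that table.

```python
# Added example (not from the thread): audit a Linux routing table for routes
# that would carry traffic around a VPN tunnel, the symptom of a rogue DHCP
# server pushing classless static routes (option 121). The table below is
# constructed; "wg0" and the endpoint address are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_IP_ROUTE = """\
default via 10.0.0.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.42 metric 600
203.0.113.7 via 10.0.0.1 dev wlan0
192.0.2.0/24 via 10.0.0.1 dev wlan0 proto dhcp metric 600
198.51.100.10 via 10.0.0.1 dev wlan0 proto dhcp metric 600
"""


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    proto: str
    scope: str
    via: Optional[str]


def parse_ip_route(text: str) -> List[Route]:
    """Parse 'ip -4 route show' lines: a prefix followed by keyword/value pairs."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host becomes /32
        kv = {}
        for key in ("dev", "proto", "scope", "via"):
            if key in tokens:
                kv[key] = tokens[tokens.index(key) + 1]
        routes.append(Route(net, kv.get("dev", "?"), kv.get("proto", ""),
                            kv.get("scope", ""), kv.get("via")))
    return routes


def classify(route: Route, tunnel_if: str, endpoint: str) -> str:
    if route.dev == tunnel_if:
        return "tunnel"
    if route.dst.prefixlen == 0:
        return "underlay-default"  # fine as long as the tunnel overrides it
    if route.dst == ipaddress.ip_network(endpoint + "/32"):
        return "endpoint"  # the VPN server itself must be reached outside the tunnel
    if route.proto == "kernel" and route.scope == "link":
        return "lan"  # the physical interface's own subnet
    return "bypass"  # anything else steals traffic from the tunnel


def tunnel_covers_everything(routes: List[Route], tunnel_if: str) -> bool:
    """True if the tunnel holds a default route or the 0/1 + 128/1 pair."""
    nets = {r.dst for r in routes if r.dev == tunnel_if}
    if any(n.prefixlen == 0 for n in nets):
        return True
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return halves <= nets


def audit(text: str, tunnel_if: str, endpoint: str) -> List[Tuple[str, str, str]]:
    """(destination, interface, verdict) for every route in the table."""
    return [(str(r.dst), r.dev, classify(r, tunnel_if, endpoint))
            for r in parse_ip_route(text)]


def bypass_routes(text: str, tunnel_if: str, endpoint: str) -> List[str]:
    """Destinations whose traffic would leave via the physical interface."""
    return [dst for dst, _dev, verdict in audit(text, tunnel_if, endpoint)
            if verdict == "bypass"]


if __name__ == "__main__":
    for row in audit(SAMPLE_IP_ROUTE, "wg0", "203.0.113.7"):
        print(*row)
    print("bypass:", bypass_routes(SAMPLE_IP_ROUTE, "wg0", "203.0.113.7"))
```

On the constructed table the two `proto dhcp` routes for `192.0.2.0/24` and `198.51.100.10` are reported as bypasses while the LAN subnet, the endpoint host route and the underlay default are accepted. The audit only detects the condition; the interface-bound firewall rule proposed in the edit above is what enforces it.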

      • Pyrosis@lemmy.world · ↑3 · 2 months ago

        Of course but you don’t control rogue dhcp servers some asshat might plug in anywhere else that isn’t your network

  • linearchaos@lemmy.world · ↑18 ↓1 · 2 months ago

    I swear the defense against the dark arts teacher just keeps getting weirder and weirder.

  • MTK@lemmy.world · ↑8 · 2 months ago

    I can tell you that this existed way before AI. I wish that there was more awareness earlier, but it’s good that now it’s starting.

  • Shadowq8@lemmy.world · ↑6 · 2 months ago

    I use Mullvad, really good; love how they don’t care who you are and can actually maintain complete anonymity even in payment.

    Probably going to be banned soon for some stupid reason if it gets popular, like free speech is allowing the terrorists to make bears cry or something.

  • MashedTech@lemmy.world · ↑4 · 2 months ago

    Windscribe had something similar already? Not exactly this, but they had a feature to add other random traffic to your network specifically to work against systems like these.

    • jet@hackertalks.com · ↑17 · edited · 2 months ago

      Not just tor. Tor plus random traffic.

      Let’s say across your VPN you always sent one megabyte per second of traffic even if you had nothing to say. And then everybody connected to the VPN endpoint did the same thing. Then it gets very difficult to actually follow the traffic flows of the encrypted packets. You don’t see a large chunk of data passing through the network
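
The constant-rate idea in this comment, and the earlier point in the same thread that padding only helps when the observer cannot already see the destinations, can be made concrete with a small simulation. The following is an added example and not Mullvad's DAITA implementation: it models a fixed stream of fixed-size packets over a tunnel, applied to two constructed per-slot traffic patterns, and reports what an on-path observer sees with and without shaping together with the cost (dummy bytes and queueing delay). The packet size, rate and traffic patterns are assumptions chosen for illustration.

```python
# Added example (not Mullvad's code): a toy model of constant-rate padding
# (send a fixed number of fixed-size packets every slot whether or not there is
# real data) applied to two constructed traffic patterns.
from typing import Dict, List

PACKET_SIZE = 1000              # bytes on the wire, every packet (assumption)
SLOT_MS = 100                   # time slot used for the traces
RATE_BYTES_PER_S = 1_000_000    # "one megabyte per second" from the comment
PACKETS_PER_SLOT = RATE_BYTES_PER_S * SLOT_MS // 1000 // PACKET_SIZE  # 100

# Real application bytes per 100 ms slot (constructed): a bursty page load and
# a near-idle chat session.
PAGE_LOAD = [0, 0, 40_000, 350_000, 120_000, 5_000, 0, 0, 0, 0]
IDLE_CHAT = [0, 0, 0, 200, 0, 0, 0, 150, 0, 0]


def shape_constant_rate(real_bytes: List[int], packet_size: int = PACKET_SIZE,
                        packets_per_slot: int = PACKETS_PER_SLOT) -> Dict[str, object]:
    """Emit exactly packets_per_slot packets of packet_size bytes every slot.
    Real data fills packets first and is queued when it exceeds the slot's
    capacity; the remaining packets are dummies. Returns the observable
    per-slot trace plus what the shaping cost."""
    capacity = packet_size * packets_per_slot
    rate_bytes_per_s = capacity * 1000 // SLOT_MS
    backlog = 0
    real_packets = dummy_packets = max_backlog = 0
    trace = []
    for incoming in real_bytes:
        backlog += incoming
        sent = min(backlog, capacity)
        backlog -= sent
        max_backlog = max(max_backlog, backlog)
        used = -(-sent // packet_size)          # ceil: a partial packet is padded
        real_packets += used
        dummy_packets += packets_per_slot - used
        trace.append(capacity)                  # observer sees the same bytes every slot
    return {
        "trace": trace,
        "real_packets": real_packets,
        "dummy_packets": dummy_packets,
        # worst-case queueing delay real data suffered behind the fixed rate
        "queue_delay_ms": max_backlog * 1000 // rate_bytes_per_s,
        "leftover_backlog": backlog,            # data still queued when the trace ends
    }


def trace_distance(a: List[int], b: List[int]) -> int:
    """Sum of per-slot byte differences: a crude 'how distinguishable' score."""
    return sum(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    page = shape_constant_rate(PAGE_LOAD)
    chat = shape_constant_rate(IDLE_CHAT)
    print("unshaped distance:", trace_distance(PAGE_LOAD, IDLE_CHAT))
    print("shaped distance:  ", trace_distance(page["trace"], chat["trace"]))
    print("page load cost:", page["dummy_packets"], "dummy packets,",
          page["queue_delay_ms"], "ms worst queueing delay")
```

With these inputs the unshaped traces differ by over half a megabyte while the shaped traces are identical; the price is that the page load spends about half its packets on padding and its burst is delayed by a few hundred milliseconds behind the fixed rate. What the shaping does not change is the (source, destination) pair of the tunnel itself, which is why the earlier comments in this thread say it only pays off when many users share the endpoint.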