Obscura VPN – Privacy that's more than a promise

2025-02-20 1:06 | 225 | 162 | obscura.net

Available for Mac. Download today.

Thanks for reaching the bottom — not everyone makes it.

I’m incredibly lucky to have the help of a crack(ed) team of privacy optimists to build Obscura.

Among us, we’ve served on the Nix RFC Steering Committee, implemented the 64-bit random number generator for the Go standard library, fixed critical vulnerabilities in hardware security tokens, won bounties for Monero bugs, and contributed to Bitcoin's reproducible builds.

But while privacy and digital sovereignty in some worlds has made leaps and bounds, VPNs have been left behind; peddling privacy based on promises instead of privacy baked into the architecture.

So we’re taking our skills to build Obscura: a VPN you can depend on to get the most out of our glorious digital commons – the internet. It’s the VPN we’ve always wanted to use, and it’s the kind of privacy we believe everyone should have access to.

Thanks for reading – ping me at carl@obscura.net for any questions, and I’ll see you on the free and open internet. 🏄

Cheers,
Carl Dong
I fight for the users.

[Team photograph] Our team learning laser-cutting at the NYC Resistor hackerspace



Comments

  • By v3xro 2025-02-20 12:28 (4 replies)

    Just to note here - with Mullvad you can pay via gift card that you can find at various retailers (to get a one-time code that you can use to create an account). Of course they can see your IP address but there is no payment/contact information on the system.

    • By dongcarl 2025-02-20 14:06 (2 replies)

      (Carl from Obscura here)

      Totally! Mullvad is _the_ pioneer in this space, and we look up to them. This is why they were our top pick for being an exit hop provider!

      • By VladVladikoff 2025-02-20 14:25 (4 replies)

        Hey Carl, sorry to hijack the thread but I have a question for you. Being the operator of a small website (5M views/month, 200k users), I am often plagued by targeted cyber attacks. Over the years many of these come from privacy enhanced networks (eg Tor, Mullvad, etc). I have approached Mullvad many times with abusive user reports which they seem to simply ignore. How do you plan to address this in your product? Will you simply allow bad actors to abuse the internet via your service? Or do you have some plans to address this issue?

        • By ziddoap 2025-02-20 14:32 (1 reply)

          If the abuse is serious enough, pursue legal avenues. Otherwise, these types of companies shouldn't be unmasking users based on a random person's assertion that someone is bad. That would be an abuse vector itself.

          • By VladVladikoff 2025-02-20 14:37 (3 replies)

            I am not asking them to. I am asking them to do a better job of bad actor detection and banning. Their current stance seems to be “ignore all packets, log nothing”. In my opinion they should be doing some amount of AI based abuse detection. This should be possible without violating user privacy.

            • By echoangle 2025-02-20 15:42

              How would you get training data for the AI without logging packets?

            • By Technetium 2025-02-21 0:54

              AI is not the answer for most things, but it's especially not the answer for this. Basic packet filtering is all there should ever be.

        • By yjftsjthsd-h 2025-02-20 14:50 (1 reply)

          > I have approached Mullvad many times with abusive user reports which they seem to simply ignore.

          What would you like them to do? Considering that AIUI they outright don't log or monitor users at all, I can't think of anything they could do with your reports.

          • By VladVladikoff 2025-02-20 15:40 (2 replies)

            Yes that is the crux of the issue. However many times when I reported bad actors to Mullvad the attacks were multi day attacks that were ongoing. It would have been trivial for Mullvad to add a filter to check for future packets from that VPN ip to my server IP and flag the associated account. However I believe even this approach is far too manual and invasive. I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.

            The issue is that VPN providers have zero motivation to do this, because a non-zero percentage of their user base is literally paying them BECAUSE they can use the service to attack other servers with a level of anonymity. If the VPN providers were to combat this issue it would negatively impact their revenue.

            • By yjftsjthsd-h 2025-02-20 15:58 (1 reply)

              > It would have been trivial for Mullvad to add a filter to check for future packets from that VPN ip to my server IP and flag the associated account.

              In other words, to break the fundamental premise of their product and identify traffic to a user.

              > I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.

              Not without, again, creating an entire system which exists only to record traffic and tie it back to users.

              Basically, both of your suggestions amount to "stop providing the product that is their entire business model", because the whole point is that they go out of their way to avoid having the information that you want them to use.

              • By mmooss 2025-02-20 23:02

                They don't have to tie it back to an individual, only to an account or, if they respond quickly enough, to a set of activities or traffic pattern.

            • By Imustaskforhelp 2025-02-20 16:04

              Let's face it man, they can't do anything.

              They can't have AI detection or any other thing to help you. Simply put they can't help you. If they have to, then they aren't that private.

              And they are in the business of privacy.

              I wonder why threat actors are abusing your website? I think you have also used Cloudflare anti-DDoS? So the problem isn't DDoS, then what exactly is the problem? Are they signing up and abusing your free service or something like that?

        • By dongcarl 2025-02-20 14:34 (1 reply)

          I can understand that concern, and I think in the future some version of [Privacy Pass](https://privacypass.github.io/) will allow for site operators to differentiate between normal vs. abusive users without relying on IP reputation (which is more unreliable anyway since CGNAT is a thing).

          • By VladVladikoff 2025-02-20 15:45

            We typically don't ban IPs for the very reason mentioned here (CGNAT is a very real thing and we have many users who share IPs). However we do ban IP ranges associated with VPNs that we see an excessive amount of abuse from. I might be an outlier on the internet, but if you take the stance you have outlined above, that you will effectively do nothing to combat the level of abuse from your network, you inevitably hurt your honest users because some web services will be unavailable to them via your VPN.

        • By shanusmagnus 2025-02-20 14:36

          What would you suggest?

      • By k1tanaka 2025-02-21 3:35

        As a long term user of Mullvad, I appreciate when new companies try to innovate on existing ones while acknowledging their value. While I have no interest in changing VPNs right now, I will keep an eye on Obscura. Wishing you the best.

    • By layer8 2025-02-20 14:04 (1 reply)

      In theory, there could still be a possibility to track through the retailers who bought which one-time code (or have particular buyers be sent particular codes). But Mullvad also simply accepts cash by mail.

      • By dizhn 2025-02-20 14:44 (1 reply)

        There's a new privacy focused entitlement proving thingy now. The first implementation is by cloudflare I believe but Kagi also just went live with it. The name escapes me at this mobile moment.

    • By switch007 2025-02-20 13:01 (1 reply)

      You can mail them cash too

      • By arccy 2025-02-20 14:07 (1 reply)

        careful not to mail them from close to home, or have any handwriting, or leave any fingerprints

        • By staticelf 2025-02-20 14:20 (2 replies)

          Doesn't matter if you use Windows / Mac because it will ping their services before you jump on the VPN and it will know the before IP and the IP after. :)

          • By switch007 2025-02-20 17:57 (1 reply)

            Well, the 'after IP' is an IP shared with tens or hundreds of thousands of other people.

            But yes the use case for a VPN is pretty narrow. E.g. not wanting your ISP to mess with your traffic and decreasing chances of detection of torrenting

            • By staticelf 2025-02-25 10:27

              Well your computer usually gives away more clues than just the ip so it's pretty easy to fingerprint you online.

          • By hirvi74 2025-02-20 15:24 (2 replies)

            My boy, Tim Cook, ain't a snitch though. (At least, I hope not).

            • By Imustaskforhelp 2025-02-20 15:56 (1 reply)

              You can't prove it. Apple isn't open source.

              And with the recent debacle of the Snooper's Law Apple E2EE backdoor.

              Let me tell you something. A company is asked for a backdoor and they are forced to not tell anybody about it.

              The only reason why it was leaked was because of a whistleblower. And so, who knows if they have already signed such a thing with the NSA or UK for their Macs and other devices.

              • By hirvi74 2025-02-20 16:31 (1 reply)

                Hell, I honestly believe the NSA does not need a backdoor anyway. They have some absolutely frightening people working for them. I believe some of the best of the best.

                I do not believe there is such thing as privacy from such organizations. If they want you bad enough, they will get you. Don't have a reason? They'll make one.

                • By Imustaskforhelp 2025-02-20 19:41 (1 reply)

                  Snowden was right after all.

                  • By hirvi74 2025-02-20 21:09 (1 reply)

                    Probably, but no telling.

                    Do you remember the "Heartbleed" exploit in SSL many years ago? There were allegations that the NSA knew about and used that exploit for many years before the public ever knew about it. However, that is not exactly an easy statement to confirm nor deny.

                    Edit: I also wanted to add something I remember from a talk I saw with a person who once worked for the NSA. He was intentionally only talking about surface-level concepts, but he did mention that the one thing the NSA has, that most do not, is unlimited time and patience.

                    He said something along the lines of how they can just sit and watch a server, for example. Say that the server is on version 1.0.0 of whatever. Well, the NSA can find an exploit in version 1.1.0 and keep it under wraps. All they have to do is just wait. The second the server is upgraded to 1.1.0, then boom, they're in.

                    He also used the example of BYOD ("bring your own device") in workplace settings. Say they cannot gain entry into somewhere. Well, if they can compromise someone's personal device, then they can just wait. The second the personal device connects to the network they want/is in close enough proximity to the network they want, then boom, they're in.

                    Be it one second, one hour, ... 10 years, etc.. They can wait. All it takes is one brief instance of a hole in the defense.

                    Truly some boogeyman level stuff, but I just hope they use their powers for good when possible. Though, I imagine plenty of other countries also have similar "arms race" abilities, which does complicate matters.

                    Some days, I just want to get a cabin in the woods, and get away from all this dystopian technology.

                    • By Imustaskforhelp 2025-02-21 6:24

                      You want to live in a cabin in the woods; I kind of am.

                      While I was writing this message, I was roaming outside in the street. My street isn't developed, so there is a lot of empty space on 2 sides of my house.

                      I saw a peacock flying & sitting in front of my house. It was so majestic. Its wings when they fly, the sound they produce is so majestic that it touches your mind.

                      The solution isn't a cabin in the woods, the solution is living in such a remote area like I live. Seriously, I am not that far away from the main town, but still this place is so nice, I just realized. But development would come, and houses would get built. Then there would be no more peacocks flying in.

                      I really get what you are feeling. But I believe that getting away from dystopian technology is far easier by degoogling with GrapheneOS or getting a dumb phone like me & Linux with sandboxing each application. I do think that we can get far away, like they would need to find a bug in such things like qemu, pledge, flatpak etc., though I think they might already have found a bug in some version and, like you said, are waiting.

                      The only solution I can find is to read the source code of these sandboxing applications on Linux and to never update it / it should be such that it doesn't require updates, a completely minimal sandboxing solution.

                      How can we imagine they use their powers for good, when the president has handed things over to an oligarchy who want maximum profits? What benefit do they get from using their power for good? None. I am sure that they are using the power of both good and evil.

            • By Imustaskforhelp 2025-02-20 16:01 (1 reply)

              Also I had read somewhere about a really strange conspiracy theory which really made me question if we can really be against government and big tech (since "lobbying" is made official) but if 5 eyes (the billionaires?) really wanted (heck, only if UK + Australia wanted; Australian police are given the ability to remotely plant data in the nation's interest and the UK is also getting Apple to force data to be leaked in the Apple ecosystem and who knows what else). It's only a matter of time until they put 2+2 together (or have they?) and use it to plant CSAM (yes, the NSA has distributed CSAM for the purposes of catching people, so I wonder if such 5 eyes also have these; please Hacker News moderators, just because I have mentioned CSAM, don't remove this comment I suppose)

              and carrying CSAM is a serious offense and you will get into jail for it. And the jail prisoners aren't kind to CSAM-convicted prisoners; they would bully them immensely, maybe even cause them to commit suicide or just make their life hell.

              • By hirvi74 2025-02-20 16:26 (1 reply)

                OK, story time.

                I have a friend/old coworker who left my current employer for our state's version of the FBI. While no worker in his agency handled CSAM cases full-time, they all have to do rotations.

                There is a lot he could not tell me about the work he did, and how they managed to detain suspects. But I do remember him telling me that he witnessed things that he thought were not even possible. Considering we were both developers, I take his word for it.

                Anyway, I once asked him, "What is stopping you all from beaming CSAM on a person's computer, and then targeting that individual?" He paused for a second and said, "Well, we would never do that..." I asked again, "Sure, but what is stopping you all from doing that?" He said, "Well, nothing... but we wouldn't do that..."

                Right then, my heart had this sinking feeling. While he is probably right, it did instill a sense of "Well, you never know..." in me. Do I believe most people convicted of CSAM are guilty? Absolutely. Everyone? Perhaps not. Still, good luck convincing a tech illiterate jury of your peers that "the government did it to me!" As far as I am concerned, once charged with such crimes, one is guilty until proven innocent.

                I have always believed that if 'they' want you bad enough, then they will get you. By 'they', I mean any of the powers that be -- government, organized criminals, etc..

                • By Imustaskforhelp 2025-02-20 19:39

                  Dude, I am not kidding, but this gave me so many goosebumps.

                  Goosebumps on my f'ing face.

                  And I was thinking this on a 5 eyes level but you are saying a single country can do that?

                  When I had discovered that conspiracy theory which I now believe is true to some degree.

                  I then used to think, what if they want you to believe that you hold a chance. They don't want you to know they can get you as you are saying it. They want to give you the illusion of freedom. They will target their opposition, journalists with this if all goes south. There are also secret courts.

                  May I ask, if they can always get you, why don't they use this to make their opposition go poof. If I am being extra conspiracist now, is it that they want to give you the freedom b/w 2 systems both of which don't change things really that much. Both political parties are kind of the same thing

                  but dude what the actual fuck.

                  They can use CSAM to break general encryption by saying it's bad for children etc, they can use CSAM to punish those they want.

                  I am now seriously wondering if I even have a real tangible choice in the government.

                  I am now wondering if I am literally living in 1984. What if these wars and shit are just a distraction, yes they happen but...

                  Dude I have come to a realisation, I am seriously living in 1984. Reward is given to those who comply, those who aren't skeptics; skeptics are brushed off as conspiracists.

    • By buttercraft 2025-02-20 19:15

      You can also mail them an envelope full of cash last I checked.

  • By yardstick 2025-02-20 6:22 (4 replies)

    Interesting concept. The blog has a lot more details[1].

    One comment/question about the exit nodes. Can someone correct or validate my thoughts:

    It’s a WireGuard tunnel from the user to Mullvad, so while Obscura can’t see the user traffic, couldn’t the Mullvad exit node see the traffic, and using knowledge of the user's WireGuard public key, associate all that user's traffic with that key? So even if they can’t associate it with an IP, they could still potentially identify and track you.

    This assumes they use a customised version of WireGuard to somehow log & associate each decrypted IP packet against the users public key.

    1. https://obscura.net/blog/bootstrapping-trust/

    • By dongcarl 2025-02-20 13:59 (1 reply)

      (Carl from Obscura here)

      This is actually quite an interesting point that we’ve been discussing internally.

      Right now Obscura rotates your WireGuard key on every “Connect”, but in a future release we will start caching (persisting) your WireGuard keys on your client. When we flip that switch, we will also enable recurring key rotation and add a button in the UI for manual key rotation. This rotation would make it harder for Mullvad to track a user across the same key. (Not that they would anyway)

      All of this is available for folks to verify on our GitHub repository: https://github.com/Sovereign-Engineering/obscuravpn-client

      • By yardstick 2025-02-20 18:47

        Thanks for the reply, and glad to know it’s something you’re already thinking about!

    • By dang 2025-02-20 6:53 (1 reply)

      Thanks! that blog post had a thread here:

      Trust, 2-Party Relays, and QUIC - https://news.ycombinator.com/item?id=43016574 - Feb 2025 (33 comments)

      • By vidyesh 2025-02-20 8:42 (3 replies)

        That blog needs some inline padding for mobile view.

        • By dongcarl 2025-02-20 13:21 (1 reply)

          (Carl from Obscura here)

          You’re absolutely right, we fixed it and forgot to push to prod XP

          • By vidyesh 2025-02-20 13:40

            Hey Carl, good to know it's already fixed! While you are at it, please set up wildcard redirects too. Instinctively, I went to /blog assuming it would be a blog page but it isn't.

        • By gchamonlive 2025-02-20 11:59

          And it's not even that hard if the page is built in a sane way, which for the simplicity of the blog should be a no-brainer: just go for simplicity.

          I have my blog hosted at omg.lol and while I had to support mobile by myself, it was really really simple.

          Here is my blog: https://xd1.dev

          Here is the code for the blog's responsive layout: https://github.com/gchamon/xd1.dev/blob/main/css/responsive-...

          No injection, no build, just plain inline linking https://github.com/gchamon/xd1.dev/blob/10b98ddb37a9786ca8fe...

        • By 0xEF 2025-02-20 11:33 (1 reply)

          It's insane to me that this even has to be pointed out with such a relatively simple page, and then I looked at the source; it screams "I'm gonna just bang something out in [popular framework] without knowing basic HTML/CSS and let the world suffer from my <div> rot."

          I hate modern web development.

          • By vidyesh 2025-02-20 13:32

            I agree. It's not that difficult to just have a max-width of 90% for the content or just add some padding to the inner container.

            I also think people skipping over learning some basic CSS fundamentals also end up skipping over basic UI/UX needed for accessible websites, something every web developer should have some awareness about.

            Complete reliance on CSS frameworks does not magically make the websites accessible, it gets you 90% there.

            Also /blog leads to a 403!? Wildcard redirects are not that difficult to set up either.

    • By mmooss 2025-02-20 6:26 (3 replies)

      Also, Obscura can collect metadata on when you use the service, how much data you send/receive, etc.

      Even if Mullvad doesn't do it, someone else might. Mullvad is, I expect, now a valuable target because it is the VPN service of choice for so many people concerned with security. Does Mullvad have the budget and expertise to protect itself against determined, highly-resourced attackers?

      Finally, is it possible for a third party, intercepting traffic between Obscura and Mullvad, to identify the public key used to encrypt it? I don't think so - the only way to validate a signature is with both keys; that's kind of the point. But maybe there is an attack I'm unaware of?

      • By ijustlovemath 2025-02-20 6:33 (1 reply)

        Mullvad is near the cutting edge on zero trust deployments; allowing user traffic to pass thru, with guaranteed no logging, assumption of compromise guiding system architecture, etc. Nobody can withstand a nation state, not even other nation states, so I feel like they're doing the best that can be reasonably expected of them

        • By ignoramous 2025-02-20 10:55 (1 reply)

          > Mullvad is near the cutting edge on zero trust deployments

          What is "zero trust deployments"?

          • By ijustlovemath 2025-02-20 12:48 (1 reply)

            Meaning they're achieving their privacy goals without any inherent trust in their systems (eg no databases of user info, etc)

            • By ignoramous 2025-02-20 13:35 (1 reply)

              > no databases of user info

              Depends on the payment method. Accounting is mandatory in Sweden.

              > As a customer of [payment] services, these entities would allow us to request this information if we chose to do so. In short, your payment actions with these two methods are not anonymous and the GDPR and other relevant data protection regulations may apply if you are making a payment by credit card, PayPal, Swish or by bank wire.
              >
              > The data must be kept for the statutory retention period described in applicable local laws such as the Swedish Accounting Act (some information must be stored for seven years from the end of the fiscal year).

              That "some information" according to the Swedish Accounting Act (bokföringslagen): "Every transaction, including customer payments, must be supported by proper documentation such as invoices, receipts, and payment confirmations."

              https://mullvad.net/en/help/no-logging-data-policy / https://archive.vn/qkvD3

              • By ijustlovemath 2025-02-20 15:07 (1 reply)

                Sure, but if privacy matters to you, you have the option of buying credit anonymously and applying it to an anonymized account number. And if your threat model includes nation states, you're definitely not buying anything with a credit card. I also think if you're after payment details, there's more lucrative targets, eg Stripe.

                • By ignoramous 2025-02-20 16:09 (1 reply)

                  OK. I was just wondering about your "zero trust" (aka "no database of user info etc") comment in the face of those and other Swedish laws that apply to Mullvad, is all.

                  What you're now telling me is only if I, as a user, don't give Mullvad my info, they wouldn't have to store that. I mean, that's one way of looking at it, alright.

                  • By sdht0 2025-02-21 17:28

                    Another way of looking at it is that Mullvad gives its users the ability to do that, as compared to so many other "top" VPNs.

      • By conradev 2025-02-20 9:23 (1 reply)

        Timing attacks are notably not a part of Tor's threat model, i.e. they are a real concern: https://support.torproject.org/about/attacks-on-onion-routin...

        • By Imustaskforhelp 2025-02-20 16:08 (2 replies)

          hmm. That is interesting, would you mind sharing some solution? What if I add some insane latency (I know, unusable, but if it prevents timing attacks)

          my conspiracy spidey sense is sensing something fishy...

          Maybe timing attacks are not part of .onion addresses?

          • By woofcat 2025-02-20 19:24

            Mixnet would be a solution. Like what you described, have inbound packets held for some period of time and released as a group so that you cannot as easily correlate the inbound and outbound traffic.

            The downside is that it gets much slower, and feels 'bad' as an end user. Each packet takes longer.

          • By conradev 2025-02-20 20:23

            The only solution I know of is essentially to do "bandwidth burning" where you inject a bunch of fake traffic as noise. I don't know how you'd do that within the constraints of this system.

      • By dongcarl 2025-02-20 14:41

        (Carl from Obscura here)

        > Does Mullvad have the budget and expertise to protect itself against determined, highly-resourced attackers?

        I think Mullvad is actively working on [System Transparency](https://www.system-transparency.org/), which will help a lot.

        > Finally, is it possible for a third party, intercepting traffic between Obscura and Mullvad, to identify the public key used to encrypt it? I don't think so - the only way to validate a signature is with both keys; that's kind of the point. But maybe there is an attack I'm unaware of?

        I had asked this question a long time ago on either a noiseprotocol or wireguard IRC channel, and the answer is no, a third party intercepting traffic between Obscura and Mullvad, WON'T be able to identify the public key used to encrypt it.

    • By conradev 2025-02-20 9:20 (1 reply)

      > somehow log & associate each decrypted IP packet against the users public key.

      Mullvad only needs to associate each decrypted IP packet against an assertion that the packet was paid for. I assume each Obscura node would have a public key, but not associated with a user.

      They notably offer this service for Tailscale (as an add-on) and I imagine that it works similarly (on the backend)
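    The "assertion that the packet was paid for" conradev describes, and the Privacy Pass idea Carl raised further up for letting sites tell paying/legitimate clients from abusive ones without IP reputation, both rest on the same primitive: a token the issuer signs without ever seeing it, so redemption cannot be linked back to the account that earned it. The following is an added example, not code from Obscura, Mullvad or the Privacy Pass project: a textbook RSA blind signature over SHA-256(token) with Go's standard library, plus a verifier that rejects forgeries and double-spends. The real Privacy Pass issuance protocols use a padded blind-RSA (RFC 9474) or VOPRF construction rather than this raw-RSA form, which is only safe here because the verifier checks a fixed-width hash output; all names below are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Issuer is the party that knows who paid (e.g. the account-holding hop).
// It signs blinded values, so it never learns the tokens it authorises.
type Issuer struct{ key *rsa.PrivateKey }

func NewIssuer(bits int) (*Issuer, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: k}, nil
}

func (i *Issuer) Public() *rsa.PublicKey { return &i.key.PublicKey }

// SignBlinded computes blinded^d mod n. This is the only step tied to a
// paying account, and what it sees is unlinkable to the redeemed token.
func (i *Issuer) SignBlinded(blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, i.key.D, i.key.N)
}

// tokenDigest maps raw token bytes into Z_n via SHA-256.
func tokenDigest(token []byte) *big.Int {
	h := sha256.Sum256(token)
	return new(big.Int).SetBytes(h[:])
}

// BlindedToken holds the client's state for one token.
type BlindedToken struct {
	Token   []byte   // kept by the client, never shown to the issuer
	Blinded *big.Int // H(token) * r^e mod n, sent to the issuer
	r       *big.Int // blinding factor, kept by the client
}

// Blind draws a fresh random token and blinds its digest with a random r
// coprime to n, so the issuer sees a uniformly random element of Z_n.
func Blind(pub *rsa.PublicKey) (*BlindedToken, error) {
	token := make([]byte, 32)
	if _, err := rand.Read(token); err != nil {
		return nil, err
	}
	one := big.NewInt(1)
	var r *big.Int
	for {
		var err error
		if r, err = rand.Int(rand.Reader, pub.N); err != nil {
			return nil, err
		}
		if r.Sign() > 0 && new(big.Int).GCD(nil, nil, r, pub.N).Cmp(one) == 0 {
			break
		}
	}
	e := big.NewInt(int64(pub.E))
	blinded := new(big.Int).Exp(r, e, pub.N)
	blinded.Mul(blinded, tokenDigest(token)).Mod(blinded, pub.N)
	return &BlindedToken{Token: token, Blinded: blinded, r: r}, nil
}

// Unblind strips r from the issuer's signature: s = s' * r^-1 mod n,
// which is exactly H(token)^d mod n, a plain RSA signature on the digest.
func (b *BlindedToken) Unblind(pub *rsa.PublicKey, blindSig *big.Int) *big.Int {
	s := new(big.Int).ModInverse(b.r, pub.N)
	s.Mul(s, blindSig).Mod(s, pub.N)
	return s
}

// Verifier is the relying party (exit hop or site). It needs only the
// issuer's public key and a spent-token set; it learns nothing about who
// paid or which blinded value the token came from.
type Verifier struct {
	pub  *rsa.PublicKey
	seen map[string]bool
}

func NewVerifier(pub *rsa.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: map[string]bool{}}
}

// Redeem checks sig^e == H(token) mod n and rejects replays.
func (v *Verifier) Redeem(token []byte, sig *big.Int) error {
	e := big.NewInt(int64(v.pub.E))
	if new(big.Int).Exp(sig, e, v.pub.N).Cmp(tokenDigest(token)) != 0 {
		return errors.New("bad signature")
	}
	k := hex.EncodeToString(token)
	if v.seen[k] {
		return errors.New("token already spent")
	}
	v.seen[k] = true
	return nil
}

func main() {
	issuer, _ := NewIssuer(2048)
	bt, _ := Blind(issuer.Public())
	sig := bt.Unblind(issuer.Public(), issuer.SignBlinded(bt.Blinded))
	v := NewVerifier(issuer.Public())
	fmt.Println("first redeem:", v.Redeem(bt.Token, sig)) // <nil>
	fmt.Println("replay:", v.Redeem(bt.Token, sig))       // token already spent
}
```

    The split of roles is the point: the issuer can rate-limit or stop issuing to an abusive account, and the verifier can refuse a token that has already been spent, without either side being able to join "this account" to "this token".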

      • By yardstick 2025-02-20 9:40 (1 reply)

        Yeah my thinking is even if they don’t have the users IP, knowing and seeing all the traffic associated with a specific public key would allow them to build a profile of the user.

        Eg based on the specific sites visited, payload sizes potentially, domains looked up, etc you’d be able to characterise the person. Especially so if anything they did was not encrypted, or they have their own vanity domain (for emails or anything else).

        > Mullvad only needs to associate each decrypted IP packet against an assertion that the packet was paid for.

        The idea of Obscura is by using two middlemen (them + Mullvad) that neither party can figure out who the end user is. So I’m looking at Mullvad from the perspective of: if they were evil, what about this solution is safeguarding the end user's privacy. And my conclusion is they’d still be able to break the user's privacy in the same way as knowing the user's IP, just without the IP.

        • By conradev 2025-02-20 20:44

          In Tor, individual websites get individual circuits to prevent this sort of profiling, and I think Obscura would need to do the same for the same level of anonymity.
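    To make the exchange above concrete (yardstick's worry that an exit can profile everything sent under one WireGuard public key, and Carl's answer that rotating the key on every Connect breaks that linkage), here is an added example that is not code from Obscura or Mullvad. It uses Go's standard-library X25519 (`crypto/ecdh`) for the key agreement that identifies the peer, and reduces the exit to the one thing it can record without any client IP: a destination history per client public key. It does not implement WireGuard's Noise IK handshake or the `LinkableKeys`, `Exit` and `Client` names are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Exit models what an exit hop can record with no client IP at all: the
// client public key that completed a handshake, and every destination the
// traffic under that key then went to.
type Exit struct {
	static *ecdh.PrivateKey    // exit's long-lived X25519 key
	flows  map[string][]string // hex(client pubkey) -> destinations seen
}

func NewExit() (*Exit, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Exit{static: k, flows: map[string][]string{}}, nil
}

// Handshake derives the session secret from the exit's static key and the
// client's public key. That client public key is the only identifier the
// exit obtains, and the client proves possession of it by agreeing on the secret.
func (e *Exit) Handshake(clientPub *ecdh.PublicKey) ([]byte, error) {
	return e.static.ECDH(clientPub)
}

// Record files a destination under the key the traffic arrived with.
func (e *Exit) Record(clientPub *ecdh.PublicKey, dst string) {
	id := hex.EncodeToString(clientPub.Bytes())
	e.flows[id] = append(e.flows[id], dst)
}

// Profiles returns the per-key destination history the exit has built.
func (e *Exit) Profiles() map[string][]string { return e.flows }

// Client keeps the key it presents to the exit; Rotate replaces it with a
// fresh one, which is what "rotate on every Connect" means operationally.
type Client struct{ key *ecdh.PrivateKey }

func (c *Client) Rotate() error {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	c.key = k
	return nil
}

// Session runs one connect: both sides agree on the secret, then the client
// sends traffic to dsts, which the exit attributes to the client's pubkey.
func (c *Client) Session(exit *Exit, dsts []string) error {
	exitSide, err := exit.Handshake(c.key.PublicKey())
	if err != nil {
		return err
	}
	clientSide, err := c.key.ECDH(exit.static.PublicKey())
	if err != nil {
		return err
	}
	if !bytes.Equal(exitSide, clientSide) {
		return errors.New("handshake mismatch")
	}
	for _, d := range dsts {
		exit.Record(c.key.PublicKey(), d)
	}
	return nil
}

// LinkableKeys runs one person through several sessions and returns how
// many distinct identities the exit ends up with: 1 without rotation
// (every session joins a single profile), len(sessions) with rotation.
func LinkableKeys(rotate bool, sessions [][]string) (int, error) {
	exit, err := NewExit()
	if err != nil {
		return 0, err
	}
	c := &Client{}
	for i, s := range sessions {
		if i == 0 || rotate {
			if err := c.Rotate(); err != nil {
				return 0, err
			}
		}
		if err := c.Session(exit, s); err != nil {
			return 0, err
		}
	}
	return len(exit.Profiles()), nil
}

func main() {
	// Constructed sample: three separate connects by the same person.
	sessions := [][]string{
		{"mail.example.net", "news.example.org"},
		{"bank.example.com"},
		{"mail.example.net", "forum.example.org"},
	}
	n, _ := LinkableKeys(false, sessions)
	fmt.Println("static key: identities seen by exit =", n) // 1
	n, _ = LinkableKeys(true, sessions)
	fmt.Println("per-connect rotation: identities seen by exit =", n) // 3
}
```

    Rotation only cuts the chain at connect boundaries; everything inside one session is still one profile, which is what conradev's per-site circuits would address, and an exit that could see plaintext destinations (vanity domains, unencrypted traffic) can still re-link sessions by content rather than by key.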

  • By ortichic 2025-02-20 10:29 (1 reply)

    What happens if some government agency were to order both Obscura and Mullvad to log a certain user or certain activities? Wouldn't it be possible to combine those logs? If it isn't: would that change if Obscura were ordered to also use a separate Mullvad account for a specific user/IP?

    • By Nyr 2025-02-20 11:34 (5 replies)

      Governments do not even need any of the providers to comply, they can access global NetFlow data. This is conveniently not discussed by any commercial VPN provider.

      • By pinecamp 2025-02-20 12:23

        Thanks for pointing this out. I wasn't aware of NetFlow. I don't use IVPN, but I found this writeup informative:

        https://www.ivpn.net/privacy-guides/isp-netflow-surveillance...

      • By hypeatei 2025-02-20 12:23 (1 reply)

        Okay, but this is a given if you don't run your own ISP. Your ISP can also see that you connect to Tor. Your data is still encrypted.

        • By Cyph0n 2025-02-20 14:22 (1 reply)

          It ultimately depends on your threat model. But assuming a state actor has access to NetFlow data, an attack could work like this:

          * State actor determines that an IP belonging to a VPN company had a session on example.com around t1-t2

          * You -> VPN server at t1

          * VPN server -> example.com at t1+latency

          * More traces from both sides until around t2 as you browse the site

          By correlating multiple samples, and accounting for latency between you and the VPN server and delay introduced by the VPN itself, they would be able to get decent confidence that it was you.

          • By Imustaskforhelp 2025-02-20 16:06 (1 reply)

            Basically when you go to the point of state threat actors, things get real spooky. The censorship, the what not.

            I feel sad that we have given governments such major access in the name of unification.

            We need more decentralization at the political level & economic level as well (like most money goes to your city, then state, then the country, a very nominal amount).

            Let the city decide what it wants with major town hall discussions.

            • By culopatin 2025-02-20 16:57 (1 reply)

              Town halls where only people with an agenda to push or retired and bored people show up?

              • By Imustaskforhelp 2025-02-20 19:10

                You can change that much easier than changing something at the national level

      • By ortichic 2025-02-20 12:43 (1 reply)

        How would such an attack work?

        • By thrwaway1985882 2025-02-2014:262 reply

          The threat actor most people use to talk about this is a global passive adversary: a threat actor who can see all relevant traffic on the Internet but who can't decrypt or adjust the traffic.

          This adversary would have the ability to ingest massive amounts of data and metadata[0] it acquires from tier 1 ISPs all over the country[1] and the world[2]. They'll not see raw HTTP traffic because most everything of interest is encrypted, but can store and capture (time, srcip, srcport, dstip, dstport, bytes).

          From there, it's a statistical attack: user A sent 700 kilobytes to a VPN service at time t; at t+epsilon the VPN connected to bad site B and sent 700 kilobytes+epsilon packets. Capture enough packet flows that span the user, the VPN, and the bad site and you can build statistical confidence that user A is interacting with bad site B, even with the presence of a VPN.

          This could go other directions too. If bad site B is a Tor hidden site whose admin gets captured by the FBI and turns over access, they'll be unmasking in reverse – I got packets from Tor relay A, which relay sent packets at time-epsilon to it, (...), to the source.

          There's very little you can do to fight this kind of adversary. Adding hops and layers (VPN + VPN, Tor, Tor + VPN, etc.) can only make it harder. It's certainly an expensive attack both in terms of time consumption, storage, and it requires massive amounts of data, but if your threat model includes a global passive adversary, game over.

          [0] https://en.wikipedia.org/wiki/XKeyscore

          [1] https://en.wikipedia.org/wiki/Room_641A

          [2] https://en.wikipedia.org/wiki/FVEY

            • By thrwaway1985882 2025-02-2017:46

              I'm bearish on introducing noise[0] to resist traffic analysis, and I'm exceptionally bearish when the only layer managing noise injection is "a for-profit entity that can be legally compelled to do things"

              But every layer helps; I'd feel more than happy torrenting over Mullvad alone, and I'd definitely use it as an additional layer of defense with other tools to keep me private if my threat model needed to consider stronger risks.

              [0] https://news.ycombinator.com/item?id=43109903

          • By gosub100 2025-02-2015:101 reply

            Could they go to synchronous packet transfer and static payloads?

            - users only ever talk to nodes in 8kb chunks, and they TX/RX 12 packets per second.

            - nodes only talk to each other in 128kb chunks. Up to 8x / second, no lower than 1x/second

            • By thrwaway1985882 2025-02-2016:38

              Synchronous packet transfer only solves the problem if you build a truly constant rate network. Traffic monitoring works when variances exist; your flow has to be fully homogeneous to be provably secure against it. That means in your model your users would need to transmit and receive exactly 96kbps at all times when on net, and your nodes would talk to each other at 1024kbps at all times when on net. Otherwise, consider A->onion1->onion2->B – an attacker could potentially see the flow from onion1->onion2 decrease to 1 PPS when A isn't talking, and increase when A is.

              Truly constant rate anonymity networks dramatically add resistance to passive traffic analysis, but they move users from a low-latency/high-throughput network to 56k dialup speeds :) Not only does this suck so most people won't use it, but the people who do choose to use it will glow neon bright to adversaries. The use of the system will be a strong indicator that, even if you don't know what the user is doing, the user is doing _something_ interesting.

              And even if there was desire, these networks are intrinsically limited in size and scale if they want to maintain constant rate. Herbivore[0] is an interesting proposal in this space - use a DC-net partitioned into smaller cliques to give in-group anonymity but mass participation. And most use chaff packets – A has nothing to send so sends encrypted random data to maintain the constant rate guarantee... I'm trying to find the paper I read that suggests a global passive adversary who goes "hands on" in the network could use a combination of watermarks generated through packet dropping/artificial queues + knowledge of which packets are chaff to build a trace, but I'm struggling. If I do I'll drop it here.

              For fun, go check out https://groups.google.com/g/alt.anonymous.messages – this is probably the classic example of a (very) high-latency but very strong anonymizing mix network.

              [0] https://www.cs.cornell.edu/people/egs/papers/herbivore-tr.pd...
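The two points made in this sub-thread, that a passive observer can link a user's inbound flow to the VPN's outbound flow by comparing byte counts over time, and that the link only disappears when every bin carries exactly the same amount of data, can be seen in a small simulation. The following is an added example written for this page, not code from the thread, from Obscura or from any VPN provider; the per-second byte counts, the destination names and the 5% tunnel overhead are all constructed, and the "adversary" is reduced to a Pearson correlation between the user-side and exit-side series after undoing a one-bin latency.

```python
"""
Toy flow-correlation simulation on constructed data.

Shows why bursty traffic through a single VPN hop is linkable by a passive
observer, and why constant-rate padding with chaff (every bin carries the
same number of bytes) removes the signal that the correlation relies on.
"""
import math

# Constructed per-second byte counts from three users into one VPN server.
USER_FLOWS = {
    "alice": [0, 0, 700, 50, 0, 0, 300, 0, 0, 0],
    "bob":   [20, 30, 20, 30, 20, 30, 20, 30, 20, 30],
    "carol": [0, 400, 0, 0, 0, 0, 0, 900, 0, 0],
}
# Ground truth used only to build the exit side; the observer never sees this.
DESTINATIONS = {"alice": "example.com", "bob": "mail.example", "carol": "news.example"}
LATENCY_BINS = 1        # user -> VPN -> destination delay, in time bins (assumed)
TUNNEL_OVERHEAD = 1.05  # encapsulation overhead added by the tunnel (assumed)


def exit_flow(user_bytes, latency=LATENCY_BINS, overhead=TUNNEL_OVERHEAD):
    """Bytes the VPN sends on to the destination: same shape, delayed and scaled."""
    shifted = [0] * latency + user_bytes[: len(user_bytes) - latency]
    return [round(b * overhead) for b in shifted]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant (no information)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def correlate(user_bytes, exit_flows, lag=LATENCY_BINS):
    """Observer's view: score one user->VPN flow against every VPN->destination flow."""
    n = len(user_bytes)
    return {dest: pearson(user_bytes[: n - lag], ef[lag:]) for dest, ef in exit_flows.items()}


def best_match(user_bytes, exit_flows, threshold=0.9):
    """Destination with the highest score, or None if no score clears the threshold."""
    dest, score = max(correlate(user_bytes, exit_flows).items(), key=lambda kv: kv[1])
    return dest if score >= threshold else None


def pad_constant_rate(user_bytes, rate):
    """Constant-rate defence: every bin carries exactly `rate` bytes, filled with chaff."""
    return [rate] * len(user_bytes)


def build_exit_flows(user_flows):
    return {DESTINATIONS[u]: exit_flow(b) for u, b in user_flows.items()}


def attack_unpadded():
    """Bursty flows: each user is linked to the destination they actually visited."""
    exits = build_exit_flows(USER_FLOWS)
    return {u: best_match(b, exits) for u, b in USER_FLOWS.items()}


def attack_padded(rate=1024):
    """Constant-rate flows: every series is flat, so no destination can be singled out."""
    padded = {u: pad_constant_rate(b, rate) for u, b in USER_FLOWS.items()}
    exits = build_exit_flows(padded)
    return {u: best_match(b, exits) for u, b in padded.items()}


if __name__ == "__main__":
    print("unpadded:", attack_unpadded())
    print("padded:  ", attack_padded())
```

The padded case also illustrates the cost mentioned above: to make the series flat, every user has to send the configured rate in every bin whether or not they have data, which is exactly the 56k-dialup trade-off and the "glows neon bright" property of such a network.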

      • By push0ret 2025-02-2015:321 reply

        Could you protect against NetFlow analysis by pushing a bunch of noise over the VPN tunnel at all times? I'd assume it would at least make the analysis significantly more challenging.

        • By thrwaway1985882 2025-02-2017:04

          Some of the prior works in this paper[0] address noise in anonymity networks, but in general: you either add noise at the link level which malicious nodes can identify & ignore, or you add noise by injecting fake chaff packets that are dropped somewhere inside the network which are statistically identified when you look at packet density across the network.

          This might or might not extend to VPN nodes depending on your threat model - I'd personally assume every single node offered to me by a company in exchange for money is malicious if I was concerned about privacy.

          [0] https://www.cs.utexas.edu/~shmat/shmat_esorics06.pdf

      • By zikduruqe 2025-02-2015:232 reply

        Honestly, paying for a VPN is just purchasing slow internet speeds at a premium.

        https://www.youtube.com/watch?v=9_b8Z2kAFyY

        Just use Tor.

        • By ziddoap 2025-02-2015:35

          This over-simplification misses different threat models and situations where a VPN is a good fit and Tor is not.

        • By echoangle 2025-02-2015:45

          So the idea is to torrent stuff at maybe 1 mb/s over Tor? I think I'll stick to VPNs
