alt.hn

5/25/2026 at 5:45:11 PM

Exit IP VPN servers mitigation rollout

 https://mullvad.net/en/help/exit-ip-vpn-servers-mitigation-rollout

by Cider9986

5/25/2026 at 6:33:54 PM

it should probably link to this: https://mullvad.net/en/blog/exit-ip-fingerprinting-between-v...

which is the blog post, rather than a list of exit servers

related to this post: https://news.ycombinator.com/item?id=48143880

by john_strinlai

5/25/2026 at 8:48:55 PM

That blog post is a perfect example of when RFC5737 should be used.

https://datatracker.ietf.org/doc/rfc5737/

by Arrowmaster

5/26/2026 at 5:20:35 AM

Nice. But unfortunately these addresses are hard to remember and "nobody" recognizes them when reading examples. One of those "standards" that have been a great idea, but lack practical relevance.

by usr1106

5/26/2026 at 3:44:47 PM

> But unfortunately these addresses are hard to remember and "nobody" recognizes them when reading examples.

How does that matter? The point isn't that the reader should know that "oh, this is a reserved address". The point is that there should be no room for the address that's actually being used by someone to end up being used incorrectly just because it showed up in some random documentation.

Much like how you probably wouldn't be thrilled if your phone number was used as an example in some random documentation somewhere.

by scbrg

5/26/2026 at 5:53:39 AM

> But unfortunately these addresses are hard to remember and "nobody" recognizes them when reading examples.

Mmm.

It's pretty easy to put three IPv4 /24s on a sticky note on your monitor. I think it's not unfair to say that if one can remember every fact related to one's job, then one has a job with a very, very small scope.

Also, this is another great reason to use IPv6. The v6 documentation prefix is '2001:db8::/32'... plenty of space for example subnets and easy to remember.

by simoncion

5/26/2026 at 10:25:46 AM

For me it's the opposite: I usually misremember 192.0.0.0/8 as being entirely private, so for 192.0.2.0/32, I usually assume that the example given is supposed to be a private v4 address/network.

by lxgr

5/26/2026 at 8:16:18 AM

Anyone who writes technical documentation about networking knows the key ranges, and at least TEST-NET-1 (192.0.2/24) is pretty easy to remember. You only gotta look it up a few times, instead of being sloppy and justifying so with “no one cares anyway”.

It partly because attitudes like that is why software is a mess. Too few people care about correct semantics, everyone is satisfied with whatever sticks. From lists for sets, to tag soup instead of markup, and so on - all the way to modern code slop.

</rant>

by drdaeman

5/25/2026 at 9:14:46 PM

On a side note, buttons icons on this page won't load without javascript. I cannot comprehend what would justify such decision.

by Insimwytim

5/25/2026 at 9:46:14 PM

Without justifying it, the reason is simple. They are using a front end framework (bootstrap) that many developers use/understand that also supports 99.9% of browsers.

Running a browser without javascript that you still want graphics to display (so not a screenreader or text-based-browser), is part of the .1% they are willing to disappoint.

Do I think it is overkill? Sure. Do I still use jQuery at work even though the vast majority of its once handy features are now baked into JS in the browser by default? Of course.

by jermaustin1

5/26/2026 at 4:33:55 AM

How do you jump straight from JS to screen reader or text based browser? What happened to HTML+CSS viewer? Isn't reading an RFC the perfect poster child for an activity that ought to consist of viewing a noninteractive document?

by fc417fc802

5/27/2026 at 6:43:36 AM

> What happened to HTML+CSS viewer?

S in https stands for "script". /s

by hulitu

5/25/2026 at 11:40:04 PM

It’ll be a run-on effect of whatever framework they are using, and they very justifiably don’t want to bother catering to you. Having JS disabled in 2026 and complaining about sites not behaving is simply a performative act.

by UqWBcuFx6NV4r

5/26/2026 at 12:45:15 PM

2015: It's a SPA blog because my employer forced me to do it that way, I didn't want it.

2026: It's a SPA blog because I very justifiably don't want to bother catering to you. Having JS disabled in 2026 and complaining about sites not behaving is simply a performative act.

by GoblinSlayer

5/26/2026 at 1:34:24 AM

It’s basic self defense. Who runs around the web in 2026 allowing random JS? Might as well be licking seats on the subway.

by lazide

5/26/2026 at 9:13:19 AM

> Who runs around the web in 2026 allowing random JS?

Within a rounding error, 100% of people on the internet.

by Telaneo

5/26/2026 at 7:11:49 PM

It’s a lot higher pct when you count vpns with JS filtering, ad blockers, etc.

by lazide

5/27/2026 at 12:33:34 AM

Even then, they're using disallow lists. If you go on a random web page with novel JS, then that'll still be run.

The only people working of allow lists are the people running NoScript and the like, and those truly aren't running random JS. But those people are a rounding error compared to the greater internet.

by Telaneo

5/26/2026 at 2:02:13 AM

If you trust your browser it's fine, and if you don't then both CSS and SVG are significantly more risky.

by lmm

5/26/2026 at 4:07:43 AM

This isn't true at all.

Anything SVG does maliciously, it does by containing JavaScript, so SVG's worst case is a subset of JS's.

by margalabargala

5/26/2026 at 4:30:54 AM

Remind me again what the ratio of browser sandbox escapes coupled with full RCE is between JS, CSS, and SVG?

by fc417fc802

5/26/2026 at 2:16:01 AM

> then both CSS and SVG are significantly more risky.

how???

by sysguest

5/26/2026 at 6:00:17 AM

>and they very justifiably don’t want to bother catering to you

Considering they are one of the very few sites and VPNs that allow sign up without JS your claim is verifiably false. They also collaborate with and develop there own tor browser fork which has the highest rate of non JS user.

by akimbostrawman

5/26/2026 at 12:30:24 AM

[flagged]

by sroussey

5/26/2026 at 8:27:07 AM

What "buttons icons"? When I set the "javascript.enabled" preference in Firefox 151 to "false" and reload the page for RFC 5737, I get a "Javascript disabled? Blah blah blah blah." complaint near the top of the page. I do not get

* the useless-to-me "document history" bar graph at the top

* the automatic switch to Dark Mode(TM) that I don't care about

* functional pull down menus at the very tippy top of the page that are entirely unrelated to RFCs that I give zero shits about

The "without javascript" version of the page seems to me to be otherwise identical. Amusingly, the "Email authors", "IPR", & etc buttons switch to the pages they reference notably faster with Javascript disabled.

What broken things were you seeing that I haven't mentioned? Were you using Chrom(e|ium)? Safari?

by simoncion

5/26/2026 at 3:57:04 PM

> I set the "javascript.enabled" preference in Firefox 151 to "false" and reload the page

Do it the other way around - disable javascript first, clear cache/open incognito (maybe close/open browser after that just for good measure), then go to the page.

If you load it with javascript first - buttons icons stay loaded after you disable it.

by Insimwytim

5/27/2026 at 5:29:14 AM

The only thing that I don't do in Firefox's "Private Browsing" mode is play a handful of stupid little in-browser games that save progress in a cookie or whatever. I even have Firefox set up to open in "Private Browsing" by default. Here's what I did just now:

1) Quit Firefox

2) Opened Firefox

3) Visited 'about:config'

4) Set 'javascript.enabled' to 'false'

5) Quit Firefox

6) Opened Firefox

7) Re-visited 'about:config' and verified that 'javascript.enabled' is still set to 'false'

8) Visited <https://datatracker.ietf.org/doc/rfc5737/>

It's still exactly like I reported it was. The "Manage browsing data" thing accessed through Firefox's regular settings dialog doesn't indicate that there is any data saved by any ietf.org subdomain, and when I watch the Network pane, a ctrl+shift+f5 reload of the RFC5737 page indicates that the page loads everything from an ietf.org subdomain... so the saved resources from one of the like eight domains in that list aren't relevant.

by simoncion

5/28/2026 at 9:46:16 PM

Fascinating.

I use NoScript, not 'javascript.enabled' setting.

I checked more closely and here is what appears to be missing:

  Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.ietf.org/dt/12.65.2/ietf/bootstrap-icons.5b9cac4e.woff. (Reason: CORS request did not succeed). Status code: (null).
Bootstrap icons.

  Block javascript - icons won't load.
  Allow javascript - icons load.
  Block javascript again - icons load, unless tab is closed and then opened again.
This behavior has been observed previously.

I tried to selectively block css to see how it's tied to javascript.

  Block javascript, block css from static.ietf.org - icons won't load, page layout is broken.
  Allow javascript, block css from static.ietf.org - the icons won't load, layout is fine.
Evidently, with javascript blocked, layout css loads fine, but bootstrap icons only able to load when javascript is not blocked.

'javascript.enabled' setting seem to has no effect on icons. However, unlike NoScript, it does not provide any domain separation/granularity.

by Insimwytim

5/26/2026 at 4:03:39 AM

Are you in 2006 or 2026?

by ernsheong

5/25/2026 at 7:03:06 PM

The page already contains link to both of these resources

by opem

5/25/2026 at 7:26:06 PM

right. but one of those resources contains much more context than the other, making it much more suitable for the submission link.

by john_strinlai

5/26/2026 at 8:35:24 AM

The post you preferred was submitted before. And had not much new information. The rollout was the news. The link was correct.

by pseudalopex

5/26/2026 at 3:44:44 AM

Maybe it's just me, but I'm incredibly surprised by their prompt reaction to this. As a user, I was already preparing to deal with this myself.

Wow, is this how things were before bureaucratic behemoths took over the tech industry?

by m132

5/26/2026 at 4:42:11 AM

This is just how things work when there’s much less overhead. Which is typically the case for smaller companies.

by stingraycharles

5/26/2026 at 12:13:49 PM

[flagged]

by Predaxia

5/26/2026 at 11:07:24 AM

When you have tens of thousands, or hundreds of thousands of employees, your organisational culture and policies inevitably change to limit the impact -- good or bad -- of one individual or a small team.

by dannyw

5/25/2026 at 7:00:11 PM

I'd really like some version of E.G. Librewolf configured to spoof the exact SAME information no matter who's using it. Like standard resolution for a 1080p monitor, the same GPU profile, Allow device timing stuff to work but with a fixed profile etc.

Effectively, stop spoofing random data, start spoofing still useful but not for finger printing data.

by mjevans

5/25/2026 at 7:03:39 PM

The Mullbad Browser? https://mullvad.net/en/browser

by okso

5/25/2026 at 8:05:47 PM

Or tor browser, where all the features came from. You can also enable it on firefox with privacy.resistFingerprinting enabled.

by gruez

5/25/2026 at 8:22:02 PM

> You can also enable it on firefox with privacy.resistFingerprinting enabled.

Not the same thing.

I use both Firefox and Mulllvad Browser side-by-side on a regular basis and in practice Mullvad Browser is far more aggressive in its privacy preserving measures to the extent that you do sometimes stumble across websites that are "broken" in Mullvad Browser but work fine in Firefox, for example the animated map features on the Ventusky website (which, IIRC, breaks because Mullvad is more aggressive at blocking JS graphics functions).

by traceroute66

5/26/2026 at 3:01:57 AM

This is already what LibreWolf does for most of its fingerprinting protection, including resolution, which you call out. It already works, LibreWolf is the only browser besides Tor I’ve found that actually defeated fingerprinters in some of my testing. Is there something that’s currently randomized that you think should be binned or homogenous?

by kqp

5/25/2026 at 8:46:31 PM

If you us Mullvad browser, which has built in Mullvad proxies, this isn't an issue because it doesn't use wireguard.

The browser also has a cool feature in the browser extension called Random mode. This gives you a different IP for each site, improving your privacy.

by Cider9986

5/26/2026 at 12:30:11 AM

It's not going to be an issue for most things which have been properly thought out as they will have proper isolation between servers which should have separate identities. Reusing the same VPN for all servers and relying on an eventual expiry before the IP changes is fundamentally not a great approach to rely on for isolation.

by charcircuit

5/25/2026 at 8:46:46 PM

You can probably also use it on regular Firefox.

by Cider9986

5/25/2026 at 10:04:09 PM

Which you absolutely shouldn't use, because just like Tor Browser before, a vulnerability in the browser can be immediately escalated into decloaking your real IP. Ideally the proxying doesn't even happen on the same machine.

by stefan_

5/25/2026 at 10:23:43 PM

One possible mitigation might be to run your system (or just the browser/certain apps) sandboxed to only communicate with the IP/ports mullvad uses for VPNs.

by ranger_danger

5/26/2026 at 4:39:45 AM

You absolutely shouldn't do that because a vulnerability in the kernel can be immediately escalated into decloaking your real IP. /s

(TBF this is presumably why parent specified that proxying ought to happen on separate hardware.)

by fc417fc802

5/26/2026 at 7:19:20 PM

> a vulnerability in the kernel can be immediately escalated into decloaking your real IP

Not necessarily IMO... if you create a network namespace that can only communicate with mullvad, and then run the VM inside that... even owning the entire VM and escaping it doesn't help you... you would now have to exploit the host kernel as well, which to me is basically just as good as it being separate hardware in the first place.

by ranger_danger

5/26/2026 at 7:28:51 PM

By the time someone has pulled off a VM escape I think it's safe to assume they're akin to a state level actor and a network namespace isn't going to stop them.

That said, did you perhaps miss the /s tag?

by fc417fc802

5/27/2026 at 5:19:49 AM

My threat model does not include state level actors, I don't think it's feasible for people to adequately protect themselves from most of them.

by ranger_danger

5/25/2026 at 10:38:13 PM

"Absolutely shouldn't" is silly.

- Browser vulnerabilities are non-trivial.

- Mullvad browser's proxy feature only works if you're connected at the OS level, which helps mitigate browser level exploits.

Compared to any other off the shelf solution, Mullvad browser provides a good balance of usability & privacy.

Compared to something like you're describing, I agree it's worse.

by joskvw

5/25/2026 at 10:50:19 PM

What threat model should you use Mullvad browser in? What threat model should you avoid Firefox-based browsers?

Please talk in terms of specific threats instead of fearmongering. For people wanting to avoid surveillance capitalism, which is a very common threat, I think Mullvad Browser is a fantastic choice.

For journalists targetted by nation states, perhaps it would be better to use Brave or Chrome inside of Qubes.

by Cider9986

5/25/2026 at 11:41:03 PM

> For journalists targetted by nation states, perhaps it would be better to use Brave or Chrome inside of Qubes.

Curious why Chrome/Brave is recommended? I don't think any modern browser is better for anti-fingerprinting like the Firefox-based ones, including TOR and Mullvad Browser? Don't install random extensions outside the defaults and you're doing a lot better than a Brave/Chrome install if you want a usable internet.

by prophesi

5/26/2026 at 1:07:48 AM

I mentioned those because they are more focused on security than privacy/anonymity.

Chrome takes security a lot more seriously than Firefox, but Firefox does more for privacy. It would depend on the specific person, whether they are more worried about zero days or more worried about being identified.

Zero days for chrome will cost more than zero days for Firefox because Chrome takes security more seriously, there are more exploit preventions.

Brave is based on chromium and has a good update schedule, but it has some regressions like allowing manifest v2. Chrome is going to have the best update schedule.

Vanadium is the only browser that improves on Chrome's security.

(Don't get your opsec advice from HN)

(I learned this from GrapheneOS)

by Cider9986

5/26/2026 at 8:01:05 AM

> Zero days for chrome will cost more than zero days for Firefox because Chrome takes security more seriously

They may cost more for Chrome, but it needn’t be because Chrome takes security more seriously; Chrome’s greater market share alone would be enough to account for this.

Not that I’m denying the overall conclusion. Just this bit of reasoning.

by jcgl

5/26/2026 at 6:21:24 PM

Well with qubes your security comes from VM isolation, so wouldn't that make using a gecko browser safer? If a browser exploit gets through the browser its stuck in a disposable VM with nothing else on it. Also the mullvad client is on another proxy netVM

by radical_halogen

5/26/2026 at 9:36:05 AM

I've always assumed that when I am logged in to a website like Hacker News and I switch VPN endpoints, Hacker News now gets to see that I am a VPN user and track me between the IPs. I mean being logged in to something obviously negates a large amount of anonymity but switching servers while logged in really gives away the VPN usage, right? Or do large web services already keep up to date indecies of all common VPN IPs?

by Schlagbohrer

5/26/2026 at 7:03:01 PM

I think the attack looks more like this:

1. I log into service X with account A1 via Mullvad from country C1.

2. I log into service X with account A2 via Mullvad from country C2.

If the service wanted they can calculate how likely it is that A1 and A2 are the same WireGuard key. If you only use one exit server this probability won't be very precise. But the more exits you use the more accurate it will be even if the sets of exits are distinct between the two accounts.

If the egress IPs were assigned randomly all that service X would know is that these were both Mullvad users but the IPs alone wouldn't allow them to correlate the two users further than that.

by kevincox

5/26/2026 at 10:07:40 AM

It's very common for people to switch networks many times a day anyway so it's not obviously a VPN user - even when switching countries to some extent.

by buttscicles

5/26/2026 at 3:29:16 PM

Can you elaborate? I assume they're talking about switching networks while using the same site, when you have a user fingerprint from cookies or request paths. That does make VPN usage obvious.

I have been confused by this mitigation because switching networks while using the same service is pretty much always a VPN. But maybe I'm not aware of another case where that would happen?

by Capricorn2481

5/26/2026 at 4:36:22 PM

for example: getting into your house and your phone starts using your wi-fi instead of a mobile network (or the other way around)

by miki_mq

5/26/2026 at 5:13:21 PM

Using your phone on a train would be hopping from tower to tower. Going to be swapping IPs endlessly.

by fckgw

5/26/2026 at 6:39:44 PM

I'm very desktop minded so I didn't think of this. I forget people are using VPNs on their phone.

by Capricorn2481

5/25/2026 at 6:45:28 PM

Do VPNs pay retail ISPs for exit points?

by andrewstuart

5/25/2026 at 6:56:23 PM

No, not usually. Few ISPs are willing to risk blacklisting.

Just like scrapers (and a lot of VPNs are quietly using their custom VPN clients to sell your own IP [and data] to scrapers) it's mostly a "don't ask don't tell" situation for IP sourcing. You use a multitude of IP providers and if a scandal happens you just say "We didn't know!" and move on to the next. Almost always grey-market, very rarely through legitimate providers.

by TkTech

5/25/2026 at 8:02:58 PM

I see DataPacket.com have VPN clients.

Does anyone know if this is any issue for non-vpn users of datapacket.com?

https://www.datapacket.com/case-study/nordvpn

by tiffanyh

5/25/2026 at 8:08:34 PM

>Does anyone know if this is any issue for non-vpn users of datapacket.com?

Probably not that much worse than other VPS providers with trashed IP reputations, eg. digital ocean, vultr, ovh. If you're blocking bots, the first thing to block is any datacenter ip ranges, not just known VPN servers.

by gruez

5/25/2026 at 7:27:07 PM

why is this downvoted? I'm not aware of a single ISP that would willingly let VPN providers use their ip blocks for their exit nodes

by r_lee

5/26/2026 at 4:08:08 AM

Mullvad in particular has a page that lists the ISPs they use (in a few cases their own servers at a datacenter), although they don't list the datacenters (sometimes you can get this info from the ISPs).

https://mullvad.net/en/servers

They also have a document that lists some of their practices around the servers, such as not using shared servers:

https://mullvad.net/en/help/server-list

I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).

by joveian

5/25/2026 at 6:57:34 PM

Not retail ISPs, but many extensions and free VPNs route VPN traffic through the connections of those who use them.

by dtech

5/25/2026 at 7:02:23 PM

This isn’t correct, the residential IPs are a completely separate and vastly more expensive product.

by joxdosba

5/25/2026 at 7:06:14 PM

One such extension, https://www.tuxlervpn.com/faq/:

> Will other users of tuxlerVPN be able to connect using my IP address?

"When you use our free residential VPN, you automatically agree to add your IP address into the community pool. This means that you are trading your own IP address in return for the ability to connect via the IP addresses of other users. You can opt out of this by purchasing our premium subscription; once you upgrade to the premium version, your IP address will be removed from our community pool."

by giobox

5/27/2026 at 7:17:21 AM

It says that, but doesn’t actually do it. Just like Hola/Luminati used to.

You don’t want to route the non-paying traffic through slow and valuable residential connections you can sell, you’ll rent a few fast dedicated servers to do so.

Residential proxies sell for around $1/GB, nobody is running a free or cheap VPN service on that. The idea is preposterous

by joxdosba

5/25/2026 at 10:14:45 PM

Some VPN providers don't even have exit nodes in the country they're claiming. Instead they'll have their IPs registered to the respective countries in GeoIP databases.

This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.

by hnlmorg

5/26/2026 at 6:52:03 PM

IPInfo did a report on this: https://ipinfo.io/blog/vpn-location-mismatch-report

From our side we noticed a VPN provider had a location we'd been trying to get, but had been unable to, so we started digging to find their provider. Long story short the server purportedly in some middle east country was actually 3ms away from our server in Berlin.

by preinheimer

5/26/2026 at 2:33:33 AM

Mullvad doesnt do that, but "ExpressVPN" absolutely does

by sammy2255

5/26/2026 at 5:18:28 PM

Does this affect people using the socks proxy feature? I generally connect to the same Mullvad server over wireguard (not their client) and then use different servers for socks proxy as exits.

My clanker says no because socks proxies have all one IP per server but I don't know whether to trust it.

by blfr

5/26/2026 at 5:41:31 PM

No it doesn't affect people using the proxies. You can even see it in the demo, which I really don't understand how it knows that you are using wireguard vs a proxy.

When I use a proxy it says like 99% of mullvad users,and when I use wireguard it's between 0.5 and 5%.

(https://tmctmt.github.io/mullvad-seed-estimator/)

by Cider9986

5/26/2026 at 10:27:11 AM

I wish Mullvad would focus on censorship breaking. These days anything that doesn't implement something along the lines of AmneziaWG/Xray/Shadowsocks/Outline feels like a waste of time, sadly.

by Anonyneko

5/26/2026 at 11:06:29 AM

What makes it a waste of time? A reputable VPN provider that offers a pretty reliable service and has every indication of having a competent security team is worth something in itself; not everyone using Mulled wants to set up / debug potentially complicated systems either.

by dannyw

5/25/2026 at 7:25:52 PM

[flagged]

by StackExpress

5/26/2026 at 4:23:26 AM

[dead]

by immanuwell

5/26/2026 at 3:51:43 AM

[flagged]

by dartharva

5/25/2026 at 7:57:27 PM

[flagged]

by akszt

5/25/2026 at 8:17:30 PM

This sounds like some LLM to me

by j027

5/25/2026 at 8:33:27 PM

Just flag and move on.

by captn3m0

5/25/2026 at 7:50:58 PM

[dead]

by rjhy2020

5/25/2026 at 7:36:07 PM

Is this at all related to Wyden's recent congressional warning? Are any other VPN providers speaking up on this?

https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_g...

by willis936

5/25/2026 at 7:43:43 PM

it is a direct response to this disclosure: https://tmctmt.com/posts/mullvad-exit-ips-as-a-fingerprintin... and nothing to do with american politics

by john_strinlai

5/25/2026 at 8:15:17 PM

And what evidence do you have that this May 14th disclosure has nothing to do with Wyden's March warning? If you remember your history you'll know Wyden tried to shake the Snowden revelations out before the Snowden revelations.

Dismissing Wyden's remarks as "american politics" is near equivalent to dismissing the entire notion of VPN security.

https://www.washingtonpost.com/politics/after-years-of-obscu...

by willis936

5/25/2026 at 8:34:55 PM

Mullvad has explicitly given their reasoning. That's the evidence. Now the burden of evidence is on you to show that these things are connected since you are the one challenging Mullvad's claim.

by jnovek

5/26/2026 at 3:45:28 AM

It could be two things at once, and OP was just speculating and trying to add to the conversation.

by asixicle

5/25/2026 at 8:18:17 PM

>Dismissing Wyden's remarks as "american politics"

its a letter signed by american politicians, addressed to an american agency, about american citizens.

no scare quotes are needed around american politics.

(mullvad is swedish)

by john_strinlai

5/25/2026 at 8:30:59 PM

And would you classify Snowden's revelations the same?

The pattern is "Wyden rings the bell about a dragnet and then we learn the details about it". It just seems like an extraordinary claim with no extraordinary evidence to say that "person warning about VPN compromises has not motivated any of Mullvad's recent security work". Just provide that evidence for your claim.

by willis936

5/25/2026 at 8:34:44 PM

>It just seems like an extraordinary claim

what? it's not extraordinary at all. mullvad has a long history of being very security conscious. they do not wait for american politicians to direct their security work. i will stress again, mullvad is a swedish company.

feel free to read the co-founder's HN comment right here: https://news.ycombinator.com/item?id=48145679. they found out about the issue via the blog post, looked into it, and fixed it. end of story. (it says as much in the first line of mullvad's blog post too...)

by john_strinlai

5/26/2026 at 11:09:39 AM

The burden of proving two events are related is up to the accuser, and rough time correlation isn't any evidence in itself.

by dannyw

5/26/2026 at 3:59:52 AM

You need to give evidence that this has something to do with Wyden's March warning first.

by eipi10_hn