Mullvad - why should I trust them?

I’ve been using the Mullvad VPN for the past 6 months or so and have recently been trying out the browser. I’ve read all the literature on their own website, and I appreciate some of their business practices (no account needed, you can pay in cash).

I understand of course that by using a VPN, you’re placing trust in that company. However, I get the impression that people seem to trust Mullvad more than many of the other VPN offerings.

I’ve heard some references to the founders’ solid “track record”, but I have a hard time finding any information about either of them. What were they doing before Mullvad? How were they able to fund the beginnings of the business?

In NYC where I live, there are ads for Mullvad plastered all over every subway car and bus in the city. How do they justify this expense?

If anyone has answers to these questions with supporting documentation, I’d love to see it.

IVPN and ProtonVPN are also fairly well trusted, equally I’d say. The rest is marketing.

Well, it’s not as many as the Nords and Kapes can afford; they do TV adverts in 65 countries. VPNs are a lucrative business. Having said that, we believe that marketing is important when it accurately portrays what a VPN can and cannot do, and that is one component of our criteria.

1 Like

Speaking of Mullvad’s marketing, when you disconnect from their Linux app it says “disconnected and unsecure”. To me that sounds misleading and against the criteria below:

Use responsible language: i.e., it is okay to say that a VPN is “disconnected” or “not connected”, however claiming that someone is “exposed”, “vulnerable” or “compromised” is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider’s service or using Tor.

You should trust no one.
All those VPN companies will tell you that you must have a VPN even if you don’t need one.
The truth is even Mullvad wants you to use their VPN 24/7 because that’s how they make money.

I’m trying iVPN and Mullvad at the moment, leaning towards iVPN.
Support is awesome, they answered in under 5 hours over Easter.
Whereas Mullvad hasn’t replied at all yet.
Maybe the mail ended up in their spam or something else is going on. Sent it again today and I’ll wait. Since I don’t have to buy a plan with both to have a reasonable price.
What else iVPN has going for them is (read the whole page) honesty:

What Mullvad has going for them:

But then again I find the “unprotected” on their page kind of misleading.
Since I’m using a VPN while visiting it :slight_smile:

1 Like

One place where Mullvad is better is they offer IPv6 native connections. Some cellular providers only offer IPv6 single addresses and then use 464XLAT:

The client uses a SIIT translator to convert packets from IPv4 to IPv6. These are then sent to a NAT64 translator which translates them from IPv6 back into IPv4 and on to an IPv4-only server. The client translator may be implemented on the client itself or on an intermediate device and is known as the CLAT (Customer-side transLATor). The NAT64 translator, or PLAT (Provider-side transLATor), must be able to reach both the server and the client (through the CLAT). The use of NAT64 limits connections to a client-server model using UDP, TCP, and ICMP.

Also talked about in this Alcatel-Lucent document, 464XLAT in mobile networks - IPv6 migration strategies for mobile networks:

The smart way – IPv6 only + 464XLAT
The 464XLAT strategy is the preferred option, providing further improvement on all previous options. IPv4 is offered as a service over IPv6 for all applications (DNS and non-DNS). As in the case of the previous options, this approach has several advantages. IPv6-only networks are simpler to deploy, operate, and manage. An address management solution is required only for IPv6 addresses. Plus, there is no impact on scale, charging, and roaming because only a single bearer with a single stack is required. For IPv4-only, non-DNS applications, IPv4 packets are translated to IPv6 packets by the UE and translated back to IPv4 packets by a central CG-NAT64, which is deployed behind the PGW. MNOs benefit from the increasing ratio of IPv6-to-IPv4 Internet traffic. Cost reductions are achieved by bypassing the CG-NAT64, which IPv6 enables. This solution requires support of the customer translator (CLAT) on the UE device. An advantage is that the solution works with websites and applications that are IPv4-only, IPv6-only, or that support dual stack. The offered service is never inferior.

Probably wouldn’t notice any extra latency but it’s nice to think your packets are going through less complex layers of translation.

You should judge a VPN provider based on how they’ve dealt with court orders (if allowed to publish that, sometimes they receive gag orders) and whether they’ve been audited. Other than that, you have to take them at their word.

I can tell you right now there is not a single VPN provider that per their ToS permits anything illegal or malicious. In fact every ToS, AUP, and Privacy Policy I’ve ever read states that they will cooperate with valid court orders and that using their services to do anything illegal is strictly prohibited.

So unless you’re Assange, Snowden, Mitnick, the Unabomber, or Adrian Lamo… You got nothing to worry about.

I strongly disagree that this is misleading (or even just marketing). It is descriptive and useful information in context.

I think you may be misinterpreting the word “unsecured” (an accurate and relevant description in the context it was used). Saying something is unsecured is not the same as saying something is insecure.

Mullvad is not using language any stronger than every major web browser (when a connection is encrypted, the Firefox/Chromium/Safari UI reports that it is a “secure connection”; when the connection is not encrypted, the UI reports that the connection is “not secure”).

In both cases, this is just consumer-friendly language to communicate whether the connection is encrypted or not. Which is relevant information in the case of either a web browser or a VPN.

5 Likes

All VPNs recommended by Privacy Guides are audited (to ensure the server side is secure and private) and open-source. This is as certain as you can get to trustworthiness.

This is because the killswitch will block all connections, even if it can’t connect to VPN (if you are offline for example). In that case it will be secure (disconnected).

Did you send the email to support@mullvadvpn.net?

2 Likes

On their page it simply says

About the Mullvad vs IVPN vs Proton debate, it comes down to:
Proton: Mainstream private VPN, NordVPN but better
Mullvad: Radical privacy with good defaults and few options
IVPN: Radical privacy with a lot of customisations and enhanced account security.

2 Likes

I think it is a combination of things:

  1. They have a really strong and consistent track record, they’ve built a good reputation over the past 15 years. They are one of the OGs in the privacy space (Proton, Privacy Guides, even PTIO are young by comparison). Possibly the only VPN that was a top recommendation 10-15 years ago (Mullvad, Boleh, AirVPN), and remains a top recommendation today (Mullvad, IVPN, Proton, Windscribe).
  2. They seem genuinely focused on making good, smart technical decisions, genuinely committed to both privacy and open source. It genuinely feels like security and privacy are core considerations for nearly every decision Mullvad makes.
  3. Mullvad has a very straightforward, no-nonsense business model and pricing structure.
  4. Like the other listed VPNs, they are audited and open source, and have transparently handled court orders in a responsible way.

None of this is meant to imply Mullvad is better than any of the other recommended VPNs. I’m just sharing some thoughts on why Mullvad has the reputation it does, particularly with people that have been involved in the privacy space for a long time. Most of the tools and services that are recommended today, did not exist >10 years ago, and many of the recommended tools today won’t be around or recommended 10 years in the future. Privacy products that stand the test of time are somewhat exceptional.

3 Likes

I think this is likely just a “bug” where the person who wrote the code for the message on the website was simply a different person to the one who put the status message in the app. Maybe someone would like to raise a bug on their GitHub. Make sure to include screenshots to compare the two cases.

They’re likely going to want the two messages to be consistent.

Let me check, yep. Been 4 days now since Easter passed, and 2 since the follow-up email.

Still no answer.

I’ll send a DM to the guy here on the Forum. If not just take it as a sign :sweat_smile:

I don’t really care what language they use, but I actually think the current language makes sense in context. The app and website are referring to somewhat different things.

In the case of the app, the message communicates 1 of 3 things:
The connection is:

  1. Secured (encrypted tunnel is established)
  2. Unsecured (encrypted tunnel is not established)
  3. Blocked (encrypted tunnel is not established and internet access is blocked)

Because they are referring to the connection the language they use seems reasonable and descriptive, and because it is a connection between their client software and their server they can conclusively determine the status of the connection and they don’t have to account for other VPN providers.

In the case of their website, they can’t conclusively say whether someone is using some other VPN or not (and the language of “secured”/“unsecured” is also more confusing and less correct in that context, because the connection is secured between Mullvad’s client and their VPN server, not between your browser and Mullvad’s website).

Well, for me it says a little more:


I’m running iVPN at the moment.

For me this is not too big of an issue…
(Made it bold to get the point across, still considering using them. See rest of Convo)
More that support hasn’t replied yet. But like I said I’ll send a DM here.

I hope they do get back to you soon. But if I were in your position, I might just choose IVPN considering you’ve had such a positive experience with them so far, and they are also a recommended choice (especially if price isn’t so important to you, or if multi-hop doesn’t matter).

edit: also, why your screenshot shows more info than the other screenshots is because you are on their test page, (mullvad.net/check) whereas the other screenshots are of their homepage (mullvad.net)

1 Like

Well actually it comes down to if the wife and the daughter want to get onto the plan as well.
Then the price for iVPN would be a bit pricey for the pro plan.
But, like I (and you) said. Experience has been positive from the start.

Ah yeah, I forgot that the “cheaper” (still a bit above average) plan only allowed for 2 devices. Even for me as a single individual that is insufficient. But I don’t think IVPN intends to be the cheapest option or best value, and I don’t think that is a bad thing. I think that that higher price tag is probably partially responsible for the great customer service you have experienced.

I agree with you.
Especially the homepage is minimalistic and easy to navigate though.

Adding up to the quick response from customer service, their homepage seems trustworthy to me, thus the provider.

Still chewing on the price tag though for pro, since it’s not just the VPN I pay for.

But. I’ll just wait what the family says, if they want on I’ll just swallow it :joy:

Personally I emailed Mullvad and got an answer in less than a day. Anyway, this debate is pointless. Start using Proton, IVPN or Mullvad and you can’t go wrong.

2 Likes