Mullvad's 2024 security audit is now available

Very interesting. They fixed the vulnerability of overflows, and a Windows-specific one.

Other vulnerabilities are privacy-related, including minor leaks of the tunnel. This has already been remedied on Linux and they asked Google to fix it on Android.

Last words
Mullvad is very happy with the quality of the audit performed by X41 D-Sec. X41 managed to find issues in our code that previous audits missed, which shows that there is great benefit in having audits performed by different companies. This is not meant as criticism against the previous audit companies. The app is too big to realistically look into every aspect and detail in a few weeks. We have always had the explicit tactic to use a different third party auditor for every audit, to get different sets of eyes from people with different skills and mindsets every time.

12 Likes

Slightly off topic but how does PG evaluate if an auditor, such as X41, is trustworthy or not?

I have no doubts that this is a legit audit but, anytime audits come up I do wonder what the process is for telling if the audit meets the “security audits from a reputable third-party firm” requirement? :slight_smile:

Maybe it’s just me, but I feel as though the word reputable almost speaks for itself? If an auditing company has been around for a while and demonstrates an ability to find serious vulnerabilities in the software they review, then they would be considered trustworthy. It would be difficult for an incompetent actor to present themselves as a competent one in this context. Hopefully, that helps.

2 Likes

Thanks for the response.

Maybe I am misunderstanding what you mean but from what I can tell most users would not be able to name two auditing companies let alone evaluate based on reputation. In my mind, none of these companies have reputations that speak for themselves.

I am not sure that’s true, auditing is a notorious marketing tool in the VPN space. Take PureVPN and their “always on” audit from KPMG as an example.

How many users are able to look at KPMG and X41 and have any clue which is a “reputable” service?

1 Like

I feel there has been a misunderstanding on my part. In terms of auditing whether a VPN provider keeps logs, I don’t have a good answer for what makes an auditing company trustworthy. I was referring to audits like the subject of this topic, which audit the security of a company’s products/services. In that case, I still feel that demonstrating an ability to deliver results indicates they are at least somewhat competent. This specific audit caught potential vulnerabilities which had been present for years despite previous audits, which for me adds to this company’s credibility.

2 Likes

Yeah. I meant how does PG tell if the company providing the audit is reputable? It seems like something that would be important to the VPN criteria.

My assumption is most users just read the conclusion at the end of the audit and have no clue if the audit itself is technically sound, which means there needs to be some level of trust in the company providing the audit.

1 Like

Interesting, did not realize that.

Sounds reasonable to me. I think from a criteria perspective it would be nice to hear from @staff about how they do it, but this sounds reasonable.

I do wonder if it's appropriate to re-evaluate these groups every so often and if there is a process to do that. A company like Kaspersky Labs comes to mind, where they have all the accomplishments you could want from a company in their field but could also be considered untrustworthy.

It has always been interesting to me that there is seemingly so little known about auditing companies for most users while audits are a minimum criterion for VPNs, so I have always been interested in how PG looks at those companies.

1 Like

Was not going to respond, as I agree with you and I have probably veered the original post a bit off topic, but I do want to say your view is just as important, and I think any time someone offers how they evaluate an issue, it gives perspective to the rest of the community. :slight_smile:

Would also be interested in seeing if someone like @ruihildt could provide perspective on how Mullvad chooses an auditor.

1 Like

I actually don’t know what the criteria are; I only know we try to have a different auditor each time, as stated in the blog post.

1 Like

I would love to be a Mullvad customer. But unfortunately that’s out of the question for me because they don’t support port forwarding. That’s what I call a poor feature set.

Mullvad gave clear reasons why at the time. IVPN also soon followed, so it's not like Mullvad was alone in this thinking.

Their customer support, for me personally, was super accommodating and even gave me a refund and extra time on my subscription even though I had said I was leaving as port forwarding was a need.

Proton, another PG recommendation, offers it if you need it.

You can also use Quantum to really reduce the annoyance of their ephemeral port forwarding implementation.

I think if you are willing to look outside of PG recommendations, AirVPN offers the best implementation of port forwarding while also being a reasonable choice in terms of privacy. Just to be transparent, I used AirVPN for 18 months after moving on from Mullvad, before switching to Proton this year.

2 Likes

I’d use Mullvad all the time, but it keeps disconnecting once or twice every 15 minutes.

Is there something similar for rtorrent?
It must be running on an OpenWrt router, because my whole network is behind a VPN tunnel.

Could be misunderstanding, but no, I don't think so.

Quantum just reads the logs on Windows to find the port ProtonVPN uses, and then updates the qbit client with that port.

EDIT: I did misunderstand. @Kris I have not seen one for rtorrent. But you could possibly ask the developer or fork the project to do so.

1 Like