Obscura VPN

This looks interesting, could it be useful for Obscura?

1 Like

Unfortunately the only thing you can do right now is to allow or deny URLs, not selectively route them through a VPN vs. not. See Apple docs here. I hope they expand on the functionality!

The next evolution of this improvement would be to expand this to allow for more creative ways to manage network traffic. I have hopes for that addition and improvement by Apple.

But glad to hear that you’re looking into this actively already.

1 Like

Update: We just released our iOS App!

App Store link: Obscura VPN on the App Store

Would love to know what y’all think :smiling_face:

Ping for folks who’ve publicly indicated interest: @baby_bat, @g92o4k73la

Fun little video we made: :grin:

5 Likes

MPRs are just as flawed as VPNs.

You have to trust that Mullvad and Obscura aren’t sharing data and working together to deanonymize their users.

MPRs would only be safe if many providers and volunteers hosted servers, none of the providers control both an “entry node” and an “exit node”, and the providers were selected at random. Tor is the closest thing to this.

Advertisements for double, triple or multi-hop VPNs are meaningless.
Unless the user builds their own custom VPN chain by carefully choosing different VPN providers, operated by different companies, then they are fully trusting only one provider. But even in that case, the user would still lack route randomization.

Given Mullvad’s track record I highly doubt they’d do that.

Not to mention Tor nodes aren’t immune from malicious nodes and deanonymization.

VPNs/MPRs do have valid use cases when using untrusted, insecure public Wi-Fi networks while traveling, which I do extensively. Plus, there was an FTC report from October 2021 that laid out exactly how, in America, ISPs sell our data to data brokers and profile us from said data, so yes, I trust Mullvad and Obscura to not be doing that with my internet traffic, and I trust them overall significantly more than I trust American ISPs.

It depends entirely on an individual’s threat model, but decrying VPNs as entirely useless because they wouldn’t protect one threat model doesn’t mean they’re not useful for another.

3 Likes

Would a third party audit of Obscura alleviate any concerns over this?

Not at all. We’ve had multiple discussions over this. Audits are meaningless once the server code has changed. It’s not inconceivable that a provider would configure their servers to stop logging for the duration of the audit then start logging everything again once the audit is complete thereby fraudulently passing as no-logs. Real world examples and server hacks might add more trust in a provider if the hackers or authorities couldn’t get any data since the providers at least weren’t prepared (unless the attack was staged).

Audits don’t determine how secure or trustworthy something is. They can reveal issues that can be fixed therefore improving security, but they don’t prove something is secure.

1 Like

What would actually convince you for something to be trustworthy?

Seems like you have your own rationale for everything, even something normally considered normal and legitimate. Also seems like you’re disagreeing on principle but you have not yet mentioned what you consider a solution for this “concern”.

For a VPN, nothing. VPNs are full of leaks and do not hide activity from your ISP. Security experts do not recommend using VPNs.

The only things VPNs are useful for are P2P activities and connecting safely to public Wi-Fi. But remember that no provider is trustworthy. And your encrypted data will be decrypted one day.

I think you’re conflating and misattributing info you found to the ones recommended on PG with the vast majority of ones that are poorly made.

And as someone who has this level of mistrust and no nuanced understanding of why or how select VPNs can in fact and indeed be superior and uphold the promises and claims they make, there’s nothing I think can be said here to make you understand this on the level of logic for why you’re wrong.

You do you. Thanks for sharing those links.

Tor (and related tools) have had CVEs too, so I’m not sure what your point is?

Your source literally references Mullvad VPN’s defense against this, though I’m not sure if that feature is available in Obscura yet.

I’m disappointed Whonix is misrepresenting these quotes. If you just read the quotes, they’re clearly talking about issues specific to anonymity and marketing, something which is already acknowledged and dealt with by Privacy Guides.

Tor is still too slow for many tasks, only works with certain internet protocols, and is frequently blocked by servers across the internet. There are many more use cases than just the ones you listed for why someone would use a VPN service instead.

This has nothing to do with VPNs and entirely to do with which cryptography is used. As far as I know, Tor has yet to switch to quantum-secure cryptography whereas some VPN providers (like Mullvad) have had it for years. If anything, this is currently a pro for VPNs and a con for Tor. (Unless Tor has recently added it without me hearing about it yet.)

Luckily for us, the supposed accomplishments made in quantum factorization were recently debunked in a paper published earlier this year, so I’m not so sure if quantum computers will ever truly pose a threat to hypothetically quantum-vulnerable cryptographic algorithms.

2 Likes

When you connect to for example Mullvad, you’re not trusting only Mullvad, but the ISPs and jurisdictions of all the servers you connect to.

Counting CVEs is not an accurate measure of security or privacy. It’s how those CVEs are handled and how quickly they’re patched that matters.

Do any other providers have this? And Mullvad’s DAITA feature requires the use of their client.

I’m not sure how well AI-guided traffic analysis works against MPRs. I’d be interested if @obscuracarl had any comments on whether Obscura is currently vulnerable to it and if there are any plans to address it. Nym’s “dVPN” seems to support something similar with their mixnet and users have been asking Proton to add it, so we’re hoping they’ll follow suit.

The connection is fully encrypted with WireGuard, for example. So, why is anything more important? Nothing can be intercepted other than inferring traffic volume patterns at best of all Mullvad users connecting to one country and those servers. Not one entity knows who you are with any PII. Not Mullvad nor those ISPs or jurisdictions you mention.

What even is your argument here? That Mullvad can’t or should not be trusted?

I think you have a flawed understanding or at least a belief of how VPNs work, how to best evaluate them, and in the end will come down to trust. I guess there is no arguing with one who can’t or doesn’t want to see why absolutely no VPN should be trusted.

1 Like

As the Whonix website points out, there are criteria on which trust can be established (with no certitude, but this is the principle of trust, you have to trust them, it is not trust-proof).

VPNs also serve the purpose of escaping geo-blocking or network blocks, and prevent IP-based fingerprinting.

Access denied. Disable your VPN.

Sorry. VPNs are not permitted on this network.

So can Tor.

1 Like

We actually got one already, just need to update our website to publish this…


Lots of posts above, I’ll make a few points below.

We built Obscura to be a VPN that’s:

  1. More private than SPRs (by being an MPR)
  2. Suitable for everyday use

Point #2 is quite important to us, as we believe the more you can use a privacy-friendly tool, the more privacy-value you get out of it.

I fully agree that depending on your security model, you may want to use Tor or a “decentralized VPN” instead, but they come with severe usability/performance penalties. I wouldn’t use Tor to make video calls, for example, but I use Obscura every day to make video calls.

Within the bounds of “being suitable for everyday use” though, we want to make sure that we are a substantially privacy-friendly option. Nothing is ever going to be perfect for all security models, and we will never claim to be perfect for all security models.

What’s interesting about this is that QUIC-based obfuscation is one place where the more usable option is also the more private option. Our obfuscation gets around network blocks quite well, and is better for usability because… it’s frustrating not being able to use the VPN you paid for at all :laughing:

P.S. If you haven’t yet, I’d encourage all to read @em’s article here: No, Privacy is Not Dead: Beware the All-or-Nothing Mindset - Privacy Guides

6 Likes

Sorry if this has been asked before but are there plans to add other providers as exit hops or is the plan to just have Mullvad as a partner for now?

Look forward to the updates on this.

1 Like