Mullvad: We have successfully completed our migration to RAM-only VPN infrastructure


Very exciting! Just pushed the updated to the Techlore VPN Chart


What exactly does this means?

Security theater if you ask some. Doesn’t mean much if your threat model involves state actors: Cold boot attack - Wikipedia

1 Like

I think this article by Mullvad explains it well.


I’m sorry, that’s a whole lot of fluff, and leaves some important stuff to imagination. Such is very typical of VPN companies, so I won’t blame Mullvad for it.

For example, they talk about verifying OS images before booting in, but what’s verifying the bootlader itself? And what inturn is verifying whatever verfiied the bootloader? This isn’t an easy problem to solve for hardware you don’t build yourself.

They also claim there’s no data to confesticate if servers are taken away; but that’s incorrect since RAM, even if volatile unlike disks, can leak data to a determined observer. I mean, there’s a reason Signal’s key retrieval setup (link) is as involved and multi-layered, as it is.

The end goal of “system transparency” is all well and good, but diskless doesn’t really address the core of it, even if it is a step in that direction. In fact, I don’t get what “system transparency” has to do with disks. I mean, boot your Host, run your inits, boot your Guest, and hide the disk from it. That’s diskless, too, even if not physically, it is guaranteed by software (recall that the software can’t be tampered with since its “signed” and “verified”).

I may be wrong, but their blog post most definitely isn’t the best place to look for what diskless really means in the context of “system transparency”.

People whose threat model would entail state actors cold booting a VPN server shouldn’t be on anything less than Tails or Whonix-Qubes anyway.

You do realise that using protocols like WireGuard, not logging user traffic is in fact to thwart state actors?

Besides, how do you take Mullvad marketing this entire diskless thing? From their blog:

What does “without any disks in use” mean?

  1. If the computer is powered off, moved or confiscated, there is no data to retrieve.

Who has the power to confiscate those servers? Us? Or, the State? Mullvad, just like other VPN providers, aren’t immune from over the top marketing.

In fact, I’d argue that folks are better off using TLS with ECH or HTTP/3 over QUIC, or OHTTP, along with ODoH in the near future. When browsers enable these new protocols, many consumer VPNs will be made redundant.

Yes, but you can’t get physical access to VPN servers in order to perform cold boot attacks and still blame it on Russian or North Korean hackers…

My point is, it is all security theatre :slight_smile:

Of course, you’re free to disagree. I’m okay with that.

I don’t know why you feel the need to push this narrative. As you can read from the blog post, there are other benefits to moving to diskless infrastructure, such as “having fewer breakable parts” or making it easier to set up and upgrade package versions on servers. So, clearly, this is not all “security theatre.”

Also, Mullvad has never argued that this is a response to some state attack, which is something you are saying. Furthermore, Mullvad has never said that their VPN service would protect you against these kinds of attacks in the first place. Again, you’re putting words in their mouth.

When it comes to marketing, I think Mullvad is one of the best and most ethical in that regard, and if there is something that definitely doesn’t describe Mullvad, it is the word “fluff.” Have you ever investigated other VPN companies, such as Nord? I think your criticism would fit them better.


It’s not a perfect solution, there are still plenty of ways to leak information about the sites you’re visiting which are unavoidable, simple things like correlating IP addresses to websites. This forum for example is hosted on an IP address which doesn’t host anything else. In that case it doesn’t really matter how much information you encrypt, if your ISP sees you establish a connection to they can still be fairly confident you’re visiting here.

Encrypted Client Hello is going to provide a privacy benefit when visiting sites hosted on platforms like Cloudflare—where thousands and thousands of sites share the same IP addresses—which is why Cloudflare is pushing it so hard. In that situation though, you’re essentially turning Cloudflare into your de facto VPN provider more or less, except it’s a VPN that only covers certain websites which are Cloudflare customers.

There will still—probably always—be a use-case for a VPN which all of your traffic is tunneled through.


Within limits, for the web, with OHTTP and ODoH, the ISPs can’t know where a client is connecting to. Add QUIC or ECH and that’s the end of that.

For IP routing, MASQUE also looks promising. I’ve already integrated the ODoH client in an app I co-develop, and I’m looking forward to implementing serverless OHTTP and ODoH proxies anyone can self-host.

Yes, but not for Internet egress, I don’t think. Tailscale-style networks / VPNs will be in vogue, sure. We’ll see, but it’ll be a while before folks realise the uselessness of most VPNs once the browsers start picking up QUIC, OHTTP and other standards IETF is working on, for Internet privacy and security.

ECH is all Mozilla, the last I checked. OHTTP is all Google. MASQUE is mostly Apple with Cloudflare contributing. ODoH is all Cloudflare.

Btw, Address Agility (sharing IPs) has nice anti censorship properties (ex).

I’ve explained why it is theatre, but I guess you read right past it?

For instance, their employees can still SSH to their diskless servers. So, you’re one key compromise away from whatever purported benefits diskless brings in terms of security. All the other points about how their infrastructure is suddenly easier to maintain is deflection, one which I care naught about.

They talk (on their blog) about protection against whoever is confiscating their servers legally from their data centers. Who are these powerful entities, I wonder.

This is the first line on their homepage: Mullvad believes in a free internet. Free from mass surveillance and censorship. Free from big data markets and authorities mass monitoring your every step.

I am an ex-AOSP developer, and I witnessed first hand how they drummed up a recent Android VPN API vuln that wasn’t. Of course, they are not immune from fluff. In another instance, they claim only Swedish Laws apply, but then they use PayPal and Stripe who will 100% comply with local laws. One can leverage their cash-payments to work around that, but they conveniently leave that out from their FAQ because… reasons. I notice such all-true (but conditions apply) statements on marketing material of most VPN providers.

Seems like you might have? Feel free to start a new thread. I am here for the education.

No, I did read your earlier comments, but I just didn’t agree with them. Also, saying that Mullvad’s claims about other benefits regarding diskless servers are just a “deflection” is just ridiculous. If you honestly believe that, I don’t think there is anything I can say to convince you otherwise.

Yes, and yet it doesn’t say that a VPN would fix all of these issues. In fact, they say on the same page that “when protecting your online privacy, no single-step solution exists. Instead, it is about changing your habits and using certain tools.” I think that they are stating that earlier comment on their website because they honestly believe in that as a company and want to be a part of the fight. When considering the history of Mullvad and the advocacy they have done for people’s privacy rights, that wouldn’t surprise me at all.

I think this was first reported to them by an audit firm, and Mullvad’s blog post was very professional and acknowledged that this vulnerability probably doesn’t concern the majority of the users. Again, I don’t know what they could have done better in this situation.

Making a huge deal about how Mullvad doesn’t disclose information regarding payments made with PayPal or Stripe in their FAQ seems to be only reflecting your own personal issues with Mullvad as a company. If you really want to find out this information, you can easily find it in the relevant section here. And again, I don’t know what they could have possibly done better to satisfy your needs. It seems like whatever they do, you have something negative to say. Here is what they disclose regarding this issue:

“These kinds of companies log everything. For that reason alone, it is out of our control that they have records showing which people have paid us money (i.e. processing of personal data)… In short, your payment actions with these two methods are not anonymous and the GDPR and other relevant data protection regulations may apply if you are making a payment by credit card, PayPal, Swish or by bank wire.”

Yes, I have, and no, I definitely don’t want to start a new thread about them because it is already common knowledge in the privacy community that if you’re choosing a VPN, Nord is one of the companies you should avoid, and Techlore has a VPN chart where you can find more information regarding this. However, I can gladly give you an example of their “fluffy” marketing when they made a similar statement regarding their move to RAM servers.

In the context of “security”, yes it is a moot point to make.

They should say that at the top, right next to where they ask for monies :wink:

Make sshless servers; that’s easier than diskless (I have ran both those kinds of servers). But I also know that you can’t give up ssh that easily if you want to retain a level of control over the servers. A super hard thing to chew at, from my experience.

That’s the thing. It isn’t on the homepage or on pages where they talk about how diskless will thwart whoever comes to confiscate their servers without acknowledging that there are still plenty of kinks in the armour. Or, may be, if we ask folks at Mullvad, they’d agree there are loop holes… because I’d expect them to know what they’re talking about.

Again, my point is, over the top marketing about diskless. Or may be, over the top hype by other folks than Mullvad themselves.

I am not arguing they could do things better or worse (I mean, sshless was a better first step than diskless, but whatever; not my money, and not a customer either). They indeed seem like they are not the baddies. Just that I don’t consider them the second coming of Jesus of Nazareth.

In fact, there’s nothing to argue about. I agree with most of your points about facade of integrity that Mullvad has managed to present. I just don’t agree that they’re beyond reproach or fluff or what have you.

1 Like

OHTTP isn’t intended for general purpose HTTP internet traffic. MASQUE might be, but it’s not really clear to me why it’s anything other than a fancy proxy.

General purpose HTTP applications such as web browsing are not in scope for the Oblivious HTTP protocol. Broad applicability is limited by multiple factors, including the need for explicit server support of the protocol. In contrast, transport-level proxies such as HTTP CONNECT or MASQUE are a more appropriate mechanism for those use cases, as they allow connecting to unmodified servers.

It appears as if most (all?) OHTTP implementations involve the OHTTP Gateway and Target being operated by the same entity. In which case the only real separation is being provided by the Relay, which is exactly the same privacy protection a traditional VPN already provides. Maybe it is possible for the Gateway to be operated independently from the Target, which would create a privacy solution more similar to Apple Private Relay, but that doesn’t seem to be the common implementation.

I guess the part that is not clear to me is how these new tunneling technologies actually provide a new privacy advantage over what VPNs are already providing. I also am not sure that it’s particularly relevant to say that VPNs are useless when your proposed solutions don’t exist in the real world, and won’t for quite some time.

1 Like

OHTTP is meant specifically for HTTP traffic, but it needs buy in from both the server and the client (like the text you quoted points out). Firefox and Chrome are both implementing it, so like 99% of the clients are covered. Server side of the equation needs relays (could be volunteer run as opposed to owned by a central authority like VPN companies) and gateways (run by web admins / CDNs).

MASQUE isn’t just a transport-layer protocol. It is a full-fledged VPN protocol (spec).

The advantage is the browsers will come with OHTTP built-in (much like DoH).

With MASQUE, the client identities can be anonymous (spec), though that technique could very well be adopted by other VPN or proxy protocols (like Apple has with Private Relay and Google has done with its One VPN). I co-maintain an open source implementation, but it is specific to the proxy I run and use (also open source). I need to clean up the code, write some docs, and make it generally consumable. Some day…