Security

Mullvad Review: Solid Security and Privacy, But Swedish Jurisdiction is Concerning – CNET


Mullvad is a Swedish-based, independently owned, open-source VPN provider that puts security and privacy above all else. Every other VPN provider says it does as well, but Mullvad goes to great lengths to convey that it genuinely does put security and privacy first. 

Like

  • Average speed loss only 23%
  • Kill switch always enabled
  • Open-source

Don’t Like

  • 14-Eyes jurisdiction (Sweden)
  • Not ideal for international streaming
  • No live chat support

The apps are simple in design and easy to use, yet offer sufficient customization options to keep experienced VPN users happy. And Mullvad offers all the security and privacy features you need to stay safe online. 

It’s a fast, user-friendly VPN that easily holds its own against the big-name VPN providers. Overall, I was impressed with Mullvad’s commitment to privacy, security and transparency, and its straightforward, no-nonsense attitude — but the provider’s Swedish jurisdiction makes it a risky choice for anyone with critical online privacy needs.  

Speed

  • Average speed loss: 23%
  • Number of servers: 836
  • Number of server locations and countries: 68 locations across 38 countries

Mullvad is fast — it blows the competition out of the water. You can usually expect to lose about half of your regular connection speed when you connect to a VPN. But Mullvad only slowed me down 23% on average when I tested its speeds in April 2022. 

I tested Mullvad’s servers in New York, the UK, Australia, France, Germany and Singapore, using the OpenVPN protocol. 

My total average speed without the VPN was 364.92 Mbps, and my total average speed connected through Mullvad servers was 278.72 Mbps. That 23% speed loss is far better than the 58% speed loss we recently calculated with IPVanish or the 52% speed loss with ExpressVPN. Surfshark, with its 17% speed loss, still ranks as CNET’s fastest VPN.

I averaged 340.84 Mbps to Mullvad’s New York servers. My average speeds dropped when connecting to the UK, where I averaged 310.58 Mbps, while my average speeds to the European servers in France and Germany came out to a slightly faster 314.23 Mbps. Speeds to Australia were impressive, where I averaged 269.4 Mbps, even though I was connecting to a server located on the other side of the globe. My average speeds to Singapore registered the slowest at 158.54 Mbps — still impressive considering the distance from my location. 

Overall, Mullvad is one of the fastest VPNs I’ve ever tested, and can provide more than enough performance for just about any online activity like streaming, video calls or gaming.     

Security and Privacy

  • Jurisdiction: Sweden
  • Encryption: AES 256-bit, Perfect Forward Secrecy
  • DNS leak protection and kill switch: Enabled by default and can’t be disabled
  • Red flag: Doesn’t issue annual transparency reports

Mullvad takes security and privacy seriously. The VPN requires precisely zero personal information to sign up and use its service — not even an email address or username. When you create an account, Mullvad generates a unique, random 16-digit account number that you use to sign in. 

Mullvad says it doesn’t log any of your activity when you use the service. Your connection timestamps, IP addresses, DNS requests, bandwidth and traffic are never logged or stored by the company, according to its no-logging of user activity policy. If true, it means none of that can be traced back to your account number and nothing you do online when you use Mullvad can be traced back to you personally, since none of your personal information is connected to your account number. Unfortunately there’s no way to verify with 100% certainty if a VPN company’s no-logs claims are accurate.

Although Mullvad says it doesn’t log user IP addresses, when you connect with Wireguard, your IP address is temporarily stored in memory during the connection. Wireguard deletes the data when a server is rebooted or the Wireguard interface restarts, but Mullvad takes it a step further and says it removes and reapplies the peer if no handshake has occurred within 600 seconds. (That’s when your device and the VPN server exchange encryption keys, establishing a secure connection.) “Doing so removes the public IP address and any info about when it last performed a handshake,” Mullvad says

Mullvad’s latest independent security audit was conducted by German cybersecurity firm Cure53 in May and June of 2020, and it concluded that Mullvad “does a great job protecting the end user from common PII leaks and privacy-related risks.” 

That said, Cure53 did note in its report that Mullvad’s Android app “leaks the static, internal IP addresses assigned to the account to the Android’s syslog.” 

Mullvad says it didn’t issue a fix for this issue because the logging is done by the Android operating system and there’s no way to fix it. Mullvad also says that “all Android VPN apps are subject to the same type of leak.”

“This issue was discussed with Mullvad and there is no meaningful mitigation for this issue because Android OS itself logs this metadata,” Cure53 said in its audit report. “Mullvad does not deem it a sensitive leak given the overall access needed to a device, in order to leverage and extract the log files.”

Mullvad tells me a new audit is scheduled for this year, but didn’t offer a specific ETA on its release date.

The company is in the process of transitioning its fleet of servers to a RAM-only diskless infrastructure. This will help prevent user data from being stored on Mullvad’s servers because there’s no disk on which to save it. Out of Mullvad’s current server fleet of 836 servers, 163 are fully owned and maintained by the company, meaning they’re out of the control of any outside entity. The servers that Mullvad owns are labeled on its server page, so you can decide if you want to use a Mullvad-owned server or a rented one.   

When I opened Mullvad’s website using Brave, the browser identified zero trackers or ads. Mullvad says in its cookie policy that its website only uses cookies essential for providing certain services. Exodus similarly found zero trackers and just four permissions, none of which were deemed dangerous.        

My DNS leak tests also came back clean for Mullvad. I detected no leaks whatsoever, which indicates the VPN works well to keep your online activity hidden from your ISP and anyone else who may want to snoop on your connection. Mullvad’s built-in DNS leak protection is enabled by default and can’t be disabled.

The built-in kill switch is also enabled by default and cannot be disabled. Mullvad’s kill switch worked flawlessly during my testing. 

I was impressed that the kill switch automatically kicked in as I switched between server locations in the app, meaning that my connection was properly protected even as I jumped from server to server. That’s a much more secure solution than what most other VPNs offer. When you want to jump from one server to another using ExpressVPN, for example, you get a pop-up warning that says “your internet traffic may be unsecure during reconnection.” 

Mullvad employs the industry-standard AES 265-bit encryption, which is virtually uncrackable and in line with the encryption used by the top VPN providers

Mullvad flaunts an air of transparency throughout its website and communications, yet the company doesn’t issue an annual transparency report or have a warrant canary. Mullvad told me that it doesn’t publish an annual report, and didn’t indicate that it has any plans to do so in the future. That means that we don’t even know how many subpoena requests the company has received, or which countries and agencies they might have come from. Mullvad also said it doesn’t have a warrant canary because Swedish law doesn’t necessitate the use of one. Mullvad being opaque on these two points is a massive red flag.

Mullvad VPN AB is based in Sweden and owned solely by its founders Daniel Berntsson and Fredrik Strömberg. The company’s Swedish jurisdiction is a cause for concern. Sweden is a member of the 14 Eyes intelligence sharing alliance and its government is aggressively expanding its mass surveillance programs.

Mullvad is a VPN that outwardly seems genuine in its commitment to protecting its users, but isn’t a VPN I recommend if you’re in a situation where your online privacy is a critical consideration due to its Swedish jurisdiction and its cagey attitude surrounding questions about a transparency report and warrant canary.

Customer Support

  • Live chat: No
  • Email support: Yes
  • Knowledge base: Yes

Mullvad’s customer support offering is rather bare-bones compared to other VPNs. While more and more VPNs nowadays offer live chat support, the only way to get in touch with Mullvad’s support team is via email. That said, I was impressed with how it only took a matter of minutes for Mullvad’s support team to respond to my initial emails — and those responses were helpful, friendly and knowledgeable. 

However, when I tested Mullvad’s support during off-hours with a more in-depth line of questioning, the response took 17 hours to land in my inbox, suggesting that support isn’t offered 24/7. The response I got from Mullvad’s customer support after my in-depth questioning was considerably less helpful, unfortunately, than the responses I previously received.  

If you’re looking for answers when support isn’t available — or doesn’t care enough to answer your questions — Mullvad offers a decent knowledge base filled with FAQs and guides that could help you with what you’re looking for.

Cost

  • Flat fee of around $5 a month
  • Payment options available: credit card, PayPal, bank wire, Bitcoin, Bitcoin Cash, Swish, Giropay, Eps transfer, Bancontact, iDEAL, Przelewy24, cash
  • 30-day money-back guarantee
  • Apps available: Windows, MacOS, Linux, iOS, Android, Firefox

Mullvad’s pricing is refreshingly straightforward. You’ll pay a flat fee of €5 (approximately $5) a month, whether you want to use the VPN for one month, a year or a decade, according to Mullvad’s pricing page. I’d like to see more VPNs embracing this flat monthly fee, but alas, none of our top recommended VPNs offer this type of pricing structure. Most VPNs’ monthly plans run upwards of $10 to $13 a month because they try to push you towards signing up for longer-term subscriptions with bigger discounts the longer you commit to the service.    

With Mullvad, you can add as much or as little time to your account as you want, whenever you want — meaning you never have to be locked into any long-term subscription plan. We don’t recommend signing on with any VPN service for more than a year at a time, anyway, given how rapidly the VPN space is evolving.

Mullvad also gives you a ton of flexibility in terms of your payment options. You can pay with Bitcoin (at a 10% discount) or even mail cash in an envelope for ultimate anonymity. Mullvad also accepts payment via major credit cards, PayPal, bank transfer, Swish, Giropay, iDeal and a handful of other payment options. You’ll need to use a credit card or PayPal if you want to set up a monthly recurring subscription to Mullvad, otherwise you’ll need to add time to your account manually using any of the other payment methods.

I was able to unblock Netflix, but not Disney Plus, when connected to Mullvad’s US servers from Europe. This suggests that Mullvad may not be the best choice for streaming compared to ExpressVPN or Surfshark. But you can feel free to test your preferred streaming service because if you’re not satisfied with the service, Mullvad offers a 30-day money back guarantee on non-cash purchases.



READ SOURCE

Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.