A week or so ago, a blog post was posted in this Community calling out Mullvad for using Gmail as their email provider. Wasn’t the greatest blog post in the world and didn’t approach Mullvad for comment or explanation. Anyway, looks like Mullvad heard about it and responded.

  • Snot Flickerman
    65 · 10 months ago

    Mullvad doesn’t mention a blog post, I think this has been in the works a lot longer than that blog post was.

    These servers run from RAM, with fully encrypted disks mounted to store the backend PostgreSQL database. We cannot fully run our servers from RAM due to requiring a persistent database, but that was a trade-off we had to make.

    These servers run the same OS and kernel configuration as the rest of our infrastructure that runs from RAM, and we have had this service audited pre-production by Assured AB. The issues found by Assured have since been resolved.

    Auditing takes time, as does fixing issues found during audits. This wasn’t in response to a blog post. This was because Mullvad is a company that is trying to do right by their customers (a shocker, I know).

    • LerajeOP
      16 · 10 months ago

      Yep, could well be. I ain’t knocking Mullvad at all.

    • @[email protected]
      9 · 10 months ago

      So either Mullvad told a fib and got the email thing fixed within 24 days, or they actually were working on it earlier. Either way, not bad.

  • Tom
    10 · 10 months ago

    What I find kind of strange is that they have used Gmail before. Feels not to be the best decision for a VPN service which offers anonymous access.

    Even better that they have switched now.

    • LerajeOP
      11 · 10 months ago

      I think they probably did it at first as it’s quick and easy to set up. And they did strongly recommend anyone mailing them encrypted the emails. I would also assume it was always the plan to self-host them but it was the least important part of the whole system so they left it until last to address.

      • @[email protected]
        2 · 10 months ago

        I don’t think that’s a good argument though. Any other email provider is as easy to set up an account with and is more privacy friendly: Proton, Skiff, Posteo. If they made a big blunder like that, I can only expect them to use other big tech stuff in the background like Google DNS servers etc. Until someone points it out.