mullvad / mullvad-browser

Privacy-focused browser for Linux, macOS and Windows. Made in collaboration between @torproject and @mullvad
https://mullvad.net/browser

Leta Improvements #46

Closed username81237 closed 1 year ago

username81237 commented 1 year ago

Short Term

First, thanks for making Leta. I think it's awesome; however, I have a few critiques.

Having to enter the account number every time I open the browser is poor UX. One idea would be to have the extension or browser cache it and skip the login.

Alternatively, the DNS servers could resolve Leta to an internal address on the VPN LAN. This way the web server would see the client's internal IP address, which (as per the database structure explained here and shown below) can be mapped to the account number. This would prevent the client traffic leaving the Mullvad network and remove the need for users to enter their account number all the time.

account number | pubkey    | tunnel address
xxxxxxxxxxxx   | xxxxxxxx  | x 

With this design, if I were running Mullvad VPN on my router, then any device on my network, regardless of browser type, would be able to use Leta smoothly without needing to enter the account number. This is particularly useful for platforms like iOS with Safari, where a Mullvad extension (with caching feature) wouldn't be possible.

I don't know if the mapping of internal IP addresses to account numbers is as easy with OpenVPN but having auto-login for Leta when using WireGuard would be just another reminder for people to move to the superior protocol.

Long Term

It would be a dream come true if anonymous authentication was introduced to Leta along with the removal of the IP block. Tor has over 3 million daily users and I'm sure they all would agree that trying to make a Google search with it could be used as an effective psychological torture technique. The endless stream of maximum difficulty captchas with 10 second image fade-ins is enough to break even the most resilient minds. Being able to use Leta with the Tor Browser would be a considerable UX improvement, as the alternative Tor-friendly search engines just don't perform anywhere near as well as Google.

If Leta was opened up to Tor it wouldn't be acceptable to require users to provide an account ID for many reasons, but thankfully the year is 2023 and we have an ocean of zero knowledge proofs and cryptographic tricks to satisfy the requirements of this system. Cloudflare developed a protocol called Privacy Pass and it fits this scenario perfectly. It allows a server to issue clients a token with a fixed number of usages. Most importantly, the proof sent by the client when redeeming this token is cryptographically unlinkable to the token the server originally issued. The Mullvad browser extension could take in the account number and use it to retrieve one of these tokens from the Mullvad server. When the user wants to perform a search, the Mullvad extension operates like the Privacy Pass extension and uses the previously acquired token to authenticate the search.

There would be some challenges to address, such as how to allow the extension to be used on multiple browsers with the same Mullvad account ID. They wouldn't be able to use the same "token" as they need a channel to share the client secrets and inform each other which ones are spent. Rather the extension would allow the user to request a token with X amount of spends. This way I could have the extension on 2 browsers, and request a token with 30 spends on one and 10 spends on the other. With a total of 40 spends issued so far, the server would allow issuing more token(s) with a total of 10 spends for the rest of that day so if I ran out on one browser/device I could just request more.

Because the redemption tokens are cryptographically unlinkable, it means users can safely and anonymously get high quality search results instantly on Tor without even needing to trust Mullvad. Given the nature of Tor, I'm sure many of the 3,000,000+ daily users already have a VPN or would consider buying one. If this feature materialized it would surely be well received and a strong selling point for Mullvad.
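
The quota-limited issuance and unlinkable redemption described in the comment above, as an added example that is not part of the original post and is not Mullvad's or Cloudflare's code. It swaps in a textbook RSA blind signature with a constructed toy key instead of Privacy Pass's actual construction, models a "token with X spends" as X single-use tokens, and assumes a daily cap of 50 from the post's 30 + 10 + 10 arithmetic; `Issuer` and `request_tokens` are hypothetical names.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes. Illustration only, not a secure modulus.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent

def h(nonce: bytes) -> int:
    """Hash a token nonce into Z_N (simplified; real schemes use padded encodings)."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

class Issuer:
    def __init__(self, daily_cap: int):
        self.daily_cap = daily_cap  # assumed per-account daily budget
        self.issued = {}            # account number -> tokens issued today
        self.issue_log = []         # (account, blinded value, blind signature) seen at issuance
        self.spent = set()          # nonces already redeemed

    def issue(self, account: str, blinded: list) -> list:
        used = self.issued.get(account, 0)
        if used + len(blinded) > self.daily_cap:
            raise PermissionError("daily quota exceeded")
        self.issued[account] = used + len(blinded)
        sigs = [pow(b, D, N) for b in blinded]
        self.issue_log += [(account, b, s) for b, s in zip(blinded, sigs)]
        return sigs

    def redeem(self, nonce: bytes, sig: int) -> bool:
        # No account number is presented here: validity comes from the signature alone.
        if pow(sig, E, N) != h(nonce) or nonce in self.spent:
            return False
        self.spent.add(nonce)
        return True

def request_tokens(issuer: Issuer, account: str, count: int) -> list:
    """Client side: blind fresh nonces, have them signed, unblind the results."""
    nonces = [secrets.token_bytes(32) for _ in range(count)]
    blinds = []
    while len(blinds) < count:
        r = secrets.randbelow(N - 2) + 2    # r >= 2, so blinding is never the identity
        if gcd(r, N) == 1:
            blinds.append(r)
    blinded = [h(t) * pow(r, E, N) % N for t, r in zip(nonces, blinds)]
    sigs = issuer.issue(account, blinded)
    return [(t, s * pow(r, -1, N) % N) for t, r, s in zip(nonces, blinds, sigs)]
```

Everything the issuer can tie to an account sits in `issue_log`; the `(nonce, signature)` pairs it later sees in `redeem` appear nowhere in that log, which is the unlinkability property the comment relies on.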

ruihildt commented 1 year ago

Thanks, your feedback has been forwarded to people in charge of Leta's development.

Please send Leta-related feedback directly to support@mullvad.net, as this is the issue tracker for the Mullvad Browser.