Add the ability to trust a network for local network sharing

[K4LCIFER]

Issue report

Operating system: Arch Linux

App version: 2021.6

Issue description

Add the ability to allow network sharing only on certain networks. Currently you can only fully allow or fully disable local network sharing; however, there could be certain networks that an individual trusts that they want to always allow. For example, I trust my home network, so I want to be able to always connect to the devices on that network, but if I head out onto a public network, I don't want to be discoverable on that network.

[faern]

I think this is hard to implement in a secure way for the same reason it's hard to have a list of networks where the VPN should stay off. See my motivation here: https://github.com/mullvad/mullvadvpn-app/issues/1884#issuecomment-654255046

It can of course be done in a less secure manner and we warn users about the dangers of this. But so far, the demand seems low, so it has not been a priority.

[Superpigdots]

@K4LCIFER oh wow yes I agree! I have been using Mullvad VPN for just a few weeks now and my top and pretty much only irritation that almost immediately came up for me was that there is no way to trust a certain network. So every time I go to print a document at home, I forget that "local network sharing" it is toggled off and have to go turn it on. That is not a huge deal. What is a huge deal is when I leave my house after that and use a public network: I regularly forget that I turned it on and now I'm possibly exposing access to my IP to others on that public unsecure network, as far as I understand it. That severely negates the entire point of using a VPN since local network public wifi is probably the number one attack vector for bad actors and one of the number one reasons for me to use a VPN in the first place.

@faern I understand the dilemma though: how does Mullvad securely log network recognitions without also compromising user anonymity? I mean, Mullvad's whole thing is "zero logs ever". I really don't know if that is possible. But what is totally possible is a nested toggle like, "turn off local network sharing after this session" that is toggled on by default. To be honest, that is probably super simple to implement and would have zero privacy/logging data issues. I, for one, would thank Mullvad soooooo much to add such an option. Also, such an option would seem to only further compliment Mullvad's commitment to user privacy and safety since, as I mentioned before, accidentally leaving that, "local network access" toggle on is a major privacy and security risk for users, especially if users forget that setting is on (like I always do) and are thinking they are protected by a VPN on the local network, throwing some caution to the wind as to which networks they utilize and etc.

[faern]

how does Mullvad securely log network recognitions without also compromising user anonymity?

This is not the issue at all. Our no logging policy applies to our servers. The app of course has to persist settings and the account number and all of that locally on your device to function properly. In the same manner we can locally on your device store which networks you deem secure.

The problem is that there is no good and reliable way to determine which network is which. We can store the SSID and BSSID of the access point you are connected to. But that is very easy to spoof. Nothing stops a malicious person from setting up a wifi with the same name and BSSID as your trusted network. If you then connect to this wifi, the app would apply the trusted network settings and you would be equally exposed as forgetting the settings on, with the major difference that you would believe you were secure.

A related feature we are going to implement rather soon is "Anti privacy settings" which is an in app warning that will show up whenever you have enabled a setting that could potentially compromise your privacy. Local network sharing is an example of this. This means that whenever you have local network sharing on the app icon and GUI would show a little warning icon, reminding you that your device is not in the fully protected mode.

[Superpigdots]

@faern Aaaah, that makes sense then. I still feel though that the implementation of such a compromise risk warning may not serve the purpose of this particular dilemma well. Either, the warning will be some sort of tray notification or something that I would easily overlook between one session where I turn on local network sharing and the next one, two, three, or etc sessions on other networks where I have forgotten to toggle that back off... or it will be such an annoying warning that I and your other users will quickly learn to hate it and complain about it.

In my opinion, the risk of accidentally leaving that local network sharing toggle on to leave my device more vulnerable to x number of random networks is greater than some devious and devoted hacker personally targeting me, managing to figure out the name of a commonly used network I utilize where I happen to add it as trusted to my Mullvad VPN, spoof that network, and then go x number of additional steps to compromise my device. Also, trusted networks would basically be my house and no other network. This is likely similar for most of your users; it's not like people go around allowing trusted network status to any old random wifi connection; they need a reason to go out of their way to do so (i.e. adding a printer or scanner) with a properly designed user interface security.

So again, I would suggest that Mullvad either add a trusted network feature (you've pointed out that security shortcoming here) or develop a specific and simple sub-toggle under the "local network sharing" toggle that says something like, "Turn off local network sharing after this session" (which would be auto toggled to the on position for the highest security user interface). This second option really seems rather simple to implement and would save lots of users from security compromises.

I suspect that I am one of the rare users of Mullvad that has actually taken notice of this potential security risk of forgetting that this setting is toggled on. Knowing how non-security minded/complacent most people are, most of your users probably toggle it on one day to add a printer and then never think twice after, leaving them open to trusting devices on literally every network they ever use every day of using Mullvad after that. This seems like one of those things where this is one of the most wanted features by your users but they just don't know they want it. Case in point, I just realized during this very session that I had left that toggle on for probably two weeks now after traveling abroad to a third world country, with a high rate of hacker events, and after using multiple networks there...

[faern]

Thank you for the feedback and ideas. Yes, we are aware that it's not optimal to forget potentially dangerous settings on. That's why we want to add a system where you directly on the main view of the app can see a summary of all enabled settings that could potentially compromise you. Meaning local network sharing would be in that list. So you would see it directly on the main view.

"Turn off local network sharing after this session"

The downside with this is that it complicates the settings view (more toggles) and it's hard to define what a "session" is and describe it to the user. Is it one tunnel? What if you remain on the same network and the tunnel suddenly drops and reconnects due to temporary network issues. Should the setting then toggle off? Or do we need to monitor which wifi you are on and toggle it off when you change access point? That's technically a bit harder and to me not ideal for the user either.

[Superpigdots]

@faern I see your dilemma in the UX but, to be honest, I only ever use this setting to connect to a printer or scanner on the network, do my few tasks for a few minutes, then finish. I suspect that most of your user base is the same. I would suggest it just be per tunnel and accept that it may disconnect without user activity or with tunnel connection complications; maybe add a toggle disclaimer? You're right, it isn't foolproof by any means, but at least it adds the option for more security for those who desire that. I was always under the impression that Mullvad placed the highest priority on user security and privacy, which would trump adding another toggle.

But again, I think adding that security checkup feature is a step in the right direction; it just doesn't seem like it would solve my particular issue in this case, since forgetting that toggle is on and not having a habit of checking that setting every time I log off/on is the same result as forgetting to open the Mullvad app to check that security checkup notification.