mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

[Feature request] DAITA should probably not allow me to set a custom MTU #6652

Closed kubrickfr closed 1 month ago

kubrickfr commented 2 months ago

I have checked if others have suggested this already

Feature description

DAITA allows me to "hide" my traffic from pattern analysis, which is great! But what if I have a custom MTU value set? What if I'm the only one using a particular value of, say, 1321? What's the point of injecting fake traffic and padding all my packets if, in the end, I'm the only one using that MTU?

Alternative solutions

DAITA or not, I have always considered non-standard MTUs to be the Achilles' heel of Mullvad's privacy when it comes to traffic analysis. Deviating from the default should come with a big warning; you don't even need AI to track people with that. Another solution/track is that Mullvad should really, really push for SOCKS proxy usage with DAITA (or when a user changes their MTU), as it makes everyone's exit traffic come out with an MTU of 1500.

kubrickfr commented 2 months ago

A nice little tool to check how third parties see your MTU: https://www.speedguide.net/analyzer.php

Serock3 commented 2 months ago

Thanks for the feedback! It's a fair point actually and I have brought it up with our DAITA developers. We need to discuss if there's a good solution that doesn't prevent users from configuring their MTU if that's what they need to get a working connection, perhaps a warning in the GUI when using a non-default value?

kubrickfr commented 2 months ago

I don't know what the distribution of MTUs looks like, maybe you have some statistics about it? But if, as I think it is, more than 95% of people have the default MTU, one shouldn't be allowed to use DAITA with a custom MTU, it's just wasted bandwidth and security theatre.

I have not written "a peer reviewed and published paper", so this is just my opinion. And my opinion is that DAITA is great, but when you enable it, it should only allow traffic to (and from) the SOCKS5 proxy, period. And if the proxy is configured to have generous buffers, and the client throttles you a few % of the traffic on the Mullvad server, then you can have whatever MTU pleases you and you're probably fine.

Serock3 commented 1 month ago

We have decided to close this issue for now, as we need to work out a good tradeoff between the extra anonymity of consistent MTU values and lowered connection quality. We will continue to investigate this internally and we may open the issue again if it becomes relevant. Thank you for bringing this to our attention.

Ewarren7 commented 3 weeks ago

You bring up a good point on analysis based on MTU. Being able to set it with DAITA was useful though for being able to actually use DAITA on an ISP that provides a lower MTU connection.

Maybe if it could have a default low and normal MTU option that could help low MTU blend in with others.

kubrickfr commented 3 weeks ago

1380, the default, is already really low. A normal default would be 1440.

As mentioned here, if you have to specify a lower MTU, use the SOCKS proxy to blend in.
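The thread's argument is that a per-user MTU leaks through the size of the encrypted packets no matter how much padding is added. The following is an added example, not code from the Mullvad project or from anyone in this thread, that makes the leak concrete: it assumes WireGuard over IPv4 adds 60 bytes of overhead to each tunnelled packet (20 IPv4 + 8 UDP + 32 WireGuard header and tag), assumes a padding scheme that pads every inner packet up to the configured tunnel MTU, and uses a constructed set of six users. The user names, the `infer_tunnel_mtu`/`anonymity_sets` helpers and the flow data are all assumptions made for the example. With those numbers, the 1380 default shows up on the wire as 1440-byte packets and a 1440 tunnel MTU as 1500-byte packets, which is why the thread calls 1440 the "normal" value; a lone user on 1321 produces 1381-byte packets and ends up alone in their anonymity set.

```python
"""Added example (not Mullvad code): how a custom tunnel MTU survives padding
and singles out a user by the size of their encrypted packets.

Assumptions: WireGuard over IPv4 adds 60 bytes per data packet
(20 IPv4 + 8 UDP + 32 WireGuard header/tag); the padding scheme pads every
inner packet to the tunnel MTU. All flow data below is constructed.
"""
from collections import defaultdict

WG_IPV4_OVERHEAD = 20 + 8 + 32   # assumed outer IPv4 + UDP + WireGuard overhead
WG_IPV6_OVERHEAD = 40 + 8 + 32   # same with an IPv6 outer header


def wire_size(tunnel_mtu: int, ipv6: bool = False) -> int:
    """Largest encrypted UDP packet an on-path observer sees for a tunnel MTU."""
    return tunnel_mtu + (WG_IPV6_OVERHEAD if ipv6 else WG_IPV4_OVERHEAD)


def pad_stream(inner_sizes, tunnel_mtu: int):
    """Assumed padding scheme: every inner packet is padded to the tunnel MTU,
    so the observer sees a stream of constant-size packets. Content is hidden;
    the size, and therefore the MTU, is not."""
    return [wire_size(tunnel_mtu) for _ in inner_sizes]


def infer_tunnel_mtu(observed_sizes, ipv6: bool = False) -> int:
    """Observer side: the largest packet in a flow gives away the tunnel MTU."""
    overhead = WG_IPV6_OVERHEAD if ipv6 else WG_IPV4_OVERHEAD
    return max(observed_sizes) - overhead


def anonymity_sets(flows):
    """Group flows by inferred MTU. Each group is the set of users a flow could
    belong to when the observer has nothing but packet sizes to go on."""
    groups = defaultdict(list)
    for user, sizes in flows.items():
        groups[infer_tunnel_mtu(sizes)].append(user)
    return dict(groups)


def anonymity_set_size(flows, user: str) -> int:
    """How many users share the given user's inferred MTU (1 means unique)."""
    return len(anonymity_sets(flows)[infer_tunnel_mtu(flows[user])])


# Constructed sample: five users on the 1380 default, one on a custom 1321.
USERS_MTU = {
    "alice": 1380, "bob": 1380, "carol": 1380,
    "dave": 1380, "erin": 1380, "frank": 1321,
}
# Constructed inner packet sizes (before padding); identical for everyone so
# that the only difference between flows is the configured MTU.
INNER_SIZES = [52, 1380, 600, 1380, 90]

FLOWS = {user: pad_stream(INNER_SIZES, mtu) for user, mtu in USERS_MTU.items()}

if __name__ == "__main__":
    for mtu in (1380, 1440, 1321):
        print(f"tunnel MTU {mtu} -> {wire_size(mtu)} bytes on the wire")
    for mtu, users in sorted(anonymity_sets(FLOWS).items()):
        print(f"inferred MTU {mtu}: {len(users)} user(s) {users}")
```

Padding and dummy packets change what each packet looks like, but not the one number the observer needs here: the maximum packet size, which maps straight back to the tunnel MTU. Running the script prints the default users in a group of five and the 1321 user in a group of one, which is the thread's point that a unique MTU turns the padding into wasted bandwidth for that user.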