Lobsters · Friday · May 15, 2026

Mullvad exit IPs as a fingerprinting vector

vpn · privacy · fingerprinting · security

A detailed analysis published on Lobsters reveals that Mullvad VPN's use of static exit IP addresses creates a fingerprinting vector that can compromise user privacy. The researcher, tmctmt, explains that while Mullvad assigns shared IPs to multiple users, these IPs remain constant for extended periods, allowing an observer to link a user's sessions over time. By monitoring traffic patterns and correlating them with exit IPs, an attacker could identify repeat visits to the same services or track user behavior across different sites. The post notes that this issue is not unique to Mullvad but is a common trade-off in VPN design: static IPs improve performance and reduce CAPTCHA triggers but reduce anonymity. The researcher suggests that users seeking higher privacy should consider VPNs with rotating exit IPs or use Tor. Mullvad has not yet responded to the findings. The analysis includes practical examples of how an attacker could exploit this vector, such as by setting up a website that logs visitor IPs and timestamps, then cross-referencing with known Mullvad exit IP ranges.

// why it matters

VPN users relying on static exit IPs may be trackable across sessions, undermining privacy expectations.

Sources

Primary · Lobsters
▸ Read original at tmctmt.com