Skip to content

Mullvad audit

Noted by on his .

Mullvad’s recent audit by Assured AB was a bit concerning to me. Fail2ban and user-writable scripts running as root is not the sort of thing I’d expect in a service whose only job is to provide a secure relay.

Avoiding and guarding root should be Sysadmin 101 material.

I recommend any amateur Linux admins read audit reports like this. While some low-priority recommendations are a but cargo-cultish, most advice is pretty solid. Frankly, much of this is the sort of thing a good admin should catch well before a proper audit.


This site supports Webmentions, a backlink-based alternative to traditional comment forms.

Publish a response on your own website and share the link here to send me a webmention! Include a link to this page's canonical location for it to be accepted.

Webmentions received for this post appear in the following list after I approve them. I sometimes send Webmentions to myself on behalf of linking sites that don't support them. I replace broken links with Wayback Machine snapshots, if they exist.

Toggle Webmentions

This comment may have major formatting errors that could impact screen reader comprehension.

Like I'd understand this on a personal server or something but if you advertise running everything in-memory for security reasons but still run user-writable programs as root then someone's priorities are off.


While I would agree that some recommendations/findings are good and I should even look if my product complies, I am particularly triggered by the compilation flags. "Do some lobbying with the upstream" is idle talk. "Hello Python Debian package maintainers, I know many skilled security folks already asked for the PIE flag over the last decade, and all the Debian core packages use it, but please, can you add it? I've been told it is bad to not have it and I need it because some securit…

Feel free to contact me directly with feedback; here’s my contact info