Mullvad browser audit
I audited Mullvad Browser: why does the browser contact the following endpoints?
What I did for this test:
- downloaded the browser,
- extracted it,
- ran it with no interactions, in other words leaving the browser window alone for about 5 minutes.
I did not open any web page or do anything... I can tell that GitHub is probably used for uBlock... But the rest stinks.
I ran the browser in an ad-hoc network namespace to make sure that this traffic only comes from Mullvad Browser.
I see Google, Cloudflare, Fastly... Edgecast.
Also, who is Edgecast?
Do they have any sort of agreement with these companies? Do they tell their users about this?
[
{
"Address": "34.160.90.233",
"Bytes": "18209",
"Packets": "77",
"Port": "https",
"Rx Bytes": "5154",
"Rx Packets": "44",
"Tx Bytes": "13055",
"Tx Packets": "33"
}
dig PTR:
34.160.90.233. 352 IN PTR 233.90.160.34.bc.googleusercontent.com.
whois:
NetRange: 34.128.0.0 - 34.191.255.255
CIDR: 34.128.0.0/10
NetName: GOOGL-2
NetHandle: NET-34-128-0-0-1
Parent: NET34 (NET-34-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOOGL-2)
RegDate: 2021-01-08
Updated: 2021-01-08
Ref: https://rdap.arin.net/registry/ip/34.128.0.0
{
"Address": "34.160.122.198",
"Bytes": "95783",
"Packets": "94",
"Port": "https",
"Rx Bytes": "4388",
"Rx Packets": "48",
"Tx Bytes": "91395",
"Tx Packets": "46"
}
dig PTR:
34.160.122.198. 101 IN PTR 198.122.160.34.bc.googleusercontent.com.
whois:
NetRange: 34.128.0.0 - 34.191.255.255
CIDR: 34.128.0.0/10
NetName: GOOGL-2
NetHandle: NET-34-128-0-0-1
Parent: NET34 (NET-34-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOOGL-2)
RegDate: 2021-01-08
Updated: 2021-01-08
Ref: https://rdap.arin.net/registry/ip/34.128.0.0
{
"Address": "45.83.223.217",
"Bytes": "26510",
"Packets": "105",
"Port": "https",
"Rx Bytes": "6706",
"Rx Packets": "58",
"Tx Bytes": "19804",
"Tx Packets": "47"
}
dig PTR:
NXDOMAIN
SSL CERT CNAME:
se-mma-cdn-101.mullvad.netname
whois:
inetnum: 45.83.223.0 - 45.83.223.255
netname: NET-31173-45-83-223
country: SE
geoloc: 55.5900 12.9955
language: sv
descr: 31173 Services AB infrastructure in Malmo, Sweden.
org: ORG-SA1601-RIPE
admin-c: ESAB1-RIPE
tech-c: ESAB1-RIPE
status: ASSIGNED PA
mnt-by: ESAB-MNT
created: 2022-04-15T15:31:08Z
last-modified: 2022-04-15T15:31:47Z
source: RIPE
organisation: ORG-SA1601-RIPE
org-name: 31173 Services AB
country: SE
org-type: LIR
address: Scheelegatan 9
address: 21228
address: Malmo
address: SWEDEN
phone: +46406181000
admin-c: ESAB1-RIPE
tech-c: ESAB1-RIPE
abuse-c: ESAB1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: ESAB-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ESAB-MNT
created: 2014-07-21T14:00:47Z
last-modified: 2020-12-16T12:39:54Z
source: RIPE # Filtered
{
"Address": "95.100.111.208",
"Bytes": "12095",
"Packets": "103",
"Port": "http",
"Rx Bytes": "5350",
"Rx Packets": "55",
"Tx Bytes": "6745",
"Tx Packets": "48"
}
dig PTR:
95.100.111.208. 3415 IN PTR a95-100-111-208.deploy.static.akamaitechnologies.com.
whois?
inetnum: 95.100.104.0 - 95.100.111.255
netname: AKAMAI-PA
descr: Akamai Technologies
country: EU
admin-c: NARA1-RIPE
tech-c: NARA1-RIPE
status: ASSIGNED PA
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT
created: 2012-11-28T15:35:04Z
last-modified: 2012-11-28T15:35:04Z
source: RIPE
{
"Address": "104.26.15.96",
"Bytes": "5736",
"Packets": "26",
"Port": "https",
"Rx Bytes": "1921",
"Rx Packets": "15",
"Tx Bytes": "3815",
"Tx Packets": "11"
},
dig PTR:
NXDOMAIN
SSLCERT: NONE
WEBPAGE: Cloudflare
whois?
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2021-05-26
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/ip/104.16.0.0
{
"Address": "146.75.73.229",
"Bytes": "550105",
"Packets": "284",
"Port": "https",
"Rx Bytes": "9655",
"Rx Packets": "130",
"Tx Bytes": "540450",
"Tx Packets": "154"
}
dig PTR:
NXDOMAIN
SSLCERT: jsdelivr.net
whois?
inetnum: 146.75.0.0 - 146.75.255.255
netname: FASTLY
descr: FASTLY
geofeed: https://ip-geolocation.fastly.com/
org: ORG-FI26-RIPE
country: SE
admin-c: FRA59-RIPE
tech-c: FRA59-RIPE
status: LEGACY
mnt-by: RIPE-NCC-LEGACY-MNT
mnt-by: FASTLY
mnt-lower: FASTLY
mnt-routes: FASTLY
created: 2002-01-03T10:06:41Z
last-modified: 2022-02-11T15:12:28Z
source: RIPE # Filtered
{
"Address": "172.66.44.77",
"Bytes": "7986",
"Packets": "31",
"Port": "https",
"Rx Bytes": "2119",
"Rx Packets": "18",
"Tx Bytes": "5867",
"Tx Packets": "13"
}
dig PTR:
NXDOMAIN
SSLCERT: NONE
WEBPAGE: Cloudflare
whois?
NetRange: 172.64.0.0 - 172.71.255.255
CIDR: 172.64.0.0/13
NetName: CLOUDFLARENET
NetHandle: NET-172-64-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2015-02-25
Updated: 2021-05-26
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/ip/172.64.0.0
{
"Address": "185.199.110.153",
"Bytes": "74607",
"Packets": "102",
"Port": "https",
"Rx Bytes": "5370",
"Rx Packets": "49",
"Tx Bytes": "69237",
"Tx Packets": "53"
}
dig PTR:
185.199.110.153. 3650 IN PTR cdn-185-199-110-153.github.com.
whois?
inetnum: 185.199.108.0 - 185.199.111.255
netname: US-GITHUB-20170413
country: US
org: ORG-GI58-RIPE
admin-c: GA9828-RIPE
tech-c: NO1444-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-by: us-github-1-mnt
created: 2017-04-13T15:36:35Z
last-modified: 2018-12-14T10:48:39Z
source: RIPE
{
"Address": "192.229.221.95",
"Bytes": "6580",
"Packets": "64",
"Port": "http",
"Rx Bytes": "3110",
"Rx Packets": "34",
"Tx Bytes": "3470",
"Tx Packets": "30"
}
dig PTR:
NXDOMAIN
SSLCERT: *.github.io
whois?
NetRange: 192.229.128.0 - 192.229.255.255
CIDR: 192.229.128.0/17
NetName: EDGECAST-NETBLK-08
NetHandle: NET-192-229-128-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS14153, AS15133, AS14210
Organization: Edgecast Inc. (EDGEC-25)
RegDate: 2013-02-07
Updated: 2022-07-11
Ref: https://rdap.arin.net/registry/ip/192.229.128.0
{
"Address": "194.242.2.2",
"Bytes": "50231",
"Packets": "269",
"Port": "https",
"Rx Bytes": "24073",
"Rx Packets": "161",
"Tx Bytes": "26158",
"Tx Packets": "108"
}
dig PTR:
NXDOMAIN
SSLCERT: gb-lon-dns-301.mullvad.net
whois?
inetnum: 194.242.2.0 - 194.242.2.255
netname: MULLVA-194-242-2-0
country: US
geoloc: 40.730610 -73.935242
org: ORG-MVA19-RIPE
admin-c: MVAA2-RIPE
tech-c: MVAA2-RIPE
status: ASSIGNED PA
mnt-by: PREFIXBROKER-MNT
created: 2020-12-10T13:03:25Z
last-modified: 2020-12-10T13:03:25Z
source: RIPE
{
"Address": "195.181.164.15",
"Bytes": "31587",
"Packets": "48",
"Port": "https",
"Rx Bytes": "2785",
"Rx Packets": "24",
"Tx Bytes": "28802",
"Tx Packets": "24"
}
dig PTR:
195.181.164.15. 3528 IN PTR 263888592.lon.cdn77.com.
whois?
inetnum: 195.181.164.0 - 195.181.165.255
netname: CDN77-LONDON-UK
country: GB
admin-c: DLTS1-RIPE
tech-c: DLTS1-RIPE
status: ASSIGNED PA
mnt-by: DATACAMP-MNT
created: 2017-08-23T08:06:12Z
last-modified: 2017-08-23T08:06:12Z
source: RIPE
role: Datacamp Ltd. technical staff
address: DataCamp Limited
address: 207 Regent Street
address: London
address: United Kingdom
nic-hdl: DLTS1-RIPE
abuse-mailbox: abuse@datacamp.co.uk
mnt-by: DATACAMP-MNT
tech-c: JP4750-RIPE
admin-c: JP4750-RIPE
created: 2014-06-23T09:09:30Z
last-modified: 2021-03-19T13:12:55Z
source: RIPE # Filtered
{
"Address": "213.230.210.231",
"Bytes": "116111",
"Packets": "105",
"Port": "https",
"Rx Bytes": "4214",
"Rx Packets": "48",
"Tx Bytes": "111897",
"Tx Packets": "57"
}
dig PTR:
NXDOMAIN
SSLCERT: carneross.com,
designbyfail.com,
ff.levine.org.uk,
funkypancake.com,
godswearhats.com,
imap.yoyo.org,
instinct.org,
jaykamins.art,
jaykamins.com,
jt.yoyo.org,
keziasimpson.com,
mainstreamfm.com,
masau.co.uk,
pgl.yoyo.org,
semaphore.yoyo.org,
webmail.yoyo.org,
www.carneross.com,
www.designbyfail.com,
www.funkypancake.com,
www.godswearhats.com,
www.instinct.org,
www.jaykamins.art,
www.jaykamins.com,
www.jeversteamlaundry.org,
www.jtapps.fr,
www.keziasimpson.com,
www.levine.org.uk,
www.mainstreamfm.com,
www.masau.co.uk,
www.rafjever.org,
www.yoyo.org,
yoyo.org
whois?
inetnum: 213.230.210.224 - 213.230.210.239
netname: MASAU-LTD
descr: Masau Ltd - v4
country: GB
admin-c: PB4421-RIPE
tech-c: PB4421-RIPE
status: ASSIGNED PA
mnt-by: LCH-MNT
mnt-lower: LCH-MNT
mnt-routes: LCH-MNT
created: 2014-10-20T17:31:58Z
last-modified: 2014-10-20T17:31:58Z
source: RIPE # Filtered
person: Phillip Baker
address: Netcalibre Ltd
address: Unit F53 Waterfront Studios
address: 1 Dock Road
address: London
address: E16 1AH
address: United Kingdom
phone: +44(0)2030262626
nic-hdl: PB4421-RIPE
mnt-by: LCH-MNT
created: 2004-10-06T10:21:16Z
last-modified: 2018-01-02T15:42:57Z
source: RIPE
]
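The manual whois step above can be scripted. This is an added example, not part of the original post: it parses ARIN-style and RIPE-style whois stanzas, maps each contacted address to the owning network, and totals bytes per owner. The function names are hypothetical; the sample is constructed from values in the listing.

```python
import ipaddress
import re

# Constructed sample: whois excerpts and traffic records copied from the
# listing above (ARIN: NetRange/Organization, RIPE: inetnum/netname).
WHOIS = """\
NetRange: 34.128.0.0 - 34.191.255.255
Organization: Google LLC (GOOGL-2)

inetnum: 146.75.0.0 - 146.75.255.255
netname: FASTLY

inetnum: 95.100.104.0 - 95.100.111.255
netname: AKAMAI-PA
"""
RECORDS = [
    {"Address": "34.160.90.233", "Bytes": "18209", "Port": "https"},
    {"Address": "34.160.122.198", "Bytes": "95783", "Port": "https"},
    {"Address": "146.75.73.229", "Bytes": "550105", "Port": "https"},
    {"Address": "95.100.111.208", "Bytes": "12095", "Port": "http"},
]

def parse_whois(text):
    """Return [(network, owner)] from ARIN- or RIPE-style whois stanzas."""
    nets = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([\w-]+):[ \t]*(.+)$", stanza, re.M))
        rng = fields.get("NetRange") or fields.get("inetnum")
        owner = fields.get("Organization") or fields.get("netname")
        if not rng or not owner:
            continue
        first, last = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        # A range need not be a single CIDR block, so keep every block in it.
        for net in ipaddress.summarize_address_range(first, last):
            nets.append((net, owner))
    return nets

def attribute(records, nets):
    """Sum bytes per owner and list endpoints contacted over cleartext http."""
    totals, cleartext = {}, []
    for rec in records:
        ip = ipaddress.ip_address(rec["Address"])
        # Longest-prefix match: the most specific covering block wins.
        hits = [(n.prefixlen, o) for n, o in nets if ip in n]
        owner = max(hits)[1] if hits else "unknown"
        totals[owner] = totals.get(owner, 0) + int(rec["Bytes"])
        if rec["Port"] == "http":
            cleartext.append((rec["Address"], owner))
    return totals, cleartext
```

Calling attribute(RECORDS, parse_whois(WHOIS)) returns the per-owner byte totals and the list of cleartext endpoints; addresses with no matching whois stanza are grouped under "unknown".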