Mozilla VPN: security audit results and new features announced
Mozilla published the results of a security audit of its Mozilla VPN service last week. The organization unveiled new Mozilla VPN features last week as well.
We followed Mozilla's VPN solution loosely since it started to test the service back in 2018. The VPN, which uses the infrastructure of Sweden-based Mullvad VPN, launched officially in 2020 in select regions.
The latest security audit is the second review of the service since its launch. Mozilla asked the cybersecurity company Cure53 to audit the Mozilla VPN Qt6 app for all supported operating systems this time.
A team of security researchers identified seven vulnerabilities and eight miscellaneous issues. All vulnerabilities, with the exception of two, received a medium severity rating. One was rated critical and the other high.
The critical security issue affected Mozilla's VPN solution on Apple iOS devices only. According to the final audit report, it causes a leak of the WireGuard private key to iCloud under certain circumstances. The WireGuard configuration is stored within the iOS Keychain with an access level that includes it in device backups that are stored in the iCloud.
The security issue rated high could be exploited by rogue extensions to turn off the VPN connection.
The five medium vulnerabilities were found in various parts of the Mozilla VPN application. One could be exploited by malicious apps on Android to crash the Mozilla VPN app, another could cause a potential IP leakage during captive portal detection.
Mozilla addressed all seven of the identified security vulnerabilities and has published updates.
The eight miscellaneous issues have a severity rating of information, low and medium. There is only one medium rated issue that affects data on Android devices.
The full audit report is available on Mozilla's website.
Mozilla VPN new features
Mozilla announced a range of new features for Mozilla VPN. The first introduces a number of blocking options to Mozilla VPN. Users need to select Settings > Privacy features to see the available options. There, they find options to enable ad, tracker and malware blocking.
It is not a unique feature, as several VPN solutions support similar options. Nevertheless, the inclusion may be useful to Mozilla VPN users as it enables blocking options that don't rely on browser extensions.
The second improvement lists server recommendations that are measured specifically for the user according to Mozilla. These servers are "the highest-performing server locations", but it is still up to the individual user to pick one of the recommended servers or another server. Performance is important, but other factors, including the location, may also play a role in this regard.
Closing Words
Mozilla continues to improve its VPN service and runs regular security audits to make sure that security is high. The VPN is available for $4.99 if you pay annually, which is about the same price that Mullvad charges.
Now You: do you use VPN services?
Same with PIA and Nord.
Mozilla claiming it new, when it just more repackaing of the same ole stuff.
Never trust corporations. Never. They lie.
These “new features” have been available on Mullvad for a long time. The charts on their site lists the hostnames and content blockers which can be configured by enabling the appropriate server. I use “base.dns.mullvad.net” which blocks ads, trackers and malware, but changing the server to “extended.dns.mullvad.net” adds another content blocker namely social media. The charts can be found on the Mullvad site at: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
You can check your current configuration by going to this link: https://mullvad.net/en/check