Comment by conradev
> somehow log & associate each decrypted IP packet against the user's public key.
Mullvad only needs to associate each decrypted IP packet against an assertion that the packet was paid for. I assume each Obscura node would have a public key, but not associated with a user.
They notably offer this service for Tailscale (as an add-on) and I imagine that it works similarly (on the backend).
Yeah, my thinking is even if they don’t have the user’s IP, knowing and seeing all the traffic associated with a specific public key would allow them to build a profile of the user.
E.g., based on the specific sites visited, payload sizes potentially, domains looked up, etc., you’d be able to characterise the person. Especially so if anything they did was not encrypted, or they have their own vanity domain (for emails or anything else).
> Mullvad only needs to associate each decrypted IP packet against an assertion that the packet was paid for.
The idea of Obscura is that by using two middlemen (them + Mullvad), neither party can figure out who the end user is. So I’m looking at Mullvad from the perspective of: if they were evil, what about this solution is a safeguard protecting the end user’s privacy? And my conclusion is they’d still be able to break the user’s privacy in the same way as knowing the user’s IP, just without the IP.