Comment by yardstick 2 days ago

Yeah, my thinking is even if they don’t have the user’s IP, knowing and seeing all the traffic associated with a specific public key would allow them to build a profile of the user.

E.g. based on the specific sites visited, payload sizes potentially, domains looked up, etc., you’d be able to characterise the person. Especially so if anything they did was not encrypted, or they have their own vanity domain (for emails or anything else).

> Mullvad only needs to associate each decrypted IP packet against an assertion that the packet was paid for.

The idea of Obscura is by using two middlemen (them + Mullvad) that neither party can figure out who the end user is. So I’m looking at Mullvad from the perspective of: if they were evil, what about this solution is a safeguard protecting the end user’s privacy. And my conclusion is they’d still be able to break the user’s privacy in the same way as knowing the user’s IP, just without the IP.

conradev a day ago

In Tor, individual websites get individual circuits to prevent this sort of profiling, and I think Obscura would need to do the same for the same level of anonymity.