Firefox’s free VPN won’t be using Mullvad’s infra though; it’s hosted on Mozilla servers around the world (if beta testing of the feature done in late 2025 tracks).

…oh.

How long before that data gets sold?

Data is encrypted over VPN tunnel by design.

The data is indeed encrypted, but both you and the VPN provider have the keys - that’s why they advertise no-logs policies, because they have access to the data you send, such as which website you’re attempting to visit.

Can a VPN provider do man in the middle attacks if they wanted to? Like sniff my /api/login calls and get my password? My gut tells me yes but I don’t know enough to be sure, I feel.

We had a proxy server at work that would route all internet traffic and scan for viruses, blocked urls or other traffic patterns, depending on your network rules. It did work on https and SSL traffic, because you had to accept the cert from the proxy server in your browser. So your traffic was encrypted between proxy and webserver, and proxy and your computer, but unencrypted on the proxy server itself. It would be similar with a VPN. Plus, if you control the browser you could just ship the required certs with the update…

So a VPN could basically sniff the Diffie-Hellman keys used during the exchange, recreate the key that browser and server use for HTTPS, and then decrypt all traffic sent through the VPN? Is that correct? And basically the same goes for any ISP or whatever else that’s acting as a node?