Firefox’s free VPN won’t be using Mullvad’s infra though; it’s hosted on Mozilla servers around the world (if beta testing of the feature done in late 2025 tracks).

…oh.

How long before that data gets sold?

Data is encrypted over VPN tunnel by design.

The data is indeed encrypted, but both you and the VPN provider have the keys - that’s why they advertise no-logs policies, because they have access to the data you send, such as which website you’re attempting to visit.

Can a VPN provider do man in the middle attacks if they wanted to? Like sniff my /api/login calls and get my password? My gut tells me yes but I don’t know enough to be sure, I feel.

We had a proxy server at work that would route all internet traffic and scan for viruses, blocked urls or other traffic patterns, depending on your network rules. It did work on https and SSL traffic, because you had to accept the cert from the proxy server in your browser. So your traffic was encrypted between proxy and webserver, and proxy and your computer, but unencrypted on the proxy server itself. It would be similar with a VPN. Plus, if you control the browser you could just ship the required certs with the update…

So a VPN could basically sniff the Diffie-Hellman keys used during the exchange, recreate the key that browser and server use for HTTPS, and then decrypt all traffic sent through the VPN? Is that correct? And basically the same goes for any ISP or whatever else that’s acting as a node?

No, not at all. You have 2 encrypted connections A to B and B to C, where B is the proxy server. The proxy server decrypts AB, sees the plaintext traffic to check against rules, then reencrypts the traffic with his own key and forwards it to B to C. Your browser on C sees the proxy servers cert for BC, and the website and proxy handle out a different cert AB. No encryption or cert is broken during the process.

I just woke up and I don’t fully comprehend what you wrote, but I thank you for your reassurance. 🙏

they were explaining what happens with a proxy server, but with only a VPN there’s no proxy server or other such decrypting middleman. but in short: TLS was made to protect against exactly this: the network between. only thing leaked is the domain you are connecting to