Firefox’s free VPN will offer 50 gigabytes of monthly data, which is pretty generous for a browser-based VPN. A Mozilla account is required to make use of it, which isn’t a hardship (they’re free), but is a point of friction some may wish to know upfront.

  • Aceticon@lemmy.dbzer0.com
    ↑ 2 · 22 minutes ago

    And how exactly do we know for certain that all that juicy web access data, completely linked to whatever identifying information is associated with a Mozilla account, isn’t going to be sold?!

  • blackbeans@lemmy.zip
    ↑ 49 ↓ 2 · 13 hours ago

    Usable addition, and the fact that it is only in-browser is actually a merit in some cases. Firefox gets a lot of hate but is way more privacy centric out of the box compared to Chrome. AI is only opt-in and you can literally customize the entire browser using about:config. Mozilla also maintains the only real competing web engine (not considering Apple’s locked in ecosystem) and they are the reason browsers are open source these days.

    • timroerstroem@feddit.dk
      ↑ 38 · 11 hours ago

      > AI is only opt-in

      Not to take anything away from your overall point, which I completely agree with, but this may be a bit of a stretch. All of the “AI” buttons and features are - to my knowledge - on by default. They have made it a lot easier to change that to “off by default now and in the future”, which is very welcome, but “only opt-in” is, again, a bit of a stretch.

  • madsen@lemmy.world
    ↑ 110 ↓ 9 · 19 hours ago

    Please stop adding bloat to my browser. I have nothing against VPN, but it’s not a fucking core feature of a web browser. Put that stuff in an extension that I can install if I want.

  • XLE@piefed.social
    ↑ 122 · 20 hours ago

    Firefox’s free VPN won’t be using Mullvad’s infra though; it’s hosted on Mozilla servers around the world (if beta testing of the feature done in late 2025 tracks).

    …oh.

        • Pogogunner@sopuli.xyz
          ↑ 51 ↓ 1 · 18 hours ago

          The data is indeed encrypted, but both you and the VPN provider have the keys - that’s why they advertise no-logs policies, because they have access to the data you send, such as which website you’re attempting to visit.

          • Victor@lemmy.world
            ↑ 12 · 18 hours ago

            Can a VPN provider do man in the middle attacks if they wanted to? Like sniff my /api/login calls and get my password? My gut tells me yes but I don’t know enough to be sure, I feel.

            • Kissaki@feddit.org
              ↑ 9 · edited · 13 hours ago

              When you connect to a secure https site, then no. When you connect to unsecured http, then yes.

              Firefox has its own cert store for https, and could theoretically impersonate other websites by adding their own and then sniff your traffic. But that’s not how vpn providers typically work, and there’d be huge backlash if they were to do that unprompted.

            • RaisinCrazyFool@kopitalk.net
              ↑ 32 · 17 hours ago

              Generally not. Anything with authentication would be using HTTPS encryption. So there will be two layers of encryption: the VPN encryption and the web site’s HTTPS encryption. The VPN provider can’t replace the HTTPS encryption because your browser would identify it as being encrypted with the wrong certificate and it would block the connection.

              Although…given that they control the browser, too, I suppose they could code it to remove those safeguards, but that would not go unnoticed for long.

              When you use a VPN, it basically replaces your ISP as the intermediary who can snoop all your traffic, so the real question is who do you trust more: your ISP or Mozilla?

              • Victor@lemmy.world
                ↑ 4 · 13 hours ago

                What I was thinking was that the VPN would be able to sniff the key exchange handshake thing that HTTPS does in order to set up the connection, and use the data during the handshake to basically recreate the cryptographic key used for the connection later. So then it’d be able to just decrypt all traffic and reencrypt it again after passing through. Seamlessly to both ends.

                Is that a thing in theory?

                • RaisinCrazyFool@kopitalk.net
                  ↑ 8 · 7 hours ago

                  The SSL/TLS encryption used on the web is designed to prevent that type of attack. It’s called “asymmetric encryption”, because a different key is used to encrypt and decrypt data. So each side has both a private and public key. You can broadcast your public key, and then anyone can use it to encrypt a message that only YOU can decrypt, with your private key. The private key never goes over the network, so the VPN provider can’t intercept messages meant for you.

                  It’s possible to spoof the server’s certificate and make your browser think it’s talking to a real server when it’s not. However, this is difficult, because certificates follow a chain of trust, so they’d either need to compromise one of the certificate authorities (plausible for state-level actors), or compromise your web browser/OS so that it trusts a fake authority (definitely possible for a browser/OS vendor, but again, it would be noticed, especially in an open-source product like Firefox).

                  There are a lot of enterprise products out there that perform this kind of “attack” so that businesses can monitor their network traffic. They do this by requiring adding their certificate authority to the list of trusted certs in the OS. This is often called “deep packet inspection”. If you try to use these products without adding their certs, your browser will throw a fit every time you load a site because it will see that the certificate doesn’t match.

                • XLE@piefed.social
                  ↑ 14 · 17 hours ago

                  This is true regardless. HTTPS encryption keeps a man in the middle from seeing your URL. They just get the domain name, which is a lot, but it isn’t your credentials.

            • GenosseFlosse@feddit.org
              ↑ 9 · 14 hours ago

              We had a proxy server at work that would route all internet traffic and scan for viruses, blocked urls or other traffic patterns, depending on your network rules. It did work on https and SSL traffic, because you had to accept the cert from the proxy server in your browser. So your traffic was encrypted between proxy and webserver, and proxy and your computer, but unencrypted on the proxy server itself. It would be similar with a VPN. Plus, if you control the browser you could just ship the required certs with the update…

              • Victor@lemmy.world
                ↑ 1 · 9 hours ago

                So a VPN could basically sniff the Diffie-Hellman keys used during the exchange, recreate the key that browser and server use for HTTPS, and then decrypt all traffic sent through the VPN? Is that correct? And basically the same goes for any ISP or whatever else that’s acting as a node?

                • GenosseFlosse@feddit.org
                  ↑ 1 · 2 minutes ago

                  No, not at all. You have 2 encrypted connections A to B and B to C, where B is the proxy server. The proxy server decrypts AB, sees the plaintext traffic to check against rules, then reencrypts the traffic with his own key and forwards it to B to C. Your browser on C sees the proxy server’s cert for BC, and the website and proxy handle out a different cert AB. No encryption or cert is broken during the process.

                • Passerby6497@lemmy.world
                  ↑ 2 · 7 hours ago

                  So if they were going to do an attack like this, they wouldn’t do anything like the DH attack you’re talking about, they’d have a custom CA in the browser’s SSL root store. That root cert means they can generate a certificate for any website you visit, and that custom root cert would be how they decrypt your traffic.

                  Afaik there isn’t a current attack on proper DH key pairings, but you can’t block the custom certificate path at the browser level without some serious server side work/client side JS to validate
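
The Diffie-Hellman question in this sub-thread, worked through as an added example (not code from any commenter): a party that only forwards the public values never holds a private exponent, while a party that terminates both sides ends up with two different keys and two different handshake transcripts, so the real server's signature over its transcript cannot match what the client saw. The group parameters are toy values chosen for illustration, and the transcript hash is a simplified stand-in for the TLS handshake hash.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): P is the Mersenne prime
# 2**127 - 1. Real TLS uses elliptic curves or 2048-bit and larger groups.
P = 2**127 - 1
G = 3

def public_value(private: int) -> int:
    return pow(G, private, P)

def session_key(private: int, peer_public: int) -> bytes:
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def transcript(client_pub: int, server_pub: int) -> str:
    """Hash of the handshake values one endpoint saw (simplified stand-in)."""
    return hashlib.sha256(f"{client_pub}|{server_pub}".encode()).hexdigest()

def passive_exchange(client_priv: int, server_priv: int) -> dict:
    """On-path party only forwards: it sees both public values, no private one."""
    c_pub, s_pub = public_value(client_priv), public_value(server_priv)
    return {
        "wire": (c_pub, s_pub),
        "client_key": session_key(client_priv, s_pub),
        "server_key": session_key(server_priv, c_pub),
        "client_transcript": transcript(c_pub, s_pub),
        "server_transcript": transcript(c_pub, s_pub),
    }

def intercepting_exchange(client_priv: int, server_priv: int, proxy_priv: int) -> dict:
    """Proxy terminates both sides, substituting its own public value."""
    c_pub, s_pub, m_pub = (public_value(x) for x in (client_priv, server_priv, proxy_priv))
    return {
        "client_key": session_key(client_priv, m_pub),   # shared with the proxy
        "server_key": session_key(server_priv, m_pub),   # shared with the proxy
        "proxy_keys": (session_key(proxy_priv, c_pub), session_key(proxy_priv, s_pub)),
        "client_transcript": transcript(c_pub, m_pub),
        "server_transcript": transcript(m_pub, s_pub),
    }

def server_signature_would_verify(result: dict) -> bool:
    """The real server signs the transcript it saw; the client checks that
    signature against its own transcript, so any substitution gives False."""
    return result["client_transcript"] == result["server_transcript"]

if __name__ == "__main__":
    a, b, m = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    print("forwarding only, signature verifies:",
          server_signature_would_verify(passive_exchange(a, b)))
    print("terminating both sides, signature verifies:",
          server_signature_would_verify(intercepting_exchange(a, b, m)))
```

Because the real server's signature no longer verifies, an intercepting party has to present a certificate of its own, and the browser accepts that only if a CA in its trust store issued it.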

            • nymnympseudonym@piefed.social
              ↑ 5 · edited · 17 hours ago

              If you have to install any closed-source software to use the VPN, the answer is oh hell yes, they can install a root cert. If they are clever they can remove it when you disconnect, so it will not be noticed by most people.

              Even if they require no proprietary install, by definition the VPN knows every IP address you connect to. Even if you use DoH. Even if you use Quad9 DNS. The VPN knows you visited midwestsluts.com

              If you want privacy, either spin up your own selfhost OpenVPN, or use the Tor nodes myself and other volunteers pay for, to make free for you to use.

              Tor node operators can’t tell what site you are visiting (if they run an exit node they can see the site – but don’t know your IP; if they run a Guard/proxy node they can see your IP, but can’t tell anything about what sites you visit or what data you get)

              • zeca@lemmy.ml
                ↑ 1 · 14 hours ago

                What if the gov has access to both Tor nodes, Cloudflare infrastructure and Mozilla servers?

    • KiloGex@lemmy.world
      ↑ 2 · 2 hours ago

      This is exactly my worry. Usually the reason a VPN is free is because they’re selling your data on the backend. No thank you.

    • TheTechnician27@lemmy.world
      ↑ 26 · edited · 20 hours ago

      It doesn’t seem like it, or at least there’s zero evidence I’ve seen that this is the case. As the linked OMG Ubuntu article speculates, probably the main benefit financially is making users more likely to sign up to their paid VPN.

      Aside: Based on their blog post, the service seems like a proxy rather than a VPN.

    • Eager Eagle@lemmy.world
      ↑ 12 ↓ 1 · edited · 19 hours ago

      with a 50GB quota, I actually believe it’s free. I use 15-20x that much on an average month.

    • Rhaedas@fedia.io
      ↑ 5 ↓ 4 · 20 hours ago

      I’m sure that’s the condition, to use your data (that they protect of course) to better improve the browser. And I’m sure they are in a country where they don’t have to show logs (that I’m sure they don’t keep, yet somehow use your data).

      They need to stick with just the browser, period. Stop trying to drift into other areas. Firefox has unfortunately gotten too heavy for what it should be, and adding even more features (good or bad) doesn’t help the core performance.

      The other options out there have their pluses and minuses, but if Firefox keeps pushing people will live with the negatives of the browsers that seem to care about the browsing experience of their users.

  • AmbitiousProcess (they/them)@piefed.social
    ↑ 27 ↓ 3 · edited · 19 hours ago

    For everyone who thinks this is just gonna be a way for them to somehow sell your data, I don’t think so.

    Think about it like this. You can buy a VPN plan for as little as $2 a month or less depending on the provider if you have a long-term commitment (e.g. 1-2 years). That pricing includes margin.

    Firefox can essentially operate at lower prices than that, because they:

    • Don’t have to charge themselves an extra margin
    • Have an economy of scale since they’re not just one user paying for themselves, they’re a company paying for thousands at a time
    • Cap their per-user cost well below what most users actually use. (I used over 300 GB of data in the last 30 days just on my PC, almost all through Firefox, with even more on Firefox on my phone.)

    I would bet this would probably cost Mozilla less than a dollar per user per month, and that’s also assuming all those users are continuing to use the VPN service over time, maxing out their data limit, but refusing to pay for anything else after.

    Meanwhile, Mozilla conveniently sells their own VPN service provided through Mullvad, which they make a profit on.

    If a user cares enough to continue using the VPN because they want a VPN, they’ll blow through the data limit and be more inclined than the average user to pay for Mozilla’s option. (rather than going “I guess I’ll only care about my privacy for 5 days out of the month”)

    If a user doesn’t care enough to continue using the VPN because they were just trying it out, but they chose to use Firefox because it had a free VPN bundled in, which sold them on it over another browser, Mozilla just paid less than an ad would cost for a conversion.

    And at the end of the day, it also just helps keep up their reputation as a browser that respects your privacy, which makes it easier to promote the browser elsewhere, in ads or otherwise.

    This feels more like a marketing ploy that’s likely to just save money on ad conversions for new Firefox users, and increase Mozilla VPN conversions, rather than something they’re gonna use to super secretly siphon off your data and sell it to advertisers.

    • XLE@piefed.social
      ↑ 9 · 19 hours ago

      I think it would be better to compare this offer to well-known VPN providers instead of all VPN providers, since the sketchiest ones tend to have the lowest prices. The two reputable ones I can think of, Proton and Mullvad, both cost over $5/month. But cost is only half of the picture: They’ve also earned their reputation through a lot of time, effort, audits, even government raids.

      Regardless, you have some good points. Let’s take for granted that Mozilla will not attempt to share or sell user data with this free service, that it’s all above-board (a fair assumption): They still have to build their reputation from zero.

    • nymnympseudonym@piefed.social
      ↑ 4 ↓ 1 · edited · 17 hours ago

      Then why are they not offering at least a low cost subscription? Why are they spending money on infrastructure and support but getting no revenue in return?

      Either they are okay with losing even more money, OR they plan to enshittify.

      For this and many many other reasons, it’s time to switch to a privacy fork like LibreWolf or WaterFox

      • AmbitiousProcess (they/them)@piefed.social
        ↑ 4 · 15 hours ago

        > Why are they spending money on infrastructure and support but getting no revenue in return?

        I already addressed this in my comment. If you want me to expand on how they most definitely can make money from something like this, Mozilla:

        • Gets revenue from their paid VPN service that already exists, and it would be a way to convert users to a revenue source, since the thing being taken away after the data cap is itself a VPN
        • Gets donations, which more users with a good opinion of the browser will bring
        • Has sponsored integrations, which pay money on a per-click basis, (e.g. AccuWeather integration where Mozilla gets paid if you click through to their website, pinned sites like Amazon that appear on the new tab page for new users) and ones that are influenced by overall number of Firefox users (e.g. Google’s deal to be the default search engine when you first install Firefox)

        If this feature brings in new users, they can get revenue from any of these 3 sources, especially the sponsored listings. If this feature is just a benefit for existing users that might have already changed all their defaults and disabled sponsored content, it increases the chance of VPN conversions and donations, and increases the likelihood someone will recommend Firefox to a friend.

        > Either they are okay with losing even more money, OR they plan to enshittify.

        Or they’re trying to get and retain users, which helps them make money from existing revenue options without having to make anything worse, while also providing a beneficial feature. I’m not saying there’s no chance they’ll enshittify, but I don’t think unconditional pessimism is the right move here.

        > For this and many many other reasons, it’s time to switch to a privacy fork like LibreWolf or WaterFox

        I can’t speak to Waterfox myself, but I would agree with saying LibreWolf is a good idea if you care.

        I just personally haven’t bothered switching since Firefox currently works fine for me, and anything they’ve done I dislike is fairly easy to just disable in settings and never see again.

    • Orygin@sh.itjust.works
      ↑ 5 ↓ 4 · 19 hours ago

      Get out of here with your level headed take. The pitchforks already have been distributed and it has been decided Mozilla will sell the data asap! /s

  • ZombieCyborgFromOuterSpace@piefed.ca
    ↑ 15 ↓ 2 · 19 hours ago

    Yeah, but they also added an AI feature that’s enabled by default that I never asked for.

    And I normally advocate for Firefox. It’s been a good solid privacy focused browser for a while but now I’m starting to think maybe not as much.

    • infinitesunrise@slrpnk.net
      ↑ 7 · edited · 17 hours ago

      Still better than the Chrome-alikes, but all the same I’ve switched to Librewolf. Problem is, foss mozilla teams like Librewolf are small and underfunded, and their ability to continue sanitizing and debloating the app forever is not guaranteed. A new vanguard FOSS browser project is needed, ideally one that continues the Netscape lineage of open and non-coercive web standards with a more durable and democratic organizational structure.