| author | Linus Färnstrand <linus@mullvad.net> | 2025-07-22 17:29:04 +0200 |
|---|---|---|
| committer | Linus Färnstrand <linus@mullvad.net> | 2025-07-23 10:22:38 +0200 |
| commit | 27df064546d33c370f6c46fd817dbf816f5714dd (patch) | |
| tree | abc725501ded8bc7c8bc687c523a99495ba4468b /docs | |
| parent | 6ee9f98e90fd8fb7bad4e7670aed3a711ffbf317 (diff) | |
Improve security docs around TLS connection to API server
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/security.md | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/docs/security.md b/docs/security.md index 0771b6b3d4..9f1f878822 100644 --- a/docs/security.md +++ b/docs/security.md @@ -130,11 +130,16 @@ forwarded. All other forward traffic is rejected. #### Mullvad API The firewall allows traffic to the API regardless of tunnel state, so the daemon is able to update -keys, fetch account data, etc. In the [Connected] state, API traffic is only allowed inside the tunnel. +keys, fetch account data and more. In the [Connected] state, API traffic is only allowed inside the tunnel. For the other states, API traffic will bypass the firewall. On Windows, only the Mullvad service and problem report tool are able to communicate with the API in any of the blocking states. On macOS and Linux all applications running as root are able to reach the API in blocking states. +All API connections use TLS 1.3 with certificate pinning. The app comes bundled with the +[Let's encrypt root certificate](../mullvad-api/le_root_cert.pem) and only accepts connections +with servers having a valid certificate issued to `api.mullvad.net` and signed with this +bundled certificate. + ### Disconnected This is the default state that the `mullvad-daemon` starts in when the device boots, unless |
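Review bot: In the added paragraph, "signed with this bundled certificate" is imprecise for a root certificate. A Let's Encrypt server certificate is signed by an intermediate that chains to the root, so the sentence should require that the certificate chain validates to the bundled root, for example "with servers presenting a valid certificate for `api.mullvad.net` whose chain validates to this bundled root certificate". Since "certificate pinning" alone leaves the pinned object open, the paragraph should also say that the pin is on the root CA rather than on the leaf certificate or its public key, and state whether the system trust store is ignored for API connections. Minor: "Let's encrypt" in the link text should be capitalized as "Let's Encrypt".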
