privacyguides / privacyguides.org

Protect your data against global mass surveillance programs.
https://www.privacyguides.org
Creative Commons Attribution Share Alike 4.0 International

Great browser re-write-reboot #298

Closed dngray closed 2 years ago

dngray commented 2 years ago

Description

This is mostly a tracking issue, as this page has been out of date for quite some time. There are threads on here, the old privacytools issue tracker and the discussions tab such as:

  • Closes: https://github.com/privacytools/privacytools.io/pull/2081
  • Closes: https://github.com/privacytools/privacytools.io/issues/2184
  • Closes: https://github.com/privacyguides/privacyguides.org/issues/69
  • Closes: https://github.com/privacyguides/privacyguides.org/issues/243
  • Closes: https://github.com/privacyguides/privacyguides.org/issues/245
  • Closes: https://github.com/privacyguides/privacyguides.org/issues/246
  • Closes: https://github.com/privacyguides/privacyguides.org/pull/261
  • Closes: https://github.com/privacyguides/privacyguides.org/discussions/59
  • Closes: https://github.com/privacyguides/privacyguides.org/discussions/90
  • Closes: https://github.com/privacyguides/privacyguides.org/discussions/88
  • Closes: https://github.com/privacyguides/privacyguides.org/discussions/124
  • Closes: https://github.com/privacyguides/privacyguides.org/discussions/231

The new browser page is going to be more instructional and split into two main sections, Firefox and Chromium. Under that we anticipate a Desktop and Mobile subheading with specific recommendations and instructions for those recommendations.

General information will be before both sections.

Chromium based browsers

Desktop

Mobile

Gecko based browsers

Desktop

Mobile

Criteria

freddy-m commented 2 years ago

Responsive development team that responds to security issues

I'd be in favour of making a general requirement that all software needs a good vulnerability disclosure protocol/bug bounty program.

We can use the open source guidelines from #24:

Must be open source (unless discussed on a case-by-case basis).

  • Open development, where the community can take place in submitting pull requests, and see development of the project
  • Active development (non-translation based updates within the past 4 months)
  • F-Droid (if applicable) or Direct Download source (such as GitHub releases)

Otherwise seems pretty good 👍🏼

dngray commented 2 years ago

At this point I'm also thinking we'll strip the fingerprinting section as that is horribly out of date.

TommyTran732 commented 2 years ago

Here is my proposal:

  1. Remove all browser extensions - this includes things like ublock origin, containers, tosdr, and the like. Browser extensions provide additional attack surface and variations between different installations, making it easier to fingerprint the users. (Don't worry, I will have proper alternatives below)

  2. Remove all firefox tweaks (will provide alternatives below)

  3. Replace Firefox with Librewolf for desktop. Librewolf is kept very, very close to upstream (usually they have a release 1-2 days after upstream) and much more sane defaults (resist.fingerprinting and fission.autostart for example).

Librewolf already bundles in ublock origin and containers by default. This makes the recommendation for those extensions unnecessary, and there will be fewer variations between different Librewolf installations. It still should be noted that bundling in ublock origin weakens site isolation, but site isolation isn't even enabled by default upstream and most people would want an adblocker for convenience anyways, so there is little harm in recommending Librewolf over Firefox.

There are 2 outstanding issues that I have made on their GitLab: https://gitlab.com/librewolf-community/browser/common/-/issues/51 https://gitlab.com/librewolf-community/browser/common/-/issues/50

If these issues are resolved, Librewolf will be fairly resistant against fingerprinting as well. If we want more security, we can recommend a set of tweaks mentioned in https://gitlab.com/librewolf-community/settings/-/blob/master/librewolf.cfg, but quite frankly, it is pretty good as is by default. We should also recommend enabling OCSP queries for additional security. There is little harm in querying for OCSP since we already recommend that everyone uses a VPN anyways.

We don't even need to mention enabling HTTPS everywhere with Librewolf because it is already enabled by default.

  4. Add Brave as a recommended browser for desktop. It is pretty much the only chromium based browser that is somewhat resistant against fingerprinting that I have found. It has a built in adblocker, so recommending ublock origin is unnecessary. We should recommend that users disable most of brave features (Tor, IPFS, Hangouts, etc) to reduce the attack surface. Google Safe Browsing should be disabled for privacy. HTTPS everywhere needs to be manually enabled.

  5. Remove worthy mentions and anti recommendations - these are very questionable recommendations to make and we should avoid them.

  6. Specifically mention that TOSdr should only be used as a site and not an extension. Extensions weaken site isolation and make the user more fingerprintable. It also adds more parties to trust. TOSdr as an extension isn't worth the sacrifice in security.

  7. Recommend Bromite as the only browser that should be used on Android (except if the user is already on GrapheneOS - in which case Vanadium is fine). On Android, you pretty much cannot avoid using Chromium - it is the system webview and is used by a lot of apps. It makes sense to just stick to one browser engine and not recommend Firefox to reduce the attack surface.

Bromite is more fingerprinting resistant than Brave (https://fingerprintjs.com/ works just fine against Brave but has trouble fingerprinting Bromite), contains none of the unnecessary features, and includes a built in adblocker. The only thing to recommend on Bromite is to disable JIT for additional security.

  8. Tor Browser should only be recommended for Desktop. It is not fingerprinting resistant whatsoever on Firefox, and since we are already recommending Orbot for Android, it makes little sense to recommend the Tor Browser here. I will provide additional recommendations for Orbot in the OS section later.

  9. I don't use iOS so I don't know about the 2 browsers recommended for it. Would be great if someone can comment on this.

TommyTran732 commented 2 years ago

Also, I plan to be pretty verbose in my explanation on why these browsers are recommended, just like how I did it for Android OS recommendations.

TommyTran732 commented 2 years ago

Update: I did look at DuckDuckGo on iOS and it's apparently just Safari with a skin? I don't see the point of it so I removed it in my PR for now.

ghost commented 2 years ago

We can also recommend mull as well as fennec fdroid as an alternative to Firefox. Fennec has proprietary bits removed whereas mull utilizes features of arkenfox-user.js

TommyTran732 commented 2 years ago

We can also recommend mull as well as fennec fdroid as an alternative to Firefox. Fennec has proprietary bits removed whereas mull utilizes features of arkenfox-user.js

Yeah I think we should test it and see how it performs... generally I do not think Firefox based stuff on android is a good idea because you can't escape using the chromium webview anyways... and having 2 different engines = more attack surface

Tor Browser on android is not resistant at all so I am not sure if mull would handle fingerprinting well

freddy-m commented 2 years ago

Very sceptical about replacing Firefox with Librewolf. Even if it's up to date now, all Firefox forks I've seen like this die sooner than later because the team will move on. It takes a hell of a lot to maintain a browser properly. Firefox has Mozilla. Librewolf doesn't.

SkewedZeppelin commented 2 years ago

Perhaps link the Android versions of Brave.

I don't agree with not linking Tor Browser for Android just because Orbot is available. Routing your normal browser through Tor is always not recommended.

Also this leaves out a Gecko based Android browser. Re: Firefox on Android security: https://bugzilla.mozilla.org/show_bug.cgi?id=1565196 @Guardian-AI-Dusty Mull is based on Fennec F-Droid

I also don't really like that Librewolf isn't source-built in any distros. And that isn't even an option for Brave. But that belongs in another issue.

Related: My Mulch offers CFI builds of Chromium that Bromite still doesn't. Bromite itself is also often behind a week+ due to the sheer amount of patches they have to rebase every version.

My proposal: Desktop

Mobile

PhysicsIsAwesome commented 2 years ago

Very sceptical about replacing Firefox with Librewolf. Even if it's up to date now, all Firefox forks I've seen like this die sooner than later because the team will move on. It takes a hell of a lot to maintain a browser properly. Firefox has Mozilla. Librewolf doesn't.

Just my two cents regarding browsers:

As long as Librewolf can deliver updates fast, it is a good alternative for people who want to use Firefox, but don't want to configure it. The only things I didn't like in their settings were RFP letterboxing set to false and the already mentioned OCSP stuff.

Although I would for sure like to keep Firefox with Arkenfox and uBlockOrigin and maybe "skip redirect".

On Linux using MAC should be recommended for Firefox because of their worse security compared to Chromium. On Ubuntu distributions there are ready-to-use AppArmor profiles and for Tor browser there is Tor Browser Launcher. Or use a lightweight VM.

Firefox without further configuration is not an option tbh, because of no isolation (FPI or similar) and telemetry. At least a few settings need to be changed like disabling telemetry, enabling some form of isolation (e.g. ETP to strict), changing search engine and installing uBlockOrigin.

I don't like Firefox browsers on Android because their sandbox is really weak and the horribly designed usability. Would completely avoid them. Or at least educate people, that this could be a problem. Only exception is Tor browser, to not stick out, despite its weaker anti-fingerprinting (compared to desktop).

Bromite is a solid browser and even GrapheneOS recommends it as their secondary browser, which is really something.

Brave is also a very good browser, with a lot of privacy features built-in, which allows you to avoid extensions completely. Only very few changes advised and most of the bad stuff is opt-in, while having the better security of Chromium browsers.

freddy-m commented 2 years ago

For the record, I don't think LibreWolf is a bad browser. I just am sceptical about its long-term stability in regards to updates and such.

Bromite is a solid browser and even GrapheneOS recommends it as their secondary browser, which is really something.

Have been using Bromite for a while. Cannot recommend it enough.

TommyTran732 commented 2 years ago

Very sceptical about replacing Firefox with Librewolf. Even if it's up to date now, all Firefox forks I've seen like this die sooner than later because the team will move on. It takes a hell of a lot to maintain a browser properly. Firefox has Mozilla. Librewolf doesn't.

I just want to make this clear that I recommended librewolf because it has sane defaults for the most part, with firefox you need to install arkenfox or something, and arkenfox isn't very tolerable for most people. We need something with sane defaults for everyone to use.

I would be skeptical if librewolf was new as well, but they are about a year old or more now and the project is still going well.

TommyTran732 commented 2 years ago

@SkewedZeppelin I don't think that many people use tails in the first place, so I don't think recommending ublock with tor browser is a good idea, it just makes people stand out more

As for routing normal browsers through tor... yeah, they are usually not recommended because they can be fingerprinted. The problem here is that Tor on Android is not fingerprinting resistant like it is on Desktop at all, and it inherits a lot of security deficiencies from Firefox ESR, so I don't even know what the proper approach should be here.

TommyTran732 commented 2 years ago

@PhysicsIsAwesome Brave is not as resistant as Bromite (as I explained in my proposal), and it just contains a lot of unnecessary stuff that increases the attack surface. I just see no reason why anyone should ever use Brave over Bromite

PhysicsIsAwesome commented 2 years ago

@PhysicsIsAwesome Brave is not as resistant as Bromite (as I explained in my proposal), and it just contains a lot of unnecessary stuff that increases the attack surface. I just see no reason why anyone should ever use Brave over Bromite

I don't have that much experience with Brave on mobile. I should have made clear, that I mainly meant the desktop version.

If you mean by "failing", that you get the same ID by revisiting on fingerprintjs, then on my smartphone, I get the same ID on revisit for both Brave and Bromite (cleared website data, cookies and changed IP).

However, there are two ways how to not fail such a test. First by changing ID, second by sharing your ID with a lot of other users. The second one is not as easily verifiable as the first one, since you rely on other users to do the same. And tbh for more advanced fingerprinting tests, like a combination of creepjs and browserleaks.com, all browsers fail for the first category, but some succeed for the second.

Maybe I will write more about fingerprinting next time.

TommyTran732 commented 2 years ago

@PhysicsIsAwesome Brave is not as resistant as Bromite (as I explained in my proposal), and it just contains a lot of unnecessary stuff that increases the attack surface. I just see no reason why anyone should ever use Brave over Bromite

I don't have that much experience with Brave on mobile. I should have made clear, that I mainly meant the desktop version.

If you mean by "failing", that you get the same ID by revisiting on fingerprintjs, then on my smartphone, I get the same ID on revisit for both Brave and Bromite (cleared website data, cookies and changed IP).

However, there are two ways how to not fail such a test. First by changing ID, second by sharing your ID with a lot of other users. The second one is not as easily verifiable as the first one, since you rely on other users to do the same. And tbh for more advanced fingerprinting tests, like a combination of creepjs and browserleaks.com, all browsers fail for the first category, but some succeed for the second.

Maybe I will write more about fingerprinting next time.

Strange. It does not manage to fingerprint bromite for me. Do you have JIT enabled?

PhysicsIsAwesome commented 2 years ago

You could also get the same ID on such a test, because the test is not good enough. As an example the script could only detect that you use Brave on Android with fingerprinting resistance set to strict and give every user with this config the same ID. Then you revisit and think, fuck it fingerprinted my browser successfully, but in fact it didn't. Long story short, these test sites have to be handled with care.
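The point made in this exchange, that an unchanged ID on revisit can mean either a unique, trackable fingerprint or an ID shared by everyone with the same configuration, and that randomizing the ID is the other way to pass, is worked through below. This is an added example and not part of the thread: the function name `classifyFingerprintResults`, the record shape and every configuration, user and ID in `SAMPLE` are constructed for illustration.

```javascript
// Added example: interpret IDs reported by a fingerprinting test site.
// One observation = one visit: { config, user, id }, where `id` is the
// identifier the test page displayed. All sample data is constructed.
function classifyFingerprintResults(observations) {
  // config -> user -> list of IDs seen over that user's visits
  const byConfig = new Map();
  for (const { config, user, id } of observations) {
    if (!byConfig.has(config)) byConfig.set(config, new Map());
    const users = byConfig.get(config);
    if (!users.has(user)) users.set(user, []);
    users.get(user).push(id);
  }

  const report = {};
  for (const [config, users] of byConfig) {
    const perUser = [...users.values()];
    const revisits = perUser.filter((ids) => ids.length > 1);
    const distinctIds = new Set(perUser.flat()).size;
    // Every revisiting user saw one ID only.
    const stable = revisits.length > 0 &&
      revisits.every((ids) => new Set(ids).size === 1);
    // Every revisiting user saw a new ID on each visit.
    const fresh = revisits.length > 0 &&
      revisits.every((ids) => new Set(ids).size === ids.length);

    let verdict;
    if (revisits.length === 0) {
      verdict = "inconclusive"; // no revisit: stability unknown
    } else if (fresh) {
      verdict = "randomized";   // first way to pass: the ID changes
    } else if (!stable) {
      verdict = "mixed";
    } else if (users.size < 2) {
      // Same ID on revisit, but nobody to compare against: it may be
      // unique to this device or shared by the whole configuration.
      verdict = "inconclusive";
    } else if (distinctIds === 1) {
      verdict = "shared";       // second way: one ID for all sampled users
    } else if (distinctIds === users.size) {
      verdict = "linkable";     // stable and unique per user
    } else {
      verdict = "mixed";        // some users share an ID, some do not
    }
    report[config] = { verdict, users: users.size, distinctIds };
  }
  return report;
}

// Constructed sample: four hypothetical browser configurations.
const SAMPLE = [
  // One person revisiting on one phone, same ID both times.
  { config: "config-A", user: "u1", id: "a-01" },
  { config: "config-A", user: "u1", id: "a-01" },
  // Several users, each with a stable ID of their own.
  { config: "config-B", user: "u1", id: "b-17" },
  { config: "config-B", user: "u1", id: "b-17" },
  { config: "config-B", user: "u2", id: "b-42" },
  { config: "config-B", user: "u2", id: "b-42" },
  { config: "config-B", user: "u3", id: "b-99" },
  // Several users who all receive the same ID.
  { config: "config-C", user: "u1", id: "c-00" },
  { config: "config-C", user: "u1", id: "c-00" },
  { config: "config-C", user: "u2", id: "c-00" },
  { config: "config-C", user: "u3", id: "c-00" },
  // The ID changes on every visit.
  { config: "config-D", user: "u1", id: "d-01" },
  { config: "config-D", user: "u1", id: "d-02" },
  { config: "config-D", user: "u2", id: "d-03" },
  { config: "config-D", user: "u2", id: "d-04" },
];

console.log(classifyFingerprintResults(SAMPLE));
```

A "shared" verdict only holds for the users in the sample; a larger group can still split into several IDs.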

PhysicsIsAwesome commented 2 years ago

@PhysicsIsAwesome Brave is not as resistant as Bromite (as I explained in my proposal), and it just contains a lot of unnecessary stuff that increases the attack surface. I just see no reason why anyone should ever use Brave over Bromite

I don't have that much experience with Brave on mobile. I should have made clear, that I mainly meant the desktop version. If you mean by "failing", that you get the same ID by revisiting on fingerprintjs, then on my smartphone, I get the same ID on revisit for both Brave and Bromite (cleared website data, cookies and changed IP). However, there are two ways how to not fail such a test. First by changing ID, second by sharing your ID with a lot of other users. The second one is not as easily verifiable as the first one, since you rely on other users to do the same. And tbh for more advanced fingerprinting tests, like a combination of creepjs and browserleaks.com, all browsers fail for the first category, but some succeed for the second. Maybe I will write more about fingerprinting next time.

Strange. It does not manage to fingerprint bromite for me. Do you have JIT enabled?

Yes

TommyTran732 commented 2 years ago

You could also get the same ID on such a test, because the test is not good enough. As an example the script could only detect that you use Brave on Android with fingerprinting resistance set to strict and give every user with this config the same ID. Then you revisit and think, fuck it fingerprinted my browser successfully, but in fact it didn't. Long story short, these test sites have to be handled with care.

No, I did test it with other Brave users. Each of us got a different ID.

Could you disable JIT on Bromite and test again?

PhysicsIsAwesome commented 2 years ago

Could you disable JIT on Bromite and test again?

Same result. No change in ID.

I still haven't come to a conclusion, how important browser fingerprinting is in the wild.

Especially on smartphones, which are way more homogeneous (same device type number usually gets sold a lot of times (100.000 to 10s of millions) and has the same hardware and same OS (including version, assuming most people update properly)) than desktop computers, where you simply can install a different OS, or change parts of your hardware or simple things like screen resolution or install fonts.

Tracking by browser fingerprinting is also (as far as I know) legally prohibited by GDPR as long as you click on the cookie banners "allow only necessary" (then it's only allowed for security measures).

If I understood Arkenfox correctly, he says that there are just too many other easier ways to track aside from fingerprinting, that have proven to work reliably for years for the vast majority of browsers and that tracking by advanced fingerprinting may simply not be economical enough (see this comment). Considering this, it should take priority to take care of the other tracking mechanisms first and anti-fingerprinting second.

Link to fingerprinting in the wild paper

Collection of browser fingerprinting research papers

youdontneedtoknow22 commented 2 years ago

I would question recommending Librewolf over Firefox. Librewolf maintainers don't seem "techy" enough to decide what should be configured and what not. I absolutely don't have enough knowledge to discuss this, but here's a small discussion between Arkenfox's maintainer and one of Librewolf's maintainers, and you can obviously see and decide which one has more knowledge. (Tho many things have been fixed as recommended by Arkenfox's maintainer) https://github.com/privacytools/privacytools.io/issues/2184

Just to quote a comment:

and its configuration is a complete mess

  • outdated prefs since day one
  • conflicting prefs
  • prefs that reduce security
  • overkill on prefs and redundancy (making it harder to revert)
  • locking prefs (unnecessary)
  • failure to even keep up with prefs changes (and yet they still claim it uses the "ghacks" user.js)
  • no clear strategy of what they are doing and way too many wishy-washy conflicts
      • which takes precedence: security or privacy?
      • what about compat

This harks back to initika's compilation in the old librefox: where he basically scraped together every single pref he could find under the sun, merged them all into a single file, and set them all to break everything possible

The whole thing seems to be, and at least attracts all the crazies, about how to beat the jewgle femto mozilla botnet into submission and be based. [Edit to clarify: I said "attract", the "crazies" are not the librewolf devs]

Now, if they sorted all that pref out, and valued security over privacy, and it was a one-click install and forget (e.g. with uBO and some easy toggles for compat), you know, like Tor Browser with HTTPS+NoScript and a slider, then maybe: but then WTF is so hard about dropping a user.js in and installing uBO.

I may sound harsh, and I have zero love for Librewolf, but it's a solution looking for a problem: they all are.

They continued the discussion in another issue (https://github.com/arkenfox/user.js/issues/1218), and here's his summary:

The issue is really about what users can live with in their everyday browsing

  • FPI vs dFPI is a no-brainer (if you need SSOs, cross site logins, use dFPI - we have a recipe).
  • RFP and fingerprinting is also pretty simple
      • ask yourself if you really NEED it - e.g. is your IP hidden, explain threat model
      • if you can handle RFP, cool
          • don't mess with it universally in any way
          • list breakage, side effects: workarounds/threat model: e.g. maybe use gmail in a secondary browser, or an extension for select sites to spoof the correct timezone
      • if you can't handle RFP, or don't need it
          • turn RFP ALTS into a "DO NOT USE, this is pointless" section
          • direct users to just use CanvasBlocker to randomize canvas + maybe audio spoofing (a secondary random value cannot hurt) - that's all you need

I'm not sure it can get any simpler: assess and either go with RFP or use a minimal effort via CB. Both do the same job at a minimum of fooling naive scripts that may run

Some other resources that might be helpful: https://github.com/arkenfox/user.js/issues/1274

youdontneedtoknow22 commented 2 years ago

One thing I don't understand, why would you recommend Apple users to use Safari (because they're already trusting a closed source OS and Webkit is open-source), and not advise Windows users to use Microsoft edge (also trusting a closed source OS and Chromium is open-source)?

ghost commented 2 years ago

Actually all the browsers in iOS (other than Safari) are just a colored skin of Safari itself. That's why.

Thorin-Oakenpants commented 2 years ago

I absolutely don't have enough knowledge to discuss this, but here's a small discussion between Arkenfox's maintainer and one of Librewolf's maintainers, and you can obviously see and decide which one has more knowledge. (Tho many things have been fixed as recommended by Arkenfox's maintainer) privacytools/privacytools.io#2184

outdated and no longer relevant

For the record @fxbrit and myself have been working together behind the scenes since then (it'll be seven months next week). Most changes (in LW) have come from fxbrit (and the other LW team members) taking on board that initial criticism, and cleaning it up themselves - i.e deprecated prefs, redundant prefs, some silly ones, etc.

Right now the differences between AF and LW are minimal

Of active prefs that flip from default values (and excluding a bunch for reasons [1])

most of those aren't really consequential, but we do intend to go through them. AF (94-alpha) flips 154 prefs (total). LW flips approx 180+ 170+ (that we care about) - this is a far cry from the original 600

Also, and I can't stress this enough: fxbrit does his OWN research (and ultimately comes to the same conclusions) and is just as knowledgeable and capable as any girl - in fact, we have benefited from each other's discussions, and I consider him to be a very cool fish

[1] items not considered:

github-account1111 commented 2 years ago

Actually all the browsers in iOS (other than Safari) are just a colored skin of Safari itself. That's why.

That in itself isn't the reason. If that were the case then it would just be a matter of preference.

The reason is it's better to share data with Apple than Apple + a 3rd party. For that reason I am with @youdontneedtoknow22 on the question of why not recommend Windows users to give data to Microsoft rather than Microsoft + a 3rd party (be it Mozilla or Opera or Google or whoever else).

PhysicsIsAwesome commented 2 years ago

Actually all the browsers in iOS (other than Safari) are just a colored skin of Safari itself. That's why.

That in itself isn't the reason. If that were the case then it would just be a matter of preference.

The reason is it's better to share data with Apple than Apple + a 3rd party. For that reason I am with @youdontneedtoknow22 on the question of why not recommend Windows users to give data to Microsoft rather than Microsoft + a 3rd party (be it Mozilla or Opera or Google or whoever else).

There is way more to browser privacy than involving a third party as browser vendor, which usually doesn't matter since you can disable telemetry on most browsers. What is Edge doing to prevent Cross-Origin Identifier Linkability and Cross-Origin Fingerprinting Linkability?

github-account1111 commented 2 years ago

Actually all the browsers in iOS (other than Safari) are just a colored skin of Safari itself. That's why.

That in itself isn't the reason. If that were the case then it would just be a matter of preference. The reason is it's better to share data with Apple than Apple + a 3rd party. For that reason I am with @youdontneedtoknow22 on the question of why not recommend Windows users to give data to Microsoft rather than Microsoft + a 3rd party (be it Mozilla or Opera or Google or whoever else).

There is way more to browser privacy than involving a third party as browser vendor, which usually doesn't matter since you can disable telemetry on most browsers. What is Edge doing to prevent Cross-Origin Identifier Linkability and Cross-Origin Fingerprinting Linkability?

That involves trusting that it will actually respect your wish and stop telemetry, but fair.