[HN Gopher] The Mullvad Browser
___________________________________________________________________
The Mullvad Browser

Author : Foxboron
Score : 957 points
Date : 2023-04-03 10:11 UTC (12 hours ago)

(HTM) web link (mullvad.net)
(TXT) w3m dump (mullvad.net)

| ddtaylor wrote:
| I like Mullvad but it can actually be challenging to purchase a subscription in the US. Most prepaid cards block the purchase. Sure, you can use it with a fully tracked card etc. but that's not really the target audience.
| dtx1 wrote:
| buy prepaid cards on amazon
| ramraj07 wrote:
| Isn't this like the one legitimate use for Monero?
| s777 wrote:
| It is, although then the next problem is getting Monero in the US with their clutterfuck of cryptocurrency regulations, so you have to find an exchange that works with Monero and actually works in the US, then give them your identity and bank account information and hope they don't think you're suspicious and block you.
| hairofadog wrote:
| They also accept cash.
| ilikehurdles wrote:
| Mozilla sells a $5/mo VPN service which is a user-friendly reskinned Mullvad.
| drexlspivey wrote:
| They accept bitcoin and even offer a discount
| ementally wrote:
| If a lot of non-Mullvad users use it, it will create a nice pool of people with at least the same browser fingerprint.
|
| Basically, it seems like a good choice if you are already a Mullvad user and your threat model does not require the use of a Tor browser. However, if there's a significant non-Mullvad user base using it, it won't do much, as you'll just stand out as the only person using the Mullvad browser without Mullvad VPN.
| AccountAccount1 wrote:
| The browser fingerprint is so crazy... I don't understand how they don't regulate this shit.
| anigbrowl wrote:
| The people you are looking to to regulate it are the same people who would exploit it.
|
| I also think this approach of expecting the general public to adopt a borked browser to give deniability to people using it strategically is extremely naive. Human psychology just doesn't work like that, you might as well ask schools of fish to swim differently to hinder shark learning. To be frank, this seems like it will just create confusion vs telling people to use Tor browser.
|
| The way to improve privacy is to provide a tool that actively enhances something incredibly well, and does everything else at least as well. If all browsers are hopelessly compromised, make something that isn't based on HTML and builds cool user interfaces directly from API calls like a videogame UI, for example.
| astrostl wrote:
| Do I correctly understand that it does not have a mechanism by which to connect to Mullvad, much less mandate it? The only thing I see is the ability to manually detect externally-initiated VPN status. This seems like a key and significant departure from Tor Browser to me in terms of protection.
| notRobot wrote:
| > Do I correctly understand that it does not have a mechanism by which to connect to Mullvad, much less mandate it?
|
| No. It comes with their extension which connects to the VPN via socks5.
| [deleted]
| [deleted]
| astrostl wrote:
| An extension that has no user prompting or even status indicator, and that will permit the user to browse the web without a VPN connection or warning by default.
|
| It appears that the process is to 1) open Mullvad Browser 2) (externally) open Mullvad VPN and connect to it 3) click on the Mullvad Browser Extension icon and connect it to the Mullvad proxy. Only after this will the proxy be used and the connection secured.
|
| Contrast this with Tor Browser's process of 1) open Tor Browser. It will only work after it automatically connects to Tor and secures the connection. Do you see the significant difference?
| brewdad wrote:
| Mullvad wants this browser to be usable even by people who don't use their VPN. Tor Browser is never intended to be used outside the Tor network.
| 1101010010 wrote:
| Another useless skinjob of Firefox for folks too conditioned and paranoid to use Tor Browser or know how to edit about:config themselves, by a company selling literal snakeoil ("trustworthy VPN").
| pnt12 wrote:
| Unlike other VPNs, Mullvad states what they protect against and what they don't. This browser seems to bridge the gap about what they previously couldn't.
|
| Considering there's no vendor lock-in and the browser is open source, I think your criticism is completely unwarranted.
| 1101010010 wrote:
| > Mullvad states what they protect against and what they don't.
|
| Where? Certainly not on https://mullvad.net/en/why-mullvad-vpn/ which is filled with virtue signalling nonsense.
|
| > we encourage anonymous payments with cryptocurrency
|
| Implying crypto (based on a literal public and immutable ledger of transactions) is anonymous.
|
| > we don't log your activity
|
| No way to validate this claim, but easy to make it.
|
| > The laws relevant to us as a VPN provider based in Sweden
|
| Sweden is part of 14 Eyes and almost all of the privacy legislature (like GDPR) doesn't apply to foreigners.
|
| Plus they appear to use OpenVPN which is a dumpster fire of vulnerabilities.
|
| Oh, and I love this normalization of ignoring security warnings:
|
| > I get warnings when installing your software!
|
| > That's OK. Allow the software to install.
| dijit wrote:
| Seems like it's hug of death'd.
|
| https://web.archive.org/web/20230403101515/https://mullvad.n...
| politelemon wrote:
| Working fine here in UK.
| archb wrote:
| Is okay to me as well in California, USA.
| ShaurAsar wrote:
| Simple and straightforward language makes it easy for users to understand the features and functionality of the extension.
| Screenshots of the extension in action, which helps users get a better idea of what to expect when using it.
|
| Overall, the Mullvad browser extension is an excellent resource for anyone interested in enhancing their online privacy and security. The page is well-designed, informative, and easy to use, which makes it an ideal choice for users looking for a reliable and effective VPN browser extension.
| beaker52 wrote:
| I wonder how many VPN providers are going to turn out to be honeypots in the long run. Every time they make it easier, I get more suspicious about the privacy really being provided. Perhaps I'm just really distrustful and cynical.
| wintermutestwin wrote:
| Any discussion of VPN and Privacy needs to be explicit re: threat model.
|
| My threat model is:
|
| ISP that has corrupted my govt to allow them to steal my data. Hide my IP from scummy sites.
|
| My threat model is not:
|
| Keep various TLAs from knowing everything I do online. (because good luck with that)
| hotpathdev wrote:
| Bingo.
| dymk wrote:
| Mullvad has been around for quite a long time, and regularly releases third-party security audits. Is there anything they've done that comes off as a red flag to you?
|
| > Perhaps I'm just really distrustful and cynical.
|
| That's fine, but you should have a good reason for it
| hotpathdev wrote:
| Long-term services are great targets for governments.
|
| If you were looking for some trust in a VPN, you would want them to offer locations in privacy friendly countries, and highlighting them as such. That would potentially funnel more users to those servers which would be beneficial. You would also want the VPN to ensure the servers in those countries are run by companies based in that country, and not be headquartered in some other country.
| lazyeye wrote:
| None of these things prevent tracking.
| In fact they are an attractive intelligence asset precisely because people believe they are more secure.
|
| Crypto AG
|
| https://en.m.wikipedia.org/wiki/Crypto_AG
| hotpathdev wrote:
| I didn't say it prevents tracking, I was offering a litmus test for a VPN to the question of red flags. If it doesn't pass the litmus test, preventing tracking is the least of your concerns.
| sph wrote:
| Of course, which is why you shouldn't depend on a single VPN (or just VPNs in general) if you have stuff to hide.
|
| Opsec is an art, and there are no turnkey solutions to ultimate privacy and security. You gotta put in the effort yourself.
|
| It's just a matter of reducing your surface area: I know for certain my government tracks my unencrypted DNS requests, and I have a static IP, so I'd rather turn Mullvad on if I'm feeling like opening an adult site. They might log my DNS, but it's a little harder for them to correlate my requests than if I were to use my home network. Not impossible, but since I am not at odds with the law, GCHQ is probably not spending billions tracking my every movement across networks.
|
| If you need to send nuclear bomb plans to an enemy government, I hope you have a better plan than trusting the promises of any VPN network.
| lurtbancaster wrote:
| > "Works on Windows 10 or later "
|
| Why?
|
| Firefox hasn't dropped support for Windows 7/8 yet.
|
| If you are somebody using Windows 7/8 etc and want Tor Browser but without Tor, then add the following to your `user.js`
|     user_pref("network.proxy.socks_remote_dns", false);
|     user_pref("extensions.torlauncher.start_tor", false);
|     user_pref("network.dns.disabled", false);
|     user_pref("browser.aboutConfig.showWarning", false);
|     user_pref("network.proxy.socks", " ");
|
| That should give you all the anti-fingerprinting measures of Tor Browser but without Tor.
| brewdad wrote:
| If a user cares about privacy and security why would they be using an outdated, unsupported OS? That would be like double dead bolting the front door but leaving the window next to it wide open.
| lurtbancaster wrote:
| My point is that if it's just Tor Browser without Tor, then there's functionally no reason to have that build be incompatible with Windows 7.
|
| Unless they deliberately coded it in like
|     if OS=Win7/Win8 ; then Crash ; else Run
|
| Which would be a dick move, especially because Firefox, on which Tor Browser and Mullvad Browser are based, still supports Windows 7.
|
| ---------
|
| Now to your point.
|
| It is _absolutely_ possible to run Windows 7 reasonably securely.
|
| Well..., depends on your usecase.
|
| But the way in which I keep it secure might be a little cumbersome to some.
|
| My router runs PFSense with Suricata, and I encrypt my DNS traffic.
|
| I run a combination of Peerblock(while no longer maintained, it works splendidly in whitelist mode)[1], and Simplewall Firewall[2].
|
| I run a combination of uMatrix(which again, while no longer maintained, it works great in whitelist mode)[3], and NoScript[4] on my Firefox web browser which I run inside Sandboxie[5].
|
| There are also various services that are insecure and must be turned off - UPnP, Print Spooler, RDP etc.
|
| I run mostly FOSS software. The few proprietary closed source software(Games, Sublime Text) that I do run, I run them in SandBoxie or QEMU.
|
| Here are my reasons for not upgrading:
|
| I've modified my `UXTheme.dll` to _significantly_ change my "Desktop Environment" to suit my workflow, and I've heard from people I know to be credible, that later Windows versions(8 onwards) break system UI modifications when they update, and they don't work quite as well afterward. My modified Win7 UI is way too important to my workflow.
|
| Python have stopped releasing binaries for Win7 after 3.8.10[6] but I'm okay with it. If I do need the newer Python versions for something, I'll just use my Linux Desktop or run Linux in a virtual machine for a Python quickie.
|
| Windows 7 is _extremely_ stable. While not as stable as Linux, I often have uptimes of over 350 days, before a BSOD, by which point I can foresee a crash coming and reboot.
|
| To lean into your metaphor, Microsoft is now shipping operating systems with "open windows" everywhere(way more open windows than my "insecure" Windows 7 has), and we, as users, are having to rebuild the ISOs they release, to make them more "privacy friendly"(yes I'm aware of the difference between privacy and security but they're really interchangeable here), and even then, we're having to use 3rd party "de-bloaters" and Batch/Powershell scripts off of Github, just so the majority of those proverbial windows are closed back up again. This really shouldn't have to be the case, but it is. Microsoft have decided that they would rather their bread be buttered by advertisers than by the actual users of their software.
|
| With Windows 7, I know there's an open window that I can't shut, but I have an electrified fence surrounding my compound, with security cameras and loaded turrets pointed towards that open window and other open windows in my house. I know where Windows 7's security limitations are, and I can mitigate against that, elsewhere. But I will admit, I don't go around recommending laypeople to use Windows 7 though, as the barrier to securing it is high. Even after securing it, the user has to be careful.
|
| In my humble opinion, Windows 7 was the last true Microsoft Operating System. It simply does what is asked of it, and moves out of the way.
| All Microsoft need have done was support Powershell, DirectX, give Win7 a "security updates as a service" business model(which I would've gladly paid for), and make WSL for it(Cygwin is excellent but WSL would be nicer). I know there is 0Patch, a 3rd party company who sell security updates for Windows 7, but I would've appreciated official Microsoft security updates. I would switch to Linux, if there was a robust equivalent to Autohotkey on Linux, and the games I want to run, worked on it.
|
| So yeah, I still run Windows 7. I can't see myself ever upgrading to another Microsoft OS, ever again. And I am, and I cannot emphasize this enough, _exceedingly_ happy with it.
|
| [1] https://www.peerblock.com/
|
| [2] https://github.com/henrypp/simplewall
|
| [3] https://github.com/gorhill/uMatrix
|
| [4] https://noscript.net
|
| [5] https://github.com/sandboxie-plus/Sandboxie
| vrglvrglvrgl wrote:
| [dead]
| Fervicus wrote:
| I am a happy LibreWolf [0] user. Wonder how they compare.
|
| [0] https://librewolf.net/
| mdasen wrote:
| Looking at their FAQ, Mullvad Browser makes some different connections than LibreWolf (https://mullvad.net/en/help/tag/mullvad-browser/#93, https://librewolf.net/docs/faq/#does-librewolf-make-any-outg...). The big difference seems to be the Mullvad connection since LibreWolf does make connections for Mozilla's protection/certificate stuff and for uBlock Origin.
|
| It looks like they might use Mullvad's DNS Over HTTPS by default in the Mullvad browser and this would probably be the biggest privacy thing, but whatever your default DNS is might be a larger privacy thing. Your ISP or Google's 8.8.8.8 traveling unencrypted is probably a bigger issue.
|
| It looks like Mullvad is also based off the Firefox ESR (extended support release) version that the Tor Browser uses while LibreWolf would be more up-to-date: https://news.ycombinator.com/item?id=35421718
| nigamanth wrote:
| Why do you think the Tor project team is releasing it together? Isn't Tor private enough? Or do they want higher privacy without onion browsing?
| rootsudo wrote:
| It wouldn't be higher privacy per se, it's just a fork of the firefox browser that perhaps could carry on TOR in case it ever shuts down or such.
| doodlesdev wrote:
| https://archive.ph/NTerI
| unsupp0rted wrote:
| I'd love to get this on mobile. How does it compare to DDG's browser?
| akomtu wrote:
| Good stuff. They should make a mobile version with extensions: mobile firefox is surprisingly hostile to extensions beyond a small whitelisted set.
| ugurnot wrote:
| I hope there will be a mobile version too at some point.
| archb wrote:
| I'd especially be interested in seeing how they implement on iOS, with Apple considering opening up options beyond WebKit:
|
| https://hn.algolia.com/?dateRange=pastYear&page=0&prefix=fal...
| esskay wrote:
| Both Chrome and Firefox are working on native iOS versions in preparation for the expected opening up of iOS this year so would imagine they can just fork that and release their version.
| UncleSlacky wrote:
| I'm not sure if it's the same org behind it, but there is a Mull browser available on F-Droid:
|
| https://f-droid.org/en/packages/us.spotco.fennec_dos/
| doodlesdev wrote:
| It's not. Mull browser is a Fennec fork [0] maintained by DivestOS [1] (Android ROM).
|
| [0]: https://gitlab.com/divested-mobile/mull-fenix
|
| [1]: https://gitlab.com/divested-mobile
| hotpathdev wrote:
| The last time I tried the Tor browser, it did not sufficiently handle browser fingerprints. I don't have high expectations out of this project either, but at least they offer a firefox extension.
| I'd have to dig into it to determine how effective it is, but as it stands there are other firefox extensions that already do an excellent job.
| Eisenstein wrote:
| > The last time I tried the Tor browser, it did not sufficiently handle browser finger prints.
|
| Can you expound on this?
| hotpathdev wrote:
| Simply download the Tor browser and evaluate its performance on one of the many browser fingerprint [1][2] and browser leak [3][4] web services. The last time I checked, it didn't pass every test.
|
| [1] https://www.amiunique.org/fp [2] https://coveryourtracks.eff.org/ [3] https://browserleaks.com/ [4] https://www.dnsleaktest.com/
| fiso64 wrote:
| Indeed, my fingerprint in https://www.amiunique.org/fp appears to be unique when using the Mullvad browser.
| nikcub wrote:
| I just diffed the fingerprint[0] of 6 Mullvad browser sessions across 2 different devices and it was a unique fingerprint in every case[1]
|
| It mixes a lot - fonts returned, media devices, the canvas ID - it's pretty good and similar to what you expect from the improvements out of Tor Browser
|
| [0] using amiunique and fingerprint.js (now fingerprint.com) - which most of the nefarious ad networks use
|
| [1] note that just as with Tor, you have to quit the browser or click the 'new identity' menu button. just closing a tab/window and re-opening is not enough. I've always believed that there could be a UI hint to this in private browsers with a unique color/background in the menubar as an indicator
| hotpathdev wrote:
| Check all the browser leak tests too, they are important and different tests.
| greenicon wrote:
| This is not necessarily the fault of the browser alone. I'm also unique on a Safari on an up-to-date iOS, which in itself is not very unique.
| pncnmnp wrote:
| Same for me, I am using a VPN provider.
|
| Even after installing Privacy Badger, my fingerprint remained unique and unchanged, with 17.65 bits of identifying information.
|
| For comparison, after I disabled JavaScript, blocked remote fonts, disabled cosmetic filtering, and blocked large media elements using uBlock Origin, my fingerprint was no longer unique, and it dropped down to 9.55 bits of identifying information. Obviously, I don't recommend people do this, but it was fun to check it out.
| cyber_kinetist wrote:
| Maybe Mullvad uses some techniques to randomize the unique fingerprint over time in order to not get tracked? So you're basically identifiable for only a certain period of time until the tracked identity becomes invalidated.
| bauruine wrote:
| I've tested the site with the Tor Browser and it told me "Yes! You are unique". I've downloaded my fingerprint, closed the Tor Browser and did it again and again it was unique. So they couldn't link the two sessions together which is good. A jsondiff of the downloaded files only showed "canvas" as different which I guess gets generated randomly on every visit?
| udev4096 wrote:
| Testing on a bunch of sites does nothing at all. Fingerprinting is a lot more than just that
| hotpathdev wrote:
| Browser fingerprinting is exactly that. And the browser leaks are an even more concerning issue that must be confirmed. Websites want to know who you are or at least that you're not a bot. As a pro-privacy user, you don't want websites to know either of those things. That's low-hanging fruit that a few simple browser tweaks can help with.
| Eisenstein wrote:
| Isn't passing every test going to make the browser uniquely unique? My impression is that they want it to be 'fingerprinted' but look like 1,000,000 other Tor browsers so they can't be told apart.
| hotpathdev wrote:
| Yes either you want everyone to look the same, or you want every page request to be totally random.
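The sub-thread above turns on the difference between a test site calling a fingerprint "unique" and two sessions actually being linkable. The Python sketch below is an added example, not code from any commenter, Mullvad or the Tor Project: it reproduces the jsondiff observation, measures how large the crowd is once a per-session attribute is ignored, and converts the quoted bit figures to "1 in N". The population is constructed, and the per-session random `canvas` value is an assumption taken from bauruine's guess; the UA string and 1200x900 viewport are values quoted elsewhere in this thread.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed sample data. Only the UA string and the viewport come from
# comments in this thread; every other value is made up for illustration.
HARDENED_UA = "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"


def hardened(canvas: str) -> dict:
    """A browser whose attributes are identical for all users, except an
    (assumed) per-session random canvas value."""
    return {"userAgent": HARDENED_UA, "timezone": "UTC", "viewport": "1200x900",
            "fonts": ["Arial", "Times New Roman"], "canvas": canvas}


# A hand-tuned browser: stable canvas, but unusual fonts and viewport.
CUSTOM = {"userAgent": "ExampleBrowser/1.0 (constructed)",
          "timezone": "Europe/Stockholm", "viewport": "1873x967",
          "fonts": ["Arial", "Fira Code", "Comic Neue"],
          "canvas": "stable-gpu-specific-hash"}

POPULATION = [hardened(f"noise-{i}") for i in range(999)] + [CUSTOM]
SESSION_1 = POPULATION[0]
SESSION_2 = hardened("noise-after-restart")  # same user after "new identity"
NOISY = frozenset({"canvas"})                # attributes that change every session


def surprisal_bits(matching: int, population: int) -> float:
    """Bits of identifying information when `matching` of `population` browsers share a value."""
    return -math.log2(matching / population)


def one_in(bits: float) -> int:
    """Turn a bit count back into a '1 in N browsers' figure."""
    return round(2 ** bits)


def changed_attributes(a: dict, b: dict) -> set:
    """Attribute names that differ between two exported fingerprints (the jsondiff)."""
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


def digest(fp: dict, ignore=frozenset()) -> str:
    """Hash of a fingerprint, optionally leaving out attributes known to be noise."""
    kept = {k: v for k, v in fp.items() if k not in ignore}
    return hashlib.sha256(json.dumps(kept, sort_keys=True).encode()).hexdigest()[:12]


def crowd_size(fp: dict, population: list, ignore=frozenset()) -> int:
    """Number of browsers in `population` that are indistinguishable from `fp`."""
    counts = Counter(digest(p, ignore) for p in population)
    return counts[digest(fp, ignore)]


if __name__ == "__main__":
    print("differs between sessions:", changed_attributes(SESSION_1, SESSION_2))
    print("full-hash crowd (site says 'unique'):", crowd_size(SESSION_1, POPULATION))
    print("sessions linkable by full hash:", digest(SESSION_1) == digest(SESSION_2))
    for name, fp in (("hardened", SESSION_2), ("custom", CUSTOM)):
        n = crowd_size(fp, POPULATION, NOISY)
        print(f"{name}: crowd of {n}, {surprisal_bits(n, len(POPULATION)):.2f} bits")
    print("17.65 bits is about 1 in", one_in(17.65))
    print("9.55 bits is about 1 in", one_in(9.55))
```

A "unique" verdict on the full hash is therefore compatible with sitting in a large crowd, while the hand-tuned browser stays alone in its crowd even though its canvas never changes.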
| SubzeroCarnage wrote:
| Tor Browser currently has _the best_ mechanisms to protect against fingerprinting.
|
| Most tests are biased to certain methods or do not have a large enough dataset or are only viewed in isolation.
| fefe23 wrote:
| Why should I put any faith in this VPN company if I don't even trust my own ISP?
| jonfw wrote:
| Mullvad's entire business is based around privacy, so they have a strong incentive to not collect your data. Your ISP does not have that incentive
| altairprime wrote:
| If the third party security audits aren't convincing, then you shouldn't. That's your choice to make.
| simon1573 wrote:
| In Sweden (where Mullvad has its origin) ISPs are forced to keep data on its users, see Datalagringsdirektivet. It does not apply to VPN providers.
| mugr wrote:
| Please add support for ARM.
| pphysch wrote:
| Pros:
|
| - Makes it hard for advertisers to target you with ads
|
| Cons:
|
| - Funded by the State Department via Tor Project
| throwaway2056 wrote:
| Finally something that beats...
|
| https://fingerprint.com/demo/
| jerrinot wrote:
| Vanilla Firefox beats it too if you set `privacy.resistFingerprinting` to `true`.
|
| I assume Mullvad Browser has this on by default.
| AtNightWeCode wrote:
| Why not. I have a crazy idea. How about building an edge service that renders pages on the edge on identical HW and SW and then just stream it to end users. Could be built with Cloudflare workers and Puppeteer for instance. People are already doing crazy things in automatic tests so I don't think there is a need to shy away because of the need for client side scripts. Or just run a Chromium instance.
| AccountAccount1 wrote:
| There's already some work to that direction with cloudflare workers... but I really differ on why people would look for that; in a bit more convoluted case, for example, it would be destined for browsing nested pages of instagram, facebook, reddit, and so on...
| so it's a bit difficult to do that, especially with things that require auth...
|
| much more a coordination problem than an engineering one
| AtNightWeCode wrote:
| My example is simple. This is for tracking and fingerprinting. At the same time. This all may soon fall into the mobile tracking problem. Like in my country. By having a mobile turned off is in itself a tracking point.
| lysecret wrote:
| Hmm I am sure this is well intentioned, but I am a bit scared this will just further chip away on Firefox's market share which doesn't look good to begin with.
| mulle_nat wrote:
| Mullvad also states that it disabled the Firefox password storage feature, because it's supposedly insecure. But the articles supporting this view (I read) seem to be written by third-party password storage friends. Their arguments are weak (like "some managers used to do bla bla, which was insecure") and don't apply to Firefox. Is there a strong argument specifically against Firefox passwords and password sync?
| Player6225 wrote:
| "The Mullvad Browser is a privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project. It's designed to minimize tracking and fingerprinting. You could say it's a Tor Browser to use without the Tor Network."
|
| https://github.com/mullvad/mullvad-browser
|
| So basically like... hardened Firefox?
| Player6225 wrote:
| Hmm looking the settings I saw a search engine I didn't recognize... I guess they also have a google proxy?
|
| https://leta.mullvad.net
|
| So I guess now you can go full Mullvad.
| archb wrote:
| This is super interesting. From Leta FAQ[0]:
|
| Did you make your own search engine from scratch?
|
| We did not, we made a front end to the Google Search API.
|
| Our search engine performs the searches on behalf of our users. This means that rather than using Google Search directly, our Leta server makes the requests.
|
| Searching by proxy in other words.
|
| [0]: https://leta.mullvad.net/faq
| medstrom wrote:
| A hardened Firefox config exists: https://github.com/arkenfox/user.js
|
| But it needs tech skill to adopt, so even if this Mullvad Browser is basically just prepackaged Arkenfox, that's great to drive adoption.
| kmfrk wrote:
| I'd really like a VPN service to recommend streamers where they don't automatically show your location and IP if you happened to not be logged in for whatever reason. It's a UX that lands a lot of people in trouble when they visit the websites to check them out on stream. Ironically streamers with VPN sponsorships, too.
|
| Be nice if this stuff were hidden by default with some reveal button to show the information, both on the website and browser extension as an alternative to the other options out there. Otherwise I love recommending Mullvad to everyone.
| reisse wrote:
| Quite sad Mullvad doesn't have the donations page. One of the rare projects I'd actually like to donate.
|
| Guess buying a few more VPN keys will count though...
| tyjen wrote:
| They've been my go to VPN service for years, since PIA was bought out, so this is a welcomed surprise. Hope it's as good as their service.
| thunderbong wrote:
| I couldn't quite see it in the article -
|
| Is it based on Chromium or Firefox?
|
| If it's Firefox, that'll be a great win!
|
| Edit: User Player6225 mentions it could be a hardened Firefox because it's based on the Tor browser
| archb wrote:
| It's based on Firefox, and I am able to install Firefox extensions. With 1Password on it now, I think I am going to try this browser for a while.
| A_No_Name_Mouse wrote:
| The question not answered: won't I stick out like a sore thumb if only 1 in 10000 people uses this browser?
| esskay wrote:
| Stick out to who? Just set the useragent to a default firefox one (assuming its not already set) and you're golden.
| archb wrote:
| I decided to test it out on a website[0] and it does seem that the useragent goes by the Firefox name:
|
| Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
|
| On my Firefox:
|
| Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
|
| It's interesting to note that the Mullvad browser seems to be based on Firefox 102.0, which came way back on June 28, 2022:
|
| https://www.mozilla.org/en-US/firefox/102.0/releasenotes/
|
| [0]: https://gs.statcounter.com/detect
| doodlesdev wrote:
| That's because it's a fork of the Tor browser, meaning it's based on Firefox ESR, which is currently on version 102.
| input_sh wrote:
| Extended releases are counted a bit differently, it will jump from 102 to 115.
| daveoc64 wrote:
| Firefox 102 is current Extended Support Release (ESR):
|
| https://www.mozilla.org/en-US/firefox/102.9.0/releasenotes/
| [deleted]
| xeeeeeeeeeeenu wrote:
| You can see in the "About" window that it's based on Firefox 102.9, which is the latest ESR version. It masks the minor version in the UA string.
| controversial97 wrote:
| So ... it is a fork of Mozilla Firefox with privacy-friendly settings by default, some script blocking, and dns lookups done via Mullvad's encrypted dns service
|
| Sounds ok to me, I have a longish and probably out of date list of settings that I like to change in a new instance of firefox. I trust mullvad to not log dns more than I trust my ISP and I live in the UK so unencrypted dns here is being logged and stored by order of the government.
|
| Keeping a fork of firefox in sync with mainline firefox to get security fixes is a load of work, it is good that somebody is doing it, in this case I think the tor project is doing a lot of the work.
| prox wrote:
| Sounds great for the audience it's probably intended for.
| anonymousnotme wrote:
| I was thinking about that very thing is keeping up with patches.
| I suspect that tor is probably a couple of months behind firefox and then mullvad will probably be a month or two behind tor. It is easier to check between tor browser and mullvad browser because they both use git. firefox uses mercurial, so is probably harder.
| dathinab wrote:
| AFAIK it's a "fork" of the tor-browser (which is a fork of Firefox) but instead of connecting to the tor network you connect to a VPN.
|
| So you get all the in-browser tracking protection Firefox has (e.g. against fingerprinting) + the ones only the Tor browser has but without the drawbacks of the tor network and in turn without onion security.
| rtpg wrote:
| Does the tor browser fork stay up to date quickly? I would be quite worried about stale browsers in this day and age, to an extent at least
| brnt wrote:
| Yes. They are aware that this is one attack vector they need to protect their users against.
| notpushkin wrote:
| I believe Tor is collaborating with Mozilla very closely, to the point that Mozilla includes patches from Tor Browser now: https://wiki.mozilla.org/Security/Tor_Uplift
| JoachimS wrote:
| And Mullvad is a Tor project sponsor.
| notRobot wrote:
| And Mozilla's partner for the Mozilla VPN.
| seanw444 wrote:
| Dang, it's a tight-knit group.
| pabs3 wrote:
| Tor Browser updates often come the same day as Mozilla releases, sometimes a bit longer.
| chiefalchemist wrote:
| Speaking of which, anyone have / seen an updated list of which FF to change and how? I presume the last one I bookmarked is dated.
|
| Dear Santa...please stop making a safe & private internet so gosh darn friction-y :(
| tomxor wrote:
| > I have a longish and probably out of date list of settings that I like to chance in a new instance of firefox
|
| Not a user but part of the purpose of the TOR fork is settings, anything that is detectable via JS is supposed to remain default to prevent fingerprinting.
|
| It's partly why it's not widely popular, I don't know if this is still true but it used to be that it was supposed to be run at a specific viewport resolution regardless of your device. All in the name of making your fingerprint as close to the same as all other TOR browser users.
| dathinab wrote:
| > run at a specific viewport resolution regardless of your device.
|
| It's more like pretending to the website that your screen has a "common" resolution etc. which is nearly but not quite the same as what you said.
|
| In the past they semi required you to keep your tor window in a specific window size for this, which just didn't work well in practice.
|
| By now they better integrated that in the browser from what I heard, so you can resize it however you want but websites might have an "empty" border area to the left/right/bottom depending on your screen resolution, window size etc. from what I have heard.
|
| With a typical maximized window on 1080p you won't really notice it, on 4k you might notice that it's just "dumb" upscaled from 1080p, but the person I spoke with wasn't sure if maybe they have a set of supported common resolutions instead of just one. And on a 4:3 screen he said it's quite noticeable.
| alkonaut wrote:
| Not sure how it's designed but if I was designing a system of reducing detectable entropy from viewport size, I'd make a fixed list of available resolutions. First all the common resolutions (1920x1080, 2550x14540 and so on), and in addition to that maybe just "snapped" grid sizes in 64p pixel increments. If you use a window size that doesn't match, it should just render the viewport to the closest smaller allowed size, and fill the border with something (e.g. the background color of the page). Perhaps that's exactly how it works?
| medstrom wrote:
| Yes, that's how it works, if you're talking about the setting privacy.resistFingerprinting.letterboxing.
To my | memory, the list is any multiple of 200 on width and any | multiple of 100 on height. So at this moment my viewport | is, I believe, exactly 1200x900. | | Bear in mind that it's a minority of people that hit F11 | to browse fullscreen, they still have toolbars, so it's | not as common as you'd think for the viewport to match a | common screen resolution like 1920x1080. | alkonaut wrote: | Yeah the ones you want I guess would be 1920x1200 with | the height reduced by common (say Windows 10/11) taskbar | and toolbars. It's never going to be perfect but you'd at | least want to minimize letterboxing for the most common | fullscreen setups on the most common platform(s). But you | could throw in 1920x1200 full screen as well for good | measure. | | Perhaps it would be better to letterbox randomly with say | 20px width and 20px height, so it's just 1 chance in 400 | to even return to the same reported screen size? That way | you'd be even harder to track than if you are the only | person running exactly 1000x800. | encryptluks2 wrote: | [dead] | zamnos wrote: | Hm that seems like a mistake. If I'm reading the docs right, the | Mullvad browser will let you browse the web _without_ using their | /any VPN, which means that it's entirely possible to accidentally | surf to a site without having your VPN up, and reveal your IP | address to that site. To contrast, there's no way to use the Tor | Browser without using the onion network so it's ~impossible to | accidentally browse to a site and reveal your IP address, and not | just the IP address of the exit node. | | OpSec is hard, and tools letting you shoot yourself in the foot | doesn't help. There are plenty of other browsers out there that | don't offer VPN integration, so (imo) they should have made the | browser a paid feature for customers, instead of giving it away | for free like the market has demanded since IE6. 
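The letterboxing exchange above (medstrom's description of the rounding, and alkonaut's random-margin alternative), worked through as an added example that is not part of the thread and not Firefox's own code. The 200/100 step sizes are the ones recalled in the thread, and the window sizes are a constructed sample.

```javascript
// Constructed sample of browser window inner sizes in CSS pixels (not measured data).
const SAMPLE_INNER_SIZES = [
  [1920, 969], [1920, 937], [1903, 969], [1536, 731],
  [1536, 750], [1440, 789], [1366, 657], [1366, 625],
  [1280, 881], [1280, 609], [1707, 838], [1250, 913],
];

// Step sizes as recalled in the thread: multiples of 200 wide, 100 high.
// Assumption taken from the comment, not read from Firefox source.
const STEP_W = 200;
const STEP_H = 100;

// Round a window down to the nearest allowed viewport; the remainder is the
// blank margin drawn around the page.
function letterbox([w, h], stepW = STEP_W, stepH = STEP_H) {
  // A window smaller than one step cannot be rounded down; keep its real size
  // (assumption made for this example).
  const width = Math.floor(w / stepW) * stepW || w;
  const height = Math.floor(h / stepH) * stepH || h;
  return { width, height, marginX: w - width, marginY: h - height };
}

// Group users by the size a site would read back; each group is an anonymity set.
function anonymitySets(sizes, report) {
  const sets = new Map();
  for (const size of sizes) {
    const key = report(size);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy (bits) of the reported value across the population.
function entropyBits(sets) {
  const total = [...sets.values()].reduce((a, b) => a + b, 0);
  let bits = 0;
  for (const n of sets.values()) {
    const p = n / total;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Users alone in their set are still uniquely identified by viewport size.
function uniqueUsers(sets) {
  return [...sets.values()].filter((n) => n === 1).length;
}

// Random-margin variant: report (w - r, h - s) with r, s drawn from 0..jitter-1.
// Two users can only ever report the same pair if their sizes differ by less
// than `jitter` in both dimensions, so count users who overlap with nobody.
function separableUnderJitter(sizes, jitter = 20) {
  return sizes.filter(([w, h], i) =>
    !sizes.some(([w2, h2], j) =>
      j !== i && Math.abs(w - w2) < jitter && Math.abs(h - h2) < jitter)
  ).length;
}

// Compare raw sizes, letterboxed sizes and the random-margin variant.
function compare(sizes = SAMPLE_INNER_SIZES) {
  const raw = anonymitySets(sizes, ([w, h]) => `${w}x${h}`);
  const boxed = anonymitySets(sizes, (s) => {
    const { width, height } = letterbox(s);
    return `${width}x${height}`;
  });
  return {
    raw: { values: raw.size, unique: uniqueUsers(raw), bits: entropyBits(raw) },
    letterboxed: { values: boxed.size, unique: uniqueUsers(boxed), bits: entropyBits(boxed) },
    jitterSeparable: separableUnderJitter(sizes),
  };
}

console.log(letterbox([1250, 913]));
console.log(compare());
```

Rounding helps only because many different windows collapse onto the same reported value; a random margin changes what one user reports from visit to visit but does not make two different users report the same thing unless their windows were already within the margin of each other.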
| altairprime wrote: | Mullvad's VPN software has an available function that blocks | network traffic when the VPN isn't connected, so there's no | need to patch that into the browser. | nicce wrote: | But isn't this integrated directly into the browser, so that | your host system does not need Mullvad? | altairprime wrote: | Nope. Their browser seems intended to be paired with their | VPN product, not to be substituted for it. | nicce wrote: | In my understanding, the Mullvad VPN extension is built | in, with Mullvad DoH included. | | https://mullvad.net/en/help/tag/mullvad-browser/#93 | altairprime wrote: | Does it offer the same system-wide protection as the | desktop VPN product; or, does it only use the VPN for | socks-proxied traffic through the extension-created SOCKS | port, and so those protections are applied within the | browser; or, it doesn't protect against temporary | interruptions; or, other? | | I can't experiment with this during my workday, and we've | reached the limit of information available without | running it and testing, so I can't help resolve this | further right now. | udev4096 wrote: | I think the reason that they have made it free is to combat | fingerprinting more efficiently. It would be easy to | fingerprint if they have a very limited amount of users | warner25 wrote: | That makes sense except for the fact that servers can still | identify the smaller set of actual Mullvad VPN users by their | IP address(es). | MikusR wrote: | They advertise their VPN as having a working Split tunnel | feature. That is also false, at least on Windows. | paulryanrogers wrote: | Citation? | MikusR wrote: | Me. It leaks. | paulryanrogers wrote: | Can you provide a few examples? | | Has this been reported to Mullvad? | MikusR wrote: | Split tunnel + qbittorrent leaks your ip | SadTrombone wrote: | There's absolutely no way for qbittorrent to leak your IP | if you've configured it correctly to only use the Mullvad | network interface. 
| artimaeis wrote: | Using Mullvad (2023.2) split tunnel on my Windows 11 | machine with qBittorrent 4.5.2. Every IP tool I know of | is showing only my Mullvad IP. What tool are you using | that indicates a leak of your real IP? | | Tools I've used to verify: | | - https://mullvad.net/en/check | | - https://ipleak.org/ | | - https://browserleaks.com/ip | | Genuinely curious because I use this setup all the time | and want to rest assured it's behaving as I expect. | switch007 wrote: | So, not reported to Mullvad? I don't think it's out of | order to ask for some proof at this stage | udev4096 wrote: | It's available on android and linux. Don't know about windows | artimaeis wrote: | I use their split tunnel feature on my Windows machine daily. | I think there's some limitations to its capability to split, | such as Windows Store apps. | | https://mullvad.net/en/help/split-tunneling-with-the- | mullvad... | the_common_man wrote: | Isn't Firefox already reselling Mullvad for their VPN? | archb wrote: | They are. Mullvad browser seems to be aimed at users that want | a hardened Firefox out of the box with additional Mullvad | extensions, while Firefox with Mullvad installed manually is | all manual setup. | ajdude wrote: | I welcome all new non-chromium based browsers. | hardwaresofton wrote: | Really would have loved if this could have been a partnership | with Mozilla... | triihart wrote: | "The account number is the only thing you need to connect to | Mullvad VPN. We ask for no email, no phone number, no personal | information whatsoever." | | yeah, also they get my bank card info, I become easily trackable | if need arises | asenna wrote: | They launched the Mullvad cards being sold on Amazon[1], you | can ask a friend in a different country to buy one for you. | | [1] https://www.amazon.com/Mullvad-VPN-Windows-Android- | SCRATCH/d... 
| stainablesteel wrote: | they don't save this information, they used to then ended up | removing the process to do so 1-2 years ago | aprilnya wrote: | you can pay with cash or crypto | dns_snek wrote: | Using your card is a choice, you can pay with Monero or send | them cash in an envelope. | silentsanctuary wrote: | For this reason they do encourage you to anonymously pay with | cash. | fuddle wrote: | I'd love to see a more technical write up on the Mullvad Browser. | crop_rotation wrote: | I am disappointed to see that it doesn't integrate with Mullvad | VPN at all. I have Mullvad VPN but I use it too little because I | don't want all traffic on my mac going via VPN (e.g. all kinds of | random IDEs and websites). All I want is one browser which always | uses VPN. But Mullvad has no split tunneling on mac AFAIK, and on | windows also you can only block some apps from VPN, instead of | saying that only this application will use VPN. This is one | feature I really miss from PIA. | anotherhue wrote: | It bundles their extension which allows for socks5 connection, | so you should be good. | piaste wrote: | Why don't you want random traffic to go through the VPN? | Mullvad is quite fast. | crop_rotation wrote: | It's not about speed. There are many websites where your | identity is linked in some fashion (e.g. your bank). I don't | want my bank to block my account because I was in one | continent in the morning and another in afternoon. The same | goes for other critical accounts. I know I know, this is all | unlikely, but why bother with it if it can cause a lot of | headache. e.g. I know of people whose facebook accounts got | blocked and were asked to provide some id since the accounts | were opened from two different geographies. | | Basically sending all traffic via VPN seems a big headache to | me, e.g. using gmail from a VPN doesn't help me at all. | dns_snek wrote: | Firefox allows you to assign proxies to individual | containers. 
You could create a "Mullvad" container, set it | to use Mullvad's SOCKS proxy and then configure a list of | websites to always open in that container. That should | allow for nice segregation on the level of individual tabs. | | They haven't documented this feature [1], but it's part of | the official "Multi-Account Containers" extension. It can | be found in MAC -> Manage Containers -> Select -> Advanced | Proxy Settings at the bottom. | | [1] https://support.mozilla.org/en-US/kb/containers | digging wrote: | I usually just turn off my VPN temporarily if I get blocked | and need to continue using a connection. | stainablesteel wrote: | you might want to check out vopono, I've gotten it working with | firefox and it's nice | | https://github.com/jamesmcm/vopono | crop_rotation wrote: | Vopono does look awesome but it seems it is Linux only, no | mac. | JustSomeNobody wrote: | I think I personally would find this more useful on my phone than | on my desktop or laptop. | | I like Mullvad, they're my goto for VPN service when I'm out and | about. | amsterdorn wrote: | Is this just Brave for FF minus the crypto? | ravewithme wrote: | Controlling browser + vpn - not a good idea. | | I trust the tor browser because of the protocol it uses (the | onion protocol), not because of the browser I use it with. Even | if mullvad is fully open-source and very transparent about it, I | think it is not a good idea to use a browser and a vpn from the | same vendor. They have full access to your internet data, and | they now (if you use this browser) have full control over the browser | you use. | anigbrowl wrote: | I don't get it, why not just use Tor browser? | sylware wrote: | I wonder if one day we'll get a group of devs with the balls to | propose the world with a real disruptive web engine (instead of | using vanguard/blackrock ones): for instance plain and simple C + | assembly. | Proven wrote: | Signatures don't validate, I guess I'll pass for now. 
| | $ gpg --verify mullvad-browser-linux64-12.0.4_ALL.tar.xz.asc gpg: | assuming signed data in 'mullvad-browser- | linux64-12.0.4_ALL.tar.xz' gpg: Signature made Fri 31 Mar 2023 | 01:15:54 AM CST gpg: using RSA key E53D989A9E2D47BF gpg: Can't | check signature: No public key | medill1919 wrote: | Beware, there does not seem to be a way to uninstall this | conventionally. | jack_riminton wrote: | Mullvad is the swedish name for a mole in case you were wondering. | Source: wikipedia https://en.wikipedia.org/wiki/Mullvad | Waterluvian wrote: | I was wondering! For an English-speaking audience it feels like | it might be a poor brand. It's not exactly a "nice-sounding" | name. Though to be fair, they might not be trying to win | mindshare, so careful branding might not be a concern. | | I appreciate that to a technical audience this can usually feel | like a super pedantic bit of nonsense. But for the other 99% of | browser users, this kind of thing can matter! | | "You should try out the Mullvad browser!" | | "The what?" | brewdad wrote: | Is it really any worse than living on the Edge? | Waterluvian wrote: | To be fair, this is a very pseudosubjective thing. I know | my data point. And I feel my data point is plausible as a | trend. For example, you don't need to do studies to know | that "Diarrhea Browser" would be a bad name. | | Edge? I think it's sharp and techy and modern. So it seems | at least... valid. But it also screams, to me at least, the | classic Microsoft branding thing of, "this feels like a | bunch of 50 year olds in a room declared what they believe | to be cool and hip." | | Then again. `iPad` was broadly laughed at when it was | announced, and through sheer repetition it has been | accepted and I don't really even notice the weirdness of | the name anymore. So maybe with enough success, Mullvad | would be adopted. 
| DrBazza wrote: | Can anyone explain how this won't, putting it diplomatically, | attract certain 'dark web' types, and in turn bring mullvad under | the microscope of law enforcement? | sneak wrote: | You can't browse the dark web with this browser. | traveler01 wrote: | If you do something useful it will probably attract criminals, | nothing we can do about it. | hotpathdev wrote: | This isn't useful to 'dark web' types. This is at best useful | for 'mom and pop' who heard about 'china tiktok' on the news. | KoftaBob wrote: | Couldn't you say that about any VPN? Why would Mullvad's | browser be unique in this regard? | andai wrote: | Curious how usable it is for anything with CloudFlare. CloudFlare | doesn't like browsers that block fingerprinting, and it doesn't | like Tor Browser in my experience, and when I use Mullvad I also | get way more CloudFlare Captchas, often getting stuck in an | infinite loop. I'm focusing on CloudFlare because it seems half | the sites I use are behind their firewall now. (e.g. I have to | switch from Brave to Firefox every time I want to use ChatGPT...) | s777 wrote: | I use LibreWolf (hardened Firefox) with Mullvad VPN and in my | experience have hardly had any issues with Cloudflare | (occasionally I might get a single Cloudflare captcha but this | doesn't happen often). Tor browser, on the other hand, gives me | tons of captchas and is barely usable. | jraph wrote: | I guess why not. | | This is an open source, rebranded Firefox and Firefox-like | browsers could use some publicity. It promotes privacy and | privacy can use some publicity too. Tor too. | | Mullvad seems to be honest in the fact that their business model | is selling VPNs and it's nice they are saying it's not enough. | They are not saying that you might not need one though. | | We need a Firefox with good defaults and it seems like this | browser is such a thing. 
I'd prefer these privacy features to be | in upstream Firefox but I guess world is not perfect and that | Firefox still relies on revenues from Google so can't be as | privacy-focused as it should. | | My little concern I guess is that this browser will push for | their service so it's a bit like an ad for them, at least with | its name. But fair enough, and at least the business model seems | healthy. | | With Mullvad already being a Mozilla partner for their branded | VPN, all this actually look good. They seem to be spending their | money on worthy stuff. | FireInsight wrote: | I'm quite surprised nobody mentioned Librewolf yet. | https://librewolf.net/ | | It's a custom build of Firefox with somewhat sensible, | sometimes strict, privacy respecting default settings. | | There's also the Arkenfox user.js which you can put on top of | vanilla Firefox, aiming for the most privacy and security | possible. https://github.com/arkenfox/user.js | 93po wrote: | My issue with these browsers, including Firefox with things | like fingerprint resisting enabled, is that it breaks a lot | of sites. Add a VPN to the mix and a lot of sites flat out | refuse to let you interact with them, or they give you 5 | minutes of captchas, or they require 2 factor login despite | asking them to remember your device. I have to open some | sites (banking, brokerage, health insurance) on a near-daily | basis in Chrome with no extensions and no VPN instead of my | regular firefox+vpn. | | A lot of sites allow interaction even with the above but they | shadowban you without telling you. Craigslist shadow bans and | auto-spam-filters any submissions done with a VPN, and then | also auto-spam-filters any subsequent submissions on the same | account even with the VPN turned off. | | Reddit also universally spam-filters any submissions and | comments done under a VPN, and rate limits your commenting a | shitload on VPNs. 
| joveian wrote: | Arkenfox is great, although worth noting that there are | always privacy vs. security vs. usability tradeoffs. The best | usability settings (in terms of sites just working at least) | are generally the Firefox default and Arkenfox defaults aims | for privacy mostly but they also have some of the best | descriptions of available configuration available anywhere | (often the only other source of any kind of information is a | brief comment in the source code that assumes familiarity | with Firefox code). Personally, I aim for the best security | and accept that that makes me unique. | kulahan wrote: | Tor is borderline useless for privacy. It was literally built | for the government [1] | | 1: https://en.wikipedia.org/wiki/Tor_(network)#History | rOOb85 wrote: | You do realize that tor is open source and has been under | scrutiny by some of the worlds leading security researchers? | It may not be 100% perfect, but claiming it's useless and | ineffective simply because it was born out of government | research is completely asinine. | 1101010010 wrote: | The Tor design spec literally says it is not meant to defeat | a global passive surveillance panopticon like a world | government. Know its limitations and it's a fine tool. By the | way, the entire Internet was built for the government. | | https://en.wikipedia.org/wiki/Arpanet | navigate8310 wrote: | > We need a Firefox with good defaults and it seems like this | browser is such a thing. | | Allow me to introduce you LibreWolf https://librewolf.net/ | 2Gkashmiri wrote: | I've asked multiple times to all the brave sympathizers about | "why not fork firefox, put your shnazzy customization and call | it a day. By lapping up to chromium, you are only helping | Google regardless of what search engine you use" | | And more often than not the response has been "well we did | investigate Firefox but working with it was pita so we went | with easiest option" | | Shit dude. 
You want to start a business so at least do the | right thing. | | If there are more Firefox forks, like there are chromium forks | today, that would normalize Firefox because currently chromium | is the de facto web standard. | charcircuit wrote: | How is propping up Firefox's market share and slowing down | their own development the right thing to do as a business? | | If Firefox wants to have a competitive market share they | should actively compete instead of begging people to increase | their market share. | olyjohn wrote: | I love how the 'right thing to do' is not the same as the | 'right thing to do as a business.' | | One is actually the right thing to do. The other is how to | make more money faster and quicker. | yucky wrote: | [flagged] | dymk wrote: | It's no surprise that Brave's obsession with pushing crypto | and their own ad network, and Eich being a homophobe, did | burn a lot of goodwill. | tomcam wrote: | > Eich being a homophobe | | Wut? Citation needed. I'm sure you don't mean his support | of Proposition 8 in 2008, because Barack Obama professed | the same belief in 2008... making him, in this formulation, | a homophobe. | asddubs wrote: | so someone being against gay marriage is not a homophobe | in your eyes? Why can't Obama just also be/have been a | homophobe | tomcam wrote: | One can have a principled opposition to gay marriage | without being a homophobe. | | Declaring someone else is a homophobe without their | making such an assertion is mindreading. | darksaints wrote: | No, they can't. | dymk wrote: | > One can have a principled opposition to gay marriage | without being a homophobe. | | The same way a principled vegan also eats meat, to be | sure. | asddubs wrote: | actions speak louder than words. by that logic you can | never declare anyone anything. | jraph wrote: | I don't think we need an umpteenth discussion about this | here, it has already been discussed to hell. This is | getting old. 
Just search Brendan Eich on HN [1], this | discussion happens any time he is mentioned here. | | Or just read the summary on Wikipedia [2]. | | There's a lot of material on this topic, it's easy to | make up one's opinion on this if you are genuinely | interested. | | edit: please people, don't feed this. | | [1] https://hn.algolia.com/?dateRange=all&page=0&prefix=t | rue&que... | | [2] https://en.wikipedia.org/wiki/Brendan_Eich#Appointmen | t_to_CE... | haswell wrote: | As a bi man, the next paragraphs excuse nothing. | | But if these details are to play a factor in browser | selection, one should reflect on the myriad of | undesirable associations involved in going about daily | life. | | Just typing this reply involves an entire supply chain | associated with individuals and organizations of | questionable character. | | To apply this same level of sensitivity to daily life | would be to mostly unhook oneself from modern society. | | I care deeply about the safety and freedom of the LGBTQ+ | community, and find little value in allowing someone | else's lack of acceptance of me dictate my life. Doing so | is a form of "doing something" that does nothing but | widen the gap to actual change, which can only ever | happen via open dialogue. | | I think there are plenty of reasons not to choose Brave | based on the actual technical merits of the product. | axus wrote: | What are your thoughts on Chick-Fil-A. I will sometimes | choose them on the merits of their product. | haswell wrote: | I tend to avoid fast food in general, but I try not to | orient my life around actions (or avoiding actions) that | are unlikely to have any impact, especially if they | involve spending more of my own energy. | | Avoiding Chik-Fil-A at all costs: primarily affects me. | | Being willing to frequent a Chik-Fil-A because a friend | somewhere else on the political spectrum enjoys it: | potentially opens an opportunity to talk. 
| | Most of my family and their circles fit that latter | description, so this is not a hypothetical. Any chance of | influencing them is actively harmed by choosing/avoiding | fast food based on tribal allegiance. | | None of this should be construed to mean that I find | their leadership team and public stances acceptable. | jraph wrote: | Sure, I'm not disagreeing with you and this is actually | an interesting philosophical topic to discuss (I mean it, | I'm genuinely interested in this and have been wondering | where to put limits on this kind of stuff). | | But wondering whether is Eich homophobic? Meh. Bored of | these discussions. I have set my opinion on this. It's | been discussed enough. | haswell wrote: | Yeah, that's a fair stance and I generally agree with you | here. | tomcam wrote: | That has nothing to do with my comment. You libeled | someone without providing any proof at all. | jraph wrote: | > That has nothing to do with my comment | | It has everything to do with your comment? I'm inviting | anybody interested on the topic to go read about it | themselves instead of rehashing the same subject again | and again, since I believe everything about this has | already been said already? | | > You libeled someone without providing any proof at all. | | On the contrary, please notice how I carefully and | deliberately stated nothing about Eich, not given my | opinion on this and not taken sides here. | | It would not be smart, it would invite people who have | opinions on this to further push this discussion. | | Did you confuse me with another commenter? | [deleted] | darksaints wrote: | Barack Obama opposed prop 8 in 2008, and certainly never | donated money to the campaign like Eich did. There are | dozens of articles about it. | | But he also opposed gay marriage, so to some extent he | was homophobic, at least for political reasons. He later | changed his mind on it, likely also for political | reasons. 
| | But shame on you for using such disingenuous bullshit | tactics to make your homophobic point: "If you call Eich | a homophobe, then you also have to call <insert beloved | liberal figure> a homophobe!". For one, it ignores the | fact that people's minds can change over time, whereas | Eich has never changed his stance on gay marriage and has | never disavowed the money he spent trying to stop it. And | two, it's just a red herring argument and attempted | hypocrisy trap. | | And worse, it's a fucking terrible hypocrisy trap. There | are millions of people who support gay marriage but never | supported Barack Obama, and millions more who supported | Obama precisely because they didn't want gay marriage and | thought they could trust him to not change his mind on | it. Obama may be beloved by some liberals, but he is a | hypocrite to many on a multitude of reasons, ranging from | his gay marriage flip flop, to his support of the patriot | act, to the promotion of indefinite detention and torture | to federal law, to the fact that he continued the | pointless Iraq war for his entire term. | Euphorbium wrote: | Let's replace that with vpn pushing, that sure is better. By | the way brave is also pushing a paid vpn. | dymk wrote: | There is no opt-out to not use a VPN. There's... the | Mullvad logo, which seems pretty reasonable. Certainly | more reasonable than injecting their own ad network into | your pages and pushing your home-rolled cryptocoin. | Euphorbium wrote: | I have been using brave for a long time, and the only | places where crypto is mentioned is in the new tab | window. You have to opt in to ad replacement. | Dylan16807 wrote: | I believe you mean "you have to opt in to their ads, and | there is no ad replacement feature", unless something has | changed very recently. | notpushkin wrote: | Brave is not a Firefox though, it's just another Chromium. 
| sph wrote: | Eich is divisive, sure, but Brave is not a secure browser any | more than Firefox is, with a lot of phoning home and crypto | widget, that like them or not, are out of place in a browser | you want to trust. | | Ideally my browser and all the software I use do not connect | and fetch data unless I tell them to. A browser should not be | "bundled" with extra widgets for convenience. | INeedMoreRam wrote: | You can completely disable the crypto wallet. | sph wrote: | On-by-default is a terrible security and privacy | approach. | anotherhue wrote: | Brave had the least home-phoning in the study | https://arstechnica.com/information- | technology/2020/03/study... | Geezus-42 wrote: | I would have liked to see where Vivaldi fell in their | testing. | mpgarate wrote: | While brave may have some good privacy aspects, it is still | based on chromium. | overthrow wrote: | Brave is an advertising company just like Google. | | https://www.computerworld.com/article/3292619/the-brave- | brow... | | > Brave scrubs sites of ads and ad tracking, then replaces | those ads with its own advertisements, which are not | individually targeted but instead aimed at an anonymous | aggregate of the browser's user base. | | Sounds an awful lot like Google's | https://en.wikipedia.org/wiki/Federated_Learning_of_Cohorts, | no? | | btw I don't know anything about Brendan Eich, but I still | would never use a crypto browser | jraph wrote: | I don't care about Brendan Eich quite as much as I care about | the Google / Chrome monopoly, and Brave just makes this | monopoly stronger by depending on Chrome. By being Chrome, | actually. | | I want the web to be built around something else than | ad-/tracking-supported software and Brave is being very self- | contradictory with this. | | Don't use Brave if you care about the global picture / | tracking around the globe. | INeedMoreRam wrote: | Which browser do you recommend? 
| chaxor wrote: | Probably the one from this post will now be the likely | answer. | jraph wrote: | It's not perfect (since its funding is mostly Google) but | Firefox is my current browser of choice. It notably has | very good support for blocking tracking and unwanted | stuff thanks to uBlock Origin, which works best on | Firefox according to its main developer [0]. And while it | is funded with Google's money (which is a huge caveat), I | still hope this changes in the future. Firefox could be | funded differently. [By the way] maybe Mullvad browser is | an interesting choice for this exact reason? | | Other (independent) initiatives like NetSurf [1] and | Ladybird [2] are on my radar. NetSurf has been around for | a while; Ladybird seems impressive, achieving some great | progress and result with little resources. I should | actually try Ladybird more seriously when I get the | chance, and maybe contribute if I find the time :-) | | [0] https://github.com/gorhill/uBlock/wiki/uBlock-Origin- | works-b... | | [1] https://www.netsurf-browser.org/ | | [2] https://awesomekling.github.io/Ladybird-a-new-cross- | platform... | yucky wrote: | Brave is a separate fork and completely unreliant on | Chrome. It also is the most privacy-focused browser so it's | the opposite of "tracking-supported software". | jraph wrote: | Unreliant on Chrome? | | If Chrome disappears, Brave ceases to exist. Brave | totally relies on Google developers working on Chrome and | do the vast majority of what it takes to build the | browser. Brave only does superficial work in comparison. | Brave may itself be privacy-focused but only exists | thanks to Google's business model which is mostly | tracking the world. | | So, yes, Brave is mostly funded by tracking since it is | mostly Chrome with some lightweight work on top of it. | oDot wrote: | > I guess why not. 
| | > ...Even in the desktop version, Firefox's sandbox is still | substantially weaker (especially on Linux) and lacks full | support for isolating sites from each other rather than only | containing content as a whole. The sandbox has been gradually | improving on the desktop but it isn't happening for their | Android browser yet. | | https://grapheneos.org/usage#web-browsing | dblohm7 wrote: | That is waaaay out of date on the Desktop front. | kitsunesoba wrote: | Seems like a wash overall with how Chrome for Android lacks | support for extensions entirely. Firefox for Android supports | uBlock Origin, which greatly cuts down on tracking and | chances to be hit by broadly-targeted malvertising. | charcircuit wrote: | Kiwi Browser is a chrome fork that supports web extensions | on Android. | jorvi wrote: | Firefox on iOS contains no built-in adblocking despite | Firefox Focus doing so. | | More bizarrely, there's an open Bugzilla _and_ GitHub issue | on that, both a few years old. | | Obviously I have transferred my entire family and social | circle over to Brave. If Firefox won't make their users | secure, I will. | pxc wrote: | > More bizarrely, there's an open Bugzilla and GitHub | issue on that, both a few years old. | | I can understand why it's not a priority at this point, | at least, given that Firefox on iOS is currently a reskin | of Safari, and the door is reportedly about to open for | actual competition among iOS browsers due to increasing | anti-trust pressures on Apple. | | It would make more sense to me to address this with a | real port of Gecko to iOS, and then you can just run the | full version of uBlock Origin for Firefox on your iPhone. | seanw444 wrote: | The thing is, while Firefox _should_ have better sandboxing, | the tradeoff at the moment is that with Chromium you get | better security, but less control and privacy off the bat. | With Firefox, you get less security, but more control and | privacy off the bat. 
| noobcoder wrote: | I've been a Mullvad user for a while now, and I have to say, | their commitment to open source is truly impressive. They're | living that philosophy by making their VPN client open source. | Tor Browser with the security of a trusted VPN should be a | great alternative | np1810 wrote: | > We need a Firefox with good defaults and it seems like this | browser is such a thing. | | If you're looking such option for Android, you can check out | Mull [1] which is available on F-Droid [2] as well and use it | along with uBlock Origin. | | [1]: https://gitlab.com/divested-mobile/mull-fenix | | [2]: https://f-droid.org/packages/us.spotco.fennec_dos/ | whoopdedo wrote: | Firefox is already an ad for Mullvad since the Mozilla VPN | is rebranded Mullvad. It would not be terrible for them to | become a more prominent corporate sponsor of Mozilla. Less | eyebrow-raising than Google at least. | thejosh wrote: | I quite like Mullvad. I haven't needed to use them much (mostly | when my ISP has wonky routing and I need something semi- | urgent), but their service is pretty good, their website feels | like it's designed for the more "techy users". Their billing is | the least sketchiest of VPN providers, with no ticking clocks, | no upsell and other nonsense. | | I also like they provide a Wireguard file and a way to filter | it, so it's super easy to get started. | enlyth wrote: | I share a VPN subscription with my father, I use it for | torrenting so my ISP can't snoop on me, and he uses it to | bypass geo blocking to watch UK shows (things like BritBox, | Netflix, BBC etc.) in another country. Unfortunately, there | is no way to legally pay for most of these services and watch | them from abroad. | | I tried to get us to use Mullvad, as it was perfect for me, | but for him it was constant problems with the services he | used, whereas the sketchier providers like NordVPN and | ExpressVPN always worked without issues. 
| gesman wrote: | >> I use it for torrenting so my ISP can't snoop on me | | Would installing WireGuard server on a router directly | solve this (like Gl-Inet travel routers)? | domh wrote: | It annoys me that the only way to access iPlayer from | abroad is via a VPN. Surely opening it up and allowing | international customers to pay some form of license fee | could be a nice little revenue stream for the BBC? I'm | guessing the reason is just "licensing issues" but if | they're making the programmes then what's the problem? I'm | sure there's an international market for watching the world | class output from the BBC. | kbf wrote: | Shows are often made by production companies on contract | and licensed for domestic distribution. Licensing for | international distribution might be significantly more | expensive. | mongol wrote: | Yes but they would get more revenue from it too. | burnished wrote: | Maybe you should start shopping the business case for it | around then. | Kwpolska wrote: | They might get some revenue, but they would need to build | and maintain a streaming service with payments, and | that's not free. They might also be limited by contracts | with local broadcasters, which give them exclusive rights | to online distribution within their country, even if they | do not exercise them now. | 867-5309 wrote: | a few years ago I moved outside the UK and spent the best | part of 3 months (on and off) trying to access BBC | content, legally, still holding residency, paying | domiciliary and employment taxes, and paying for a bladdy | TV loicence | | of course, I wanted to do this for as close to free as | possible, since plugging an aerial into a tv at home also | cost next to nothing | | VPNs were already being detected and banned. I tried at | least 4 extensively, including tcp, udp, socks, wg, | obfuscated servers, etc. 
to no avail | | dodgy residential/mobile proxies were too unreliable for | live 720p m3u streams, not to mention expensive | | I went through a few cheap linux VPSs with UK ip | addresses, forwarding their web streams to my tv outside | the UK, until I found one that seemed to work well. so | much so I even invested in some fancy routing through | intermediary countries for almost jitter-free stability | | until a few weeks later, back to the same old shite -- | everything 403 Unauthorised | | after yet a few more weeks of furious head-scratching | shame over the stable-now-vanished CBeebies and BritComs | daily consumption, I concluded and confirmed the BBC had | just started detecting and banning datacentre IPs more | aggressively | | it was at this ebb I discovered the wonderful world of | illegal IPTV streams and adopted a _fuck you too, BBC_ | attitude | idiot900 wrote: | Perhaps roll your own VPN using a home router that can | act as a VPN server? That way you can use your home | internet connection...assuming its upload speed is fast | enough. | | A shame BBC can't accommodate its paying customers who | happen to be abroad. | 867-5309 wrote: | yes in hindsight, had I known the BBC would stoop, I | could have set up something from an actual home IP. | whether that be forwarding their web streams or | forwarding a few OTA DVB-T2 streams. but even that could | require physical presence for emergency debugs, reboots, | retunes.. | domh wrote: | I used a small independent proxy company that I paid £50 | a year annually through PayPal. I think they must've been | small enough to fly under the radar of the detection | algorithms. When I went onto google maps connected to the | proxy, it always thought I was in Dubai, which gives you | an idea of the clientele. | | Maybe it was something to do with the fact that it was a | Proxy and not a VPN, though I'm not sure if this makes it | any less detectable.
I even had a Firefox extension that | automatically turned on the proxy when opening iPlayer | tabs! It worked very well, though I wish I could've paid | the license fee and just got access. | Bluecobra wrote: | I also used some UK shell provider (via SOCKS proxy + | Putty) in the past and it worked really well. My guess is | that there's some kind of threshold/concurrent | connection that iPlayer looks at per IP address. | | It's pretty silly though, I would absolutely pay for a TV | license if given the opportunity. Dear BBC: Shut up and | take my money! | 867-5309 wrote: | I dabbled with free and cheap paid-for proxies which were | either injecting javascript or too flaky for live video. | I saw a few of those smaller providers, but the initial | outlay would have been too risky, because I am convinced | the BBC throw a lot of money at residential geolocation, | so if they haven't already their IP address blocks will | be blacklisted at some point in the near future | | interesting about Dubai though, makes me wonder if they | have some sort of expat or economic deal with them. if | Google thinks you're there, you can bet BBC do too. I | discovered they use multiple CDNs and delivery mechanisms | as fallback/best effort, which sometimes (but not always) | sieved most (but not all) VPN locations in an | indeterminate (but authoritatively intentional) fashion, | so perhaps Dubai is whitelisted on one of those. might | investigate further at some point if I can swallow some | bile first | lazyeye wrote: | It's not the only way. | | Smart DNS providers like Getflix provide access to BBC | Iplayer and a ton of other streaming services too. | | Basically you use their DNS servers and they handle the | geo-unblocking. | kelipso wrote: | With the cultural capital that BBC had especially 7 to 10 | years ago, I'm pretty sure they would have been at league | with Netflix and the like if they had opened it up.
Dr | Who was huge back then in the US, and you had Sherlock | and a few other shows. I think people were just pirating | it (?) but lots of people I knew were huge fans. | jwagenet wrote: | Dr. Who was on Netflix for a long time, except maybe | whatever recent season, and more recently HBO Max | domh wrote: | There was something called Kangaroo [1] which was a | partnership between BBC, ITV and C4 but it got blocked by | the competition commission. Now it's run under Britbox I | think! | | [1] https://en.m.wikipedia.org/wiki/Kangaroo_(video_on_de | mand) | RealStickman_ wrote: | Problems with services are to be expected when using | Mullvad. Their IPs are all recognised as originating from | datacenters. You might be lucky, but often not. | | Sketchier VPN providers use "home ips" and rotate them | regularly in order to defeat Netflix or other services | blocking them. | seanw444 wrote: | Why are the sketchy VPN providers capable of that, but | not Mullvad? | tempest_ wrote: | Sketchier providers often use dubious methods to acquire | their exit nodes. | | Often they pay someone to include their code in a "free" | software or browser extension (or malware) that allows | them to route traffic through the host. | | Oxylabs is one of the larger examples whose record is | somewhat dubious. | dirheist wrote: | IIRC the mylobot botnet is responsible for providing the | vast majority of residential (home) IP addresses for | residential VPN providers (who are then sold to | expressvpn/nordvpn). The whole business is incredibly | shady and nefarious and nordvpn/expressvpn must know from | whom they contract their residential vpn services from. | | BHProxies is the largest residential proxy provider on | the internet and almost all of their proxies are acquired | through the botnet above. | | https://www.bitsight.com/blog/mylobot-investigating- | proxy-bo... | myself248 wrote: | Whaaaaaaaaaat. | | This needs to be on the front page of.... something. 
| seanw444 wrote: | Seconded. I refer to them as shady because I have no way | of knowing what they do with your data. I didn't even | consider that they'd have a whole botnet market going on | too. This definitely needs to be more public. | Spinnaker_ wrote: | Is there a source for expressvpn actually using | BHProxies? I had no clue it was that sketchy. It is owned | by a public company, so that's pretty substantial news if | true. | Stagnant wrote: | I would be very skeptical of the claim, quite worrying to | see multiple people accepting that as a fact without any | kind of evidence to support the claim. | | I'd be shocked if any of the major VPN providers were | involved with illegal residential proxies. It just | doesn't make sense, can you imagine just how unstable and | slow those connections would be? Why would they risk | being legally liable when there exists legal residential | proxy providers that get their IP's from people that | voluntarily share their connection (honeygain etc.)? I've | never heard of any of the big VPN providers offering | residential connections. As I understand the VPN | providers that promise support for netflix and similar | streaming services just acquire newer IP's from time to | time but the connection still goes through a regular | datacenter, definitely not from some random dude's home. | | The proxy market is more so targeted towards developers | who scrape data and criminals that do credential | stuffing/other criminal activity. | tempest_ wrote: | Cool, I did not know about this one. | JadeNB wrote: | > ... he uses it to bypass geo blocking to watch UK shows | (things like BritBox, Netflix, BBC etc.) in another | country. Unfortunately, there is no way to legally pay for | most of these services and watch them from abroad. | | Not that it's your point, but, at least in the US, you can | pay for BritBox on Amazon: https://www.amazon.com/gp/video/ | storefront?contentType=subsc... . 
| mistrial9 wrote: | how are people supposed to react to this ? Those are two | reasons why legal providers make life so difficult for | innocent people. The response will be to enable more | intrusive record keeping and more very-low bandwidth for | me, because of you. | rurp wrote: | I want to second this and add that they make it very easy to | make non-recurring payments. So many modern software | companies do everything they can to hook you into an endless | subscription, but Mullvad is refreshing in this regard. I | only use a VPN once in a while and when I need one I just | throw Mullvad a few bucks for one month plan, which they make | as seamless as possible. | WinstonSmith84 wrote: | I use Mullvad for 2 years and yeah it's been a good VPN. Global | outage have been very rare, maybe it happened 2 or 3 times | altogether. It happens however that some websites are blocking | Mullvad servers, usually, it's just about switching to another | server to get this working. | | The desktop client also supports some obfuscation schemes (UDP | over TCP) which is useful when you're in countries which block | any kind of VPN. The default smartphone app doesn't support | this out of the box, but they have some tutorials to setup | Shadowsocks and OpenVPN to route the traffic over https as well | MuffinFlavored wrote: | > it's nice they are saying it's not enough. | | Mullvad, who has a reputation in the HN comments for being just | like... over the top amazing + great (they swear up and down | they don't store traffic logs and if you don't trust them, you | can pay anonymously somehow or whatever), is having a "hard | time" being profitable/growing | | all while | | NordVPN, who has a bad reputation in HN comments for being | untrustworthy and "not so anonymous", seems more well known | (and therefore most likely has more paying customers and makes | more money?) | | What is that law called in business? when the "less good" | offering wins? 
| skeaker wrote: | Not sure if it's got a "law," but the reasoning seems | intuitive: 1. More complex products are usually better, but | being more complicated means they're harder to explain to the | average customer and makes them harder to sell. 2. More | widely known products get that way by stripping money out of | the budget for their product to put it into advertising | instead. Less money in the product means it's potentially | inferior to a product that put their whole budget into | development. | pnt12 wrote: | Well, many libertarians will state the rules of the free | market as if they were physics law, but they are not. I think | they're just post-fact invented laws to justify the ideology, | but that's besides the point. | | The law that "in a free market, the best product wins" has | been beaten by profit-driven companies with billions at their | disposal. Sure, you can have a better product. But maybe it's | more profitable to have better marketing, or secondary | sources of profit. | | It's quite telling that VPN providers sponsor so many YouTube | videos... Which require login to the biggest ad-driven | company... Which will identify users by their login, no | matter if they have a VPN or not! | jeltz wrote: | Where did you get this impression? Mullvad is growing like | crazy (4 times as much revenue in 2021 compared to 2020, 2022 | numbers not yet public). NordVPN is obviously larger since | they are older and have bought a lot of ads on Youtube but | Mullvad has crazy growth and I have seen their ads in the | subway here in Stockholm. Mullvad is in no way a company | which struggles as far as I can tell. | | The old company: | https://www.allabolag.se/5567839807/amagicom-ab | | The current company: | https://www.allabolag.se/5592384001/mullvad-vpn-ab | johnmaguire wrote: | >> it's nice they are saying it's not enough. | | > Mullvad [...] 
is having a "hard time" being | profitable/growing | | This is how I originally interpreted the parent comment as | well, but they actually meant "a VPN is not enough to | maintain your privacy, you also need a privacy-respecting | browser." | benknight87 wrote: | It's because, like it or not, NordVPN is a great product. The | apps are great, the design is slick, they have more servers | in more countries, and offer additional value through things | like Smart DNS, dedicated IP. Not to mention solid customer | service. | the_duke wrote: | Sure, their UX is more polished, and due to using | residential IPs they aren't so easily blocked out. | | But there is a different reason for the popularity: | | NordVPN and others spend a lot of money on aggressive and | pretty shady advertising, which tricks consumers into all | kinds of false assumptions. | dimitrios1 wrote: | It's called educating your potential customers on your | product. | | NordVPN has spent an incredible amount of money getting their | name out there. | | The majority of the population hasn't a clue about what a VPN | is or does. The ones that do, their only interface is "its | this thing my company makes me connect to" | | Of the remaining subset of people who are aware of what VPNs | actually do for you, it's likely they can only name 1 or two | brands: NordVPN and ExpressVPN. | | So if you have the superior product, but the lesser position | in the market, then get busy marketing. | dns_snek wrote: | > So if you have the superior product, but the lesser | position in the market, then get busy marketing. | | Easier said than done I imagine. Big brand VPN providers | charge several times more for the "same" service, or make | you sign up with 3 year commitment to even come close to | Mullvad's monthly pricing. | yencabulator wrote: | > NordVPN has spent an incredible amount of money getting | their name out there. | | I think you misspelled "spamming ads everywhere".
| dimitrios1 wrote: | Whatever you want to call it, and whatever it means to | you, it must be done in some way, like it or not. Or you | can sit here and complain everyone's using the big name | that sucks and nobody uses your superior 100% | artisinally, crafted from free-range conflict-free code, | ethically "superior" app. | archb wrote: | As a DuckDuckGo fan as well, I'd have loved to see | them/DuckDuckGo develop their browser on the top of Firefox with | Mullvad as a partner with deep integrations. | craigjennings wrote: | Looks like they're getting closer: | https://duckduckgo.com/mac?ref=duckduckgo | coppsilgold wrote: | You can run the tor browser without tor. | | env TOR_SKIP_LAUNCH=1 TOR_TRANSPROXY=1 | | about:config extensions.torlauncher.start_tor = | FALSE network.dns.disabled = FALSE | Eisenstein wrote: | > Dns Over HTTPS (DoH) > Mullvad Browser is configured to use | Mullvad DoH for all DNS requests, without fallback. In the | settings, you can also configure it to use Mullvad Adblocking | DoH. | | about:config DOH entries screenshot here: | | * https://imgur.com/a/evd9OzN | | Can anyone knowledgeable comment on the security implications of | this? | nextaccountic wrote: | If you trust Mullvad to see all your traffic (including every | IP you connect to), it seems okay to trust them to see your DNS | queries (that will return the very same IPs you will later | connect to) | Eisenstein wrote: | I don't though. I don't use Mullvad VPN. | nextaccountic wrote: | Okay so probably this browser isn't for you | mackie_roy wrote: | You can actually disable DoH by going to: Settings > | General > Network Settings > Settings | | Then either untick "Enable DNS over HTTPS" or add a | custom DoH. | AccountAccount1 wrote: | Haven't read any comment that points to a user actually trying | it; does someone have a link? Or has tried it? | bragadiru_mafia wrote: | All you smart asses making recommendations on alternatives, | shush. 
The moment it gets on their radar it's compromised in 3 | ..2 ... | | Take your obscure html rendered and live in peace brother . | webmobdev wrote: | _Important Note_ : Tor browser isn't truly private as it connects | to Firefox services on start-up, even if you disable all options | that require these. (Unlike zero telemetry / "no automated | connections" browsers like the Orion browser - | https://browser.kagi.com/ - or the PaleMoon browser - | http://www.palemoon.org/ that actually do respect your browser | settings). | | This seems deliberate as no attempts have been made to fix this | despite repeated highlighting of this issue online by many | concerned users. | | (I haven't verified if the Mullvad browser has the same problem). | MrAlex94 wrote: | Interesting! A few years ago I started a similar project, | essentially a clearnet fork of Tor called Aegis. Problem was, it | makes a lot of the modern web very broken. A very niche corner of | the web browser market - but a lot of things like WebRTC and | Widevine (unfortunately) are what most users would expect. I'd | imagine there's the possibility there will be no H264 support | either? | | Nice to see more Firefox related forks though, hopefully help | gain more ground on the web for alternative engines. | lofaszvanitt wrote: | Why not sprinkle it with something like grsec? Now that would be | a secure browser and would really upset a lot of shady people. | sampa wrote: | clearly, you don't know what grsec is | lofaszvanitt wrote: | and? | sneak wrote: | grsec are patches for the kernel. | | The main exploit risk to a modern browser is javascript JIT. | lofaszvanitt wrote: | And? Is it considered secure or the threshold just pushed | higher so the exploitation is not for everyone? | udev4096 wrote: | grsec isn't free anymore | lofaszvanitt wrote: | Windriver, hm? | hooverd wrote: | It's nice to see a Firefox based alternative browser. 
| detrites wrote: | From the FAQ [0]: | | > _Why is the time is wrong?_ | | > The timezone is spoofed, to combat fingerprinting. | | > _What's this weird spacing around the websites?_ | | > It's called letterboxing, a function to combat fingerprinting | (using your browser window size to identify you together with | other measures). | | > _How do I stay logged into specific websites between sessions?_ | | > It's not possible. It's an action to combat tracking. | | Not sure if there are other measures, other than that the browser | itself doesn't track anything. | | Looking much better than a stock firefox, and presumably will | improve over time. | | [0] - https://mullvad.net/en/help/tag/mullvad-browser/ | ta1243 wrote: | Except most of the time I don't want to spoof my timezone, | don't want weird spacing around websites, and do want to remain | logged in to websites. | | > How do I stay logged into specific websites between sessions? | > It's not possible. It's an action to combat tracking. | | Turns me off immediately | bubersson wrote: | Unfortunately from now on, the Mullvad Browser is the only | browser you can use, ever. So you will be annoyed by this | inconvenience a lot. | DrewADesign wrote: | Have you considered becoming a non-user? | neurostimulant wrote: | This is inherited from the upstream TOR browser. It's | basically designed to evade fingerprinting by making the | browser's fingerprint similar across all TOR browser's users. | It's indeed very inconvenient so don't use these browsers | unless you seriously care about this stuff. | archb wrote: | I thought it'd be possible by simply turning off "Always use | private browsing mode" setting, but it doesn't seem to work. | Sessions are still cleared upon browser exit. | | In my case, I had to turn off that setting because without | it, 1Password wouldn't work.
| naillo wrote: | Obviously you're not the target audience for a privacy | focused browser | hotpathdev wrote: | No one wants that, most websites become broken by taking pro- | privacy measures. It's about not consenting to tracking. | Right now the majority of users are implicitly giving consent | to tracking. | | It seems like a harmless thing to be tracked, but once the | likes of haveibeenpwned.com came out and the databases that | fuel it, and services that provide search utility to those | databases, it should become clear that being tracked across | every single website on the internet is probably not what you | want. | | Scenario: You apply for a job, they look up your totally- | clean email address, see the email linked to an ip address on | some database from a leaky website you applied for a job on, | the ip address is linked to a service where you used a | certain password which you used on 6 other services, one of | which had a database leak of your system fonts, now you can | see all the accounts to services to which your system fonts | were identically matched. Oh look, you were 13 years old when | you joined stack overflow on an abandoned account and you | posted some humorous, incorrect solutions that were down- | voted to oblivion. But that's ok, they invite you to the job | interview and they make a funny remark about your stack | overflow answers and then offer you a job. Do you want to | work there now that you know they completely invaded your | privacy ? | | And yes, performing such searches is trivial. | encryptluks2 wrote: | [dead] | oefrha wrote: | Well, I'd say this is largely privacy theater for hobbyists. | Like a lot of other hobbies, unreasonable suffering is often | part of the fun and creates a sense of belonging. What sets | you apart if you're just browsing like every other mortal? | | Edit: As mentioned elsewhere in the thread, there are still | plenty of identifying bits. 
| weberer wrote: | Then standard Firefox with "Enhanced Tracking Protection" set | to "Strict" would probably be enough for you. | detrites wrote: | Well, some of us don't want to be tracked, don't want to be | tracked and don't want to be tracked. | | Given your stated preferences, are you actually looking for a | privacy-focused browser? | ramraj07 wrote: | Some people just want everything, no compromises. | overthrow wrote: | That's not very charitable. | | Some people just want to pick a different point on the | tradeoff between convenience and privacy. | | Imagine User A uses Fastmail every day, logging in | manually every morning. User B uses Fastmail every day, | with a saved login cookie. How is User B's privacy any | worse? What would User B gain from not having that | choice? | teawrecks wrote: | It's not a matter of user choice, it's a matter of | maintenance and product integrity. | | User B's privacy is objectively lessened by allowing | tracking cookies, but that is their choice. What is out | of the user's control is what mullvad chooses to spend | their time supporting. | | If mullvad allows users to turn off a privacy feature, | now that's a permutation they have to test for. It's also | an attack vector they've enabled, either through user | carelessness or social engineering. Mullvad wants to be | able to say "here's a browser, it's 100% private" and not | have to say "as long as you do X, and don't do Y, | and...". Every other browser already does that. | ta1243 wrote: | If someone is logging into fastmail every day how does | preventing this from being remembered help? | hitekker wrote: | The GP said "some people" not everyone. Some people want | all the convenience and the illusion of privacy; the | benefits minus the cost. It's human nature to want | something without paying for it, just as it is human | nature to pretend that desire doesn't exist | _puk wrote: | But isn't this what Firefox containers achieve? 
| | My understanding is that cookies etc aren't shared | between containers, so I can stay logged in, and not be | tracked across websites. | | If it's achievable, why compromise? | hiccuphippo wrote: | What I'd like is a Mullvad container in regular Firefox | so I can choose what sites to open in it, or rather make | it the default and move a site to another container if I | want permanent cookies. I use temporary containers now | but the extra fingerprinting features appeal to me. | SadTrombone wrote: | You could look into Mozilla's VPN offering, it does what | you want and is powered by Mullvad. | lxgr wrote: | It's a neat feature, but beware: Per-container VPN | reveals your real IP if you're also using uBlock in the | default configuration at the moment due to a limitation | in Firefox: https://github.com/gorhill/uBlock/wiki/Dashbo | ard:-Settings#u... | noahmasur wrote: | Your browser can still be fingerprinted without cookies. | The site just needs enough unique information (user | agent, timezone, screen size, IP, operating system, | country, etc.) to form a trackable identity. | jwestbury wrote: | > IP | | This is a surprisingly effective one when combined with | other users of your network. A couple of years ago, I | started getting Facebook ads for things I'd never looked | at, but that I knew my wife had looked at. We don't share | any devices, and she doesn't even have a Facebook | account. | | It's pretty troubling how invasive shadow profiles are. | wkat4242 wrote: | It should be possible to make exceptions for sites you | trust IMO. | heartbreak wrote: | It is. You open those sites in Firefox. | lxgr wrote: | What if I don't want the memory and disk storage overhead | of running two browsers? | | Being able to easily reopen a tab in a different | "identity" is also a pretty neat feature. | BLKNSLVR wrote: | You can have more than one browser installed. I have some | specific use cases between Brave and Firefox. | | Choose the right tool for the job. 
| deltree7 wrote: | Most of us are self-aware that I'm not that important to be | specifically targeted. | | At the end of the day, where there is attention, there will | be ads. All you are fighting for should they show you | relevant ads or irrelevant ads. | | People who live a privileged life and have nothing else | important going on in their life choose this hill to die | on. | beardog wrote: | > Most of us are self-aware that I'm not that important | to be specifically targeted. | | Of course, not in the sense that the FBI, Wagner Group, | or the boogeyman are going after you today (but you never | know what the future holds) - however data brokers and | large companies have a financial incentive right now to | know as much about everyone as possible and the | information they collect is increasingly being used to | decide your insurance rates, give you employment, etc. | | >People who live a privileged life and have nothing else | important going on in their life choose this hill to die | on. | | I mostly agree, however privacy issues impact the less | privileged more, for example women seeking abortions in | unfriendly states, teenagers learning about queer issues | in a toxic community/family, people fleeing abusive | relationships (the effort some stalkers do is truly | insanity), minority groups (e.g. undocumented | immigrants). Sure these groups can't dedicate lots of | mental energy to privacy but plug and play browsers like | this one make it easier and even if you are highly | privileged protecting your privacy makes it more | acceptable for others to do so too. | chaxor wrote: | You're clearly not thinking enough about this. It's not | just about ads. For just one example, think about the | data acquired regarding fertility and abortion, and how | it can be used with respect to some law alterations. | There are many other examples for present and potential | futures, so no this isn't just about ads.
| detrites wrote: | There are 200 countries on this earth, and not all of | them have the luxury of an uncorrupt, actually-democratic | set of genuine public servants who wish only to create | utmost benefit for the largest number of people. | | If you have that, you're a minority. And if you believe | you have that, but actually you don't, you'll find out | only after it's too late to save it. It's prudent instead | to assume and act like you don't have it in either case. | | Indeed, some of the greatest democracies have been set up | precisely to that end. | | For many, online privacy isn't at all about advertising. | It's about working to a common good of rights and freedom | for all. | | Rest on your laurels all you like, but don't deride | others who refuse to. It is only through the efforts of | such people, and in the past those like them, that any of | us have the ability to take any such rest at all. | mongol wrote: | I like the Duck Duck Go browser. It has a "burn" buttton that | destroys all cookies except those you opt in to keep. | FollowingTheDao wrote: | Convenience is the wedge that separates you from your | privacy. | illiarian wrote: | So it's Tor Browser, but for clearnet | npteljes wrote: | Yes, and I like it that they explicitly say so on the page. | This kind of transparency and down to earth marketing | inspires confidence. | illiarian wrote: | Ah, completely missed it on the page. So I'm just re- | iterating :) | [deleted] | sundarurfriend wrote: | > > Why is the time is wrong? | | > > The timezone is spoofed, to combat fingerprinting. | | The annoying thing about this (assuming it's the same as in | Firefox) is that the times displayed in your own local History | page are also "wrong" i.e. shown in UTC. | shp0ngle wrote: | What is more satisfying than needing to enter OTP every time I | go to check email. | | I already do this for work (for security theatre) so I will | skip this | bmacho wrote: | Why not just disable javascript? 
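The FAQ measures quoted above (spoofed timezone, letterboxing) and the point that a site "just needs enough unique information" can be made concrete by counting anonymity sets. This is an added example, not part of any comment and not Mullvad's or Tor's code; the visitor records are constructed, and rounding the window to multiples of 100 px is an assumed, simplified model of letterboxing.

```python
"""Anonymity sets before and after normalizing two fingerprint attributes."""
from collections import Counter
import math

# Constructed sample visitors (not real data):
# (user agent family, timezone, window width, window height)
VISITORS = [
    ("Firefox/102; Linux",   "Europe/Stockholm", 1387, 842),
    ("Firefox/102; Linux",   "Europe/London",    1366, 768),
    ("Firefox/102; Linux",   "America/New_York", 1920, 1080),
    ("Firefox/102; Windows", "Europe/Stockholm", 1350, 790),
    ("Firefox/102; Windows", "America/Chicago",  1399, 799),
    ("Firefox/102; Windows", "Asia/Tokyo",       1301, 700),
    ("Firefox/102; macOS",   "Europe/Berlin",    1440, 900),
    ("Firefox/102; Linux",   "Asia/Kolkata",     1302, 815),
]


def letterbox(width, height, step=100):
    """Round the reported content size down to a multiple of `step` pixels.

    The 100 px step is an assumption for illustration, not a value
    taken from the thread.
    """
    return (width // step) * step, (height // step) * step


def normalize(visitor):
    """Apply the two measures the FAQ names: one timezone for everyone and a
    letterboxed window size. The user agent is deliberately left untouched."""
    user_agent, _timezone, width, height = visitor
    return (user_agent, "UTC") + letterbox(width, height)


def anonymity_sets(fingerprints):
    """Map each distinct fingerprint to the number of visitors sharing it."""
    return Counter(fingerprints)


def unique_fraction(fingerprints):
    """Fraction of visitors whose fingerprint nobody else shares."""
    sets = anonymity_sets(fingerprints)
    return sum(1 for fp in fingerprints if sets[fp] == 1) / len(fingerprints)


def surprisal_bits(fingerprint, fingerprints):
    """Bits of identifying information a fingerprint carries in this population."""
    sets = anonymity_sets(fingerprints)
    return -math.log2(sets[fingerprint] / len(fingerprints))


def still_unique(fingerprints):
    """Fingerprints that remain in an anonymity set of one."""
    sets = anonymity_sets(fingerprints)
    return sorted(fp for fp, count in sets.items() if count == 1)


if __name__ == "__main__":
    normalized = [normalize(v) for v in VISITORS]
    print("unique before:", unique_fraction(VISITORS))
    print("unique after: ", unique_fraction(normalized))
    for fp in still_unique(normalized):
        # These visitors stand out through attributes that were not normalized
        # (user agent) or through an uncommon rounded window size.
        print("still unique:", fp, f"{surprisal_bits(fp, normalized):.2f} bits")
```

In this constructed population every visitor is unique before normalization and three of eight remain unique afterwards, which is why the defence depends on many users sharing the same configuration.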
| [deleted] | minipark wrote: | Checking with https://www.amiunique.org/ resulted in a unique | fingerprint for me. The "Canvas" and "Media devices" attributes | are unique on their own. I had not expected this. | notRobot wrote: | Try restarting your browser and see if the fingerprint changes. | If it does, that means you can't be tracked across sites using | this mechanism. | nbzso wrote: | No computer in my office is running without Mullvad VPN. No mac | without Little Snitch. | mcsniff wrote: | Here's to hoping they maintain this for a while. There are a lot | of "hardened Firefox" forks around, none of them that I would | trust to follow upstream for a long enough time to switch. | | I already trust Mullvad enough to use as VPN, and am likely | willing to extend that trust to a fork of Firefox they manage, | but truthfully, I always concerned when achieving goals means new | ventures and projects as it may mean resources are moving to | other areas and may impact their code product. I like my core | providers to do one thing and do it well. | | Edit: I hope they bring this to Android also! | handedness wrote: | > Edit: I hope they bring this to Android also! | | "Avoid Gecko-based browsers like Firefox as they're currently | much more vulnerable to exploitation and inherently add a huge | amount of attack surface. Gecko doesn't have a WebView | implementation (GeckoView is not a WebView implementation), so | it has to be used alongside the Chromium-based WebView rather | than instead of Chromium, which means having the remote attack | surface of two separate browser engines instead of only one. | Firefox / Gecko also bypass or cripple a fair bit of the | upstream and GrapheneOS hardening work for apps. Worst of all, | Firefox does not have internal sandboxing on Android. 
This is | despite the fact that Chromium semantic sandbox layer on | Android is implemented via the OS isolatedProcess feature, | which is a very easy to use boolean property for app service | processes to provide strong isolation with only the ability to | communicate with the app running them via the standard service | API. Even in the desktop version, Firefox's sandbox is still | substantially weaker (especially on Linux) and lacks full | support for isolating sites from each other rather than only | containing content as a whole. The sandbox has been gradually | improving on the desktop but it isn't happening for their | Android browser yet." | | Source: https://grapheneos.org/usage#web-browsing | sacrosanct wrote: | > There are a lot of "hardened Firefox" forks around | | Sticking with LibreWolf for now, which has updates disabled in | the policies section, but I frequently ping their Gitlab for | new releases. It's annoying having to do that, but if it means | I get security patches in time, I do it. | SubzeroCarnage wrote: | re Android & fork maintenance I track this here for Firefox: | https://divestos.org/misc/ffa-dates.txt | | and for Chromium: https://divestos.org/misc/ch-dates.txt | brucethemoose2 wrote: | Firefox runs like cold molasses on Android, unfortunately. | | Bromite seems like it's sticking around, fortunately. | SubzeroCarnage wrote: | Bromite has not been updated since December 12th 2022 per my | history here: https://divestos.org/misc/ch-dates.txt | brucethemoose2 wrote: | Oh dear, you are right. Last commit was in January. | | Thorium was comatose for a while but came back, so I am | keeping my fingers crossed.
| SubzeroCarnage wrote: | If you really want Chromium based consider switching to | Brave and following my steps here: | https://divestos.org/pages/browsers#tuningBrave | brucethemoose2 wrote: | Oh actually I was mistaken, looks like dev builds are still | up here: | https://github.com/uazo/bromite-buildtools/releases/ | | I do not like Brave's business model (replacing web ads | with their own, even setting the crypto thing aside), but I | will check out your link if Bromite fizzles out. | handedness wrote: | > Bromite seems like it's sticking around, fortunately. | | Only barely, unfortunately. | | I've since moved to Vanadium for anything untrusted and/or | critical. It's still missing some features I'll enjoy seeing | added, but it's improved considerably lately. | raindear wrote: | It's not available for smartphones. | shp0ngle wrote: | Isn't Tor using always out-of-date Firefox, for minimizing | tracking on versions? Wouldn't this affect the security angle? | abbe98 wrote: | It is based on Firefox ESR (Extended Support Release) which gets | security fixes backported. | markrankin wrote: | They don't have an iOS app like Firefox Focus. Are they working | on an iOS app? | jxi wrote: | [dead] | the_duke wrote: | I use a custom Firefox config that tweaks and disables lots of | features, based on this template: | https://github.com/arkenfox/user.js . | | Fun fact: this makes you extremely easy to identify, because it | gives your browser a very unique fingerprint. If JS is enabled, | that is, which you can disable by default, but JS is simply a | requirement for many websites to function. | | I wonder how they approached this problem for the Mullvad | Browser. | uconnectlol wrote: | a derivative of tor and mullvad, when tor browser is already | second rate software (tor itself seems fine) and mullvad can't | possibly be good since it's part of the "vpn as privacy | mechanism" fad. pass | | there's no fixing web browsers.
___________________________________________________________________ (page generated 2023-04-03 23:00 UTC)