[HN Gopher] The Mullvad Browser
___________________________________________________________________
The Mullvad Browser
Author : Foxboron
Score : 957 points
Date : 2023-04-03 10:11 UTC (12 hours ago)
(HTM) web link (mullvad.net)
(TXT) w3m dump (mullvad.net)
| ddtaylor wrote:
| I like Mullvad but it can actually be challenging to purchase a
| subscription in the US. Most prepaid cards block the purchase.
| Sure, you can use it with a fully tracked card etc. but that's
| not really the target audience.
| dtx1 wrote:
| buy prepaid cards on amazon
| ramraj07 wrote:
| Isn't this like the one legitimate use for Monero?
| s777 wrote:
| It is, although then the next problem is getting Monero in
| the US with their clutterfuck of cryptocurrency regulations,
| so you have to find an exchange that works with Monero and
| actually works in the US, then give them your identity and
| bank account information and hope they don't think you're
| suspicious and block you.
| hairofadog wrote:
| They also accept cash.
| ilikehurdles wrote:
| Mozilla sells a $5/mo VPN service which is a user-friendly
| reskinned Mullvad.
| drexlspivey wrote:
| They accept bitcoin and even offer a discount
| ementally wrote:
| If a lot of non-Mullvad users use it, it will create a nice pool
| of people with at least the same browser fingerprint.
|
| Basically, it seems like a good choice if you are already a
| Mullvad user and your threat model does not require the use of a
| Tor browser. However, if there's a significant non-Mullvad user
| base using it, it won't do much, as you'll just stand out as the
| only person using the Mullvad browser without Mullvad VPN.
| AccountAccount1 wrote:
| The browser fingerprint is so crazy... I don't understand how
| they don't regulate this shit.
| anigbrowl wrote:
| The people you are looking to to regulate it are the same
| people who would exploit it.
|
| I also think this approach of expecting the general public to
| adopt a borked browser to give deniability to people using it
| strategically is extremely naive. Human psychology just
| doesn't work like that, you might as well ask schools of fish
| to swim differently to hinder shark learning. To be frank,
| this seems like it will just create confusion vs telling
| people to use Tor browser.
|
| The way to improve privacy is to provide a tool that actively
| enhances something incredibly well, and does everything else
| at least as well. If all browsers are hopelessly compromised,
| make something that isn't based on HTML and builds cool user
| interfaces directly from API calls like a videogame UI, for
| example.
| astrostl wrote:
| Do I correctly understand that it does not have a mechanism by
| which to connect to Mullvad, much less mandate it? The only thing
| I see is the ability to manually detect externally-initiated VPN
| status. This seems like a key and significant departure from Tor
| Browser to me in terms of protection.
| notRobot wrote:
| > Do I correctly understand that it does not have a mechanism
| by which to connect to Mullvad, much less mandate it?
|
| No. It comes with their extension, which connects to the VPN via
| socks5.
| [deleted]
| [deleted]
| astrostl wrote:
| An extension that has no user prompting or even status
| indicator, and that will permit the user to browse the web
| without a VPN connection or warning by default.
|
| It appears that the process is to 1) open Mullvad Browser 2)
| (externally) open Mullvad VPN and connect to it 3) click on
| the Mullvad Browser Extension icon and connect it to the
| Mullvad proxy. Only after this will the proxy be used and the
| connection secured.
|
| Contrast this with Tor Browser's process of 1) open Tor
| Browser. It will only work after it automatically connects to
| Tor and secures the connection. Do you see the significant
| difference?
| brewdad wrote:
| Mullvad wants this browser to be usable even by people who
| don't use their VPN. Tor Browser is never intended to be
| used outside the Tor network.
| 1101010010 wrote:
| Another useless skinjob of Firefox for folks too conditioned and
| paranoid to use Tor Browser or know how to edit about:config
| themselves, by a company selling literal snakeoil ("trustworthy
| VPN").
| pnt12 wrote:
| Unlike other VPNs, Mullvad states what they protect against and
| what they don't. This browser seems to bridge the gap about
| what they previously couldn't.
|
| Considering there's no vendor lock-in and the browser is open
| source, I think your criticism is completely unwarranted.
| 1101010010 wrote:
| > Mullvad states what they protect against and what they
| don't.
|
| Where? Certainly not on https://mullvad.net/en/why-mullvad-vpn/
| which is filled with virtue signalling nonsense.
|
| > we encourage anonymous payments with cryptocurrency
|
| Implying crypto (based on a literal public and immutable
| ledger of transactions) is anonymous.
|
| > we don't log your activity
|
| No way to validate this claim, but easy to make it.
|
| > The laws relevant to us as a VPN provider based in Sweden
|
| Sweden is part of 14 Eyes and almost all of the privacy
| legislature (like GDPR) doesn't apply to foreigners.
|
| Plus they appear to use OpenVPN which is a dumpster fire
| of vulnerabilities.
|
| Oh, and I love this normalization of ignoring security
| warnings:
|
| > I get warnings when installing your software!
|
| > That's OK. Allow the software to install.
| dijit wrote:
| Seems like it's hug of death'd.
|
| https://web.archive.org/web/20230403101515/https://mullvad.n...
| politelemon wrote:
| Working fine here in UK.
| archb wrote:
| Is okay to me as well in California, USA.
| ShaurAsar wrote:
| Simple and straightforward language makes it easy for users to
| understand the features and functionality of the extension.
| Screenshots of the extension in action, which helps users get a
| better idea of what to expect when using it.
|
| Overall, the Mullvad browser extension is an excellent resource
| for anyone interested in enhancing their online privacy and
| security. The page is well-designed, informative, and easy to
| use, which makes it an ideal choice for users looking for a
| reliable and effective VPN browser extension.
| beaker52 wrote:
| I wonder how many VPN providers are going to turn out to be
| honeypots in the long run. Every time they make it easier, I get
| more suspicious about the privacy really being provided. Perhaps
| I'm just really distrustful and cynical.
| wintermutestwin wrote:
| Any discussion of VPN and Privacy needs to be explicit re:
| threat model.
|
| My threat model is:
|
| ISP that has corrupted my govt to allow them to steal my data.
| Hide my IP from scummy sites.
|
| My threat model is not:
|
| Keep various TLAs from knowing everything I do online. (because
| good luck with that)
| hotpathdev wrote:
| Bingo.
| dymk wrote:
| Mullvad has been around for quite a long time, and regularly
| releases third-party security audits. Is there anything they've
| done that comes off as a red flag to you?
|
| > Perhaps I'm just really distrustful and cynical.
|
| That's fine, but you should have a good reason for it
| hotpathdev wrote:
| Long-term services are great targets for governments.
|
| If you were looking for some trust in a VPN, you would
| want them to offer locations in privacy friendly countries,
| and highlighting them as such. That would potentially funnel
| more users to those servers which would be beneficial. You
| would also want the VPN to ensure the servers in those
| countries are run by companies based in that country, and not
| be head-quartered in some other country.
| lazyeye wrote:
| None of these things prevent tracking. In fact they are
| an attractive intelligence asset precisely because people
| believe they are more secure.
|
| Crypto AG
|
| https://en.m.wikipedia.org/wiki/Crypto_AG
| hotpathdev wrote:
| I didn't say it prevents tracking, I was offering a
| litmus test for a VPN to the question of red flags. If it
| doesn't pass the litmus test, preventing tracking is the
| least of your concerns.
| sph wrote:
| Of course, which is why you shouldn't depend on a single VPN
| (or just VPNs in general) if you have stuff to hide.
|
| Opsec is an art, and there are no turnkey solutions to ultimate
| privacy and security. You gotta put in the effort yourself.
|
| It's just a matter of reducing your surface area: I know for
| certain my government tracks my unencrypted DNS requests, and I
| have a static IP, so I'd rather turn Mullvad on if I'm feeling
| like opening an adult site. They might log my DNS, but it's a
| little harder for them to correlate my requests than if I were
| to use my home network. Not impossible, but since I am not at
| odds with the law, GCHQ is probably not spending billions
| tracking my every movement across networks.
|
| If you need to send nuclear bomb plans to an enemy government,
| I hope you have a better plan than trusting the promises of any
| VPN network.
| lurtbancaster wrote:
| > "Works on Windows 10 or later "
|
| Why?
|
| Firefox hasn't dropped support for Windows 7/8 yet.
|
| If you are somebody using Windows 7/8 etc and want Tor Browser
| but without Tor, then add the following to your `user.js`
|
|     user_pref("network.proxy.socks_remote_dns", false);
|     user_pref("extensions.torlauncher.start_tor", false);
|     user_pref("network.dns.disabled", false);
|     user_pref("browser.aboutConfig.showWarning", false);
|     user_pref("network.proxy.socks", " ");
|
| That should give you all the anti-fingerprinting measures of Tor
| Browser but without Tor.
| brewdad wrote:
| If a user cares about privacy and security why would they be
| using an outdated, unsupported OS? That would be like double
| dead bolting the front door but leaving the window next to it
| wide open.
| lurtbancaster wrote:
| My point is that if it's just Tor Browser without Tor, then
| there's functionally no reason to have that build be
| incompatible with Windows 7.
|
| Unless they deliberately coded it in like
|
|     if OS=Win7/Win8 ; then Crash ; else Run
|
| Which would be a dick move, especially because Firefox, on
| which Tor Browser and Mullvad Browser are based, still
| supports Windows 7.
|
| ---------
|
| Now to your point.
|
| It is _absolutely_ possible to run Windows 7 reasonably
| securely.
|
| Well..., depends on your usecase.
|
| But the way in which I keep it secure might be a little
| cumbersome to some.
|
| My router runs PFSense with Suricata, and I encrypt my DNS
| traffic.
|
| I run a combination of Peerblock(while no longer maintained,
| it works splendidly in whitelist mode)[1], and Simplewall
| Firewall[2].
|
| I run a combination of uMatrix(which again, while no longer
| maintained, it works great in whitelist mode)[3], and
| NoScript[4] on my Firefox web browser which I run inside
| Sandboxie[5].
|
| There are also various services that are insecure and must be
| turned off - UPnP, Print Spooler, RDP etc.
|
| I run mostly FOSS software. The few proprietary closed source
| software(Games, Sublime Text) that I do run, I run them in
| SandBoxie or QEMU.
|
| Here are my reasons for not upgrading:
|
| I've modified my `UXTheme.dll` to _significantly_ change my
| "Desktop Environment" to suit my workflow, and I've heard
| from people I know to be credible, that later Windows
| versions(8 onwards) break system UI modifications when they
| update, and they don't work quite as well afterward. My
| modified Win7 UI is way too important to my workflow.
|
| Python have stopped releasing binaries for Win7 after
| 3.8.10[6] but I'm okay with it. If I do need the newer Python
| versions for something, I'll just use my Linux Desktop or run
| Linux in a virtual machine for a Python quickie.
|
| Windows 7 is _extremely_ stable. While not as stable as
| Linux, I often have uptimes of over 350 days, before a BSOD,
| by which point I can foresee a crash coming and reboot.
|
| To lean into your metaphor, Microsoft is now shipping
| operating systems with "open windows" everywhere(way more
| open windows than my "insecure" Windows 7 has), and we, as
| users, are having to rebuild the ISOs they release, to make
| them more "privacy friendly"(yes I'm aware of the difference
| between privacy and security but they're really
| interchangeable here), and even then, we're having to use 3rd
| party "de-bloaters" and Batch/Powershell scripts off of
| Github, just so the majority of those proverbial windows are
| closed back up again. This really shouldn't have to be the
| case, but it is. Microsoft have decided that they would
| rather their bread be buttered by advertisers than by the
| actual users of their software.
|
| With Windows 7, I know there's an open window that I can't
| shut, but I have an electrified fence surrounding my
| compound, with security cameras and loaded turrets pointed
| towards that open window and other open windows in my house.
| I know where Windows 7's security limitations are, and I can
| mitigate against that, elsewhere. But I will admit, I don't
| go around recommending laypeople to use Windows 7 though, as
| the barrier to securing it is high. Even after securing it,
| the user has to be careful.
|
| In my humble opinion, Windows 7 was the last true Microsoft
| Operating System. It simply does what is asked of it, and
| moves out of the way. All Microsoft need have done was
| support Powershell, DirectX, give Win7 a "security updates as
| a service" business model(which I would've gladly paid for),
| and make WSL for it(Cygwin is excellent but WSL would be
| nicer). I know there is 0Patch, a 3rd party company who sell
| security updates for Windows 7, but I would've appreciated
| official Microsoft security updates. I would switch to Linux,
| if there was a robust equivalent to Autohotkey on Linux, and
| the games I want to run, worked on it.
|
| So yeah, I still run Windows 7. I can't see myself ever
| upgrading to another Microsoft OS, ever again. And I am, and
| I cannot emphasize this enough, _exceedingly_ happy with it.
|
| [1] https://www.peerblock.com/
|
| [2] https://github.com/henrypp/simplewall
|
| [3] https://github.com/gorhill/uMatrix
|
| [4] https://noscript.net
|
| [5] https://github.com/sandboxie-plus/Sandboxie
| vrglvrglvrgl wrote:
| [dead]
| Fervicus wrote:
| I am a happy LibreWolf [0] user. Wonder how they compare.
|
| [0] https://librewolf.net/
| mdasen wrote:
| Looking at their FAQ, Mullvad Browser makes some different
| connections than LibreWolf
| (https://mullvad.net/en/help/tag/mullvad-browser/#93,
| https://librewolf.net/docs/faq/#does-librewolf-make-any-outg...).
| The big difference seems to be the Mullvad connection
| since LibreWolf does make connections for Mozilla's
| protection/certificate stuff and for uBlock Origin.
|
| It looks like they might use Mullvad's DNS Over HTTPS by
| default in the Mullvad browser and this would probably be the
| biggest privacy thing, but whatever your default DNS is might
| be a larger privacy thing. Your ISP or Google's 8.8.8.8
| traveling unencrypted is probably a bigger issue.
|
| It looks like Mullvad is also based off the Firefox ESR
| (extended support release) version that the Tor Browser uses
| while LibreWolf would be more up-to-date:
| https://news.ycombinator.com/item?id=35421718
| nigamanth wrote:
| Why do you think the Tor project team is releasing it together?
| Isn't Tor private enough? Or do they want higher privacy without
| onion browsing?
| rootsudo wrote:
| It wouldn't be higher privacy per se, it's just a fork of the
| firefox browser that perhaps could carry on TOR in case it ever
| shuts down or such.
| doodlesdev wrote:
| https://archive.ph/NTerI
| unsupp0rted wrote:
| I'd love to get this on mobile. How does it compare to DDG's
| browser?
| akomtu wrote:
| Good stuff. They should make a mobile version with extensions:
| mobile firefox is surprisingly hostile to extensions beyond a
| small whitelisted set.
| ugurnot wrote:
| I hope there will be a mobile version too at some point.
| archb wrote:
| I'd especially be interested in seeing how they implement on
| iOS, with Apple considering opening up options beyond WebKit:
|
| https://hn.algolia.com/?dateRange=pastYear&page=0&prefix=fal...
| esskay wrote:
| Both Chrome and Firefox are working on native iOS versions in
| preparation for the expected opening up of iOS this year so
| would imagine they can just fork that and release their
| version.
| UncleSlacky wrote:
| I'm not sure if it's the same org behind it, but there is a
| Mull browser available on F-Droid:
|
| https://f-droid.org/en/packages/us.spotco.fennec_dos/
| doodlesdev wrote:
| It's not. Mull browser is a Fennec fork [0] maintained by
| DivestOS [1] (Android ROM).
|
| [0]: https://gitlab.com/divested-mobile/mull-fenix
|
| [1]: https://gitlab.com/divested-mobile
| hotpathdev wrote:
| The last time I tried the Tor browser, it did not sufficiently
| handle browser finger prints. I don't have high expectations out
| of this project either, but at least they offer a firefox
| extension. I'd have to dig into it to determine how effective it
| is, but as it stands there are other firefox extensions that
| already do an excellent job.
| Eisenstein wrote:
| > The last time I tried the Tor browser, it did not
| sufficiently handle browser finger prints.
|
| Can you expound on this?
| hotpathdev wrote:
| Simply download the Tor browser and evaluate its performance
| on one of the many browser fingerprint [1][2] and browser
| leak [3][4] web services. The last time I checked, it didn't
| pass every test.
|
| [1] https://www.amiunique.org/fp
|
| [2] https://coveryourtracks.eff.org/
|
| [3] https://browserleaks.com/
|
| [4] https://www.dnsleaktest.com/
| fiso64 wrote:
| Indeed, my fingerprint in https://www.amiunique.org/fp
| appears to be unique when using the Mullvad browser.
| nikcub wrote:
| I just diffed the fingerprint[0] of 6 Mullvad browser
| sessions across 2 different devices and it was a unique
| fingerprint in every case[1]
|
| It mixes a lot - fonts returned, media devices, the
| canvas ID - it's pretty good and similar to what you
| expect from the improvements out of Tor Browser
|
| [0] using amiunique and fingerprint.js (now
| fingerprint.com) - which most of the nefarious ad
| networks use
|
| [1] note that just as with Tor, you have to quit the
| browser or click the 'new identity' menu button. just
| closing a tab/window and re-opening is not enough. I've
| always believed that there could be a UI hint to this in
| private browsers with a unique color/background in the
| menubar as an indicator
| hotpathdev wrote:
| Check all the browser leak tests too, they are important
| and different tests.
| greenicon wrote:
| This is not necessarily the fault of the browser alone.
| I'm also unique on a Safari on an up-to-date iOS, which
| in itself is not very unique.
| pncnmnp wrote:
| Same for me, I am using a VPN provider.
|
| Even after installing Privacy Badger, my fingerprint
| remained unique and unchanged, with 17.65 bits of
| identifying information.
|
| For comparison, after I disabled JavaScript, blocked
| remote fonts, disabled cosmetic filtering, and blocked
| large media elements using uBlock Origin, my fingerprint
| was no longer unique, and it dropped down to 9.55 bits of
| identifying information. Obviously, I don't recommend
| people do this, but it was fun to check it out.
| cyber_kinetist wrote:
| Maybe Mullvad uses some techniques to randomize the
| unique fingerprint over time in order to not get tracked?
| So you're basically identifiable for only a certain
| period of time until the tracked identity becomes
| invalidated.
| bauruine wrote:
| I've tested the site with the Tor Browser and it told me
| "Yes! You are unique". I've downloaded my fingerprint,
| closed the Tor Browser and did it again and again it was
| unique. So they couldn't link the two sessions together
| which is good. A jsondiff of the downloaded files only
| showed "canvas" as different which I guess gets generated
| randomly on every visit?
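Added example, not part of the thread: a small diff of two fingerprint exports, as bauruine describes doing with jsondiff, plus a helper that turns the "bits of identifying information" figures pncnmnp quotes into a "one in N" ratio. The two session objects are constructed and their attribute names are hypothetical stand-ins for what a fingerprint test site exports; the user-agent string is the one quoted elsewhere in this thread.

```javascript
// Added illustration. SESSION_A and SESSION_B are constructed sample data,
// not real exports from any fingerprinting site.

// Recursively collect the dotted paths whose values differ between a and b.
function diffPaths(a, b, prefix = "") {
  const isObj = (v) => v !== null && typeof v === "object";
  if (!isObj(a) || !isObj(b)) {
    return Object.is(a, b) ? [] : [prefix || "(root)"];
  }
  if (Array.isArray(a) !== Array.isArray(b)) return [prefix || "(root)"];
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  const out = [];
  for (const k of [...keys].sort()) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (!(k in a) || !(k in b)) out.push(path); // attribute only in one export
    else out.push(...diffPaths(a[k], b[k], path));
  }
  return out;
}

// Split top-level attributes into those that changed between two sessions
// and those that stayed identical. Stable attributes only help a tracker if
// they are rare; in a uniform browser they are shared by every user.
function sessionReport(a, b) {
  const changed = diffPaths(a, b);
  const changedTop = new Set(changed.map((p) => p.split(".")[0]));
  const stable = Object.keys(a).filter((k) => !changedTop.has(k)).sort();
  return { changed, stable };
}

// Convert "bits of identifying information" into "one in N browsers".
function oneIn(bits) {
  return Math.pow(2, bits);
}

const SESSION_A = {
  userAgent:
    "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0",
  timezone: "UTC",
  screen: { width: 1400, height: 900, colorDepth: 24 },
  fonts: ["Arial", "Courier New", "Times New Roman"],
  canvas: "constructed-canvas-hash-a",
};

// Same browser after a restart: only the canvas readout differs.
const SESSION_B = { ...SESSION_A, canvas: "constructed-canvas-hash-b" };

// A browser without a fixed reported size also leaks its window geometry.
const SESSION_C = {
  ...SESSION_B,
  screen: { width: 1387, height: 900, colorDepth: 24 },
};

console.log(sessionReport(SESSION_A, SESSION_B));
console.log(sessionReport(SESSION_A, SESSION_C));
console.log(Math.round(oneIn(17.65)), Math.round(oneIn(9.55)));
```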
| udev4096 wrote:
| Testing on a bunch of sites does nothing at all.
| Fingerprinting is a lot more than just that
| hotpathdev wrote:
| Browser fingerprinting is exactly that. And the browser
| leaks are an even more concerning issue that must be
| confirmed. Websites want to know who you are or at least
| that you're not a bot. As a pro-privacy user, you don't
| want websites to know either of those things. That's low-
| hanging fruit that a few simple browser tweaks can help
| with.
| Eisenstein wrote:
| Isn't passing every test going to make the browser uniquely
| unique? My impression is that they want it to be
| 'fingerprinted' but look like 1,000,000 other Tor browsers
| so they can't be told apart.
| hotpathdev wrote:
| Yes either you want everyone to look the same, or you
| want every page request to be totally random.
| SubzeroCarnage wrote:
| Tor Browser currently has _the best_ mechanisms to protect
| against fingerprinting.
|
| Most tests are biased to certain methods or do not have a large
| enough dataset or are only viewed in isolation.
| fefe23 wrote:
| Why should I put any faith in this VPN company if I don't even
| trust my own ISP?
| jonfw wrote:
| Mullvad's entire business is based around privacy, so they have
| a strong incentive to not collect your data. Your ISP does not
| have that incentive
| altairprime wrote:
| If the third party security audits aren't convincing, then you
| shouldn't. That's your choice to make.
| simon1573 wrote:
| In Sweden (where Mullvad has its origin) ISPs are forced to
| keep data on its users, see Datalagringsdirektivet. It does not
| apply to VPN providers.
| mugr wrote:
| Please add support for ARM.
| pphysch wrote:
| Pros:
|
| - Makes it hard for advertisers to target you with ads
|
| Cons:
|
| - Funded by the State Department via Tor Project
| throwaway2056 wrote:
| Finally something that beats...
|
| https://fingerprint.com/demo/
| jerrinot wrote:
| Vanilla Firefox beats it too if you set
| `privacy.resistFingerprinting` to `true`.
|
| I assume Mullvad Browser has this on by default.
| AtNightWeCode wrote:
| Why not. I have a crazy idea. How about building an edge service
| that renders pages on the edge on identical HW and SW and then
| just stream it to end users. Could be built with Cloudflare
| workers and Puppeteer for instance. People are already doing
| crazy things in automatic tests so I don't think there is a need
| to shy away because of the need for client side scripts. Or just
| run a Chromium instance.
| AccountAccount1 wrote:
| There's already some work to that direction with cloudflare
| workers... but I really differs on why people would look for
| that; in a bit more convoluted case, for example, it would be
| destined for browsing nested pages of instagram, facebook,
| reddit, and so on... so it's a bit difficult to do that, especially
| with things that require auth...
|
| much more a coordination problem than an engineering one
| AtNightWeCode wrote:
| My example is simple. This is for tracking and
| fingerprinting. At the same time. This all may soon fall into
| the mobile tracking problem. Like in my country. By having a
| mobile turned off is in itself a tracking point.
| lysecret wrote:
| Hmm I am sure this is well intentioned, but I am a bit scared
| this will just further chip away on Firefox's market share which
| doesn't look good to begin with.
| mulle_nat wrote:
| Mullvad also states that it disabled the Firefox password storage
| feature, because it's supposedly insecure. But the articles
| supporting this view (I read) seem to be written by third-party
| password storage friends. Their arguments are weak (like "some
| managers used to do bla bla, which was insecure") and don't apply
| to Firefox. Is there a strong argument specifically against
| Firefox passwords and password sync ?
| Player6225 wrote:
| "The Mullvad Browser is a privacy-focused web browser developed
| in a collaboration between Mullvad VPN and the Tor Project. It's
| designed to minimize tracking and fingerprinting. You could say
| it's a Tor Browser to use without the Tor Network."
|
| https://github.com/mullvad/mullvad-browser
|
| So basically like... hardened Firefox?
| Player6225 wrote:
| Hmm looking at the settings I saw a search engine I didn't
| recognize... I guess they also have a google proxy?
|
| https://leta.mullvad.net
|
| So I guess now you can go full Mullvad.
| archb wrote:
| This is super interesting. From Leta FAQ[0]:
|
| Did you make your own search engine from scratch?
|
| We did not, we made a front end to the Google Search API.
|
| Our search engine performs the searches on behalf of our
| users. This means that rather than using Google Search
| directly, our Leta server makes the requests.
|
| Searching by proxy in other words.
|
| [0]: https://leta.mullvad.net/faq
| medstrom wrote:
| A hardened Firefox config exists:
| https://github.com/arkenfox/user.js
|
| But it needs tech skill to adopt, so even if this Mullvad
| Browser is basically just prepackaged Arkenfox, that's great to
| drive adoption.
| kmfrk wrote:
| I'd really like a VPN service to recommend streamers where they
| don't automatically show your location and IP if you happened to
| not be logged in for whatever reason. It's a UX that lands a lot
| of people in trouble when they visit the websites to check them
| out on stream. Ironically streamers with VPN sponsorships, too.
|
| Be nice if this stuff were hidden by default with some reveal
| button to show the information, both on the website and browser
| extension as an alternative to the other options out there.
| Otherwise I love recommending Mullvad to everyone.
| reisse wrote:
| Quite sad Mullvad doesn't have the donations page. One of the
| rare projects I'd actually like to donate.
|
| Guess buying a few more VPN keys will count though...
| tyjen wrote:
| They've been my go to VPN service for years, since PIA was bought
| out, so this is a welcomed surprise. Hope it's as good as their
| service.
| thunderbong wrote:
| I couldn't quite see it in the article -
|
| Is it based on Chromium or Firefox?
|
| If it's Firefox, that'll be a great win!
|
| Edit: User Player6225 mentions it could be a hardened Firefox
| because it's based on the Tor browser
| archb wrote:
| It's based on Firefox, and I am able to install Firefox
| extensions. With 1Password on it now, I think I am going to try
| this browser for a while.
| A_No_Name_Mouse wrote:
| The question not answered: won't I stick out like a sore thumb if
| only 1 in 10000 people uses this browser?
| esskay wrote:
| Stick out to who? Just set the useragent to a default firefox
| one (assuming its not already set) and you're golden.
| archb wrote:
| I decided to test it out on a website[0] and it does seem
| that the useragent goes by the Firefox name:
|
| Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
| Firefox/102.0
|
| On my Firefox:
|
| Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)
| Gecko/20100101 Firefox/110.0
|
| It's interesting to note that the Mullvad browser seems to be
| based off on Firefox 102.0, which came way back on June 28,
| 2022:
|
| https://www.mozilla.org/en-US/firefox/102.0/releasenotes/
|
| [0]: https://gs.statcounter.com/detect
| doodlesdev wrote:
| That's because it's a fork of the Tor browser, meaning it's
| based on Firefox ESR, which is currently on version 102.
| input_sh wrote:
| Extended releases are counted a bit differently, it will
| jump from 102 to 115.
| daveoc64 wrote:
| Firefox 102 is current Extended Support Release (ESR):
|
| https://www.mozilla.org/en-US/firefox/102.9.0/releasenotes/
| [deleted]
| xeeeeeeeeeeenu wrote:
| You can see in the "About" window that it's based on
| Firefox 102.9, which is the latest ESR version. It masks
| the minor version in the UA string.
| controversial97 wrote:
| So ... it is a fork of Mozilla Firefox with privacy-friendly
| settings by default, some script blocking, and dns lookups done
| via Mullvad's encrypted dns service
|
| Sounds ok to me, I have a longish and probably out of date list
| of settings that I like to change in a new instance of firefox. I
| trust mullvad to not log dns more than I trust my ISP and I live
| in the UK so unencrypted dns here is being logged and stored by
| order of the government.
|
| Keeping a fork of firefox in sync with mainline firefox to get
| security fixes is a load of work, it is good that somebody is
| doing it, in this case I think the tor project is doing a lot of
| the work.
| prox wrote:
| Sounds great for the audience it's probably intended for.
| anonymousnotme wrote:
| I was thinking about that very thing is keeping up with
| patches. I suspect that tor is probably a couple of months
| behind firefox and then mullvad will probably be a month or two
| behind tor. It is easier to check between tor browser and
| mullvad browser because they both use git. firefox uses
| mercurial, so is probably harder.
| dathinab wrote:
| AFAIK it's a "fork" of the tor-browser (which is a fork of
| Firefox) but instead of connecting to the tor network you
| connect to a VPN.
|
| So you get all the in-browser tracking protection Firefox has
| (e.g. against fingerprinting) + the ones only the Tor browser
| has but without the drawbacks of the tor network and in turn
| without onion security.
| rtpg wrote:
| Does the tor browser fork stay up to date quickly? I would be
| quite worried about stale browsers in this day and age, to an
| extent at least
| brnt wrote:
| Yes. They are aware that this is one attack vector they
| need to protect their users against.
| notpushkin wrote:
| I believe Tor is collaborating with Mozilla very closely,
| to the point that Mozilla includes patches from Tor Browser
| now: https://wiki.mozilla.org/Security/Tor_Uplift
| JoachimS wrote:
| And Mullvad is a Tor project sponsor.
| notRobot wrote:
| And Mozilla's partner for the Mozilla VPN.
| seanw444 wrote:
| Dang, it's a tight-knit group.
| pabs3 wrote:
| Tor Browser updates often come the same day as Mozilla
| releases, sometimes a bit longer.
| chiefalchemist wrote:
| Speaking of which, anyone have / seen an updated list of which
| FF to change and how? I presume the last one I bookmarked is
| dated.
|
| Dear Santa...please stop making a safe & private internet so
| gosh darn friction-y :(
| tomxor wrote:
| > I have a longish and probably out of date list of settings
| that I like to change in a new instance of firefox
|
| Not a user but part of the purpose of the TOR fork is settings,
| anything that is detectable via JS is supposed to remain
| default to prevent fingerprinting.
|
| It's partly why it's not widely popular, I don't know if this
| is still true but it used to be that it was supposed to be run
| at a specific viewport resolution regardless of your device.
| All in the name of making your fingerprint as close to the same
| as all other TOR browser users.
| dathinab wrote:
| > run at a specific viewport resolution regardless of your
| device.
|
| It's more like pretending to the website that your screen has
| a "common" resolution etc. which is nearly but not quite the
| same as what you said.
|
| In the past they semi required you to keep your tor window in
| a specific window size for this, which just didn't work well
| in practice.
|
| By now they better integrated that in the browser from what I
| heard, so you can resize it however you want but websites
| might have an "empty" border area to the left/right/bottom
| depending on your screen resolution, window size etc. from
| what I have heard.
|
| With a typical maximized window on 1080p you won't really
| notice it, on 4k you might notice that it's just "dumb" up
| scaled from 1080p, but the person I spoke with wasn't sure if
| maybe they have a set of supported common resolutions instead
| of just one. And on a 4:3 screen he said it's quite
| noticeable.
| alkonaut wrote:
| Not sure how it's designed but if I was designing a system
| of reducing detectable entropy from viewport size, I'd make
| a fixed list of available resolutions. First all the common
| resolutions (1920x1080, 2550x14540 and so on), and in
| addition to that maybe just "snapped" grid sizes in 64
| pixel increments. If you use a window size that doesn't
| match, it should just render the viewport to the closest
| smaller allowed size, and fill the border with something
| (e.g. the background color of the page). Perhaps that's
| exactly how it works?
| medstrom wrote:
| Yes, that's how it works, if you're talking about the
| setting privacy.resistFingerprinting.letterboxing. To my
| memory, the list is any multiple of 200 on width and any
| multiple of 100 on height. So at this moment my viewport
| is, I believe, exactly 1200x900.
|
| Bear in mind that it's a minority of people that hit F11
| to browse fullscreen, they still have toolbars, so it's
| not as common as you'd think for the viewport to match a
| common screen resolution like 1920x1080.
| alkonaut wrote:
| Yeah the ones you want I guess would be 1920x1200 with
| the height reduced by common (say Windows 10/11) taskbar
| and toolbars. It's never going to be perfect but you'd at
| least want to minimize letterboxing for the most common
| fullscreen setups on the most common platform(s). But you
| could throw in 1920x1200 full screen as well for good
| measure.
|
| Perhaps it would be better to letterbox randomly with say
| 20px width and 20px height, so it's just 1 chance in 400
| to even return to the same reported screen size? That way
| you'd be even harder to track than if you are the only
| person running exactly 1000x800.
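The grid-snapping scheme alkonaut and medstrom describe above, as an added JavaScript example that is not part of the thread and not Firefox's implementation: it rounds a window's content area down to the grid and compares how many distinct sizes a site would see before and after. The 200x100 step follows medstrom's recollection, and the window sizes are constructed sample data.

```javascript
// Added example, not code from the thread or from Firefox.
// Step sizes follow the commenter's recollection (width in multiples of 200,
// height in multiples of 100); treat them as assumptions.
const STEP_W = 200;
const STEP_H = 100;

// Snap a real content-area size down to the nearest allowed size and report
// how many pixels of neutral border are needed to fill the rest.
function letterbox(innerW, innerH, stepW = STEP_W, stepH = STEP_H) {
  if (!Number.isInteger(innerW) || !Number.isInteger(innerH) ||
      innerW <= 0 || innerH <= 0) {
    throw new RangeError("window size must be positive integers");
  }
  // A window smaller than one step cannot be snapped down; its real size
  // would be reported, so flag it instead of treating it as protected.
  const snapped = innerW >= stepW && innerH >= stepH;
  const width = snapped ? Math.floor(innerW / stepW) * stepW : innerW;
  const height = snapped ? Math.floor(innerH / stepH) * stepH : innerH;
  return {
    width,
    height,
    marginX: innerW - width,   // total horizontal border in pixels
    marginY: innerH - height,  // total vertical border in pixels
    snapped,
  };
}

// Group sizes into buckets: key "WxH" -> number of windows reporting it.
function buckets(sizes) {
  const counts = new Map();
  for (const [w, h] of sizes) {
    const key = `${w}x${h}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (in bits) of the reported-size distribution.
function entropyBits(counts) {
  let total = 0;
  for (const c of counts.values()) total += c;
  let h = 0;
  for (const c of counts.values()) {
    const p = c / total;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed sample: content-area sizes of eight hypothetical visitors.
const SAMPLE_WINDOWS = [
  [1920, 969], [1903, 937], [1536, 722], [1440, 789],
  [1366, 657], [1280, 913], [1279, 905], [1200, 900],
];

// Compare what a site can distinguish with and without letterboxing.
function compare(windows) {
  const raw = buckets(windows);
  const boxed = buckets(windows.map(([w, h]) => {
    const r = letterbox(w, h);
    return [r.width, r.height];
  }));
  // A bucket with one member still identifies a single visitor.
  const loneBuckets = [...boxed].filter(([, n]) => n === 1).map(([k]) => k);
  return {
    rawDistinct: raw.size,
    boxedDistinct: boxed.size,
    rawBits: entropyBits(raw),
    boxedBits: entropyBits(boxed),
    loneBuckets,
  };
}

console.log(letterbox(1920, 969));
console.log(compare(SAMPLE_WINDOWS));
```

A bucket with a single member (1200x600 in the sample) is still unique, which is the concern raised above about being the only person at a given size.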
| encryptluks2 wrote:
| [dead]
| zamnos wrote:
| Hm that seems like a mistake. If I'm reading the docs right, the
| Mullvad browser will let you browse the web _without_ using their
| /any VPN, which means that it's entirely possible to accidentally
| surf to a site without having your VPN up, and reveal your IP
| address to that site. To contrast, there's no way to use the Tor
| Browser without using the onion network so it's ~impossible to
| accidentally browse to a site and reveal your IP address, and not
| just the IP address of the exit node.
|
| OpSec is hard, and tools letting you shoot yourself in the foot
| don't help. There are plenty of other browsers out there that
| don't offer VPN integration, so (imo) they should have made the
| browser a paid feature for customers, instead of giving it away
| for free like the market has demanded since IE6.
| altairprime wrote:
| Mullvad's VPN software has an available function that blocks
| network traffic when the VPN isn't connected, so there's no
| need to patch that into the browser.
| nicce wrote:
| But isn't this integrated directly into the browser, so that
| your host system does not need Mullvad?
| altairprime wrote:
| Nope. Their browser seems intended to be paired with their
| VPN product, not to be substituted for it.
| nicce wrote:
| In my understanding, the Mullvad VPN extension is built
| in, with Mullvad DoH included.
|
| https://mullvad.net/en/help/tag/mullvad-browser/#93
| altairprime wrote:
| Does it offer the same system-wide protection as the
| desktop VPN product; or, does it only use the VPN for
| socks-proxied traffic through the extension-created SOCKS
| port, and so those protections are applied within the
| browser; or, it doesn't protect against temporary
| interruptions; or, other?
|
| I can't experiment with this during my workday, and we've
| reached the limit of information available without
| running it and testing, so I can't help resolve this
| further right now.
| udev4096 wrote:
| I think the reason that they have made it free is to combat
| fingerprinting more efficiently. It would be easy to
| fingerprint if they have a very limited amount of users
| warner25 wrote:
| That makes sense except for the fact that servers can still
| identify the smaller set of actual Mullvad VPN users by their
| IP address(es).
| MikusR wrote:
| They advertise their VPN as having a working Split tunnel
| feature. That is also false, at least on Windows.
| paulryanrogers wrote:
| Citation?
| MikusR wrote:
| Me. It leaks.
| paulryanrogers wrote:
| Can you provide a few examples?
|
| Has this been reported to Mullvad?
| MikusR wrote:
| Split tunnel + qbittorrent leaks your ip
| SadTrombone wrote:
| There's absolutely no way for qbittorrent to leak your IP
| if you've configured it correctly to only use the Mullvad
| network interface.
| artimaeis wrote:
| Using Mullvad (2023.2) split tunnel on my Windows 11
| machine with qBittorrent 4.5.2. Every IP tool I know of
| is showing only my Mullvad IP. What tool are you using
| that indicates a leak of your real IP?
|
| Tools I've used to verify:
|
| - https://mullvad.net/en/check
|
| - https://ipleak.org/
|
| - https://browserleaks.com/ip
|
| Genuinely curious because I use this setup all the time
| and want to rest assured it's behaving as I expect.
| switch007 wrote:
| So, not reported to Mullvad? I don't think it's out of
| order to ask for some proof at this stage
| udev4096 wrote:
| It's available on android and linux. Don't know about windows
| artimaeis wrote:
| I use their split tunnel feature on my Windows machine daily.
| I think there's some limitations to its capability to split,
| such as Windows Store apps.
|
| https://mullvad.net/en/help/split-tunneling-with-the-
| mullvad...
| the_common_man wrote:
| Isn't Firefox already reselling Mullvad for their VPN?
| archb wrote:
| They are. Mullvad browser seems to be aimed at users that want
| a hardened Firefox out of the box with additional Mullvad
| extensions, while Firefox with Mullvad installed manually is
| all manual setup.
| ajdude wrote:
| I welcome all new non-chromium based browsers.
| hardwaresofton wrote:
| Really would have loved if this could have been a partnership
| with Mozilla...
| triihart wrote:
| "The account number is the only thing you need to connect to
| Mullvad VPN. We ask for no email, no phone number, no personal
| information whatsoever."
|
| yeah, also they get my bank card info, I become easily trackable
| if need arises
| asenna wrote:
| They launched the Mullvad cards being sold on Amazon[1], you
| can ask a friend in a different country to buy one for you.
|
| [1] https://www.amazon.com/Mullvad-VPN-Windows-Android-
| SCRATCH/d...
| stainablesteel wrote:
| they don't save this information, they used to then ended up
| removing the process to do so 1-2 years ago
| aprilnya wrote:
| you can pay with cash or crypto
| dns_snek wrote:
| Using your card is a choice, you can pay with Monero or send
| them cash in an envelope.
| silentsanctuary wrote:
| For this reason they do encourage you to anonymously pay with
| cash.
| fuddle wrote:
| I'd love to see a more technical write up on the Mullvad Browser.
| crop_rotation wrote:
| I am disappointed to see that it doesn't integrate with Mullvad
| VPN at all. I have Mullvad VPN but I use it too little because I
| don't want all traffic on my mac going via VPN (e.g all kinds of
| random IDEs and websites). All I want is one browser which always
| uses VPN. But Mullvad has no split tunneling on mac AFAIK, and on
| windows also you can only block some apps from VPN, instead of
| saying that only this application will use VPN. This is one
| feature I really miss from PIA.
| anotherhue wrote:
| It bundles their extension which allows for socks5 connection,
| so you should be good.
| piaste wrote:
| Why don't you want random traffic to go through the VPN?
| Mullvad is quite fast.
| crop_rotation wrote:
| It's not about speed. There are many websites where your
| identity is linked in some fashion (e.g Your bank). I don't
| want my bank to block my account because I was in one
| continent in the morning and another in afternoon. The same
| goes for other critical accounts. I know I know, this is all
| unlikely, but why bother with it if it can cause a lot of
| headache. e.g. I know of people whose facebook accounts got
| blocked and were asked to provide some id since the accounts
| were opened from two different geographies.
|
| Basically sending all traffic via VPN seems a big headache to
| me. E.g. using gmail from a VPN doesn't help me at all.
| dns_snek wrote:
| Firefox allows you to assign proxies to individual
| containers. You could create a "Mullvad" container, set it
| to use Mullvad's SOCKS proxy and then configure a list of
| websites to always open in that container. That should
| allow for nice segregation on the level of individual tabs.
|
| They haven't documented this feature [1], but it's part of
| the official "Multi-Account Containers" extension. It can
| be found in MAC -> Manage Containers -> Select -> Advanced
| Proxy Settings at the bottom.
|
| [1] https://support.mozilla.org/en-US/kb/containers
| digging wrote:
| I usually just turn off my VPN temporarily if I get blocked
| and need to continue using a connection.
| stainablesteel wrote:
| you might want to check out vopono, i've gotten it working with
| firefox and it's nice
|
| https://github.com/jamesmcm/vopono
| crop_rotation wrote:
| Vopono does look awesome but it seems it is Linux only, no
| mac.
| JustSomeNobody wrote:
| I think I personally would find this more useful on my phone than
| on my desktop or laptop.
|
| I like Mullvad, they're my goto for VPN service when I'm out and
| about.
| amsterdorn wrote:
| Is this just Brave for FF minus the crypto?
| ravewithme wrote:
| Controlling browser + vpn - not a good idea.
|
| i trust the tor browser because of the protocol it uses (the
| onion protocol), not because of the browser i use it with. Even
| if mullvad is fully open-source and very transparent about it, i
| think it is not a good idea to use a browser and a vpn from the
| same vendor. They have full access to your internet data, and
| they now have (if you use this browser) full control over the browser
| you use.
| anigbrowl wrote:
| I don't get it, why not just use Tor browser?
| sylware wrote:
| I wonder if one day we'll get a group of devs with the balls to
| propose the world with a real disruptive web engine (instead of
| using vanguard/blackrock ones): for instance plain and simple C +
| assembly.
| Proven wrote:
| Signatures don't validate, I guess I'll pass for now.
|
| $ gpg --verify mullvad-browser-linux64-12.0.4_ALL.tar.xz.asc
| gpg: assuming signed data in 'mullvad-browser-linux64-12.0.4_ALL.tar.xz'
| gpg: Signature made Fri 31 Mar 2023 01:15:54 AM CST
| gpg: using RSA key E53D989A9E2D47BF
| gpg: Can't check signature: No public key
| medill1919 wrote:
| Beware, there does not seem to be a way to uninstall this
| conventionally.
| jack_riminton wrote:
| Mullvad is the Swedish name for a mole in case you were wondering.
| Source: wikipedia https://en.wikipedia.org/wiki/Mullvad
| Waterluvian wrote:
| I was wondering! For an English-speaking audience it feels like
| it might be a poor brand. It's not exactly a "nice-sounding"
| name. Though to be fair, they might not be trying to win
| mindshare, so careful branding might not be a concern.
|
| I appreciate that to a technical audience this can usually feel
| like a super pedantic bit of nonsense. But for the other 99% of
| browser users, this kind of thing can matter!
|
| "You should try out the Mullvad browser!"
|
| "The what?"
| brewdad wrote:
| Is it really any worse than living on the Edge?
| Waterluvian wrote:
| To be fair, this is a very pseudosubjective thing. I know
| my data point. And I feel my data point is plausible as a
| trend. For example, you don't need to do studies to know
| that "Diarrhea Browser" would be a bad name.
|
| Edge? I think it's sharp and techy and modern. So it seems
| at least... valid. But it also screams, to me at least, the
| classic Microsoft branding thing of, "this feels like a
| bunch of 50 year olds in a room declared what they believe
| to be cool and hip."
|
| Then again. `iPad` was broadly laughed at when it was
| announced, and through sheer repetition it has been
| accepted and I don't really even notice the weirdness of
| the name anymore. So maybe with enough success, Mullvad
| would be adopted.
| DrBazza wrote:
| Can anyone explain how this won't, putting it diplomatically,
| attract certain 'dark web' types, and in turn bring mullvad under
| the microscope of law enforcement?
| sneak wrote:
| You can't browse the dark web with this browser.
| traveler01 wrote:
| If you do something useful it will probably attract criminals,
| nothing we can do about it.
| hotpathdev wrote:
| This isn't useful to 'dark web' types. This is at best useful
| for 'mom and pop' who heard about 'china tiktok' on the news.
| KoftaBob wrote:
| Couldn't you say that about any VPN? Why would Mullvad's
| browser be unique in this regard?
| andai wrote:
| Curious how usable it is for anything with CloudFlare. CloudFlare
| doesn't like browsers that block fingerprinting, and it doesn't
| like Tor Browser in my experience, and when I use Mullvad I also
| get way more CloudFlare Captchas, often getting stuck in an
| infinite loop. I'm focusing on CloudFlare because it seems half
| the sites I use are behind their firewall now. (e.g. I have to
| switch from Brave to Firefox every time I want to use ChatGPT...)
| s777 wrote:
| I use LibreWolf (hardened Firefox) with Mullvad VPN and in my
| experience have hardly had any issues with Cloudflare
| (occasionally I might get a single Cloudflare captcha but this
| doesn't happen often). Tor browser, on the other hand, gives me
| tons of captchas and is barely usable.
| jraph wrote:
| I guess why not.
|
| This is an open source, rebranded Firefox and Firefox-like
| browsers could use some publicity. It promotes privacy and
| privacy can use some publicity too. Tor too.
|
| Mullvad seems to be honest in the fact that their business model
| is selling VPNs and it's nice they are saying it's not enough.
| They are not saying that you might not need one though.
|
| We need a Firefox with good defaults and it seems like this
| browser is such a thing. I'd prefer these privacy features to be
| in upstream Firefox but I guess world is not perfect and that
| Firefox still relies on revenues from Google so can't be as
| privacy-focused as it should.
|
| My little concern I guess is that this browser will push for
| their service so it's a bit like an ad for them, at least with
| its name. But fair enough, and at least the business model seems
| healthy.
|
| With Mullvad already being a Mozilla partner for their branded
| VPN, all this actually looks good. They seem to be spending their
| money on worthy stuff.
| FireInsight wrote:
| I'm quite surprised nobody mentioned Librewolf yet.
| https://librewolf.net/
|
| It's a custom build of Firefox with somewhat sensible,
| sometimes strict, privacy respecting default settings.
|
| There's also the Arkenfox user.js which you can put on top of
| vanilla Firefox, aiming for the most privacy and security
| possible. https://github.com/arkenfox/user.js
| 93po wrote:
| My issue with these browsers, including Firefox with things
| like fingerprint resisting enabled, is that it breaks a lot
| of sites. Add a VPN to the mix and a lot of sites flat out
| refuse to let you interact with them, or they give you 5
| minutes of captchas, or they require 2 factor login despite
| asking them to remember your device. I have to open some
| sites (banking, brokerage, health insurance) on a near-daily
| basis in Chrome with no extensions and no VPN instead of my
| regular firefox+vpn.
|
| A lot of sites allow interaction even with the above but they
| shadowban you without telling you. Craigslist shadow bans and
| auto-spam-filters any submissions done with a VPN, and then
| also auto-spam-filters any subsequent submissions on the same
| account even with the VPN turned off.
|
| Reddit also universally spam-filters any submissions and
| comments done under a VPN, and rate limits your commenting a
| shitload on VPNs.
| joveian wrote:
| Arkenfox is great, although worth noting that there are
| always privacy vs. security vs. usability tradeoffs. The best
| usability settings (in terms of sites just working at least)
| are generally the Firefox default and Arkenfox defaults aim
| for privacy mostly but they also have some of the best
| descriptions of available configuration available anywhere
| (often the only other source of any kind of information is a
| brief comment in the source code that assumes familiarity
| with Firefox code). Personally, I aim for the best security
| and accept that that makes me unique.
| kulahan wrote:
| Tor is borderline useless for privacy. It was literally built
| for the government [1]
|
| 1: https://en.wikipedia.org/wiki/Tor_(network)#History
| rOOb85 wrote:
| You do realize that tor is open source and has been under
| scrutiny by some of the world's leading security researchers?
| It may not be 100% perfect, but claiming it's useless and
| ineffective simply because it was born out of government
| research is completely asinine.
| 1101010010 wrote:
| The Tor design spec literally says it is not meant to defeat
| a global passive surveillance panopticon like a world
| government. Know its limitations and it's a fine tool. By the
| way, the entire Internet was built for the government.
|
| https://en.wikipedia.org/wiki/Arpanet
| navigate8310 wrote:
| > We need a Firefox with good defaults and it seems like this
| browser is such a thing.
|
| Allow me to introduce you to LibreWolf https://librewolf.net/
| 2Gkashmiri wrote:
| I've asked multiple times to all the brave sympathizers about
| "why not fork firefox, put your shnazzy customization and call
| it a day. By lapping up to chromium, you are only helping
| Google regardless of what search engine you use"
|
| And more often than not the response has been "well we did
| investigate Firefox but working with it was pita so we went
| with easiest option"
|
| Shit dude. You want to start a business so at least do the
| right thing.
|
| If there are more Firefox forks, like there are chromium forks
| today, that would normalize Firefox because currently chromium
| is the de facto web standard.
| charcircuit wrote:
| How is propping up Firefox's market share and slowing down
| their own development the right thing to do as a business?
|
| If Firefox wants to have a competitive market share they
| should actively compete instead of begging people to increase
| their market share.
| olyjohn wrote:
| I love how the 'right thing to do' is not the same as the
| 'right thing to do as a business.'
|
| One is actually the right thing to do. The other is how to
| make more money faster and quicker.
| yucky wrote:
| [flagged]
| dymk wrote:
| It's no surprise that Brave's obsession with pushing crypto
| and their own ad network, and Eich being a homophobe, did
| burn a lot of goodwill.
| tomcam wrote:
| > Eich being a homophobe
|
| Wut? Citation needed. I'm sure you don't mean his support
| of Proposition 8 in 2008, because Barack Obama professed
| the same belief in 2008... making him, in this formulation,
| a homophobe.
| asddubs wrote:
| so someone being against gay marriage is not a homophobe
| in your eyes? Why can't Obama just also be/have been a
| homophobe
| tomcam wrote:
| One can have a principled opposition to gay marriage
| without being a homophobe.
|
| Declaring someone else is a homophobe without their
| making such an assertion is mindreading.
| darksaints wrote:
| No, they can't.
| dymk wrote:
| > One can have a principled opposition to gay marriage
| without being a homophobe.
|
| The same way a principled vegan also eats meat, to be
| sure.
| asddubs wrote:
| actions speak louder than words. by that logic you can
| never declare anyone anything.
| jraph wrote:
| I don't think we need an umpteenth discussion about this
| here, it has already been discussed to hell. This is
| getting old. Just search Brendan Eich on HN [1], this
| discussion happens any time he is mentioned here.
|
| Or just read the summary on Wikipedia [2].
|
| There's a lot of material on this topic, it's easy to
| make up one's opinion on this if you are genuinely
| interested.
|
| edit: please people, don't feed this.
|
| [1] https://hn.algolia.com/?dateRange=all&page=0&prefix=t
| rue&que...
|
| [2] https://en.wikipedia.org/wiki/Brendan_Eich#Appointmen
| t_to_CE...
| haswell wrote:
| As a bi man, the next paragraphs excuse nothing.
|
| But if these details are to play a factor in browser
| selection, one should reflect on the myriad of
| undesirable associations involved in going about daily
| life.
|
| Just typing this reply involves an entire supply chain
| associated with individuals and organizations of
| questionable character.
|
| To apply this same level of sensitivity to daily life
| would be to mostly unhook oneself from modern society.
|
| I care deeply about the safety and freedom of the LGBTQ+
| community, and find little value in allowing someone
| else's lack of acceptance of me dictate my life. Doing so
| is a form of "doing something" that does nothing but
| widen the gap to actual change, which can only ever
| happen via open dialogue.
|
| I think there are plenty of reasons not to choose Brave
| based on the actual technical merits of the product.
| axus wrote:
| What are your thoughts on Chick-Fil-A. I will sometimes
| choose them on the merits of their product.
| haswell wrote:
| I tend to avoid fast food in general, but I try not to
| orient my life around actions (or avoiding actions) that
| are unlikely to have any impact, especially if they
| involve spending more of my own energy.
|
| Avoiding Chick-Fil-A at all costs: primarily affects me.
|
| Being willing to frequent a Chick-Fil-A because a friend
| somewhere else on the political spectrum enjoys it:
| potentially opens an opportunity to talk.
|
| Most of my family and their circles fit that latter
| description, so this is not a hypothetical. Any chance of
| influencing them is actively harmed by choosing/avoiding
| fast food based on tribal allegiance.
|
| None of this should be construed to mean that I find
| their leadership team and public stances acceptable.
| jraph wrote:
| Sure, I'm not disagreeing with you and this is actually
| an interesting philosophical topic to discuss (I mean it,
| I'm genuinely interested in this and have been wondering
| where to put limits on this kind of stuff).
|
| But wondering whether Eich is homophobic? Meh. Bored of
| these discussions. I have set my opinion on this. It's
| been discussed enough.
| haswell wrote:
| Yeah, that's a fair stance and I generally agree with you
| here.
| tomcam wrote:
| That has nothing to do with my comment. You libeled
| someone without providing any proof at all.
| jraph wrote:
| > That has nothing to do with my comment
|
| It has everything to do with your comment? I'm inviting
| anybody interested on the topic to go read about it
| themselves instead of rehashing the same subject again
| and again, since I believe everything about this has
| already been said already?
|
| > You libeled someone without providing any proof at all.
|
| On the contrary, please notice how I carefully and
| deliberately stated nothing about Eich, not given my
| opinion on this and not taken sides here.
|
| It would not be smart, it would invite people who have
| opinions on this to further push this discussion.
|
| Did you confuse me with another commenter?
| [deleted]
| darksaints wrote:
| Barack Obama opposed prop 8 in 2008, and certainly never
| donated money to the campaign like Eich did. There are
| dozens of articles about it.
|
| But he also opposed gay marriage, so to some extent he
| was homophobic, at least for political reasons. He later
| changed his mind on it, likely also for political
| reasons.
|
| But shame on you for using such disingenuous bullshit
| tactics to make your homophobic point: "If you call Eich
| a homophobe, then you also have to call <insert beloved
| liberal figure> a homophobe!". For one, it ignores the
| fact that people's minds can change over time, whereas
| Eich has never changed his stance on gay marriage and has
| never disavowed the money he spent trying to stop it. And
| two, it's just a red herring argument and attempted
| hypocrisy trap.
|
| And worse, it's a fucking terrible hypocrisy trap. There
| are millions of people who support gay marriage but never
| supported Barack Obama, and millions more who supported
| Obama precisely because they didn't want gay marriage and
| thought they could trust him to not change his mind on
| it. Obama may be beloved by some liberals, but he is a
| hypocrite to many on a multitude of reasons, ranging from
| his gay marriage flip flop, to his support of the patriot
| act, to the promotion of indefinite detention and torture
| to federal law, to the fact that he continued the
| pointless Iraq war for his entire term.
| Euphorbium wrote:
| Let's replace that with vpn pushing, that sure is better. By
| the way brave is also pushing a paid vpn.
| dymk wrote:
| There is no opt-out to not use a VPN. There's... the
| Mullvad logo, which seems pretty reasonable. Certainly
| more reasonable than injecting their own ad network into
| your pages and pushing your home-rolled cryptocoin.
| Euphorbium wrote:
| I have been using brave for a long time, and the only
| places where crypto is mentioned is in the new tab
| window. You have to opt in to ad replacement.
| Dylan16807 wrote:
| I believe you mean "you have to opt in to their ads, and
| there is no ad replacement feature", unless something has
| changed very recently.
| notpushkin wrote:
| Brave is not a Firefox though, it's just another Chromium.
| sph wrote:
| Eich is divisive, sure, but Brave is not a secure browser any
| more than Firefox is, with a lot of phoning home and crypto
| widget, that like them or not, are out of place in a browser
| you want to trust.
|
| Ideally my browser and all the software I use do not connect
| and fetch data unless I tell them to. A browser should not be
| "bundled" with extra widgets for convenience.
| INeedMoreRam wrote:
| You can completely disable the crypto wallet.
| sph wrote:
| On-by-default is a terrible security and privacy
| approach.
| anotherhue wrote:
| Brave had the least home-phoning in the study
| https://arstechnica.com/information-
| technology/2020/03/study...
| Geezus-42 wrote:
| I would have liked to see where Vivaldi fell in their
| testing.
| mpgarate wrote:
| While brave may have some good privacy aspects, it is still
| based on chromium.
| overthrow wrote:
| Brave is an advertising company just like Google.
|
| https://www.computerworld.com/article/3292619/the-brave-
| brow...
|
| > Brave scrubs sites of ads and ad tracking, then replaces
| those ads with its own advertisements, which are not
| individually targeted but instead aimed at an anonymous
| aggregate of the browser's user base.
|
| Sounds an awful lot like Google's
| https://en.wikipedia.org/wiki/Federated_Learning_of_Cohorts,
| no?
|
| btw I don't know anything about Brendan Eich, but I still
| would never use a crypto browser
| jraph wrote:
| I don't care about Brendan Eich quite as much as I care about
| the Google / Chrome monopoly, and Brave just makes this
| monopoly stronger by depending on Chrome. By being Chrome,
| actually.
|
| I want the web to be built around something else than
| ad-/tracking-supported software and Brave is being very self-
| contradictory with this.
|
| Don't use Brave if you care about the global picture /
| tracking around the globe.
| INeedMoreRam wrote:
| Which browser do you recommend?
| chaxor wrote:
| Probably the one from this post will now be the likely
| answer.
| jraph wrote:
| It's not perfect (since its funding is mostly Google) but
| Firefox is my current browser of choice. It notably has
| very good support for blocking tracking and unwanted
| stuff thanks to uBlock Origin, which works best on
| Firefox according to its main developer [0]. And while it
| is funded with Google's money (which is a huge caveat), I
| still hope this changes in the future. Firefox could be
| funded differently. [By the way] maybe Mullvad browser is
| an interesting choice for this exact reason?
|
| Other (independent) initiatives like NetSurf [1] and
| Ladybird [2] are on my radar. NetSurf has been around for
| a while; Ladybird seems impressive, achieving some great
| progress and result with little resources. I should
| actually try Ladybird more seriously when I get the
| chance, and maybe contribute if I find the time :-)
|
| [0] https://github.com/gorhill/uBlock/wiki/uBlock-Origin-
| works-b...
|
| [1] https://www.netsurf-browser.org/
|
| [2] https://awesomekling.github.io/Ladybird-a-new-cross-
| platform...
| yucky wrote:
| Brave is a separate fork and completely unreliant on
| Chrome. It also is the most privacy-focused browser so it's
| the opposite of "tracking-supported software".
| jraph wrote:
| Unreliant on Chrome?
|
| If Chrome disappears, Brave ceases to exist. Brave
| totally relies on Google developers working on Chrome and
| do the vast majority of what it takes to build the
| browser. Brave only does superficial work in comparison.
| Brave may itself be privacy-focused but only exists
| thanks to Google's business model which is mostly
| tracking the world.
|
| So, yes, Brave is mostly funded by tracking since it is
| mostly Chrome with some lightweight work on top of it.
| oDot wrote:
| > I guess why not.
|
| > ...Even in the desktop version, Firefox's sandbox is still
| substantially weaker (especially on Linux) and lacks full
| support for isolating sites from each other rather than only
| containing content as a whole. The sandbox has been gradually
| improving on the desktop but it isn't happening for their
| Android browser yet.
|
| https://grapheneos.org/usage#web-browsing
| dblohm7 wrote:
| That is waaaay out of date on the Desktop front.
| kitsunesoba wrote:
| Seems like a wash overall with how Chrome for Android lacks
| support for extensions entirely. Firefox for Android supports
| uBlock Origin, which greatly cuts down on tracking and
| chances to be hit by broadly-targeted malvertising.
| charcircuit wrote:
| Kiwi Browser is a chrome fork that supports web extensions
| on Android.
| jorvi wrote:
| Firefox on iOS contains no built-in adblocking despite
| Firefox Focus doing so.
|
| More bizarrely, there's an open Bugzilla _and_ GitHub issue
| on that, both a few years old.
|
| Obviously I have transferred my entire family and social
| circle over to Brave. If Firefox won't make their users
| secure, I will.
| pxc wrote:
| > More bizarrely, there's an open Bugzilla and GitHub
| issue on that, both a few years old.
|
| I can understand why it's not a priority at this point,
| at least, given that Firefox on iOS is currently a reskin
| of Safari, and the door is reportedly about to open for
| actual competition among iOS browsers due to increasing
| anti-trust pressures on Apple.
|
| It would make more sense to me to address this with a
| real port of Gecko to iOS, and then you can just run the
| full version of uBlock Origin for Firefox on your iPhone.
| seanw444 wrote:
| The thing is, while Firefox _should_ have better sandboxing,
| the tradeoff at the moment is that with Chromium you get
| better security, but less control and privacy off the bat.
| With Firefox, you get less security, but more control and
| privacy off the bat.
| noobcoder wrote:
| I've been a Mullvad user for a while now, and I have to say,
| their commitment to open source is truly impressive. They're
| living that philosophy by making their VPN client open source.
| Tor Browser with the security of a trusted VPN should be a
| great alternative
| np1810 wrote:
| > We need a Firefox with good defaults and it seems like this
| browser is such a thing.
|
| If you're looking for such an option for Android, you can check out
| Mull [1] which is available on F-Droid [2] as well and use it
| along with uBlock Origin.
|
| [1]: https://gitlab.com/divested-mobile/mull-fenix
|
| [2]: https://f-droid.org/packages/us.spotco.fennec_dos/
| whoopdedo wrote:
| Firefox is already an ad for Mullvad since the Mozilla VPN
| is rebranded Mullvad. It would not be terrible for them to
| become a more prominent corporate sponsor of Mozilla. Less
| eyebrow-raising than Google at least.
| thejosh wrote:
| I quite like Mullvad. I haven't needed to use them much (mostly
| when my ISP has wonky routing and I need something semi-
| urgent), but their service is pretty good, their website feels
| like it's designed for the more "techy users". Their billing is
| the least sketchy of VPN providers, with no ticking clocks,
| no upsell and other nonsense.
|
| I also like they provide a Wireguard file and a way to filter
| it, so it's super easy to get started.
| enlyth wrote:
| I share a VPN subscription with my father, I use it for
| torrenting so my ISP can't snoop on me, and he uses it to
| bypass geo blocking to watch UK shows (things like BritBox,
| Netflix, BBC etc.) in another country. Unfortunately, there
| is no way to legally pay for most of these services and watch
| them from abroad.
|
| I tried to get us to use Mullvad, as it was perfect for me,
| but for him it was constant problems with the services he
| used, whereas the sketchier providers like NordVPN and
| ExpressVPN always worked without issues.
| gesman wrote:
| >> I use it for torrenting so my ISP can't snoop on me
|
| Would installing WireGuard server on a router directly
| solve this (like Gl-Inet travel routers)?
| domh wrote:
| It annoys me that the only way to access iPlayer from
| abroad is via a VPN. Surely opening it up and allowing
| international customers to pay some form of license fee
| could be a nice little revenue stream for the BBC? I'm
| guessing the reason is just "licensing issues" but if
| they're making the programmes then what's the problem? I'm
| sure there's an international market for watching the world
| class output from the BBC.
| kbf wrote:
| Shows are often made by production companies on contract
| and licensed for domestic distribution. Licensing for
| international distribution might be significantly more
| expensive.
| mongol wrote:
| Yes but they would get more revenue from it too.
| burnished wrote:
| Maybe you should start shopping the business case for it
| around then.
| Kwpolska wrote:
| They might get some revenue, but they would need to build
| and maintain a streaming service with payments, and
| that's not free. They might also be limited by contracts
| with local broadcasters, which give them exclusive rights
| to online distribution within their country, even if they
| do not exercise them now.
| 867-5309 wrote:
| a few years ago I moved outside the UK and spent the best
| part of 3 months (on and off) trying to access BBC
| content, legally, still holding residency, paying
| domiciliary and employment taxes, and paying for a bladdy
| TV loicence
|
| of course, I wanted to do this for as close to free as
| possible, since plugging an aerial into a tv at home also
| cost next to nothing
|
| VPNs were already being detected and banned. I tried at
| least 4 extensively, including tcp, udp, socks, wg,
| obfuscated servers, etc. to no avail
|
| dodgy residential/mobile proxies were too unreliable for
| live 720p m3u streams, not to mention expensive
|
| I went through a few cheap linux VPSs with UK ip
| addresses, forwarding their web streams to my tv outside
| the UK, until I found one that seemed to work well. so
| much so I even invested in some fancy routing through
| intermediary countries for almost jitter-free stability
|
| until a few weeks later, back to the same old shite --
| everything 403 Unauthorised
|
| after yet a few more weeks of furious head-scratching
| shame over the stable-now-vanished CBeebies and BritComs
| daily consumption, I concluded and confirmed the BBC had
| just started detecting and banning datacentre IPs more
| aggressively
|
| it was at this ebb I discovered the wonderful world of
| illegal IPTV streams and adopted a _fuck you too, BBC_
| attitude
| idiot900 wrote:
| Perhaps roll your own VPN using a home router that can
| act as a VPN server? That way you can use your home
| internet connection...assuming its upload speed is fast
| enough.
|
| A shame BBC can't accommodate its paying customers who
| happen to be abroad.
| 867-5309 wrote:
| yes in hindsight, had I known the BBC would stoop, I
| could have set up something from an actual home IP.
| whether that be forwarding their web streams or
| forwarding a few OTA DVB-T2 streams. but even that could
| require physical presence for emergency debugs, reboots,
| retunes..
| domh wrote:
| I used a small independent proxy company that I paid £50
| a year annually through PayPal. I think they must've been
| small enough to fly under the radar of the detection
| algorithms. When I went onto google maps connected to the
| proxy, it always thought I was in Dubai, which gives you
| an idea of the clientele.
|
| Maybe it was something to do with the fact that it was a
| Proxy and not a VPN, though I'm not sure if this makes it
| any less detectable. I even had a Firefox extension that
| automatically turned on the proxy when opening iPlayer
| tabs! It worked very well, though I wish I could've paid
| the license fee and just got access.
| Bluecobra wrote:
| I also used some UK shell provider (via SOCKS proxy +
| Putty) in the past and it worked really well. My guess is
| that there's some kind of threshold/concurrent
| connection that iPlayer looks at per IP address.
|
| It's pretty silly though, I would absolutely pay for a TV
| license if given the opportunity. Dear BBC: Shut up and
| take my money!
| 867-5309 wrote:
| I dabbled with free and cheap paid-for proxies which were
| either injecting javascript or too flaky for live video.
| I saw a few of those smaller providers, but the initial
| outlay would have been too risky, because I am convinced
| the BBC throw a lot of money at residential geolocation,
| so if they haven't already their IP address blocks will
| be blacklisted at some point in the near future
|
| interesting about Dubai though, makes me wonder if they
| have some sort of expat or economic deal with them. if
| Google thinks you're there, you can bet BBC do too. I
| discovered they use multiple CDNs and delivery mechanisms
| as fallback/best effort, which sometimes (but not always)
| sieved most (but not all) VPN locations in an
| indeterminate (but authoritatively intentional) fashion,
| so perhaps Dubai is whitelisted on one of those. might
| investigate further at some point if I can swallow some
| bile first
| lazyeye wrote:
| It's not the only way.
|
| Smart DNS providers like Getflix provide access to BBC
| Iplayer and a ton of other streaming services too.
|
| Basically you use their DNS servers and they handle the
| geo-unblocking.
| kelipso wrote:
| With the cultural capital that BBC had especially 7 to 10
| years ago, I'm pretty sure they would have been at league
| with Netflix and the like if they had opened it up. Dr
| Who was huge back then in the US, and you had Sherlock
| and a few other shows. I think people were just pirating
| it (?) but lots of people I knew were huge fans.
| jwagenet wrote:
| Dr. Who was on Netflix for a long time, except maybe
| whatever recent season, and more recently HBO Max
| domh wrote:
| There was something called Kangaroo [1] which was a
| partnership between BBC, ITV and C4 but it got blocked by
| the competition commission. Now it's run under Britbox I
| think!
|
| [1] https://en.m.wikipedia.org/wiki/Kangaroo_(video_on_demand)
| RealStickman_ wrote:
| Problems with services are to be expected when using
| Mullvad. Their IPs are all recognised as originating from
| datacenters. You might be lucky, but often not.
|
| Sketchier VPN providers use "home ips" and rotate them
| regularly in order to defeat Netflix or other services
| blocking them.
| seanw444 wrote:
| Why are the sketchy VPN providers capable of that, but
| not Mullvad?
| tempest_ wrote:
| Sketchier providers often use dubious methods to acquire
| their exit nodes.
|
| Often they pay someone to include their code in a "free"
| software or browser extension (or malware) that allows
| them to route traffic through the host.
|
| Oxylabs is one of the larger examples whose record is
| somewhat dubious.
| dirheist wrote:
| IIRC the mylobot botnet is responsible for providing the
| vast majority of residential (home) IP addresses for
| residential VPN providers (who are then sold to
| expressvpn/nordvpn). The whole business is incredibly
| shady and nefarious and nordvpn/expressvpn must know from
| whom they contract their residential vpn services from.
|
| BHProxies is the largest residential proxy provider on
| the internet and almost all of their proxies are acquired
| through the botnet above.
|
| https://www.bitsight.com/blog/mylobot-investigating-proxy-bo...
| myself248 wrote:
| Whaaaaaaaaaat.
|
| This needs to be on the front page of.... something.
| seanw444 wrote:
| Seconded. I refer to them as shady because I have no way
| of knowing what they do with your data. I didn't even
| consider that they'd have a whole botnet market going on
| too. This definitely needs to be more public.
| Spinnaker_ wrote:
| Is there a source for expressvpn actually using
| BHProxies? I had no clue it was that sketchy. It is owned
| by a public company, so that's pretty substantial news if
| true.
| Stagnant wrote:
| I would be very skeptical of the claim, quite worrying to
| see multiple people accepting that as a fact without any
| kind of evidence to support the claim.
|
| I'd be shocked if any of the major VPN providers were
| involved with illegal residential proxies. It just
| doesn't make sense, can you imagine just how unstable and
| slow those connections would be? Why would they risk
| being legally liable when there exists legal residential
| proxy providers that get their IP's from people that
| voluntarily share their connection (honeygain etc.)? I've
| never heard of any of the big VPN providers offering
| residential connections. As I understand the VPN
| providers that promise support for netflix and similar
| streaming services just acquire newer IP's from time to
| time but the connection still goes through a regular
| datacenter, definitely not from some random dude's home.
|
| The proxy market is more so targeted towards developers
| who scrape data and criminals that do credential
| stuffing/other criminal activity.
| tempest_ wrote:
| Cool, I did not know about this one.
| JadeNB wrote:
| > ... he uses it to bypass geo blocking to watch UK shows
| (things like BritBox, Netflix, BBC etc.) in another
| country. Unfortunately, there is no way to legally pay for
| most of these services and watch them from abroad.
|
| Not that it's your point, but, at least in the US, you can
| pay for BritBox on Amazon:
| https://www.amazon.com/gp/video/storefront?contentType=subsc... .
| mistrial9 wrote:
| how are people supposed to react to this ? Those are two
| reasons why legal providers make life so difficult for
| innocent people. The response will be to enable more
| intrusive record keeping and more very-low bandwidth for
| me, because of you.
| rurp wrote:
| I want to second this and add that they make it very easy to
| make non-recurring payments. So many modern software
| companies do everything they can to hook you into an endless
| subscription, but Mullvad is refreshing in this regard. I
| only use a VPN once in a while and when I need one I just
| throw Mullvad a few bucks for one month plan, which they make
| as seamless as possible.
| WinstonSmith84 wrote:
| I've used Mullvad for 2 years and yeah it's been a good VPN. Global
| outages have been very rare, maybe it happened 2 or 3 times
| altogether. It happens however that some websites are blocking
| Mullvad servers, usually, it's just about switching to another
| server to get this working.
|
| The desktop client also supports some obfuscation schemes (UDP
| over TCP) which is useful when you're in countries which block
| any kind of VPN. The default smartphone app doesn't support
| this out of the box, but they have some tutorials to setup
| Shadowsocks and OpenVPN to route the traffic over https as well
| MuffinFlavored wrote:
| > it's nice they are saying it's not enough.
|
| Mullvad, who has a reputation in the HN comments for being just
| like... over the top amazing + great (they swear up and down
| they don't store traffic logs and if you don't trust them, you
| can pay anonymously somehow or whatever), is having a "hard
| time" being profitable/growing
|
| all while
|
| NordVPN, who has a bad reputation in HN comments for being
| untrustworthy and "not so anonymous", seems more well known
| (and therefore most likely has more paying customers and makes
| more money?)
|
| What is that law called in business? when the "less good"
| offering wins?
| skeaker wrote:
| Not sure if it's got a "law," but the reasoning seems
| intuitive: 1. More complex products are usually better, but
| being more complicated means they're harder to explain to the
| average customer and makes them harder to sell. 2. More
| widely known products get that way by stripping money out of
| the budget for their product to put it into advertising
| instead. Less money in the product means it's potentially
| inferior to a product that put their whole budget into
| development.
| pnt12 wrote:
| Well, many libertarians will state the rules of the free
| market as if they were physics law, but they are not. I think
| they're just post-fact invented laws to justify the ideology,
| but that's besides the point.
|
| The law that "in a free market, the best product wins" has
| been beaten by profit-driven companies with billions at their
| disposal. Sure, you can have a better product. But maybe it's
| more profitable to have better marketing, or secondary
| sources of profit.
|
| It's quite telling that VPN providers sponsor so many YouTube
| videos... Which require login to the biggest ad-driven
| company... Which will identify users by their login, no
| matter if they have a VPN or not!
| jeltz wrote:
| Where did you get this impression? Mullvad is growing like
| crazy (4 times as much revenue in 2021 compared to 2020, 2022
| numbers not yet public). NordVPN is obviously larger since
| they are older and have bought a lot of ads on Youtube but
| Mullvad has crazy growth and I have seen their ads in the
| subway here in Stockholm. Mullvad is in no way a company
| which struggles as far as I can tell.
|
| The old company:
| https://www.allabolag.se/5567839807/amagicom-ab
|
| The current company:
| https://www.allabolag.se/5592384001/mullvad-vpn-ab
| johnmaguire wrote:
| >> it's nice they are saying it's not enough.
|
| > Mullvad [...] is having a "hard time" being
| profitable/growing
|
| This is how I originally interpreted the parent comment as
| well, but they actually meant "a VPN is not enough to
| maintain your privacy, you also need a privacy-respecting
| browser."
| benknight87 wrote:
| It's because, like it or not, NordVPN is a great product. The
| apps are great, the design is slick, they have more servers
| in more countries, and offer additional value through things
| like Smart DNS, dedicated IP. Not to mention solid customer
| service.
| the_duke wrote:
| Sure, their UX is more polished, and due to using
| residential IPs they aren't so easily blocked out.
|
| But there is a different reason for the popularity:
|
| NordVPN and others spend a lot of money on aggressive and
| pretty shady advertising, which tricks consumers into all
| kinds of false assumptions.
| dimitrios1 wrote:
| It's called educating your potential customers on your
| product.
|
| NordVPN has spent an incredible amount of money getting their
| name out there.
|
| The majority of the population hasn't a clue about what a VPN
| is or does. The ones that do, their only interface is "it's
| this thing my company makes me connect to"
|
| Of the remaining subset of people who are aware of what VPNs
| actually do for you, it's likely they can only name 1 or two
| brands: NordVPN and ExpressVPN.
|
| So if you have the superior product, but the lesser position
| in the market, then get busy marketing.
| dns_snek wrote:
| > So if you have the superior product, but the lesser
| position in the market, then get busy marketing.
|
| Easier said than done I imagine. Big brand VPN providers
| charge several times more for the "same" service, or make
| you sign up with 3 year commitment to even come close to
| Mullvad's monthly pricing.
| yencabulator wrote:
| > NordVPN has spent an incredible amount of money getting
| their name out there.
|
| I think you misspelled "spamming ads everywhere".
| dimitrios1 wrote:
| Whatever you want to call it, and whatever it means to
| you, it must be done in some way, like it or not. Or you
| can sit here and complain everyone's using the big name
| that sucks and nobody uses your superior 100%
| artisanally, crafted from free-range conflict-free code,
| ethically "superior" app.
| archb wrote:
| As a DuckDuckGo fan as well, I'd have loved to see
| them/DuckDuckGo develop their browser on the top of Firefox with
| Mullvad as a partner with deep integrations.
| craigjennings wrote:
| Looks like they're getting closer:
| https://duckduckgo.com/mac?ref=duckduckgo
| coppsilgold wrote:
| You can run the tor browser without tor.
|
| env TOR_SKIP_LAUNCH=1 TOR_TRANSPROXY=1
|
| about:config
|   extensions.torlauncher.start_tor = FALSE
|   network.dns.disabled = FALSE
| Eisenstein wrote:
| > Dns Over HTTPS (DoH)
|
| > Mullvad Browser is configured to use Mullvad DoH for all DNS
| requests, without fallback. In the settings, you can also
| configure it to use Mullvad Adblocking DoH.
|
| about:config DOH entries screenshot here:
|
| * https://imgur.com/a/evd9OzN
|
| Can anyone knowledgeable comment on the security implications of
| this?
| nextaccountic wrote:
| If you trust Mullvad to see all your traffic (including every
| IP you connect to), it seems okay to trust them to see your DNS
| queries (that will return the very same IPs you will later
| connect to)
| Eisenstein wrote:
| I don't though. I don't use Mullvad VPN.
| nextaccountic wrote:
| Okay so probably this browser isn't for you
| mackie_roy wrote:
| You can actually disable DoH by going to: Settings >
| General > Network Settings > Settings
|
| Then either untick "Enable DNS over HTTPS" or add a
| custom DoH.
| AccountAccount1 wrote:
| Haven't read any comment that points to a user actually trying
| it; does someone have a link? Or has tried it?
| bragadiru_mafia wrote:
| All you smart asses making recommendations on alternatives,
| shush. The moment it gets on their radar it's compromised in 3
| ..2 ...
|
| Take your obscure html rendered and live in peace brother .
| webmobdev wrote:
| _Important Note_ : Tor browser isn't truly private as it connects
| to Firefox services on start-up, even if you disable all options
| that require these. (Unlike zero telemetry / "no automated
| connections" browsers like the Orion browser -
| https://browser.kagi.com/ - or the PaleMoon browser -
| http://www.palemoon.org/ that actually do respect your browser
| settings).
|
| This seems deliberate as no attempts have been made to fix this
| despite repeated highlighting of this issue online by many
| concerned users.
|
| (I haven't verified if the Mullvad browser has the same problem).
| MrAlex94 wrote:
| Interesting! A few years ago I started a similar project,
| essentially a clearnet fork of Tor called Aegis. Problem was, it
| makes a lot of the modern web very broken. A very niche corner of
| the web browser market - but a lot of things like WebRTC and
| Widevine (unfortunately) are what most users would expect. I'd
| imagine there's the possibility there will be no H264 support
| either?
|
| Nice to see more Firefox related forks though, hopefully help
| gain more ground on the web for alternative engines.
| lofaszvanitt wrote:
| Why not sprinkle it with something like grsec? Now that would be
| a secure browser and would really upset a lot of shady people.
| sampa wrote:
| clearly, you don't know what grsec is
| lofaszvanitt wrote:
| and?
| sneak wrote:
| grsec are patches for the kernel.
|
| The main exploit risk to a modern browser is javascript JIT.
| lofaszvanitt wrote:
| And? Is it considered secure or the threshold just pushed
| higher so the exploitation is not for everyone?
| udev4096 wrote:
| grsec isn't free anymore
| lofaszvanitt wrote:
| Windriver, hm?
| hooverd wrote:
| It's nice to see a Firefox based alternative browser.
| detrites wrote:
| From the FAQ [0]:
|
| > _Why is the time is wrong?_
|
| > The timezone is spoofed, to combat fingerprinting.
|
| > _What's this weird spacing around the websites?_
|
| > It's called letterboxing, a function to combat fingerprinting
| (using your browser window size to identify you together with
| other measures).
|
| > _How do I stay logged into specific websites between sessions?_
|
| > It's not possible. It's an action to combat tracking.
|
| Not sure if there are other measures, other than that the browser
| itself doesn't track anything.
|
| Looking much better than a stock firefox, and presumably will
| improve over time.
|
| [0] - https://mullvad.net/en/help/tag/mullvad-browser/
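Added example (not part of any comment in this thread, and not Mullvad's or Tor's code): a sketch of why the timezone spoofing and letterboxing quoted from the FAQ above shrink a fingerprint, measured as anonymity-set size over a constructed visitor population. The 100 px letterbox step, the three-attribute fingerprint and all visitor values are assumptions for illustration.

```javascript
// Constructed sample population: what a page could read from each visitor.
// None of these values come from the thread; they are made up for illustration.
const visitors = [
  { id: 1, tz: "Europe/Stockholm", w: 1387, h: 842 },
  { id: 2, tz: "Europe/Berlin",    w: 1366, h: 815 },
  { id: 3, tz: "America/New_York", w: 1312, h: 880 },
  { id: 4, tz: "Asia/Tokyo",       w: 1399, h: 801 },
  { id: 5, tz: "Europe/London",    w: 1903, h: 969 },
  { id: 6, tz: "America/Chicago",  w: 1988, h: 933 },
  { id: 7, tz: "Australia/Sydney", w: 1910, h: 999 },
  { id: 8, tz: "Asia/Kolkata",     w: 1024, h: 655 },
];

// Assumption: letterboxing rounds the content area down to a fixed step.
// 100 px is an illustrative step, not a value stated on the page.
const LETTERBOX_STEP = 100;

function letterbox(px, step = LETTERBOX_STEP) {
  return Math.floor(px / step) * step;
}

// Apply the two FAQ measures to one visitor: spoofed timezone, letterboxed size.
function normalize(v) {
  return { ...v, tz: "UTC", w: letterbox(v.w), h: letterbox(v.h) };
}

// The fingerprint here is simply the tuple of observable attributes.
function fingerprintKey(v) {
  return [v.tz, v.w, v.h].join("|");
}

// Group visitors by fingerprint: each group is one anonymity set.
function anonymitySets(population) {
  const sets = new Map();
  for (const v of population) {
    const key = fingerprintKey(v);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(v.id);
  }
  return sets;
}

// Identifying information carried by a visitor's fingerprint, in bits:
// log2(population size / size of the visitor's anonymity set).
function surprisalBits(population, id) {
  for (const ids of anonymitySets(population).values()) {
    if (ids.includes(id)) return Math.log2(population.length / ids.length);
  }
  throw new Error(`unknown visitor id ${id}`);
}

// Fraction of visitors whose fingerprint nobody else shares.
function uniqueFraction(population) {
  let unique = 0;
  for (const ids of anonymitySets(population).values()) {
    if (ids.length === 1) unique += 1;
  }
  return unique / population.length;
}

// Summarise a population: bucket sizes plus the share that is still unique.
function report(population) {
  const sets = anonymitySets(population);
  return {
    buckets: [...sets.entries()].map(([key, ids]) => ({ key, size: ids.length })),
    uniqueFraction: uniqueFraction(population),
  };
}

const hardened = visitors.map(normalize);

console.log("stock   :", JSON.stringify(report(visitors)));
console.log("hardened:", JSON.stringify(report(hardened)));
for (const v of visitors) {
  console.log(
    `visitor ${v.id}: ${surprisalBits(visitors, v.id).toFixed(2)} bits -> ` +
    `${surprisalBits(hardened, v.id).toFixed(2)} bits`
  );
}
```

Visitor 8 stays alone in its bucket after normalization: the measures only help where other users end up with the same normalized values.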
| ta1243 wrote:
| Except most of the time I don't want to spoof my timezone,
| don't want weird spacing around websites, and do want to remain
| logged in to websites.
|
| > How do I stay logged into specific websites between sessions?
| > It's not possible. It's an action to combat tracking.
|
| Turns me off immediately
| bubersson wrote:
| Unfortunately from now on, the Mullvad Browser is the only
| browser you can use, ever. So you will be annoyed by this
| inconvenience a lot.
| DrewADesign wrote:
| Have you considered becoming a non-user?
| neurostimulant wrote:
| This is inherited from the upstream TOR browser. It's
| basically designed to evade fingerprinting by making the
| browser's fingerprint similar across all TOR browser's users.
| It's indeed very inconvenient so don't use these browsers
| unless you seriously care about this stuff.
| archb wrote:
| I thought it'd be possible by simply turning off "Always use
| private browsing mode" setting, but it doesn't seem to work.
| Sessions are still cleared upon browser exit.
|
| In my case, I had to turn off that setting because without
| it, 1Password wouldn't work.
| naillo wrote:
| Obviously you're not the target audience for a privacy
| focused browser
| hotpathdev wrote:
| No one wants that, most websites become broken by taking pro-
| privacy measures. It's about not consenting to tracking.
| Right now the majority of users are implicitly giving consent
| to tracking.
|
| It seems like a harmless thing to be tracked, but once the
| likes of haveibeenpwned.com came out and the databases that
| fuel it, and services that provide search utility to those
| databases, it should become clear that being tracked across
| every single website on the internet is probably not what you
| want.
|
| Scenario: You apply for a job, they look up your totally-
| clean email address, see the email linked to an ip address on
| some database from a leaky website you applied for a job on,
| the ip address is linked to a service where you used a
| certain password which you used on 6 other services, one of
| which had a database leak of your system fonts, now you can
| see all the accounts to services to which your system fonts
| were identically matched. Oh look, you were 13 years old when
| you joined stack overflow on an abandoned account and you
| posted some humorous, incorrect solutions that were down-
| voted to oblivion. But that's ok, they invite you to the job
| interview and they make a funny remark about your stack
| overflow answers and then offer you a job. Do you want to
| work there now that you know they completely invaded your
| privacy ?
|
| And yes, performing such searches is trivial.
| encryptluks2 wrote:
| [dead]
| oefrha wrote:
| Well, I'd say this is largely privacy theater for hobbyists.
| Like a lot of other hobbies, unreasonable suffering is often
| part of the fun and creates a sense of belonging. What sets
| you apart if you're just browsing like every other mortal?
|
| Edit: As mentioned elsewhere in the thread, there are still
| plenty of identifying bits.
| weberer wrote:
| Then standard Firefox with "Enhanced Tracking Protection" set
| to "Strict" would probably be enough for you.
| detrites wrote:
| Well, some of us don't want to be tracked, don't want to be
| tracked and don't want to be tracked.
|
| Given your stated preferences, are you actually looking for a
| privacy-focused browser?
| ramraj07 wrote:
| Some people just want everything, no compromises.
| overthrow wrote:
| That's not very charitable.
|
| Some people just want to pick a different point on the
| tradeoff between convenience and privacy.
|
| Imagine User A uses Fastmail every day, logging in
| manually every morning. User B uses Fastmail every day,
| with a saved login cookie. How is User B's privacy any
| worse? What would User B gain from not having that
| choice?
| teawrecks wrote:
| It's not a matter of user choice, it's a matter of
| maintenance and product integrity.
|
| User B's privacy is objectively lessened by allowing
| tracking cookies, but that is their choice. What is out
| of the user's control is what mullvad chooses to spend
| their time supporting.
|
| If mullvad allows users to turn off a privacy feature,
| now that's a permutation they have to test for. It's also
| an attack vector they've enabled, either through user
| carelessness or social engineering. Mullvad wants to be
| able to say "here's a browser, it's 100% private" and not
| have to say "as long as you do X, and don't do Y,
| and...". Every other browser already does that.
| ta1243 wrote:
| If someone is logging into fastmail every day how does
| preventing this from being remembered help?
| hitekker wrote:
| The GP said "some people" not everyone. Some people want
| all the convenience and the illusion of privacy; the
| benefits minus the cost. It's human nature to want
| something without paying for it, just as it is human
| nature to pretend that desire doesn't exist
| _puk wrote:
| But isn't this what Firefox containers achieve?
|
| My understanding is that cookies etc aren't shared
| between containers, so I can stay logged in, and not be
| tracked across websites.
|
| If it's achievable, why compromise?
| hiccuphippo wrote:
| What I'd like is a Mullvad container in regular Firefox
| so I can choose what sites to open in it, or rather make
| it the default and move a site to another container if I
| want permanent cookies. I use temporary containers now
| but the extra fingerprinting features appeal to me.
| SadTrombone wrote:
| You could look into Mozilla's VPN offering, it does what
| you want and is powered by Mullvad.
| lxgr wrote:
| It's a neat feature, but beware: Per-container VPN
| reveals your real IP if you're also using uBlock in the
| default configuration at the moment due to a limitation
| in Firefox:
| https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#u...
| noahmasur wrote:
| Your browser can still be fingerprinted without cookies.
| The site just needs enough unique information (user
| agent, timezone, screen size, IP, operating system,
| country, etc.) to form a trackable identity.
| jwestbury wrote:
| > IP
|
| This is a surprisingly effective one when combined with
| other users of your network. A couple of years ago, I
| started getting Facebook ads for things I'd never looked
| at, but that I knew my wife had looked at. We don't share
| any devices, and she doesn't even have a Facebook
| account.
|
| It's pretty troubling how invasive shadow profiles are.
| wkat4242 wrote:
| It should be possible to make exceptions for sites you
| trust IMO.
| heartbreak wrote:
| It is. You open those sites in Firefox.
| lxgr wrote:
| What if I don't want the memory and disk storage overhead
| of running two browsers?
|
| Being able to easily reopen a tab in a different
| "identity" is also a pretty neat feature.
| BLKNSLVR wrote:
| You can have more than one browser installed. I have some
| specific use cases between Brave and Firefox.
|
| Choose the right tool for the job.
| deltree7 wrote:
| Most of us are self-aware that I'm not that important to be
| specifically targeted.
|
| At the end of the day, where there is attention, there will
| be ads. All you are fighting for should they show you
| relevant ads or irrelevant ads.
|
| People who live a privileged life and have nothing else
| important going on in their life choose this hill to die
| on.
| beardog wrote:
| > Most of us are self-aware that I'm not that important
| to be specifically targeted.
|
| Of course, not in the sense that the FBI, Wagner Group,
| or the boogy man are going after you today (but you never
| know what the future holds) - however data brokers and
| large companies have a financial incentive right now to
| know as much about everyone as possible and the
| information they collect is increasingly being used to
| decide your insurance rates, give you employment, etc.
|
| >People who live a privileged life and have nothing else
| important going on in their life choose this hill to die
| on.
|
| I mostly agree, however privacy issues impact the less
| privileged more, for example women seeking abortions in
| unfriendly states, teenagers learning about queer issues
| in a toxic community/family, people fleeing abusive
| relationships (the effort some stalkers do is truly
| insanity), minority groups (e.g. undocumented
| immigrants). Sure these groups can't dedicate lots of
| mental energy to privacy but plug and play browsers like
| this one make it easier and even if you are highly
| privileged protecting your privacy makes it more
| acceptable for others to do so too.
| chaxor wrote:
| You're clearly not thinking enough about this. It's not
| just about ads. For just one example, think about the
| data acquired regarding fertility and abortion, and how
| it can be used with respect to some law alterations.
| There are many other examples for present and potential
| futures, so no this isn't just about ads.
| detrites wrote:
| There are 200 countries on this earth, and not all of
| them have the luxury of an uncorrupt, actually-democratic
| set of genuine public servants who wish only to create
| utmost benefit for the largest number of people.
|
| If you have that, you're a minority. And if you believe
| you have that, but actually you don't, you'll find out
| only after it's too late to save it. It's prudent instead
| to assume and act like you don't have it in either case.
|
| Indeed, some of the greatest democracies have been set up
| precisely to that end.
|
| For many, online privacy isn't at all about advertising.
| It's about working to a common good of rights and freedom
| for all.
|
| Rest on your laurels all you like, but don't deride
| others who refuse to. It is only through the efforts of
| such people, and in the past those like them, that any of
| us have the ability to take any such rest at all.
| mongol wrote:
| I like the Duck Duck Go browser. It has a "burn" button that
| destroys all cookies except those you opt in to keep.
| FollowingTheDao wrote:
| Convenience is the wedge that separates you from your
| privacy.
| illiarian wrote:
| So it's Tor Browser, but for clearnet
| npteljes wrote:
| Yes, and I like it that they explicitly say so on the page.
| This kind of transparency and down to earth marketing
| inspires confidence.
| illiarian wrote:
| Ah, completely missed it on the page. So I'm just re-
| iterating :)
| [deleted]
| sundarurfriend wrote:
| > > Why is the time is wrong?
|
| > > The timezone is spoofed, to combat fingerprinting.
|
| The annoying thing about this (assuming it's the same as in
| Firefox) is that the times displayed in your own local History
| page are also "wrong" i.e. shown in UTC.
| shp0ngle wrote:
| What is more satisfying than needing to enter OTP every time I
| go to check email.
|
| I already do this for work (for security theatre) so I will
| skip this
| bmacho wrote:
| Why not just disable javascript?
| [deleted]
| minipark wrote:
| Checking with https://www.amiunique.org/ resulted in a unique
| fingerprint for me. The "Canvas" and "Media devices" attributes
| are unique on their own. I had not expected this.
| notRobot wrote:
| Try restarting your browser and see if the fingerprint changes.
| If it does, that means you can't be tracked across sites using
| this mechanism.
| nbzso wrote:
| No computer in my office is running without Mullvad VPN. No mac
| without Little Snitch.
| mcsniff wrote:
| Here's to hoping they maintain this for a while. There are a lot
| of "hardened Firefox" forks around, none of them that I would
| trust to follow upstream for a long enough time to switch.
|
| I already trust Mullvad enough to use as VPN, and am likely
| willing to extend that trust to a fork of Firefox they manage,
| but truthfully, I am always concerned when achieving goals means new
| ventures and projects as it may mean resources are moving to
| other areas and may impact their code product. I like my core
| providers to do one thing and do it well.
|
| Edit: I hope they bring this to Android also!
| handedness wrote:
| > Edit: I hope they bring this to Android also!
|
| "Avoid Gecko-based browsers like Firefox as they're currently
| much more vulnerable to exploitation and inherently add a huge
| amount of attack surface. Gecko doesn't have a WebView
| implementation (GeckoView is not a WebView implementation), so
| it has to be used alongside the Chromium-based WebView rather
| than instead of Chromium, which means having the remote attack
| surface of two separate browser engines instead of only one.
| Firefox / Gecko also bypass or cripple a fair bit of the
| upstream and GrapheneOS hardening work for apps. Worst of all,
| Firefox does not have internal sandboxing on Android. This is
| despite the fact that Chromium semantic sandbox layer on
| Android is implemented via the OS isolatedProcess feature,
| which is a very easy to use boolean property for app service
| processes to provide strong isolation with only the ability to
| communicate with the app running them via the standard service
| API. Even in the desktop version, Firefox's sandbox is still
| substantially weaker (especially on Linux) and lacks full
| support for isolating sites from each other rather than only
| containing content as a whole. The sandbox has been gradually
| improving on the desktop but it isn't happening for their
| Android browser yet."
|
| Source: https://grapheneos.org/usage#web-browsing
| sacrosanct wrote:
| > There are a lot of "hardened Firefox" forks around
|
| Sticking with LibreWolf for now, which has updates disabled in
| the policies section, but I frequently ping their Gitlab for
| new releases. It's annoying having to do that, but if it means
| I get security patches in time, I do it.
| SubzeroCarnage wrote:
| re Android & fork maintenance I track this here for Firefox:
| https://divestos.org/misc/ffa-dates.txt
|
| and for Chromium: https://divestos.org/misc/ch-dates.txt
| brucethemoose2 wrote:
| Firefox runs like cold molasses on Android, unfortunately.
|
| Bromite seems like it's sticking around, fortunately.
| SubzeroCarnage wrote:
| Bromite has not been updated since December 12th 2022 per my
| history here: https://divestos.org/misc/ch-dates.txt
| brucethemoose2 wrote:
| Oh dear, you are right. Last commit was in January.
|
| Thorium was comatose for a while but has come back, so I am
| keeping my fingers crossed.
| SubzeroCarnage wrote:
| If you really want Chromium based consider switching to
| Brave and following my steps here:
| https://divestos.org/pages/browsers#tuningBrave
| brucethemoose2 wrote:
| Oh actually I was mistaken, looks like dev builds are still
| up here: https://github.com/uazo/bromite-buildtools/releases/
|
| I do not like Brave's business model (replacing web ads
| with their own, even setting the crypto thing aside), but I
| will check out your link if Bromite fizzles out.
| handedness wrote:
| > Bromite seems like it's sticking around, fortunately.
|
| Only barely, unfortunately.
|
| I've since moved to Vanadium for anything untrusted and/or
| critical. It's still missing some features I'll enjoy seeing
| added, but it's improved considerably lately.
| raindear wrote:
| It's not available for smartphones.
| shp0ngle wrote:
| Isn't Tor using always out-of-date Firefox, for minimizing
| tracking on versions? Wouldn't this affect the security angle?
| abbe98 wrote:
| It is based on Firefox ESR (Extended Support Release) which gets
| security fixes backported.
| markrankin wrote:
| They don't have an iOS app like Firefox Focus. Are they working
| on an iOS app?
| jxi wrote:
| [dead]
| the_duke wrote:
| I use a custom Firefox config that tweaks and disables lots of
| features, based on this template:
| https://github.com/arkenfox/user.js .
|
| Fun fact: this makes you extremely easy to identify, because it
| gives your browser a very unique fingerprint. If JS is enabled,
| that is, which you can disable by default, but JS is simply a
| requirement for many websites to function.
|
| I wonder how they approached this problem for the Mullvad
| Browser.
| uconnectlol wrote:
| a derivative of tor and mullvad, when tor browser is already
| second rate software (tor itself seems fine) and mullvad can't
| possibly be good since it's part of the "vpn as privacy
| mechanism" fad. pass
|
| there's no fixing web browsers.
___________________________________________________________________
(page generated 2023-04-03 23:00 UTC)