This is an open source, rebranded Firefox and Firefox-like browsers could use some publicity. It promotes privacy and privacy can use some publicity too. Tor too.
Mullvad seems to be honest in the fact that their business model is selling VPNs and it's nice they are saying it's not enough. They are not saying that you might not need one though.
We need a Firefox with good defaults and it seems like this browser is such a thing. I'd prefer these privacy features to be in upstream Firefox but I guess the world is not perfect and that Firefox still relies on revenues from Google so can't be as privacy-focused as it should.
My little concern I guess is that this browser will push for their service so it's a bit like an ad for them, at least with its name. But fair enough, and at least the business model seems healthy.
With Mullvad already being a Mozilla partner for their branded VPN, all this actually looks good. They seem to be spending their money on worthy stuff.
I quite like Mullvad. I haven't needed to use them much (mostly when my ISP has wonky routing and I need something semi-urgent), but their service is pretty good, their website feels like it's designed for the more "techy users". Their billing is the least sketchy of VPN providers, with no ticking clocks, no upsell and other nonsense.
I also like they provide a Wireguard file and a way to filter it, so it's super easy to get started.
I share a VPN subscription with my father, I use it for torrenting so my ISP can't snoop on me, and he uses it to bypass geo blocking to watch UK shows (things like BritBox, Netflix, BBC etc.) in another country. Unfortunately, there is no way to legally pay for most of these services and watch them from abroad.
I tried to get us to use Mullvad, as it was perfect for me, but for him it was constant problems with the services he used, whereas the sketchier providers like NordVPN and ExpressVPN always worked without issues.
I want to second this and add that they make it very easy to make non-recurring payments. So many modern software companies do everything they can to hook you into an endless subscription, but Mullvad is refreshing in this regard. I only use a VPN once in a while and when I need one I just throw Mullvad a few bucks for a one-month plan, which they make as seamless as possible.
It's a custom build of Firefox with somewhat sensible, sometimes strict, privacy respecting default settings.
There's also the Arkenfox user.js which you can put on top of vanilla Firefox, aiming for the most privacy and security possible.
https://github.com/arkenfox/user.js
My issue with these browsers, including Firefox with things like fingerprint resisting enabled, is that it breaks a lot of sites. Add a VPN to the mix and a lot of sites flat out refuse to let you interact with them, or they give you 5 minutes of captchas, or they require 2 factor login despite asking them to remember your device. I have to open some sites (banking, brokerage, health insurance) on a near-daily basis in Chrome with no extensions and no VPN instead of my regular firefox+vpn.
A lot of sites allow interaction even with the above but they shadowban you without telling you. Craigslist shadow bans and auto-spam-filters any submissions done with a VPN, and then also auto-spam-filters any subsequent submissions on the same account even with the VPN turned off.
Reddit also universally spam-filters any submissions and comments done under a VPN, and rate limits your commenting a shitload on VPNs.
Arkenfox is great, although worth noting that there are always privacy vs. security vs. usability tradeoffs. The best usability settings (in terms of sites just working at least) are generally the Firefox default and Arkenfox defaults aim for privacy mostly but they also have some of the best descriptions of available configuration available anywhere (often the only other source of any kind of information is a brief comment in the source code that assumes familiarity with Firefox code). Personally, I aim for the best security and accept that that makes me unique.
I've asked multiple times to all the brave sympathizers about "why not fork firefox, put your shnazzy customization and call it a day. By lapping up to chromium, you are only helping Google regardless of what search engine you use"
And more often than not the response has been "well we did investigate Firefox but working with it was pita so we went with easiest option"
Shit dude. You want to start a business so at least do the right thing.
If there are more Firefox forks, like there are chromium forks today, that would normalize Firefox because currently chromium is the de facto web standard.
Mullvad, who has a reputation in the HN comments for being just like... over the top amazing + great (they swear up and down they don't store traffic logs and if you don't trust them, you can pay anonymously somehow or whatever), is having a "hard time" being profitable/growing
all while
NordVPN, who has a bad reputation in HN comments for being untrustworthy and "not so anonymous", seems more well known (and therefore most likely has more paying customers and makes more money?)
What is that law called in business? when the "less good" offering wins?
Where did you get this impression? Mullvad is growing like crazy (4 times as much revenue in 2021 compared to 2020, 2022 numbers not yet public). NordVPN is obviously larger since they are older and have bought a lot of ads on Youtube but Mullvad has crazy growth and I have seen their ads in the subway here in Stockholm. Mullvad is in no way a company which struggles as far as I can tell.
> Mullvad [...] is having a "hard time" being profitable/growing
This is how I originally interpreted the parent comment as well, but they actually meant "a VPN is not enough to maintain your privacy, you also need a privacy-respecting browser."
It's because, like it or not, NordVPN is a great product. The apps are great, the design is slick, they have more servers in more countries, and offer additional value through things like Smart DNS, dedicated IP. Not to mention solid customer service.
Not sure if it's got a "law," but the reasoning seems intuitive: 1. More complex products are usually better, but being more complicated means they're harder to explain to the average customer and makes them harder to sell. 2. More widely known products get that way by stripping money out of the budget for their product to put it into advertising instead. Less money in the product means it's potentially inferior to a product that put their whole budget into development.
It's called educating your potential customers on your product.
NordVPN has spent an incredible amount of money getting their name out there.
The majority of the population hasn't a clue about what a VPN is or does. The ones that do, their only interface is "it's this thing my company makes me connect to".
Of the remaining subset of people who are aware of what VPNs actually do for you, it's likely they can only name 1 or two brands: NordVPN and ExpressVPN.
So if you have the superior product, but the lesser position in the market, then get busy marketing.
Well, many libertarians will state the rules of the free market as if they were physics law, but they are not. I think they're just post-fact invented laws to justify the ideology, but that's beside the point.
The law that "in a free market, the best product wins" has been beaten by profit-driven companies with billions at their disposal. Sure, you can have a better product. But maybe it's more profitable to have better marketing, or secondary sources of profit.
It's quite telling that VPN providers sponsor so many YouTube videos... Which require login to the biggest ad-driven company... Which will identify users by their login, no matter if they have a VPN or not!
> ...Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet.
Seems like a wash overall with how Chrome for Android lacks support for extensions entirely. Firefox for Android supports uBlock Origin, which greatly cuts down on tracking and chances to be hit by broadly-targeted malvertising.
The thing is, while Firefox should have better sandboxing, the tradeoff at the moment is that with Chromium you get better security, but less control and privacy off the bat. With Firefox, you get less security, but more control and privacy off the bat.
I've used Mullvad for 2 years and yeah it's been a good VPN. Global outages have been very rare, maybe it happened 2 or 3 times altogether. It happens however that some websites are blocking Mullvad servers, usually, it's just about switching to another server to get this working.
The desktop client also supports some obfuscation schemes (UDP over TCP) which is useful when you're in countries which block any kind of VPN. The default smartphone app doesn't support this out of the box, but they have some tutorials to set up Shadowsocks and OpenVPN to route the traffic over https as well.
Firefox is already an ad for Mullvad since the Mozilla VPN is rebranded Mullvad. It would not be terrible for them to become a more prominent corporate sponsor of Mozilla. Less eyebrow-raising than Google at least.
I've been a Mullvad user for a while now, and I have to say, their commitment to open source is truly impressive. They're living that philosophy by making their VPN client open source. Tor Browser with the security of a trusted VPN should be a great alternative.
This time, there's strong marketing power though. It has a chance of being adopted by people interested in privacy but not really into computers. It matters a lot.
Now, I didn't really know about LibreWolf, I'll look into it for myself.
Using a VPN might have security implications (such as now, you have an additional central entity, maybe not in the same jurisdiction as you, that can list your network connections to a requesting entity), or not be an answer to your threat model.
I don't really blame them for this though. Buyers should also do their homework.
The Tor design spec literally says it is not meant to defeat a global passive surveillance panopticon like a world government. Know its limitations and it's a fine tool. By the way, the entire Internet was built for the government.
You do realize that tor is open source and has been under scrutiny by some of the world's leading security researchers? It may not be 100% perfect, but claiming it’s useless and ineffective simply because it was born out of government research is completely asinine.
So ... it is a fork of Mozilla Firefox with privacy-friendly settings by default, some script blocking, and dns lookups done via Mullvad's encrypted dns service.
Sounds ok to me, I have a longish and probably out of date list of settings that I like to change in a new instance of firefox. I trust mullvad to not log dns more than I trust my ISP and I live in the UK so unencrypted dns here is being logged and stored by order of the government.
Keeping a fork of firefox in sync with mainline firefox to get security fixes is a load of work, it is good that somebody is doing it, in this case I think the tor project is doing a lot of the work.
AFAIK it's a "fork" of the tor-browser (which is a fork of Firefox) but instead of connecting to the tor network you connect to a VPN.
So you get all the in-browser tracking protection Firefox has (e.g. against fingerprinting) + the ones only the Tor browser has but without the drawbacks of the tor network and in turn without onion security.
> I have a longish and probably out of date list of settings that I like to change in a new instance of firefox
Not a user but part of the purpose of the TOR fork is settings, anything that is detectable via JS is supposed to remain default to prevent fingerprinting.
It's partly why it's not widely popular, I don't know if this is still true but it used to be that it was supposed to be run at a specific viewport resolution regardless of your device. All in the name of making your fingerprint as close to the same as all other TOR browser users.
> run at a specific viewport resolution regardless of your device.
It's more like pretending to the website that your screen has a "common" resolution etc. which is nearly but not quite the same as what you said.
In the past they semi required you to keep your tor window in a specific window size for this, which just didn't work well in practice.
By now they better integrated that in the browser from what I heard, so you can resize it however you want but websites might have an "empty" border area to the left/right/bottom depending on your screen resolution, window size etc. from what I have heard.
With a typical maximized window on 1080p you won't really notice it, on 4k you might notice that it's just "dumb" upscaled from 1080p, but the person I spoke with wasn't sure if maybe they have a set of supported common resolutions instead of just one. And on a 4:3 screen he said it's quite noticeable.
I was thinking about that very thing is keeping up with patches. I suspect that tor is probably a couple of months behind firefox and then mullvad will probably be a month or two behind tor. It is easier to check between tor browser and mullvad browser because they both use git. firefox uses mercurial, so is probably harder.
Well, I’d say this is largely privacy theater for hobbyists. Like a lot of other hobbies, unreasonable suffering is often part of the fun and creates a sense of belonging. What sets you apart if you’re just browsing like every other mortal?
Edit: As mentioned elsewhere in the thread, there are still plenty of identifying bits.
This is inherited from the upstream TOR browser. It's basically designed to evade fingerprinting by making the browser's fingerprint similar across all TOR browser users. It's indeed very inconvenient so don't use these browsers unless you seriously care about this stuff.
I thought it'd be possible by simply turning off "Always use private browsing mode" setting, but it doesn't seem to work. Sessions are still cleared upon browser exit.
In my case, I had to turn off that setting because without it, 1Password wouldn't work.
No one wants that, most websites become broken by taking pro-privacy measures. It's about not consenting to tracking. Right now the majority of users are implicitly giving consent to tracking.
It seems like a harmless thing to be tracked, but once the likes of haveibeenpwned.com came out and the databases that fuel it, and services that provide search utility to those databases, it should become clear that being tracked across every single website on the internet is probably not what you want.
Scenario: You apply for a job, they look up your totally-clean email address, see the email linked to an ip address on some database from a leaky website you applied for a job on, the ip address is linked to a service where you used a certain password which you used on 6 other services, one of which had a database leak of your system fonts, now you can see all the accounts to services to which your system fonts were identically matched. Oh look, you were 13 years old when you joined stack overflow on an abandoned account and you posted some humorous, incorrect solutions that were down-voted to oblivion. But that's ok, they invite you to the job interview and they make a funny remark about your stack overflow answers and then offer you a job. Do you want to work there now that you know they completely invaded your privacy?
> > The timezone is spoofed, to combat fingerprinting.
The annoying thing about this (assuming it's the same as in Firefox) is that the times displayed in your own local History page are also "wrong" i.e. shown in UTC.
Hm that seems like a mistake. If I'm reading the docs right, the Mullvad browser will let you browse the web without using their/any VPN, which means that it's entirely possible to accidentally surf to a site without having your VPN up, and reveal your IP address to that site. To contrast, there's no way to use the Tor Browser without using the onion network so it's ~impossible to accidentally browse to a site and reveal your IP address, and not just the IP address of the exit node.
OpSec is hard, and tools letting you shoot yourself in the foot doesn't help. There are plenty of other browsers out there that don't offer VPN integration, so (imo) they should have made the browser a paid feature for customers, instead of giving it away for free like the market has demanded since IE6.
I think the reason that they have made it free is to combat fingerprinting more efficiently. It would be easy to fingerprint if they have a very limited amount of users
Mullvad’s VPN software has an available function that blocks network traffic when the VPN isn’t connected, so there’s no need to patch that into the browser.
Here's to hoping they maintain this for a while. There are a lot of "hardened Firefox" forks around, none of them that I would trust to follow upstream for a long enough time to switch.
I already trust Mullvad enough to use as VPN, and am likely willing to extend that trust to a fork of Firefox they manage, but truthfully, I am always concerned when achieving goals means new ventures and projects as it may mean resources are moving to other areas and may impact their code product. I like my core providers to do one thing and do it well.
"Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet."
Your quoted part seems to refer to people using the OS browser component in some contexts (eg app embedded web content) and the actual browser app in others. It's good to be aware of but claiming the resulting attack surface is the union is only technically correct. The resulting risk is not increased correspondingly as you are not accessing most content through 2 browsers.
This is a good reminder, thank you. I am an advocate and user of GrapheneOS, but often find myself using Firefox because of Sync, and because of the bottom toolbar -- which is ridiculous to think about.
I understand the want to stay close to upstream and requests for such "usability" tweaks this should go to Chromium.
Alas the rigidity of the GrapheneOS project is a double edged sword.
> There are a lot of "hardened Firefox" forks around
Sticking with LibreWolf for now, which has updates disabled in the policies section, but I frequently ping their Gitlab for new releases. It's annoying having to do that, but if it means I get security patches in time, I do it.
> Bromite seems like its sticking around, fortunately.
Only barely, unfortunately.
I've since moved to Vanadium for anything untrusted and/or critical. It's still missing some features I'll enjoy seeing added, but it's improved considerably lately.
If a lot of non-Mullvad users use it, it will create a nice pool of people with at least the same browser fingerprint.
Basically, it seems like a good choice if you are already a Mullvad user and your threat model does not require the use of a Tor browser. However, if there's a significant non-Mullvad user base using it, it won't do much, as you'll just stand out as the only person using the Mullvad browser without Mullvad VPN.
The people you are looking to to regulate it are the same people who would exploit it.
I also think this approach of expecting the general public to adopt a borked browser to give deniability to people using it strategically is extremely naive. Human psychology just doesn't work like that, you might as well ask schools of fish to swim differently to hinder shark learning. To be frank, this seems like it will just create confusion vs telling people to use Tor browser.
The way to improve privacy is to provide a tool that actively enhances something incredibly well, and does everything else at least as well. If all browsers are hopelessly compromised, make something that isn't based on HTML and builds cool user interfaces directly from API calls like a videogame UI, for example.
> However, if there's a significant non-Mullvad user base using it, it won't do much, as you'll just stand out as the only person using the Mullvad browser without Mullvad VPN.
"The Mullvad Browser is a privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project. It’s designed to minimize tracking and fingerprinting. You could say it’s a Tor Browser to use without the Tor Network."
We did not, we made a front end to the Google Search API.
Our search engine performs the searches on behalf of our users. This means that rather than using Google Search directly, our Leta server makes the requests.
I wonder how many VPN providers are going to turn out to be honeypots in the long run. Every time they make it easier, I get more suspicious about the privacy really being provided. Perhaps I’m just really distrustful and cynical.
Of course, which is why you shouldn't depend on a single VPN (or just VPNs in general) if you have stuff to hide.
Opsec is an art, and there are no turnkey solutions to ultimate privacy and security. You gotta put in the effort yourself.
It's just a matter of reducing your surface area: I know for certain my government tracks my unencrypted DNS requests, and I have a static IP, so I'd rather turn Mullvad on if I'm feeling like opening an adult site. They might log my DNS, but it's a little harder for them to correlate my requests than if I were to use my home network. Not impossible, but since I am not at odds with the law, GCHQ is probably not spending billions tracking my every movement across networks.
If you need to send nuclear bomb plans to an enemy government, I hope you have a better plan than trusting the promises of any VPN network.
Mullvad has been around for quite a long time, and regularly releases third-party security audits. Is there anything they've done that comes off as a red flag to you?
> Perhaps I’m just really distrustful and cynical.
That's fine, but you should have a good reason for it
Long-term services are great targets for governments.
If you were looking for some trust in a VPN, you would want them to offer locations in privacy friendly countries, and highlighting them as such. That would potentially funnel more users to those servers which would be beneficial. You would also want the VPN to ensure the servers in those countries are run by companies based in that country, and not be headquartered in some other country.
If Firefox wants to have a competitive market share they should actively compete instead of begging people to increase their market share.
If you're looking for such an option for Android, you can check out Mull [1] which is available on F-Droid [2] as well and use it along with uBlock Origin.
[1]: https://gitlab.com/divested-mobile/mull-fenix
[2]: https://f-droid.org/packages/us.spotco.fennec_dos/
The old company: https://www.allabolag.se/5567839807/amagicom-ab
The current company: https://www.allabolag.se/5592384001/mullvad-vpn-ab
> ...Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet.
https://grapheneos.org/usage#web-browsing
Allow me to introduce you to LibreWolf https://librewolf.net/
I mean... yeah? What else should it be?
So, like LibreWolf, Waterfox, etc. ?
There's a ton of those already.
Why would they?
1: https://en.wikipedia.org/wiki/Tor_(network)#History
https://en.wikipedia.org/wiki/Arpanet
No it probably won't help if I want to buy fertilizer for a truck bomb.
Dear Santa...please stop making a safe & private internet so gosh darn friction-y :(
> Why is the time is wrong?
> The timezone is spoofed, to combat fingerprinting.
> What's this weird spacing around the websites?
> It’s called letterboxing, a function to combat fingerprinting (using your browser window size to identify you together with other measures).
> How do I stay logged into specific websites between sessions?
> It’s not possible. It’s an action to combat tracking.
Not sure if there are other measures, other than that the browser itself doesn't track anything.
Looking much better than a stock firefox, and presumably will improve over time.
[0] - https://mullvad.net/en/help/tag/mullvad-browser/
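Added illustration (not part of any comment in this thread, and not Mullvad's or Firefox's code): a sketch of the letterboxing idea discussed above, where the page is shown a window size rounded down to a shared bucket and the remainder becomes the empty margin. The step sizes and the sample window sizes are assumptions constructed for the example.

```javascript
// Assumed bucket steps (hypothetical values for illustration):
// small dimensions round in finer steps than large ones.
const STEPS = [
  { upTo: 500, step: 50 },
  { upTo: 1600, step: 100 },
  { upTo: Infinity, step: 200 },
];

// Pick the rounding step that applies to one dimension.
function stepFor(px) {
  return STEPS.find((s) => px <= s.upTo).step;
}

// Round one dimension down to its bucket, never below one step.
function roundDown(px) {
  const step = stepFor(px);
  return Math.max(step, Math.floor(px / step) * step);
}

// Size the page is allowed to see, plus the margin the user sees around it.
function letterbox(innerWidth, innerHeight) {
  const width = roundDown(innerWidth);
  const height = roundDown(innerHeight);
  return {
    width,
    height,
    marginX: innerWidth - width,
    marginY: innerHeight - height,
  };
}

// Constructed sample: real inner sizes differ by scrollbars, toolbars, docks.
const SAMPLE_WINDOWS = [
  [1920, 969], [1903, 947], [1366, 657],
  [1349, 640], [1280, 913], [3840, 2049],
];

// How many distinct sizes a fingerprinting script would observe.
function distinctReportedSizes(windows) {
  const seen = new Set();
  for (const [w, h] of windows) {
    const box = letterbox(w, h);
    seen.add(`${box.width}x${box.height}`);
  }
  return [...seen].sort();
}

console.log(distinctReportedSizes(SAMPLE_WINDOWS));
```

Six different real window sizes collapse to four reported ones here; the margin values are the "weird spacing" the FAQ answer refers to.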
> How do I stay logged into specific websites between sessions?
> It’s not possible. It’s an action to combat tracking.
Turns me off immediately
Given your stated preferences, are you actually looking for a privacy-focused browser?
Edit: As mentioned elsewhere in the thread, there are still plenty of identifying bits.
In my case, I had to turn off that setting because without it, 1Password wouldn't work.
It seems like a harmless thing to be tracked, but once the likes of haveibeenpwned.com came out and the databases that fuel it, and services that provide search utility to those databases, it should become clear that being tracked across every single website on the internet is probably not what you want.
Scenario: You apply for a job, they look up your totally-clean email address, see the email linked to an IP address on some database from a leaky website you applied for a job on, the IP address is linked to a service where you used a certain password which you used on 6 other services, one of which had a database leak of your system fonts, now you can see all the accounts to services to which your system fonts were identically matched. Oh look, you were 13 years old when you joined Stack Overflow on an abandoned account and you posted some humorous, incorrect solutions that were down-voted to oblivion. But that's ok, they invite you to the job interview and they make a funny remark about your Stack Overflow answers and then offer you a job. Do you want to work there now that you know they completely invaded your privacy?
And yes, performing such searches is trivial.
I already do this for work (for security theatre) so I will skip this
> > The timezone is spoofed, to combat fingerprinting.
The annoying thing about this (assuming it's the same as in Firefox) is that the times displayed in your own local History page are also "wrong" i.e. shown in UTC.
OpSec is hard, and tools letting you shoot yourself in the foot don't help. There are plenty of other browsers out there that don't offer VPN integration, so (imo) they should have made the browser a paid feature for customers, instead of giving it away for free like the market has demanded since IE6.
https://mullvad.net/en/help/split-tunneling-with-the-mullvad...
I already trust Mullvad enough to use as VPN, and am likely willing to extend that trust to a fork of Firefox they manage, but truthfully, I am always concerned when achieving goals means new ventures and projects, as it may mean resources are moving to other areas and may impact their code product. I like my core providers to do one thing and do it well.
Edit: I hope they bring this to Android also!
"Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet."
Source: https://grapheneos.org/usage#web-browsing
I understand the want to stay close to upstream and requests for such "usability" tweaks this should go to Chromium.
Alas, the rigidity of the GrapheneOS project is a double-edged sword.
Sticking with LibreWolf for now, which has updates disabled in the policies section, but I frequently ping their GitLab for new releases. It's annoying having to do that, but if it means I get security patches in time, I do it.
and for Chromium: https://divestos.org/misc/ch-dates.txt
Bromite seems like it's sticking around, fortunately.
Only barely, unfortunately.
I've since moved to Vanadium for anything untrusted and/or critical. It's still missing some features I'll enjoy seeing added, but it's improved considerably lately.
Basically, it seems like a good choice if you are already a Mullvad user and your threat model does not require the use of a Tor browser. However, if there's a significant non-Mullvad user base using it, it won't do much, as you'll just stand out as the only person using the Mullvad browser without Mullvad VPN.
I also think this approach of expecting the general public to adopt a borked browser to give deniability to people using it strategically is extremely naive. Human psychology just doesn't work like that, you might as well ask schools of fish to swim differently to hinder shark learning. To be frank, this seems like it will just create confusion vs telling people to use Tor browser.
The way to improve privacy is to provide a tool that actively enhances something incredibly well, and does everything else at least as well. If all browsers are hopelessly compromised, make something that isn't based on HTML and builds cool user interfaces directly from API calls like a videogame UI, for example.
That should be "unless there's a significant...."
https://github.com/mullvad/mullvad-browser
So basically like... hardened Firefox?
But it needs tech skill to adopt, so even if this Mullvad Browser is basically just prepackaged Arkenfox, that's great to drive adoption.
https://leta.mullvad.net
So I guess now you can go full Mullvad.
Did you make your own search engine from scratch?
We did not, we made a front end to the Google Search API.
Our search engine performs the searches on behalf of our users. This means that rather than using Google Search directly, our Leta server makes the requests.
Searching by proxy in other words.
[0]: https://leta.mullvad.net/faq
Opsec is an art, and there are no turnkey solutions to ultimate privacy and security. You gotta put in the effort yourself.
It's just a matter of reducing your surface area: I know for certain my government tracks my unencrypted DNS requests, and I have a static IP, so I'd rather turn Mullvad on if I'm feeling like opening an adult site. They might log my DNS, but it's a little harder for them to correlate my requests than if I were to use my home network. Not impossible, but since I am not at odds with the law, GCHQ is probably not spending billions tracking my every movement across networks.
If you need to send nuclear bomb plans to an enemy government, I hope you have a better plan than trusting the promises of any VPN network.
My threat model is:
ISP that has corrupted my govt to allow them to steal my data. Hide my IP from scummy sites.
My threat model is not:
Keep various TLAs from knowing everything I do online. (because good luck with that)
> Perhaps I’m just really distrustful and cynical.
That's fine, but you should have a good reason for it
If you were looking for some trust in a VPN, you would want them to offer locations in privacy-friendly countries, and to highlight them as such. That would potentially funnel more users to those servers, which would be beneficial. You would also want the VPN to ensure the servers in those countries are run by companies based in that country, and not headquartered in some other country.