And is Vanadium’s security superior to Cromite’s security, or are they around the same?
I can tell adblock is maybe one of the advantages but I feel that due to using Mullvad’s adblock DNS (on both DNS over HTTPS and TLS) I rarely ever see ads.
I’m not up to date with Cromite development, but this is from last October according to GrapheneOS:
“Cromite has very problematic changes included which substantially reduce privacy and security. It reduces security more than it improves it. For example, it includes the highly problematic Eyeo filtering engine from the company behind Acceptable Ads, Adblock Plus, etc. which took over the forked uBlock extension misleading people with the name pretending to be the uBlock Origin project among other extensions. Eyeo’s C++ code is low quality and has memory corruption issues… Cromite including the incredibly sketchy Eyeo content filtering engine and stuff like additional codecs goes against what we’re trying to achieve. We also don’t think the randomization-based anti-fingerprinting approach works, among other issues”.
Avoid using Cromite on GrapheneOS — Vanadium is a better choice for security and privacy at this time. Use Brave on non-Graphene devices (I don’t like it, but it’s objectively the only acceptable option).
The GrapheneOS team has also shared the following about the Vanadium browser:
We have several major privacy and security features currently in active development. We’re also working on usability improvements to replace Google services such as sync.
GrapheneOS frequently mentions (don’t understand this as recommends) Brave for devices that don’t run GrapheneOS. However, the team has made it clear that they do not plan to prioritize releasing Vanadium outside of GrapheneOS in the near future:
If we’re adding a new feature or fixing an issue — such as an upstream Chromium bug — we don’t have to make it work outside GrapheneOS right away. It can be addressed later. While we have long-term plans to release Vanadium beyond GrapheneOS, that’s not something we’re focusing on right now.
Vanadium exists because GrapheneOS needs it. Our focus remains on the needs of GrapheneOS and its users. Releasing some of our apps outside GrapheneOS hasn’t provided significant benefits so far, and it consumes limited resources. We would need to see substantial value in supporting broader platforms to justify the effort.
@Redroyach — You’re correct. Vanadium supports Memory Tagging (MTE) and many other security functionalities, while Cromite does not:
MTE appears to be on Cromite’s to-do list (“Sanbox related” category):
I’ll add that Vanadium provides the WebView on GrapheneOS, so you won’t get out of using it for that. It doesn’t really make sense to use a second, less secure browser when you could just use Vanadium.
Thanks everyone for the input! Guess I will continue on Vanadium then for years to come (I do wish there was a Vanadium guide type thing on the mobile session but I feel that the recommended settings on Cromite apply to Vanadium too)
Vanadium is the only browser, apart from Tor Browser, that can actually fight fingerprinting, and it’s not theater, unlike Brave’s or Cromite’s “protections.”
Vanadium only runs on GrapheneOS, which can only be installed on a very limited amount of devices, which can be pretty much treated as pools of users, so we have a pool of Pixel 6a users, a pool of Pixel 7a users, and on and on.
Tor Browser or Vanadium + a VPN or Tor are the best options when it comes to fighting fingerprinting on mobile.
To properly defend against fingerprinting, you need a large user base with the same browser, extensions, content filters, and other web-facing configuration. Even when using the Tor Browser on Android, there are still things like screen size, etc. that can be used to fingerprint you.
Those who seriously need strong fingerprinting protection and anonymity should ideally be using Whonix or at least the desktop version of Tor Browser. For anyone else, Brave, Safari, or Vanadium are all fine options when it comes to fingerprinting, with Vanadium and Safari being significantly better when combined with Apple’s Private Relay, a VPN, or Tor.
Fighting fingerprinting is essentially in a way, fingerprint protection which as you can see even @phnx said provided by @anonymous261 that Vanadium does not have fingerprinting protection.
Fingerprinting protection isn’t about just blending in with others, it’s about (and this is just one example) also randomizing fingerprint hashes like the Canvas and disabling WebGL (which Brave not sure about canvas on aggressive but used to also block WebGL on aggressive, but with aggressive removed now, canvas is more like disguised and WebGL will work nonetheless same way as canvas and they’re unique anyways, meanwhile FPR (Fingerprinting Protection/Resistance) Browsers like Mullvad like Tor do a better job). Another example is randomizing values like the screen (which Brave does but honestly doesn’t do all that much of an impact) (but still with these aspects it’s possible to fool sites if that is, fingerprinting is done poorly which would not be likely unfortunately) or otherwise letterboxing to make it look like many of the Arkenfox users for the screen but I’ll leave it from there.
Which as you would be able to tell, Vanadium does none of what Mullvad and Tor and daresay Brave (which again I alluded before that without Brave’s aggressive FPR, it’s more like disguising but still being unique, but it does randomize screen resolution and stuff like that but they don’t mean that much)
Even GrapheneOS developers say that Brave has better anti-fingerprinting. What you’re saying could be true only if Vanadium users had a mixed IP pool and similar language, timezones, light/dark mode, screen resolution, etc.
Vanadium does have basic anti-fingerprinting techniques according to the GrapheneOS features page:
Standard Android 16 user agent reduction is enabled early for the WebView to replace the major OS version, device model and browser minor/build/patch version with standard placeholder values
High entropy client hints are replaced with the standard placeholder values used in Chromium’s reduced user agent for both the browser and WebView to close a loophole where Chromium is still sharing the major OS version, device model and browser minor/build/patch version with any server requesting it via client hints
Battery API always shows the battery as charging and at 100% capacity
Consistent browser behavior across users without usage of feature flags and seed-based trials
Brave has more comprehensive ones, but given that Vanadium installations look very similar, if you are on the same device you have a small crowd to hide in.
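The user agent reduction quoted above, as an added example that is not part of the original posts and is not Vanadium or Chromium code: it rewrites a full Android Chrome user agent into Chromium's reduced form and counts how many distinct values remain. The function names and the sample user agents are constructed for illustration; client hints are not modeled.

```javascript
// Added illustration; not Vanadium or Chromium source code.
// Placeholders used by Chromium's reduced user agent on Android.
const PLACEHOLDER_OS = "Android 10";
const PLACEHOLDER_MODEL = "K";

// Hypothetical helper: collapse OS version, device model and the
// browser minor/build/patch numbers to the fixed placeholder values.
function reduceUserAgent(ua) {
  // Platform part: "(Linux; Android <version>; <device model>)"
  const platform = /\(Linux; Android [^;)]+(?:; [^)]*)?\)/;
  // Browser part: "Chrome/<major>.<minor>.<build>.<patch>"
  const chrome = /Chrome\/(\d+)\.\d+\.\d+\.\d+/;
  if (!platform.test(ua) || !chrome.test(ua)) {
    return null; // not an Android Chromium user agent
  }
  return ua
    .replace(platform, `(Linux; ${PLACEHOLDER_OS}; ${PLACEHOLDER_MODEL})`)
    .replace(chrome, "Chrome/$1.0.0.0"); // only the major version survives
}

// Constructed sample user agents (three devices, same browser major version).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Linux; Android 14; Pixel 6a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.1111.10 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 15; Pixel 7a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.1111.25 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 13; Pixel 8 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.2222.3 Mobile Safari/537.36",
];

// Number of distinct strings a server could tell apart.
function distinctValues(values) {
  return new Set(values).size;
}

function compareBeforeAfter(uas) {
  const reduced = uas.map(reduceUserAgent);
  return {
    before: distinctValues(uas),
    after: distinctValues(reduced),
    reduced,
  };
}

const result = compareBeforeAfter(SAMPLE_UAS);
console.log(`distinct before: ${result.before}, after: ${result.after}`);
console.log(result.reduced[0]);
```

The same collapse has to be applied to high-entropy client hints, since a server can otherwise request the removed values through them, which is the loophole the quoted feature list describes.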
Biggest issue with Vanadium is it doesn’t get rid of all ads. I consider that a nonstarter. The whole ‘use an adblocking DNS’ recommendation doesn’t get rid of page breakage. If only Mullvad Browser made an Android version.