Browser Compartmentalization and Mullvad Browser settings

Hello everyone, I like compartmentalizing my online activity and until now I’ve been using Brave as my “account browser” and hardened Firefox for regular surfing. I was thinking of keeping my Google accounts in Brave, transferring the rest of my accounts to hardened Firefox and using the Mullvad Browser for regular surfing. The reason I am considering this is that I want to isolate the Google ecosystem to one browser and the rest of the accounts to another, thus having a different fingerprint for each one.

Will this truly help with isolating my fingerprint to each browser or is it overkill?

I also wanted to ask about the Mullvad Browser. It is recommended in the Recommendations section of Privacy Guides that we should not modify the browser beyond the security level, because we want to blend in with the crowd.

Does this also apply to changing basic settings such as switching from the light theme to the dark theme?

Lastly, the Mullvad browser recommends turning off DNS over HTTPS (when using Mullvad VPN).

source: DNS over HTTPS and DNS over TLS | Mullvad VPN

Does this go against the anti-fingerprinting method of blending in with the crowd (because we change the settings), or should we change it as they say? If I use a different VPN, does this also apply, or is it only for Mullvad VPN?

A similar question to the last one has already been asked before, but it was a while back and I wanted to see if anything has changed since then.

source: Should we change Mullvad Browser's DoH server settings?

Thanks in advance!

Definitely

edit: while it is certainly not the absolute worst thing you can do with respect to fingerprinting (since ‘prefers dark’ or ‘prefers light’ is a binary, it doesn’t make you anywhere near as fingerprintable as some other factors), it still would make your fingerprint stand out from other Mullvad users.

1 Like

I believe the reasoning is that:

  • By using their DoH server, your DNS queries will be outside of the VPN tunnel, and going to a non-standard IP address compared to other Mullvad VPN users. Your DNS queries would still be encrypted and not visible, but a MitM could see that you are making two connections (one to Mullvad VPN, one to Mullvad’s DoH server), which could set you apart from the majority of Mullvad users. I believe it is also possible (but probably not common) for a remote website or server you connect to, to use a script to determine the DNS server you are using, but I am not fully informed about the details.
1 Like

I’m using Proton VPN and I just saw that they also recommend disabling DoH when using their VPN, but their reason is that the encryption makes it harder for them to block or reroute the DNS queries.

source: DNS leaks when using a VPN - Proton VPN Support

So what you are saying is that if I use a VPN and have DoH enabled, then my DNS queries will go to two servers instead of one, thus standing out. I assumed that it would choose one of the DNS resolvers and not use both. Then what you are saying seems logical, at least if every other Mullvad Browser user also disables DoH and uses Mullvad VPN.

1 Like

I understand, thanks for the answer. I don’t like light mode in general, so I was hoping that it didn’t matter.

1 Like

Hmm, to be honest, I don’t really follow what Proton is trying to say here; they should be more specific about what context they are talking about.

My best guess is that they are talking about a context where you’ve installed Proton VPN at the network/router level and would like to set it up to block or reroute devices on your network that send DNS queries to third-party DNS servers. DoH is (by design) harder to identify and harder to block, so in that context it would probably not be a good choice.

No, your first assumption was more correct. I did not mean to imply that both servers would get queried. Possibly it would be easier to understand visually. This is how I think the two scenarios would look (VPN with the VPN’s internal DNS versus VPN with an external DNS service):

In both cases I believe all traffic between you and the VPN server would be safely encrypted within the VPN tunnel. But in the (left-hand) scenario where you use the VPN’s default internal DNS server, your DNS queries would not exit the VPN, whereas when you use an external DNS server, your traffic does exit the VPN (still encrypted by DoH, but no longer encrypted by the VPN). This is my current best understanding as an amateur.

1 Like

Yes I agree. I didn’t like the generality of their reasoning.

That’s interesting, I didn’t know that you could do that. That makes sense then indeed.

Ok, I think I understand. What you were saying before is that by using DoH you use an extra tunnel to reach Mullvad Browser’s DNS server instead of directly using the DNS server that’s already provided by the VPN provider, thus standing out from the rest who only use the DNS server of the VPN.

Thanks for the detailed answers!

Maybe they should have at least posted this suggested change on their starting page or somewhere similar, since it’s one of the few changes to the settings which they promote.

Do you have an opinion about the first question that I asked, or do you think it’s just a matter of personal taste?

My opinion is that that approach won’t hurt, and it might help. So if it’s something you are interested in doing I’d say go for it. It seems like a reasonable strategy.

1 Like

You can use the dark theme or the light theme, it doesn’t matter. What matters is that you’re not sending a signal that you always prefer light or dark websites, but this is already locked by Mullvad Browser.

1 Like

I also answered on the other thread, so let me quote myself:

This is mainly for two reasons:

  • performance: DNS requests sent through DoH are anycasted, so you can’t be sure they will take the shortest path, and using the same server as the VPN tunnel will ensure you get the fastest response
  • potential detection of the VPN: some services will look for a mismatch between DNS requests and other types of requests and might block you from using their services

As a Mullvad VPN user, there’s no advantage to using DoH when connected. DoH is there by default because we can’t assume Mullvad Browser users are using a VPN, and DNS requests are encrypted.

In terms of privacy, in most cases it shouldn’t matter much, because in both cases requests are encrypted.

To answer your queries, a website will be able to detect that there is a mismatch when you use a VPN connection and a DoH service that is not “matching” (for example Mullvad VPN and a third-party DoH, or another VPN and Mullvad DoH).

It’s up to you to decide whether that’s an issue based on your threat model. Usually, if you trust a VPN, you should trust them to also deal with DNS requests correctly. If that’s the case, then there’s no good reason to use DoH on top of it.

2 Likes
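An added example, not part of the thread, of the server-side check that two of the answers above refer to (the “script to determine the DNS server you are using” and the “mismatch between DNS requests and other types of requests”). The technique is the standard DNS-leak-test design: the page loads a resource from a unique, randomly named subdomain of a zone the site is authoritative for, so the visitor’s resolver has to query the site’s own name server; the site then compares the resolver’s IP with the HTTP client IP. The provider table, addresses and the `LeakTest` class are all constructed for the illustration (documentation and CGNAT ranges standing in for providers, nothing here is a real Mullvad or Proton prefix), and the mismatch verdict is only as good as that table.

```python
import ipaddress
import secrets

# Hypothetical address table (constructed sample data, not real provider ranges).
# "exit" = where the provider's VPN traffic comes from; "resolver" = where that
# provider's DNS resolvers query authoritative servers from.
PROVIDERS = {
    "vpn-a": {
        # In-tunnel resolver answers from the same range as the exits, so a client
        # using the VPN's default DNS "matches" by construction.
        "exit": [ipaddress.ip_network("198.51.100.0/24")],
        "resolver": [ipaddress.ip_network("198.51.100.0/24")],
    },
    "vpn-b": {
        "exit": [ipaddress.ip_network("203.0.113.0/24")],
        "resolver": [ipaddress.ip_network("192.0.2.0/24")],  # provider's public DoH
    },
    "public-doh": {
        "exit": [],
        "resolver": [ipaddress.ip_network("100.64.0.0/24")],
    },
}


def provider_for(ip, role):
    """Return the provider whose `role` ("exit"/"resolver") prefixes contain ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in PROVIDERS.items():
        if any(addr in net for net in nets[role]):
            return name
    return None


class LeakTest:
    """Server-side half of a DNS leak test for a zone we are authoritative for (hypothetical)."""

    def __init__(self, zone="dnstest.example"):
        self.zone = zone
        self.seen = {}  # token -> resolver IPs that asked our authoritative server

    def issue_token(self):
        # The page embeds e.g. <img src="https://<token>.<zone>/p.gif">; the random
        # label defeats caching, so the visitor's resolver must query us directly.
        token = secrets.token_hex(8)
        self.seen[token] = []
        return f"{token}.{self.zone}"

    def record_authoritative_query(self, qname, resolver_ip):
        # Fed from the authoritative DNS server's query log.
        token = qname.split(".")[0]
        if token in self.seen:
            self.seen[token].append(resolver_ip)

    def classify(self, token_host, client_ip):
        """Compare who resolved the token with who fetched it over HTTP."""
        resolvers = self.seen.get(token_host.split(".")[0], [])
        if not resolvers:
            return "no-query"  # blocked or never loaded; nothing to conclude
        exit_provider = provider_for(client_ip, "exit")
        if exit_provider is None:
            return "no-vpn"  # client is not on a known VPN exit
        resolver_providers = {provider_for(r, "resolver") for r in resolvers}
        return "match" if resolver_providers == {exit_provider} else "mismatch"


def demo():
    """Three constructed sessions; returns their classifications."""
    lt = LeakTest()
    results = []
    # 1. VPN-A user on the VPN's internal DNS: the resolver sits in the exit range.
    host = lt.issue_token()
    lt.record_authoritative_query(host, "198.51.100.2")
    results.append(lt.classify(host, "198.51.100.7"))
    # 2. Same VPN-A exit, but the browser's own DoH points at VPN-B's resolver.
    host = lt.issue_token()
    lt.record_authoritative_query(host, "192.0.2.5")
    results.append(lt.classify(host, "198.51.100.7"))
    # 3. No VPN at all, using a public DoH resolver.
    host = lt.issue_token()
    lt.record_authoritative_query(host, "100.64.0.9")
    results.append(lt.classify(host, "93.184.216.34"))
    return results


if __name__ == "__main__":
    print(demo())  # ['match', 'mismatch', 'no-vpn']
```

Session 2 is the situation discussed in the thread: the HTTP connection arrives from one provider’s exit while the DNS lookup arrives from a different provider’s resolver, which is the signal a geoblocking or anti-VPN service can key on. Session 1 shows why using the VPN’s own resolver avoids it. The check says nothing about what the query contained, only about where it came from, which is consistent with the point that both setups are encrypted.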

Yes, this issue was also brought to my attention. So is this specific to Mullvad Browser, or is it a feature that Tor Browser already has? I mentioned in another thread that a different browser theme is used in the images shared on Tor’s support page.

Thanks for the reply and for your work. I really like the Mullvad Browser.

What I understand from your website and wiki is that with the anycasted service the DNS resolvers in different geographical locations share a single IP, and the route of your DNS query tries to find the closest one. If it can’t find that, then the next closest.

  • When you say that “we can’t be sure they will take the shortest path”, do you mean it is possible that the closest servers used with the anycasted service will be far from the client, or that the closest ones will be unavailable for some reason?
  • Is there a specific reason why a service would block the client if it notices this mismatch?

Mullvad Browser inherits this behavior from Tor Browser. I can confirm that you can install any theme from the Firefox Themes, with no impact on your browser fingerprint.

3 Likes

In most cases, it will take the shortest path. But due to the decentralized nature of the internet, you can’t guarantee it. We receive reports of non-optimal routes at times.
ISPs/providers/datacenters sometimes have peering agreements between each other that can affect the path of a request.

This is mainly for geoblocking, which is possible to do in many ways.

1 Like