Browser Use Cases

Hello!

Surprise! It’s another browser post.

Just wanted to get a second opinion and ask some clarifying questions… I’m using a couple different browsers and I wanted to talk about the best use cases for the ones that seem to be the most recommended/talked about in Pguides.

Brave use case:

  • Chromium in case Gecko doesn’t play well with sites/services
  • Staying logged in between browser sessions and syncing
  • For services who already know your identity (more or less)

Librewolf/Arkenfox use case:

  • Gecko is not g00gle!
  • Daily driver
  • Logging in to services who don’t necessarily know your identity (logout with browser close)

Mullvad use case:

  • Gecko is not g00gle!
  • Fingerprint resistance
  • No logins and VPN integration for fast & hardened browsing

Tor use case:

  • Freedom!!! and cutting edge anonymity
  • .onion services and dark web

IE/Safari/GChrome use case:

  • Stuck in proprietary ecosystems
  • Last resort

Do these use cases seem legit? Clearly personal preference will vary, I am aiming for general uses.

I don’t use Tor much… I’m not accustomed to .onion and the dark web. When are you using Tor? Do you use it for general web surfing? Is there any point to using it (browser/Orbot) on mobile if you are using a proprietary OS?

I think the Tor Project is wonderful, I’m having a hard time finding a good use for it outside of the dark web and would like to learn more.

2 Likes

Arkenfox is great for custom browser profiles, since it’s just a user.js file overwriting and setting preferences. Since the community does a lot of the heavy lifting, you can create specific profiles for specific use cases instead of just using it out-of-the-box. For example, if you use I2P, you could create a Firefox profile specifically for I2P by disabling JS by default and configuring the proxy settings to route everything through I2P by default.

Librewolf is great for anyone who wants a hardened browser, but may find Arkenfox overwhelming to deal with. It’s a good out-of-the-box solution that can be used by people who aren’t particularly tech savvy. Librewolf and Arkenfox have very similar fingerprints and are recognized by some tracking services, such as fingerprint.com, as the same identity.

I take some issues with Brave, given that it’s not as hardened as any of the above-mentioned options and it’s relatively easy to fingerprint. I mentioned before in a different thread that you can visit fingerprint.com with the Brave browser and then open up an incognito+Tor window inside of Brave. If you visit the site again, but with the incognito Tor window, it will return the exact same identity, rendering the use of Tor useless. See here: Recommendation of FF Profile - #4 by Satoshi

If you need to use Chromium for some reason, I’d suggest just using ungoogled chromium instead.

Regarding Tor, you can use it for any day-to-day browsing and don’t have to use it strictly to visit onion sites on the dark net. There are other cases where you may want some degree of anonymity in which Tor can be useful. For example, in a separate thread I mentioned “hidden backups”, see here for more: Looking for ideas for my data backup setup? - #12 by Satoshi. Also useful, if you want to create an online identity, but don’t want it linked to your real identity, although this does require some changes in behavior as well.

The Mullvad Browser is great, especially if you use multiple profiles (go to about:profiles). You can have different browser profiles each of them using a different Mullvad proxy location, thereby you can use it for specific sites and services while your identity remains the same. For example, you may be using one forum with one online identity for which you pick “Frankfurt, Germany” as the proxy location, while for activities associated with your real identity you may use “Zurich, Switzerland”. Thereby you can maintain consistency.

Generally I recommend trying to compartmentalize your activities as much as possible. In some cases you have to be consistently consistent while in others you have to be consistently inconsistent. If you are using Mullvad, it’s relatively easy since you can use a SOCKS5 proxy for each browser and thereby associate a specific location with your identities. With Tor, you don’t have to think about it, which is great for general browsing.

A reason why I recommend the above is because VPNs have come up in legal cases quite a bit. The VPN provider may to provide information on the specific user, but the government can see that you were using X VPN hosted at Y data center in Z location at a specific time and that matches the online activity associated with your identity. You can obfuscate your activity by using multiple proxies with multiple browsers for multiple identities.

Lastly, I’m not making a case for one browser over another, since I use all of the above.

3 Likes
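
The per-identity setup described in this post (one Firefox profile per identity, each pinned to its own SOCKS5 proxy location), as an added example that is not part of the original post: a small audit of each profile's user.js overrides. The profile names, proxy hostnames and the policy being checked are assumptions, and the sample files are constructed.

```javascript
// Constructed user-overrides.js content for three profiles (hosts are placeholders).
const SAMPLE = {
  forum: `
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "socks-a.example");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);`,
  banking: `
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "socks-a.example");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
// user_pref("network.proxy.socks_remote_dns", true);`,
  scratch: `user_pref("network.proxy.type", 0);`,
};

// Active user_pref("name", value); lines only; //-commented lines do not match.
const PREF_RE = /^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*("[^"]*"|true|false|-?\d+)\s*\);/gm;

function parsePrefs(text) {
  const prefs = {};
  // Later lines overwrite earlier ones, as when Firefox reads the file.
  for (const m of text.matchAll(PREF_RE)) prefs[m[1]] = JSON.parse(m[2]);
  return prefs;
}

// Hypothetical policy: every identity profile pins its own SOCKS5 exit and remote DNS.
function auditProfiles(files) {
  const findings = [];
  const seen = new Map(); // proxy endpoint -> first profile that uses it
  for (const [name, text] of Object.entries(files)) {
    const p = parsePrefs(text);
    if (p["network.proxy.type"] !== 1 || !p["network.proxy.socks"]) {
      findings.push(`${name}: no manual SOCKS proxy configured`);
      continue;
    }
    if (p["network.proxy.socks_version"] !== 5)
      findings.push(`${name}: socks_version is not pinned to 5`);
    if (p["network.proxy.socks_remote_dns"] !== true)
      findings.push(`${name}: socks_remote_dns is not true, DNS may bypass the proxy`);
    const endpoint = `${p["network.proxy.socks"]}:${p["network.proxy.socks_port"]}`;
    if (seen.has(endpoint))
      findings.push(`${name}: shares exit ${endpoint} with ${seen.get(endpoint)}`);
    else seen.set(endpoint, name);
  }
  return findings;
}
console.log(auditProfiles(SAMPLE).join("\n"));
```

Block comments (`/* ... */`) in a user.js are not handled by this parser, so strip them first or keep overrides in single-line form.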

This is very helpful thanks!

What browser advice would you give someone who is currently required to reveal their identity for occupation/healthcare/finance/etc besides strict compartmentalizing?
(ofc no one should be in this situation ideally)

If my understanding is correct, you may want to avoid browsers like Tor and Mullvad in those situations.

Onion is good, Tor Browser is not good. You should avoid any Gecko based browsers, unless you really can not. Brave is good. That is an answer…

I mostly use Brave on mobile, but I also have Fennec installed. And also Kiwi and Chromium.

I could not switch to Brave on desktop (it looks like shit on desktop), using it 50/50 with Firefox (betterfox.js) there, no other browsers.

2 Likes

Create a new profile in Firefox with the Arkenfox user.js, specifically for times when you need to reveal your identity. You can still use RFP and other hardened functions, since you’ll limit how much data they’ll get on your device. If you’re using Mullvad as a VPN provider, consider using a SOCKS5 proxy for that Firefox profile specific to one location. That way, the identity always remains the same, but the fingerprint will be different compared to your other usage. You can also allow WebRTC or other functionality in that specific profile.

Alternatively, use Chromium if you need more functionality. I’ve experienced some issues with Arkenfox when using it for more complex platforms or WebRTC, which means you have to do a ton of troubleshooting and testing. Chromium is great, if you want to go the simple route here.

I unify all my web usage in Brave. It’s a secure browser, mostly because it’s based on Chromium. See:

https://madaidans-insecurities.github.io/firefox-chromium.html

There are many security issues with Firefox’s Gecko engine, especially on Linux. The article was updated in 2022, however, most security issues that were mentioned in the article aren’t fixed yet. So, any browser that’s based on Firefox would inherit the same security weaknesses, unless the forks specifically patched those weaknesses themselves. Nevertheless, they’re basing their software on the weak base (Gecko engine).

It’s not simply Gecko is not Google. Or whether Chromium is Google (Chrome is Google, but Chromium is not due to its license).

Regarding Tor, I am not sure whether it’s good for anonymous usage. First, your ISP/IT department would know you use Tor. Second, you need an exit node to connect to the target server, of which is unencrypted, and could be populated with malicious nodes (if not already), see: Someone Is Running Hundreds of Malicious Servers on Tor Network.

Lastly, since Tor is based on Firefox ESR, I doubt all the security fixes, even when they were classified as high impact, would be back ported from the latest release in a timely manner. At least, not all high impact security vulnerabilities from Firefox 122 are back ported to Firefox ESR 115.7 currently. See: Security Vulnerabilities fixed in Firefox 122 — Mozilla, and Security Vulnerabilities fixed in Firefox ESR 115.7 — Mozilla.

I recommend anyone who wants to use Tor to read the below article first. It’s from 2016, but I think the concerns in the article are still valid.

I think, IE should be Edge :joy:

If you’re a web developer, you would be required to test your website/web app on all of them. Most clients, if not all, don’t require web devs to test their code in Firefox anymore.

3 Likes

To SOCKS5 or not?

It’s not an issue when you use SSL and when you use a VPN who provides both the proxy and the VPN, as is the case in Mullvad. In the case of Mullvad, you are not only using the proxy, you are using the VPN first and then the proxy. This is useful to change the IP and location the end server sees. ISP wouldn’t be able to read anything and since Mullvad owns both the VPN and SOCKS5, there’s not much of a difference.

I believe this opinion goes against the recommendation of both the Tor Project, and this Privacy Guides. That doesn’t make it invalid, but I’m curious what factors lead you to feel this way?

You should avoid any gecko based browsers

I also have Fennec Installed
[I am] using it 50/50 with Firefox (betterfox.js)

What factors lead you to make a blanket recommendation against all gecko based Browsers, when you personally use multiple Gecko based browsers?

3 Likes

What exactly goes against PG recommendations? Brave and Orbot are recommended. Tor Browser is not recommended in the browsers section.

I just find Firefox ui/ux much better, than Brave. Just my use case.

It doesn’t have a dedicated card in this section, but observe the second paragraph from the top of Privacy Respecting Web Browsers for PC and Mac - Privacy Guides

If you need to browse the internet anonymously, you should[1] use Tor instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by somebody in some manner or another.


  1. Emphasis added to explicitly signal the presence of a recommendation ↩︎

1 Like

So we still have ‘if’ here and Orbot is Tor. Check the article above about Tor Browsers, sums it enough to avoid using dated software.

Further to this, there is a whole Tor section in which…

Tor browser is explicitly recommended

3 Likes

This does:

Onion is good, Tor Browser is not good. […] Brave is good.

Tor Browser is the recommended Browser to use if you are connecting to the Tor Network and your OS supports it.

Only because the scope of that section has changed, the browser section is now limited to:

standard/non-anonymous browsing

Recommendations for anonymous browsing are located in the Tor section (Tor Browser is the first browser recommendation on that page):

PG: Tor Browser is the choice if you need anonymity

PG: If more complete anonymity is paramount to your situation, you should only be using the desktop Tor Browser client, ideally in a Whonix + Qubes configuration.

2 Likes

I use BRAVE exclusively. I use Nord VPN on all my traffic over my ISP connection. Although I have read here that NO VPN can anonymize my traffic according to their specifications they do. They supposedly interchange my IP with the IP of their Server before transmitting.
I do not sync my Browsers (across devices) but rather keep them separate. I use the BRAVE Shield on sites that allow it. My bank has no problem with this so I am ok with it. I also use uBlock origin and tune it to those sites where finances are concerned. I use a wired unit when connecting with all of these finance related sites, with a stand alone BRAVE browser only. I have it erase all data, cookies, etc immediately after finishing any session. It can even be set to erase ‘site data’ when you close a tab. I essentially only have one tab open at a time.
I have used TOR and have it installed on all my devices. I seldom use it but I support the concept for those in the world who are under government censorship and dictators.
Until recently I have used Firefox and I liked it. I no longer use anything but BRAVE. I have an android but never use Google, if I can avoid it. One cannot remove Chrome from my phone so I guess it really isn’t MY phone after all.
I will never sign on under/through any of the tech titans. I set up my own accounts, or I don’t sign up at all. I use LastPass to manage my passwords and use it exclusively for all my UID/Password logons. I am pleased with my setup but I have no delusions about my ‘Privacy’. I belong to no social media sites. My Achilles heel is Email. I have as yet not studied my options with regards to private email options.
I use cryptomator to create, on my units, a secure vault (full of my select files which are encrypted) and then will store the vault in the Cloud. I use the cloud for cell phone backup and secure storage of these vaults.
Now that I am getting used to these approaches, I feel more comfortable with my digital traffic. I am doing these things to learn as much as for security or privacy.
I believe the tech companies promise you security and you only have to trust them to keep your interactions private. They don’t!

It depends on how it is used and from where.

It may be completely fine to have a SOCKS proxy from a routed VLAN to vpn to a different VLAN that is direct.

It also can make sense where something else is used to provide encryption, eg v2ray.

There will be situations where you want to use Known, Unknown and Anonymous identities.

  • For example there is no reason to use a VPN to a service or site that already knows who you are because you logged in with a username and password and a credit card number or address are on file.
  • A VPN may make sense to prevent correlation of your IP address appearing in server logs, or for P2P related activities
  • Tor Browser makes sense where you might encounter more targeted approaches like fingerprinting in order to correlate usage.

2 Likes

That’s not a logically valid conclusion, since there is no way for you to know whether others share the same fingerprint ID, which would mean that you can’t be uniquely tracked by fingerprinting alone.

Ungoogled chromium had some security issues in the past. Not sure whether they still exist, but it didn’t shed a good light on the project. The privacy features are not as comprehensive as for example on Brave.

1 Like

We don’t recommend ungoogled chromium for a number of reasons including the disablement of CRLSets (which means a rogue CA might not be banned as quickly as it should be) or the fact binaries are produced by a third party.

IMPORTANT: These binaries are provided by anyone who are willing to build and submit them. Because these binaries are not necessarily reproducible, authenticity cannot be guaranteed. For your consideration, each download page lists the GitHub user that submitted those binaries.

This is very serious for something which deals with sensitive data like banking, or whatever site you visit.

No point in claiming something is open source if you’re using untrusted binaries from who knows where submitted by who knows whom. You might as well be using closed sourced software from an .onion website.

Ungoogled chromium is an example where the degoogling movement is a cure worse than the disease. The other thing also being, it really doesn’t have any of the features Brave does in regard to shields, script blocking, or anti fingerprinting anyway.

TLDR untrustworthy browser from unknown places without any real privacy features.

9 Likes