Clarification on PG's browser recommendations

First, thanks to the PG team for their work and many users for their contributions. I’ve been reading you for a long time.

I’ll try to be concise. Under desktop browsers, my understanding is that the recommendation guide suggests Mullvad 1st, Firefox 2nd and Brave 3rd. I would like to choose only one between these last two as my daily-driver for everything. But in the case of FF, I am reluctant to use Arkenfox. I know it costs little, but still.

I wonder if, in case of hardening FF as recommended by PG only via menu settings, while neither going further nor applying AF (I’ll also add uBlock, delete Pocket and new page recommendations etc.), would result in a privacy level equal to a hardened Brave. Especially now that Brave removed its higher level of fingerprint protection and FF supposedly activates FPP (softer than RFP) when you choose the strict tracking prevention mode.

From some previous discussions it seems that they would be on the same level in terms of privacy and in terms of fingerprint protection (I know, only fooling naive scripts, fine for most threat models). However, the guide seems to suggest that FF without AF would not be at the level of a hardened Brave:

“Without using a VPN, Mullvad Browser provides the same protections against naive fingerprinting scripts as other private browsers like Firefox+Arkenfox or Brave.”

In summary, I would like to clarify whether hardened FF using PG recommendations via settings menu without applying AF is just as private as hardened Brave. Is one of the two, even slightly, superior to the other?

I summon @jonah @sha123. I am especially interested in your opinion :folded_hands:

I summon @xe3 @phnx :fire:

Assuming we are talking about desktop and focusing only on the context you gave above,

TL;DR I would consider either mildly locked down Brave or mildly locked down Firefox w/ uBO to be suitable for most people, and roughly comparable in the level of privacy provided. I don’t think you’d be making a wrong choice with either option.


In my opinion, yes. Mildly locked down Brave and mildly locked down Firefox w/ uBO will be more or less comparable with respect to the level of privacy they provide. There are small differences at the margins, and specific features or capabilities one browser or the other will have, but on the whole, both will provide roughly equivalent levels of privacy in practice.

People get pretty extreme and dogmatic about browser choice (myself included sometimes), fixated on extreme threat models or minutiae, but I still am of the opinion that most people are well served by either Firefox w/ uBO or Brave with <5 min of config in GUI settings.

I think there is probably a better way to phrase that.

I think I understand what they are trying to articulate (that unless you hide your IP, what fingerprinting protection can hope to achieve is limited). But regardless of whether you do or don’t protect your IP (you should), the anti-fingerprinting protection (RFP) used by Mullvad and Tor Browser is substantially stronger and goes further than Brave is willing to go.

Though my personal preference is Firefox for many reasons, I think I’d give a very slight edge to Brave at the moment (if only considering privacy in the context you’ve given and not other factors) for one reason: Its (limited/mediocre) fingerprinting protection is enabled by default and probably currently covers more than FPP (because FPP is still new) but less than RFP.

This is probably a small-ish difference in practice, since as you’ve noted neither is suitable for defeating advanced FPing, and defeating naive FP-ing is apparently not very dependent on ‘blending in with a crowd.’ Also because both browsers’ first line of defense against fingerprinting is just to simply outright block known and suspected fingerprinting scripts from running in the first place.

2 Likes

No. The point we are making with this statement is that for Mullvad Browser and Tor Browser to work at their optimal level, it is a requirement to blend in with a crowd on the network level as well. There is not a spectrum here when it comes to advanced scripts, either you are making an effort to thwart advanced fingerprinting scripts, or you are not.

Tor Browser has this built in, so it is not a concern. Since it is optional with Mullvad Browser, we have to note this fact.

When it comes to non-advanced/naive scripts, I think our statement that Mullvad Browser provides the same protections as other browsers is accurate. I haven’t seen evidence that it provides “substantially stronger” protections against naive scripts as you are claiming.

Brave will be superior to any Firefox configuration if you don’t install uBlock Origin, as content blocking is a critical defense against the naive fingerprinting scripts we are talking about, and Brave has these shields built-in by default.

Alongside uBlock Origin, it is more debatable.

I’m reading through our desktop browsers page again now and I think it does give a good overview of the strengths and weaknesses of all these browsers, as well as Arkenfox, so I am not sure what else you would like me to add here.

2 Likes

I personally think Firefox should be removed as a recommendation entirely. A hardened Brave browser is significantly more secure while arguably being more private.

1 Like

I assume you mean Firefox ONLY, not including Firefox’s variants such as Tor / Mullvad? For Firefox ONLY, it is quite debatable but I see your point and I tend to agree. Just with Firefox removed, there’s no Gecko-based browser suitable for the masses, at all, as PG rejected Librewolf already.

1 Like

Yes, Mullvad Browser and Tor have clear and valid use cases. Honestly it’s the existence of Mullvad Browser that makes regular Firefox a questionable choice imo.

1 Like

I have additional thoughts about this new topic too, but I don’t really think we need to divert every single topic that mentions Firefox into a conversation about whether Firefox should be recommended or not.

4 Likes

After thinking about this a bit more, the way I would interpret why FF+AF was specifically mentioned is in part because that section was written 2 years ago. At the time it was written, RFP was the default for Arkenfox, and FPP didn’t exist yet.

Currently FPP does exist, and is enabled automatically when you enable ETP strict mode, and has also become the default for Arkenfox. So afaict, at the current moment the Anti-FP feature used will be the same (FPP) if you use Arkenfox defaults or Firefox configured per PG’s recommendations. In either case RFP can still be manually enabled if you prefer.

Blocking fingerprinting scripts is built-in functionality in Firefox. In the context of fingerprinting, uBO would be an added layer of content blocking on top of what is already present in Firefox.

  • In the default configuration, Firefox blocks “known” fingerprinting scripts.
  • With ETP Strict mode enabled (or in private browsing mode), it blocks “known and suspected” fingerprinting scripts.

The upstream source for these blocklists is Disconnect. This is also briefly discussed in this AF issue.


Reply to Jonah re: fingerprinting which doesn't directly relate to the OP

We are in full agreement on that. Actually, based on past discussions I think we tend to be in agreement on most things with respect to browser fingerprinting, and I think the desktop browser section is really solid overall. Which makes me think it’s likely that one or both of us has misinterpreted something or misspoke above.

[edit: It was mostly me misinterpreting the statement. After reading the section in full (not just the bit quoted in the OP), most of my initial disagreement is gone, and I think that section is pretty well written]

My initial objection to the statement quoted in the OP isn’t a disagreement with the substance of what was said, but with (what I see as) a lack of clarity in how it was phrased. The way it is currently written [1] communicates the importance of protecting your IP, but it can also be (mis)read to imply that Brave w/ a VPN would offer the same level of Anti-FP protection as Mullvad Browser w/ a VPN (which I’m almost certain we would both agree is not an accurate takeaway).

“I haven’t seen evidence that it provides ‘substantially stronger’ protections against naive scripts as you are claiming.”

I didn’t intend to make any statements about naive scripts specifically.

All I mean to communicate is that as a feature RFP goes further and protects more than what Brave is doing or will likely ever do. In what contexts that added protection is needed, and what other strategies should be used in parallel are important, relevant, but distinct practical questions to answer.

I don’t see any conflict between saying, (A) RFP as a feature is stronger and covers more than what Brave offers, and (B) but in the specific context of naive scripts, either one is probably adequate.


  1. “Without using a VPN, Mullvad Browser provides the same protections against naive fingerprinting scripts as other private browsers like Firefox+Arkenfox or Brave.” ↩︎

Thanks jonah. I am referring to hardened (only via settings menu PG guide recommendations) Firefox + uBlock :fox: vs. hardened Brave :lion: (also via settings menu PG guide recommendations).

This is what doesn’t seem to be clear. It seems that the guide suggests that only if I add Arkenfox to Firefox will it be as private as a hardened Brave, while a hardened Firefox (+ uBlock) changing just settings via PG recommendations won’t. What is your opinion on this debate?

1 Like

Thanks always for your effort putting together comprehensive answers, xe3. So, can we conclude that today it may no longer be necessary to apply AF or that the importance of doing so would be very small?

So Brave has for now overall the slight edge but this might easily change in the future with FPP progression? And, with other privacy factors I understand you’re referring to Chromium monopoly, among others, right?

Thank you phnx. I’ve read many times about the potential security risks of FF, including Madaidans and the various professionals whose opinions he also refers to, as well as the GrapheneOS team, Daniel Micay, BeerIsGood, Kuketz or even you.

To clarify, I have no opinion; I’m not a professional. Everything seems to indicate that this is the case, but I don’t know to what extent it is so serious in practice as to choose Brave over FF, because perhaps the latter, despite all the Mozilla bs and FF being inferior in some other aspects, is a healthier privacy project long-term.

Also, just to add info, regarding FF security, I’ve been following the posts from a Reddit user who supposedly is an experienced professional and whose company does browser security certifications for companies and governments, auditing the code and the internal behaviour.

He claims that while it is true that Chrome or Edge are more secure, FF is only slightly less secure. And that Brave, in turn, is slightly less secure than Firefox due to increased attack surface from Web3 and other features that can’t be fully disabled. He says that because of this Brave issue, only Chrome, Edge and FF are officially certified for high security environments for now, although he qualifies that all of them, including Brave, are perfectly secure.

Analyzing its data traffic and telemetry, he states Brave is more private by default, and that FF has more of it than he would like, although it can be easily disabled. He personally uses his own modified FF.

I’d digest this with certain skepticism regarding the rank but I tend to agree that this is probably how they may end up stacking when talking about security. They are probably very close, Brave and Firefox trading some blows, I’d not stress too much on security in both. Not sure about the Tor and Web3 claim that was made about Brave but recently I started also questioning some of the security practices that Brave applies or the lack of them like was discussed in this thread. The thing that I’m not a big fan of in the Reddit post is that I feel that the author is discounting quite a bit the Firefox problems. Again, I think they may tend to be very close. **

Privacy wise people get very confused in many ways how to measure the efficiency of a browser, as you can see in this video:

**Edit: Also never heard any expert mentioning this Ulaa Browser that it is its comments.

Gee, I wonder whose fault is that? :sweat_smile: :rofl:

Firefox keeps shooting itself in the foot so often, it’s a miracle it hasn’t shot itself in its own head.

1 Like