Before anyone says anything, I’d like to point out that I am not suggesting recommending these browsers, though that would be preferable, but I do think there should be a guide on how to properly configure these browsers for the best privacy and security.
Many people cannot or do not want to switch from Chrome to Firefox or Brave. They might need to use webapps or access websites that do not work on Firefox, or they just don’t like changing browsers. There will be guides for Windows and iOS since some people have to use those operating systems. Why not guides for Chrome and Edge too?
Chrome and Edge, while lacking the fingerprinting protection and tracking protection found in Firefox and Brave, do have their advantages. They’re more secure browsers, especially Edge on Windows since it can utilize MDAG. One could use Chrome or Edge for security-sensitive activities like banking and Firefox or Brave for everything else. This could increase attack surface as you now have two browsers installed on your computer, but the benefits of this outweigh the risk.
So even though Chrome and Edge likely won’t be recommended, though I think they should, I still think there should be a guide or recommended configuration for these two browsers. While Firefox and Brave would be considered preferable, some people may not be able to use either of those browsers and have to use Chrome or Edge instead.
Regarding Microsoft Edge, I think this would make sense as part of our eventual Windows guide, as there are use-cases where someone may prefer to use it over another browser.
While I understand that it would perhaps make sense to have a configuration section for Google Chrome, seeing as it is used quite widely, I’m not exactly sure what those configuration recommendations would be.
Furthermore, I don’t see the use-case for Google Chrome. If you’re going to want additional security, would it make sense to choose Microsoft Edge, seeing as it allows you to disable JIT?
I’m sure you have ideas on how this would actually look, so please let us know!
For Windows, definitely, and users are already trusting Microsoft by using their operating system. For other operating systems, it depends on whether they value security (Edge) or privacy (Chrome).
Here’s what I have so far:
Enable enhanced security mode on all websites. Only disable on certain sites that break with it enabled.
Microsoft Edge Secure Network I don’t think is ready yet but it will be similar to iCloud Private Relay. This may be a privacy concern since Microsoft controls the servers, but it may be useful for those who cannot use a VPN. Does Microsoft Edge Application Guard (MDAG) bypass VPNs like ProtonVPN and Mullvad?
Chrome and Edge do allow users to disable JavaScript and enable on certain websites without the need for an extension. Disabling JavaScript does make you stand out, a lot of websites will not work without it, and it does not prevent tracking, but it can reduce attack surface. This would be for advanced users who understand the benefits and risks as most people won’t need to disable JavaScript, but it is one reason to prefer Chrome browsers over Firefox browsers as Firefox requires disabling JavaScript in about:config and doesn’t allow whitelisting sites.
I generally don’t recommend installing any extensions at all; uBlock Origin Lite may be useful for those who wish to have the convenience of blocking ads.
I’d recommend clearing cookies and site data as well as browsing history on exit. Unfortunately Chrome doesn’t allow clearing history on exit, so one would have to use incognito mode to disable storing of history.
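Added example, not part of the original post: a short Python audit that compares a Chromium or Edge managed-policy file with the settings suggested above (JavaScript blocked by default with a per-site allowlist, session-only cookies, Edge enhanced security mode). The keys are Chromium/Edge enterprise policy names; the expected values, the sample policy and the `bank.example` host are assumptions of this example.

```python
import json

# Expected values encode the forum post's suggestions (an assumption of this
# example); the keys are Chromium/Edge enterprise policy names.
EXPECTED = {
    "DefaultJavaScriptSetting": 2,   # 2 = block JavaScript by default
    "DefaultCookiesSetting": 4,      # 4 = keep cookies for the session only
}
EDGE_ONLY = {
    "EnhanceSecurityMode": 2,        # 2 = strict (applies to all sites)
}
ALLOWLIST = "JavaScriptAllowedForUrls"


def host_of(pattern):
    """Return the host part of a content-settings URL pattern."""
    rest = pattern.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0]


def audit(policy, browser="chrome"):
    """List findings where `policy` departs from the suggested settings."""
    expected = dict(EXPECTED)
    if browser == "edge":
        expected.update(EDGE_ONLY)
    findings = []
    for name, want in expected.items():
        got = policy.get(name)
        if got != want:
            findings.append(f"{name}: expected {want}, found {got!r}")
    # A catch-all allowlist entry re-enables JavaScript everywhere.
    for pattern in policy.get(ALLOWLIST, []):
        if host_of(pattern) == "*":
            findings.append(f"{ALLOWLIST}: wildcard entry {pattern!r}")
    return findings


# Constructed sample policy content, not taken from a real deployment.
SAMPLE = json.loads("""
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": ["https://bank.example", "https://*"],
  "DefaultCookiesSetting": 1
}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE, browser="edge"):
        print(finding)
```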
I didn’t think it did but I couldn’t remember where I found it. That said, I think Microsoft Edge Secure Network should be mentioned for this reason, though a lot of users aren’t comfortable sharing their data with Microsoft, but it’s useful for those in a public Wi-Fi network or wanting to hide their IP address.
Microsoft Edge does have required telemetry that can’t be disabled, which would be a concern for some users, but this isn’t an issue since the telemetry is necessary to deliver browser updates, certification revocation updates, and more. I do not recommend blocking these connections. Not all telemetry is bad and sometimes paranoia about telemetry is worse than the telemetry itself.
If people don’t want to change browsers from Chrome even to Brave, I don’t think they will change these settings either to be honest. The only scenario would be when you need Google Sync.
I think you’d be surprised at the friction that changing web browsers can pose for the vast majority of people. While I don’t think anyone’s suggesting that Privacy Guides should recommend Google Chrome over an alternative, like Brave, I definitely see the value in offering guidance on how to change default settings, and which settings to change.
It seems to me that the wider issue for guides on browsers like Google Chrome is about scope. Our target audience—at least, in the Writing Style guide—is “average, technology using adults”, or “average computer users”. There are definitely good questions (like what you should expect from an average adult who is somewhat proficient with computers), but they seem best kept for a separate thread.
To this point, some of the crux issues might be
whether advice on configuring settings could be given in a way that isn’t an endorsement (if that were the decision), or
whether such advice is within the scope of the Privacy Guides project, etc.
(I don’t have any answers: I just thought I’d chime in)!
True, but I don’t think recommending the average person using Chrome to clear their cookies on site exit or disable JavaScript is going to work out well. If they are going to that effort, then they really should switch browsers anyway. I guess the easy things would be to turn off FLOC, get uBlock Origin (if we’re being honest - the chance of it being exploited is very low and it provides a lot in terms of blocking potentially malicious ads and annoyances which are far more dangerous) and disable third party cookies but even that last one can cause site breakage.
On that note I think the same could be applied to Brave and Firefox. Asking users to manually place exceptions for every site they want to keep cookies on is very cumbersome. It’s honestly way more practical to just use private browsing when it’s not necessary to sign in.
I explicitly stated that disabling JavaScript would be for advanced users. Yes, there are valid use cases in which Chrome and Edge are preferable over Firefox, such as for web apps and security-sensitive stuff like banking. The only inconvenience there is to clearing cookies on site exit is having to log in each time one opens their browser, but that’s probably better for security and privacy anyways.
If advice for changing settings in Windows and iOS is allowed, then I see no reason to not have a guide for changing settings in Google Chrome since so many people have to use it. Neither of these browsers would be listed as recommended desktop browsers but there could be a browsers section in Knowledge Base.
Don’t you mean topics? FLOC has been deprecated for months.
WebKit is not a secure browser engine as it doesn’t support site isolation among other things. In general, one should use Chromium browsers only and avoid anything else except maybe Firefox. Chromium browsers have to use a lot of energy because it is required for multi-process sandboxing and site isolation. This isn’t an issue.
Lightweight browsers are much less secure than Chromium as they typically don’t have sandboxes and exploit mitigations nor is there much security research done on the project. Take Pale Moon for example. It’s based on extremely outdated Firefox code, still uses XUL which was deprecated years ago as it was a huge security risk, still supports other plugins which have been dropped years ago, and lacks fingerprinting protection, enforcing HTTPS, and other privacy features. It is essentially a security and a privacy nightmare yet it has only received a few CVEs. Why? Because nobody bothers to report the countless vulnerabilities that Pale Moon has and very little security research if any at all is done. Microsoft Edge offers more privacy than any lightweight browser including the ones with no telemetry.
A question. Okay with offering guides to configure Chromium browsers, but, I do not know, I say. Wouldn’t it be better, while we’re at it, to make guides for Chromium browsers that don’t attack privacy as much as Edge and Chrome do? I say this because you talk about Edge and Chrome, but there are other powerful Chromium that I think we should take into account, such as Vivaldi or Ungoogled. Website, about privacy in browsers.
No, because other Chromium browsers are not secure as they are behind in updates. Vivaldi skips every other Chrome version, meaning its users are exposed to unpatched vulnerabilities for a month at a time. Ungoogled Chromium does not automatically update and its patches degrade security.
Also, Spyware.neocities.org is an alarmist fake news and conspiracy theories website. To them, everything is “spyware”. TOS;DR isn’t a bad resource but it’s always better to link to the official terms of service and privacy policy rather than use a third-party resource.
Honestly, I’m starting to think that this website should be called SecurityGuides, not PrivacyGuides
-_-
I don’t mean to say that the site doesn’t do its job, of course it does, it just seems to sacrifice privacy in favor of security, even if we are talking about Google and Microsoft.
About Vivaldi, I didn’t know it took so long to receive Chrome updates, my bad. In this case this point if I see it well counterargued, not like the 2~3 days of Librewolf, but well, it’s another topic.
I want to make one thing very clear here. Conversations that you have on this forum with other members are not reflective of the Privacy Guides team or have anything to do with our official recommendations.
Please refer to the banner at the top of this page:
This discussion forum contains community and personal advice, tool suggestions, and proposed changes; none of which have been approved or vetted for accuracy. If you are looking for advice right now, today, visit privacyguides.org.
Furthermore, I would like to comment on this:
Honestly, I’m starting to think that this website should be called SecurityGuides, not PrivacyGuides
I reject this notion. Privacy and security are not a binary either/or thing. A thing that we see a lot in the community is that people seem to think that these things are unrelated to one another.
What’s the use in “privacy” if you’re using a system that has known unpatched vulnerabilities, for example? That means that the ways to exploit your system (and therefore potentially compromise your privacy) are publicly available.
Security, in many cases, is a prerequisite for privacy. I will agree with you that something that is secure is not necessarily private, and that is why we carefully consider our recommendations to navigate these nuances, but conversation about this topic also needs to be nuanced instead of a binary privacy/security paradigm.
This website is about privacy and security, none of which are. On Windows you can uninstall those bloatware/spyware for LibreWolf (hardened Firefox fork) or use brave.com browser. Then you use those to add your security “hardening” with those.
What’s the point of being secure if they track us and don’t respect our privacy? Are you even listening to yourselves? You are talking about Chrome and Edge, you are literally talking about the two browsers that those of us who care about privacy should avoid the most.
I really don’t understand you guys. It’s true that security is important, of course, but this is outrageous. Would you recommend a ProtonMail that has full access to read every single detail of your emails, and share them with third parties? or a Tor that tracks your every move within its network? Outlook is a secure and stable email client, so come on, what are you waiting for to make it a guide and recommend it among your PRIVACY GUIDES?
Come on, please, it’s one thing to be permissive and quite another to take us for a ride.
Be coherent at least, please, I do not say that you do not have part of reason, but I insist, from there to recommend Chrome and Edge before other projects widely more dedicated or at least committed to privacy, is a joke, and not exactly a good one.
Privacy just means the big corporations aren’t tracking you. Security is what keeps outside parties like hackers from tracking you.
Except they don’t. Google is good at keeping hackers from reading your emails, but they still read them. PGP can prevent Google from reading emails but it’s very limited as it doesn’t support forward secrecy nor does it encrypt metadata. Google also forbids use of insecure email clients, which is another reason why Gmail is so secure.
Security is necessary to have privacy, and I do recommend a lot of open source products, including Signal and GrapheneOS, but the reality is open source and proprietary, privacy-respecting or no, has nothing to do with security. Google Chrome and Microsoft Edge are the most secure browsers and because of that they offer good privacy from hackers and malicious websites, but they are not private in themselves. Because security is necessary, those browsers can be made private whereas Pale Moon cannot.
Sometimes the best options for privacy are the ones that aren’t committed. For example, Microsoft Office is the recommended office suite for Windows as LibreOffice is insecure. Google Pixel devices are the only secure phones and all other phones should be avoided. Stock Android is far more secure than all custom ROMs (including DivestOS which exists solely to provide harm reduction for those who cannot afford the newest Google pixel and should only be used as a last resort) except GrapheneOS and all Linux phones.
Security is what keeps outside parties like hackers from tracking you.
Security is what prevents adversaries (literally anyone with malicious intent, not just hackers) from accessing information or gaining control over systems you do not wish them to.
Except they don’t…
Please explain the exact security vulnerabilities that Proton has, that Gmail does not. Otherwise this is just promoting FUD.
Google Chrome and Microsoft Edge are the most secure browsers and because of that they offer good privacy from hackers and malicious websites
So they’re the most secure purely because they’re big corporates? What evidence do you have? Large open source projects have proven to fix flaws faster than big corporates… Google themselves agree. Source
Microsoft Office is the recommended office suite for Windows as LibreOffice is insecure
Recommended only according to you. How is LibreOffice insecure? No evidence just more tinfoil FUD
Google Pixel devices are the only secure phones and all other phones should be avoided.
Another generic misleading statement. Yes, they are likely the most secure on the market; that doesn’t make all other phones insecure by default. If you create a list of security risks/attack surface a mobile phone poses and the effectiveness of the controls in place to mitigate those risks and then used that to score the phones, then ONLY if the Pixels received a significantly better score could you say that they’re the only secure phone. If the S22 mitigated 85% of security risks and the Pixel 88%, does that make the Pixel the ONLY secure phone? No, it makes it the most secure.
Stock Android is far more secure than all custom ROMs
By ‘Stock Android’ you mean the version of AOSP that Google runs with its proprietary blobs…?
Or the cleaner GSI direct from AOSP themselves (albeit with its own usability drawbacks).
You’re spreading a lot of FUD in these statements, please link real evidence before making absolute statements, your advice can hurt others…