How secure is the Mullvad Browser, because Privacy ≠ Security

Hi,

I would like to know how secure the Mullvad Browser is.
So for example how long does it take for security fixes? If it turns out that a security fix is applied a week later than on Firefox, that’s unacceptable for me.
Also I’m using Ubuntu and Mullvad Browser using just one deb file (as far as my limited knowledge can tell) for both Debian and Ubuntu doesn’t seem right. Because Ubuntu has, as far as I know, different configurations than Debian…especially the Apparmor stuff.
And since it’s neither snap or flatpak, there is also no sandbox at all, right?

I could go on, but I’m not a security expert, so maybe the security experts here could weigh in on this.
Maybe I should just use the standard Firefox snap on my Ubuntu if my priority is security and not privacy?
Because unfortunately privacy ≠ security.

thanks in advance :slight_smile:

Less secure than any sane Chromium browser.

4 Likes

Afaik flatpaks reduce Firefox based browsers internal sandboxing by blocking namespaces and chroots. See: Does Flatpak weaken Chromium/Firefox's sandbox? - #9 by sha123
https://bugzilla.mozilla.org/show_bug.cgi?id=1756236#c3

Browsers have sandboxes, which are much more sophisticated than those of Snaps or Flatpaks. Don’t use browsers as a Flatpak, Snaps are usually fine.

1 Like

In the past 6 months, we have released after maximum 2 days from the Firefox release date. I am tracking the data to make sure we improve our process as much as possible.

If an emergency release is done by Firefox, we release it immediately (in other cases, we do additional testing).

9 Likes

Thank you for the answer @ruihildt, but why is your post marked as the solution? I didn’t mark it as the solution and I made this thread. Also it was marked as the solution even before 24 hours passed after I made this thread. Gives me the feeling, that someone doesn’t want to talk too much about this topic. Although this is just a feeling of course.

A fast application of security fixes is only part of the story here. I’m also interested about the sandbox stuff and general “harmony” with my operating system, if you can call it that, which is Ubuntu in my case.
I know that a browser has it’s own sandbox, but I was told, that flatpak or snap, whatever is better in this case, has additional sandbox(-features) on top of it and is therefore more secure, or is this not true?

Also how exactly is the Mullvad Browser deb file adjusted to Ubuntu, which I am using? Not only that Debian and Ubuntu have different configurations…even the different Ubuntu versions have different configurations. So I’m thinking that the Mullvad Browser seems to work on Ubuntu, but under the hood there could be some security weaknesses, if I don’t know, maybe some Apparmor configuration doesn’t exactly fit to Ubuntu version X.
So what exactly is done by you to always have the best security imaginable for EVERY Ubuntu version, since Ubuntu is a supported distro by the Mullvad Browser? Although thinking about it…since there is for example no snap version of the Mullvad Browser, which probably could add additional security, if done right of course, “best security imaginable for EVERY Ubuntu version” is probably already not the top priority.

TLDR: It’s like you made a car with the Mullvad Browser that can theoretically bring the user from point A to point B. But have you also made a secure car, that can drive safely on every Ubuntu lane (I mean version with “lane”), or can you only can guarantee good security on Windows…although I don’t know how exactly you can ever be secure on Windows, especially with things like Windows Recall coming or Windows being closed source.

Many brand new users like yourself will post “drive-by” questions similar to this and do not mark solutions, so occasionally a moderator will do so on their behalf if an accurate/authoritative answer has been received. I believe you should be able to un-mark solutions in your own thread if the answer is unsatisfactory to you.

1 Like

First I want to make clear I have no ability to mark my posts as solution.

Unfortunately I have no knowledge about sandboxing, so I’d suggest opening an issue in Github or Gitlab and a dev would possibly be able to answer you.

Thanks for the information. It just doesn’t make sense, that a moderator already marks a post as the solution although not even 24 hours passed or I had a chance to answer. If you would have marked it as the solution after a week or a month without new posts in this thread, that would be logical. But not after only a few hours. But whatever, lets move on, because that’s not the topic of the thread here.

As previously said, Flatpak makes it worse for browsers, not better.

Use their instructions to install from Mullvad’s Debian/Ubuntu repo. It even includes adjustments for Ubuntu, like a dummy Apparmor profile to allow unprivileged user namespaces for the browser.

Would Snap’s additional sandboxing hinder a sophisticated attacker, who was able to break out of the stronger browser sandbox? Probably not.

???

What has any of this to do with Windows?

  1. Even if Flatpak makes it worse, then how about snaps? I mentioned both.
  2. “It even includes adjustments for Ubuntu, like a dummy Apparmor profile to allow unprivileged user namespaces” → Im not saying, that there is a problem, I’m just cautious because there was/is a problem even with the Tor Browser on Ubuntu regarding Apparmor, see Security features warning links to Firefox installation support page with incomplete info (#43101) · Issues · The Tor Project / Applications / Tor Browser · GitLab . Maybe that is exactly what you meant with “unprivileged user namespaces”.
  3. “Would Snap’s additional sandboxing hinder a sophisticated attacker, who was able to break out of the stronger browser sandbox? Probably not.” → Nobody said, that the snap format is the ultimate defense against everything, but if done right, it can probably add additional security. And if you start cutting corners regarding security once, you probably will do it many times more in the future. Although I understand, that ressources can be limited.
  4. I mentioned Windows, because from what I read so far online, it seems Mullvad is prioritizing their Windows-version of the Browser, which either already has or could lead to cutting corners at their Linux-version of the Mullvad Browser.

And don’t get me wrong, I don’t want to make the Mullvad Browser look bad, not at all. I’m even still considering it for my second browser choice, after the Tor Browser of course, but I’m just not convinced yet, that they also do everything in the security department and not only everything in the privacy department. Because you can have good security with bad privacy, but not good privacy with bad security. Therefore security must be prioritized in such a way, that you always take the route of maximum security, which here could include making a snap version and maybe something else.
Also I want to hear more opinions on that topic, before I decide. But I still appreciate your posts here and who knows, maybe you will be able to convince me.

I already answered:

If you think that Tor Browser is secure enough for your needs, Mullvad Browser is, too.

Btw if you use Tor Browser on Ubuntu, there is a chance that it will be less secure, because you probably didn’t use an Apparmor profile, which is needed on recent versions of Ubuntu to get the namespace and chroot layer of the sandbox to work. If that’s the case you should write a dummy Apparmor profile which allows everything including namespaces.

  1. “Snaps are usually fine” → Then we agree, that Mullvad should at least make a Mullvad Browser snap, if they want better security for their browser?
  2. “Btw if you use Tor Browser on Ubuntu, there is a chance that it will be less secure, because you probably didn’t use an Apparmor profile, which is needed on recent versions of Ubuntu to get the namespace and chroot layer of the sandbox to work.” → I use Tails, so hopefully there is no problem like that. But yeah, I’m pretty disappointed with the people behind the Tor Browser. Makes you think: If they can’t even do this right, where are they also cutting corners on security or privacy?
    As far as I know, they still didn’t fix this problem yet. Really shameful actually.

I guess the number one rule also applies here: Trust no one (completely), not even the people behind the Tor Browser.

Why at least?

Firefox usually detects this and gives a warning on first start with a link to the documentation on how to fix it, I would assume that this holds true for Tor Browser running on such a system. Tor Browser probably has good reasons for why they don’t ship the profile by default, e.g. not requiring more privileges or not leaving files behind on deletion of the Tor Browser folder.

On a general note: You repeatedly made accusations on a topic that you are not even beginning to understand. You should really take a step back and realize that there are sometimes good reasons, why things are made this way, even if you don’t understand why, yet.

“Why at least?” → Well, if the snap format can add additional security, if done right of course, why not do it?

“Tor Browser probably has good reasons for why they don’t ship the profile by default, e.g. not requiring more privileges or not leaving files behind on deletion of the Tor Browser folder.” → First of all their communication of this problem was bad, in my opinion. And in the end you should give people a choice, if you’re not 100% sure what way to go, and I mean a choice for normal users that don’t even know what namespaces is.
Ubuntu announced restricting unprivileged user namespaces on october 9th 2023, see their blog post. The people behind the Tor Browser had over a year to make adjustments and/or at least communicate it in a very good way. But what they’ve done or rather not done you could say, is not looking good, if you take into account how much time they had.

You are misunderstanding them. Their point was: “Snaps are usually fine”, not “Snaps are usually more secure”. Snaps are fine means its usually okay to use snap browsers but not flatpak browsers (since snap exposes sandbox through some flag idr). It does not imply snaps necessarily add more security to browsers.

You are starting from a bad assumption that anyone is cutting corners by not making a snap/flatpak/appimage/insert your favorite packaging format. These are just packaging formats and projects are free to decide whether to support them or not. Once the packaging format is chosen, it can be made reasonably secure. Snaps have their own set of issues with security.

They are doing it perfectly fine, with solid results, for years now. Again, not supporting your favorite packaging format does not mean they are compromising.

Your question has already been answered. Tor browser and Mullvad browser are reasonable secure, similar to firefox in security if configured correctly, and slightly less secure than chromium (due to it lacking strict site isolation even after fission, among other reasons). That is the best any tool can guarantee. Rest depends on your opsec. You have to secure your OS, your browsing practices, etc. No tool will help there.

The most insecure part of your browser is always sitting between the chair and the computer :slight_smile:

I could give “You are misunderstanding” and “starting from a bad assumption” right back at you, without bad faith of course.
I never said or implied that I have a favorite packaging format. I don’t care about what packaging format is used. I only said, if a specific packaging format, whatever it is, can add additional security, then why not use it?
I admit, that I’m not expert enough to decide if snaps or flatpaks can add additional security, but I haven’t heard anywhere, that if you do it right, with snaps and/or flatpak you will at best have only the same security as just using a deb file.
From my point of view, snaps and flatpak aren’t really that new, so a project/company that has not at least put out a statement on why they are not considering snaps or flatpak, looks like they are not doing the best possible. Or have I overlooked such a statement?

I am no longer sure about this. Tor Browser security? - #2 by SkewedZeppelin seems to suggest that the flatpak is better.

Like I said, a statement from Mullvad, why they are not considering snaps or flatpak, would be great. If it’s a financial problem, then it’s understandable, although on the other hand: Can your browser, the Mullvad Browser in this case, really be a secure browser, if they can’t afford to go the extra mile regarding security? Probably not.

But again, why is there still no statement from Mullvad on why they are not considering snaps or flatpaks? I’m not the first to ask this question. Not really a good look for Mullvad and the Mullvad Browser in my opinion.

There is an unofficial flatpak. An official one is planned. Flatpak Support · Issue #6 · mullvad/mullvad-browser · GitHub

1 Like