How secure is the Mullvad Browser, because Privacy ≠ Security

GrapheneOS posted on Mastodon regarding (also) Mullvad Browser:

“These do not have robust solutions for fingerprinting with JS enabled at all and have very poor security.”

Source: GrapheneOS: "@Life_is_Beautiful@infosec.exchange > They have…" - GrapheneOS Mastodon

I said it before and I’ll say it again: You can have good security with bad privacy, but you can’t have good privacy with bad security.


Vanadium doesn’t have any specific fingerprinting protection yet. They don’t want to implement fingerprinting protections which ultimately don’t work.


There are plans to have fingerprinting mitigations in Vanadium but it’s not being worked on at the moment.

Yes I know, thus the:

Even without fingerprinting resistance they still recommend Vanadium for most users over Brave. I’m not sure if I personally agree with that recommendation, but for each their own I guess.


Just wanted to clarify for anyone reading because the part after that made it seem like they weren’t interested in fingerprinting protections.


Too bad they state this without actually going into any sort of details.


@Anon47486929 I now realize I didn’t make clear at all that I was referring to the fingerprinting-with-JS statement, and not to the security aspect, as we rely entirely on upstream Firefox advances for that part.

Looking at the conversations, I have no idea what is lacking from their point of view, which is why I feel it’s a lost opportunity.


For those using immutable / Atomic distributions (such as the ublue ones), would it then be better to layer browser packages via rpm-ostree? Usually they take a Flatpak, brew, and distrobox / containers first approach, and suggest layering packages as a last resort.

Are there any drawbacks to using it in a distrobox?

Also, fun fact: SecureBlue actually has a preconfigured hardened Chromium inspired by Vanadium, so if you’re using that, then probably use that.

Just try to leave the browser’s sandboxing intact. Don’t use the Flatpak version. Which other method of installation you choose is up to you.

@ruihildt Regarding the privacy of Mullvad Browser, do you know whether enabling Mozilla Account via about:config (i.e. identity.fxaccounts.enabled set to true) would make the browser stand out from others, or would increase its attack surface?

Thanks.

Bluebuild is interesting. I gather you just “roll your own” packages into it as desired, using the same build system as the ublue folks.

I’m considering replacing Aurora-Dx with SecureBlue, and have been watching that thread closely. Not sure what the official PG status of that project is yet.