I’m trying to get better at using the Mullvad Browser and have questions about whether or not to log in to accounts. I want to understand in which specific situations logging in might be acceptable or even recommended. I know there are already other posts on this topic, but I’m creating this one to provide more context, highlight use cases, and centralize the information. The focus is on the Mullvad Browser, but I believe some of this also applies to the Tor Browser.
These are the reasons I’ve come up with so far (and they make sense to me, even though I’m still trying to fully understand it all)
Situations in which you probably should NOT log in
The ephemeral nature of the browser
By default, the Mullvad Browser does not save cookies or browsing history between sessions (that’s what it’s designed for). Logging into an account that needs to remain “persistent” goes against the browser’s purpose.
Accounts containing PII or sensitive information
If the account already contains my real information, the website already knows who I am. It doesn’t make sense to use the Mullvad Browser to hide something that’s already linked to my identity. Furthermore, some services may detect Tor/MB and request additional verification, suspend the session, or block the account.
Focus on anonymity
Every login creates a link between the account and the Mullvad Browser fingerprint. Even if the fingerprint matches that of other users, the website will identify you individually.
Incompatibilities and site issues
Many sites don’t work well with anti-fingerprinting protections. That doesn’t mean you can’t use an account, but the Mullvad Browser is primarily recommended for general browsing without logging in.
Situations in which logging in may be acceptable
Disposable/temporary/non-sensitive accounts
Accounts created just for one purpose, with no real personal data.
Accounts created and used exclusively in Mullvad Browser
Ones that have never been logged into from a regular browser (no prior fingerprint history to correlate against). This avoids cross-browser linking.
Short, controlled sessions only
Log in only when necessary, complete the task, and then click the “new identity” button or close your browser.
Additional questions
Do sites actually flag or detect that an account is using Mullvad Browser? Is this more of a Tor thing, or does Mullvad get the same scrutiny? Is it just the fingerprint, or are there other signals?
Even without logging in, Mullvad Browser users aren’t completely identical (there are slight differences). So in some cases, does it make little practical difference whether you log in or not?
Does staying logged in for a long time increase tracking within that session? Is there still tracking even across different sessions?
Thanks in advance for any comments or corrections. Appreciate it!
However, someone here, please correct me if I’m wrong. Isn’t there a persistent mode that’s going to be made for Mullvad specifically for logins? And if memory serves correct, I think Arkenfox is going to sunset when that becomes available. Again, correct me if I’m wrong, someone.
yes I’m also curious about this. Recently found out that I was easily fingerprinted on fingerprint.com on my librewolf setup with FPP/canvasblocker and letterboxing (no VPN). Having RPP for logins causes issues. Would prefer not to switch back and forth between browsers
I haven’t seen such a recommendation in the official support guide or anywhere, but if you know of one, could you share it with us? I prefer to use software in accordance with the official documentation.
Anonymity isn’t a feature promised by this browser or Mullvad VPN anyway.
There’s no benefit to using it, but is there any downside? I don’t think so. Perhaps websites might consider the ESR versions (which come pre-installed by default in distributions like Leap and Debian) to be outdated and prefer to enable their content on any browser that offers more modern features. A while back, the Element web app didn’t support Firefox ESR.
Tor traffic is already being detected and blocked, but I can say that, aside from the restrictions I’ve experienced due to VPN usage with the Mullvad Browser, I haven’t encountered any blocking issues.
I also didn’t find an official recommendation, but this seems to be what many in the community suggest. I believe this guidance is mainly given to beginners due to the first reason I listed: “The ephemeral nature of the browser.” However, the other reasons for avoiding logging in seem to depend on the specific use case and threat model of each situation.
There don’t seem to be any significant downsides, really depends on the situation. I would argue that there are potential downsides, as certain sites that have low trust in users/accounts who use MB or Tor may apply restrictions, suspensions, or blocks based on fingerprinting. However, it does seem possible to protect your fingerprint and use an account in the browser without major issues.
Anyway, my goal is to turn Firefox into a Mullvad Browser (protecting my fingerprint with Arkenfox, RFP, and other modifications). That’s why, it usually ends up being more practical to just use the Mullvad Browser directly. I reserve Firefox and Brave only for accessing content that’s broken or incompatible with MB. Since I’ve never needed to keep an account logged in, logging into MB isn’t an issue in my specific case. If that need comes up, as others have mentioned, there’ll probably be a persistent mode in the future.
CanvasBlocker was recommended by Librewolf if I turned RFP off, but apparently it doesn’t seem to be doing much in the face of advanced fingerprinting techniques
I’ve been using Mullvad’s browser daily, as the primary browser. No issues with anything notable. The TOR-style windowing might not be for everyone. I use it for shopping, browsing, proton, etc.
I don’t see this as an issue but a pro. Its good practice to log out when you are done accessing a server/website. A convenience/security and privacy balance here - different for everyone.
This really isnt sold for anonymity. It provides privacy. TOR would provide anonymity with a new identity (TOR identity).
I haven’t dealt with this myself too much.
Could you clarify on this a bit?
My recommendation would be use it how you are comfortable, but keep adblock and DNS based blocking enabled to limit ads and tracking from running.
Users aren’t all the same. There are differences in SO, IP addresses, browsing behavior, and manual changes. If you can be tracked based on these characteristics, does logging in pose a real risk? Or is it irrelevant?
Overall, I don’t think there’s a problem with logging in. However, it would be interesting to hear other perspectives besides the ones I’ve already mentioned.
Be careful with DNS, which Mullvad may redirect to servers in England. Although audits show these servers don’t store browsing history, in a country like England, this could be deceiving.
can we just set it to quad9 instead? that’s the one that I currently use and trust but good to know there are some concerns with Mullvad. Are there any similar concerns with Quad9? based in Switzerland
I described the risk associated with logging into accounts in Mullvad.It is not recommended to make changes to the settings in this browser (you should just trust the DNS from Mullvad).