For the sake of completeness, while we’re considering Mull I will also open a thread for Mulch, a Chromium-based browser from the same developer. Mulch does have its advantages, and is occasionally recommended here and in our other communities as an alternative to Mull, Firefox, and Vanadium:
However, while I do think it would make a better general recommendation than Vanadium, I don’t really think we should recommend Mulch for the same reason I also don’t think we should recommend Vanadium, namely the lack of content blocking functionality and the lack of fingerprinting protections, both of which Brave provides.
That being said, a security-focused browser that doesn’t have Brave bloatware might be more useful than I think, and could serve as a good foil to the Gecko warning proposed in the Mull discussion…
I still just kind of think that the privacy protections that Mulch/Vanadium lack are so egregious that it probably makes them both out of scope for our recommendations. If you disagree, convince me otherwise.
I do agree with recommending Mulch, and I would also agree with recommending Vanadium for GrapheneOS users.
Where I wouldn’t agree is recommending Gecko browsers for Android, even if there is a warning. PG already recommends Tor Browser, which is Gecko-based, but it at least brings anonymity to the table. But it still has the same issues:
At the moment, the only browser with any semblance of privacy is the Tor Browser but there are many ways to bypass the anti-fingerprinting and state partitioning. The Tor Browser’s security is weak which makes the privacy protection weak. The need to avoid diversity (fingerprinting) creates a monoculture for the most interesting targets. This needs to change, especially since Tor itself makes people into much more of a target (both locally and by the exit nodes).
Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn’t have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that the Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy-to-use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn’t happening for their Android browser yet.
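To make the isolatedProcess point concrete, here is an added example (not code from Chromium, GrapheneOS, or anyone in this thread) of the pattern the quoted text describes: an Android service declared with android:isolatedProcess="true", which then runs under a throwaway uid with no permissions of its own, and a host-side client that can reach it only through the standard service API (bind plus Binder/Messenger). The package name, class names, message codes and the "parser" inside the service are all hypothetical stand-ins; the manifest fragment shown in the leading comment is assumed to live inside the app's <application> element.

```java
// AndroidManifest.xml fragment (assumed, goes inside <application>):
//   <service
//       android:name=".IsolatedWorkerService"
//       android:isolatedProcess="true"
//       android:exported="false" />
//
// isolatedProcess="true" is the boolean property referred to above: the service
// is started in a separate process under a unique uid that holds no permissions
// and cannot read the app's own files. The only channel back to the app is the
// IBinder returned from onBind(), so all input has to be shipped over Binder.

package com.example.isolation; // hypothetical package

import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Message;
import android.os.Messenger;
import android.os.RemoteException;

/** Runs untrusted work (e.g. parsing attacker-controlled bytes) in the isolated process. */
public class IsolatedWorkerService extends Service {
    static final int MSG_PARSE = 1;   // host -> worker: here is some untrusted input
    static final int MSG_RESULT = 2;  // worker -> host: here is the parsed result

    // A Messenger exposes only "send me a Message"; the host cannot call arbitrary
    // methods on the worker, and a worker crash takes down only this process.
    private final Messenger messenger = new Messenger(new Handler(Looper.getMainLooper()) {
        @Override
        public void handleMessage(Message msg) {
            if (msg.what != MSG_PARSE || msg.replyTo == null) return;
            String untrusted = msg.getData().getString("input", "");
            Bundle out = new Bundle();
            out.putInt("length", untrusted.length()); // stand-in for a real, risky parser
            Message reply = Message.obtain(null, MSG_RESULT);
            reply.setData(out);
            try {
                msg.replyTo.send(reply);
            } catch (RemoteException e) {
                // Host process is gone; nothing useful left to do here.
            }
        }
    });

    @Override
    public IBinder onBind(Intent intent) {
        return messenger.getBinder();
    }
}

/** Host-side helper: binds the isolated worker and hands it one input at a time. */
class IsolatedWorkerClient {
    private final Context context;
    private final Messenger replyTarget; // receives MSG_RESULT on the host's main thread
    private Messenger remote;            // null until the worker is bound

    private final ServiceConnection connection = new ServiceConnection() {
        @Override public void onServiceConnected(ComponentName name, IBinder binder) {
            remote = new Messenger(binder);
        }
        @Override public void onServiceDisconnected(ComponentName name) {
            remote = null; // worker process died or was killed; the host keeps running
        }
    };

    IsolatedWorkerClient(Context context, Handler.Callback onResult) {
        this.context = context;
        this.replyTarget = new Messenger(new Handler(Looper.getMainLooper(), onResult));
    }

    void bind() {
        context.bindService(new Intent(context, IsolatedWorkerService.class),
                connection, Context.BIND_AUTO_CREATE);
    }

    /** Ships untrusted input to the worker; the result arrives via onResult as MSG_RESULT. */
    void parse(String untrusted) throws RemoteException {
        if (remote == null) throw new IllegalStateException("worker not bound yet");
        Bundle data = new Bundle();
        data.putString("input", untrusted);
        Message msg = Message.obtain(null, IsolatedWorkerService.MSG_PARSE);
        msg.setData(data);
        msg.replyTo = replyTarget;
        remote.send(msg);
    }

    void unbind() {
        context.unbindService(connection);
    }
}
```

The security property comes entirely from the manifest flag plus the narrow Binder interface: whatever the worker does with the untrusted input, it has no permissions, no access to the app's private storage, and no way to talk to anything except the process that bound it. A browser engine that does not use this mechanism on Android runs its content parsing with the full privileges of the app.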