I understand that the Tor browser (and other Firefox-based browsers) is not as secure as Chromium, so I came up with this solution. In this user profile, I will only use Vanadium, and Vanadium will only be used for logging in and using accounts created on Tor, not for browsing other websites. I would like to hear everyone’s thoughts on this plan.
I believe my threat model only needs to address two points:
Preventing adversaries from linking my other digital footprints (connections with and without VPN).
Preventing adversaries from identifying my true identity.
This isn’t my strong suit but I’d imagine fingerprinting would be a problem. Usually I’d say it’s not worth stressing over but if you’re going through the trouble of using dedicated profiles with Tor, I’m assuming it’s something you’ll want to take into consideration.
Tails or Whonix is ideal but if you must use a smartphone, using the Tor Browser on a dedicated GrapheneOS profile might not be a bad option. The Firefox security issues mostly pertain to protecting you from malicious websites, but if you’re just looking to use “trustworthy” websites like social media, it really shouldn’t turn you away from the Tor Browser.
I understand the fingerprinting issue. My thought is, “If my fingerprint is so ‘unique,’ wouldn’t it overlap with my fingerprints in other user profiles?” As for what you mentioned about “the weaknesses of the Tor browser being only related to protection against malicious websites,” I believe that’s not entirely accurate, because if the “trusted websites” I log into are compromised, they will also attempt to undermine anonymity.
A fingerprint is simply the sum of all the counted metrics, for example resolution, devicePixelRatio, canvas measurements, installed fonts, etc., and whatever else can be collected.
As Vanadium is not ever used by standard with Tor, this creates a unique fingerprint because now that browser will have a Tor IP address, but not be Tor Browser (along with all the above metrics plus others).
User profiles will do nothing to modify your browser fingerprint.
Create your profile with Tor and Vanadium, then get a fingerprint for it. Go to another profile and get a fingerprint there as well. If they are the exact same, change some minor settings to see if that changes anything.
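The comparison suggested in the post above, as an added example that is not part of the original thread: it canonicalizes a set of collected metrics, derives a short fingerprint ID, and lists which metrics differ between two profiles. All metric values, profile names and function names are constructed for illustration, and FNV-1a stands in for whatever hash a real fingerprint test page uses.

```javascript
// Constructed sample metrics; not measurements from any real device.
const ownerProfile = {
  userAgent: "ExampleBrowser/1.0 (constructed)",
  screen: { width: 1080, height: 2400 },
  devicePixelRatio: 2.625,
  timezone: "UTC",
  fonts: ["Roboto", "Noto Sans"],
  canvasHash: "c0ffee01",
};
// A second user profile on the same device: same hardware-derived values,
// only the enumeration order of the font list differs.
const secondProfile = { ...ownerProfile, fonts: ["Noto Sans", "Roboto"] };
// The same device after one minor setting change (display size / zoom).
const tweakedProfile = { ...ownerProfile, devicePixelRatio: 3 };

// Flatten nested metrics into sorted "path=value" lines so that key order
// and list order do not affect the result.
function canonicalize(metrics, prefix = "") {
  const lines = [];
  for (const key of Object.keys(metrics).sort()) {
    const value = metrics[key];
    const path = prefix ? `${prefix}.${key}` : key;
    if (Array.isArray(value)) {
      lines.push(`${path}=${[...value].sort().join(",")}`);
    } else if (value !== null && typeof value === "object") {
      lines.push(...canonicalize(value, path));
    } else {
      lines.push(`${path}=${value}`);
    }
  }
  return lines;
}

// The fingerprint ID is a digest over every metric at once (FNV-1a, 32-bit).
function fingerprintId(metrics) {
  let h = 0x811c9dc5;
  for (const ch of canonicalize(metrics).join("\n")) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Names of the metrics whose values differ between two collections.
function diffMetrics(a, b) {
  const other = new Set(canonicalize(b));
  return canonicalize(a).filter((l) => !other.has(l)).map((l) => l.split("=")[0]);
}
```

Two profiles that report the same metrics get the same ID, while a single changed metric yields a different ID and `diffMetrics` names the metric responsible.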
I don’t know whether this news is good or bad because the fingerprint seems to be largely hardware-based. However, there are two points that seem to be positive:
Since the fingerprint is so ‘unique,’ it seems that only a few modifications are needed to make it different (unlike other conventional browsing).
Even if the fingerprint is hardware-based, people with the same hardware seem to have the same identification code.
The person asking me to post on their behalf has enough ability to operate hardened distributions like Whonix and secureblue, but has not yet learned to configure AppArmor, Firejail, or SELinux on their own.
Are you saying if Reddit for example were hacked, the attackers could use it to deploy malware? That seems incredibly unlikely for such a large website and if such an attack were successful, it’d surely only be worth doing if the attackers already have a 0-day for Chromium since that’s what the vast majority of users would be using.
Or if you’re just talking about websites trying to undermine your anonymity, that’s what the Tor Browser is built to protect against. Whereas Vanadium would do a better job at protecting you from a malicious website that is trying to infect you with malware. They’re two separate things.