I saw this thread and it confuses me. I have been using Mullvad Browser as my primary browser for multiple months now. Since Mullvad Browser and Tor Browser have very similar fingerprints, does the advice using Tor in a VM apply? Should I just use Firefox + Arkenfox as my primary browser and use Mullvad Browser or Tor Browser whenever I need to?
What are you trying to accomplish here? That’s not clear so it’s hard to answer for what you should do and why.
Tor Browser is the top choice for a reason. VPNs do not provide anonymity and anonymity-focused distributions like Whonix and Tails provide additional benefits that you just won’t get with using Mullvad browser on a typical Windows/Mac/Linux host.
That doesn’t mean Mullvad browser is useless. A lot of people are annoyed by how many websites block Tor or by how slow it is, so using Mullvad Browser + a recommended VPN service can be an acceptable compromise for many people. Whether that’s a good compromise for you in particular depends on your threat model.
Quoting Privacy Guides on Arkenfox:
Mullvad Browser provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad’s VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to.
So if you’re looking for improved anti-fingerprinting, it seems like Arkenfox might be a step down from Mullvad Browser. Again, that’s not to say it doesn’t have a use, it just sounds from your post that it isn’t the direction you’re looking to go in.
2 Likes
Did you test Mullvad and Tor at www.fingerprint.com? When I did, Mullvad always showed the same fingerprint. Shutting down the browser or changing vpn location didn’t help. Tor showed a different fingerprint if I changed to a new circuit or restarted the browser (which tends to use a different circuit afaik)
This is kinda the point of it. You are supposed to share the same fingerprint with many users.
3 Likes
Well, the comment just confused me. I don’t know whether the benefits of me using Mullvad Browser is reduced in any way having a different system than everyone else. @phnx says in the comment “if you need anti-fingerprinting, then use Tor in a VM” or here that @KevPham commented on. I have been completely fine with using Mullvad Browser as my daily driver and combating fingerprinting is part of my threat model.
I know. See my comment above though.
If you can tolerate using Mullvad Browser as a daily driver, keep using it. I don’t see the need to run Mullvad Browser in a VM unless your threat model requires protection against targeted browser exploits, in which case you should be using Tor Browser anyway.
1 Like
Firstly, there are two main kinds of tracking that this forum talks about. (1) Naive tracking and (2) Advanced tracking.
- Naive tracking occurs when websites detect the values of your browser metrics. Browser metrics can include fonts, screen resolution, time zone, etc.
- For example: If a website has two visits whose detected values are the same (i.e., same fonts, screen resolution, and time zone), then the website owner can conclude that the two visits are from the same person.
- Browsers like Firefox and Brave prevent this kind of naive fingerprinting by randomizing the values and preventing them from leaking and stuff.
- Advanced tracking occurs when websites try to detect when you are randomizing the values of your browser metrics.
- I’m not entirely sure how they do this since this is not my field.
- But browsers like Tor and Mullvad prevent this kind of advanced fingerprinting by creating a “crowd” of browsers which all have the same browser metric values. If everyone has the same fonts, screen resolution, and time zone, then everyone has the same fingerprint.
It does not. Context is important. What @phnx was likely referring to here…
… was advanced anti-fingerprinting for people of high threat models. Although both Mullvad and Tor combat advanced fingerprinting, Tor is uniquely for those with high threat models who also need verifiable anonymity, where their browsing habits are not linked with a persistent identity.
The context here is different because you are talking about low stakes, everyday browsing. Your threat model is comparatively low and does not require anonymity, only anti-fingerprinting. Because of this, Mullvad coupled with a VPN is sufficient for the job. That is the standard advice for low stakes, everyday browsing. You do not need to couple it with a VM to reap its anti-fingerprinting rewards.
As discussed above, the advice that @phnx and @KevPham gave is for people of high threat models who are aiming for anonymity, not just anti-fingerprinting in itself. Your threat model is for low stakes, everyday browsing. It is not standard advice to use Mullvad in a VM for this low level of threat model.
Arkenfox prevents naive tracking, not advanced tracking. Mullvad Browser prevents naive tracking and advanced tracking when coupled with a VPN. Therefore, it would be a step down to use Arkenfox. Since Mullvad doesn’t require a VM for you to reap its anti-fingerprinting rewards, you are find to keep doing what you’re doing currently.
This is why threat modeling is important. What do you mean by, “whenever I need to”? Do you mean whenever your browsing is high stakes? Mullvad is fine for low stakes browsing and anti-fingerprinting. If you need to do high stakes browsing (i.e., you need anonymity), then that’s when you need to follow the advice of @KevPham and @phnx and use Tor (in a VM).
2 Likes