Trivalent seems like the most secure browser for Linux, but I’m wondering how this compares with the current recommended Mullvad Browser (and I suppose Firefox w/ Arkenfox and Brave if anyone is quite knowledgeable).
I’m mainly asking as I don’t fully understand the technical differences enough to make a strong enough decision on which to use for a specific use case. For example, how would these browsers compare (with respect to privacy and fingerprint resistance to blend into the crowd) for these common use cases:
1. Accessing DRM content such as a streaming service (authentication tied to payment services + general DRM compatibility, general tracking)
2. Logging into bank accounts (authentication strongly tied to PII, assumed general tracking)
3. Logging into a random site but possibly suspect tracking (authentication with no strongly tied PII)
4. General web browsing (no authentication, general tracking)
5. Using sites actively hostile towards privacy (social media / strong tracking)
Not sure if the above scenarios are comprehensive enough for analysis as well. But I’m seeking help in determining what browser to use in specific scenarios. I.e. only use Mullvad Browser if you don’t plan on logging into any site (not sure if true, just an example).
Can’t speak for either browser but based on these use cases:
1. Don’t.
2. This is security-sensitive and tied to your actual identity so using any sort of VPN or Tor is useless at best.
3. If it’s not tied to your real IP address or other PII, use a VPN or Tor for this. Fingerprinting doesn’t matter for this use case.
4. Using Tor or a VPN and anti-fingerprinting can help here.
5. Same as 4 but use dynamic content filtering to whitelist scripts, uBlock Origin advanced mode or uMatrix (unmaintained since 2020).
So use whichever browser works better for your threat model. For #2, use the more secure browser. For #3-5, the more private browser whichever it may be.
Trivalent has almost all essential privacy features other than anti-fingerprinting, so you can use that for non-anonymous logins where you already have a fingerprint.
If you want anti-fingerprinting for nearly every other use case, there’s Brave for security and Mullvad Browser with a VPN for stronger anti-fingerprinting.
Curious, how come Mullvad Browser is not in this recommendation? As for searching, I use SearXNG self-hosted contained within a VPN, or Leta.
Good callout, I definitely don’t use the advanced mode as much, but I should.
I generally try to have my VPN on at most times, aside from use case 2 as you described.
My threat model is more so guarding against surveillance capitalism. With this, this boils down to the anti-fingerprinting capability for Mullvad Browser and Trivalent.
It seems like I should try for the following:
Mullvad Browser w/ no extensions for my generic searches and logged off activity
Trivalent, and consider installing uBlock Origin (Trivalent has blocking built-in by default). Need to see if cookies are deleted by default.
Advanced fingerprinters aren’t on my threat model so Mullvad Browser isn’t necessary for me. Brave has more security, along with self-hosted AI integration.
Trivalent, and consider installing uBlock Origin (Trivalent has blocking built-in by default). Need to see if cookies are deleted by default.
Reminder that you can use profiles liberally in Trivalent to keep several configurations around for different use cases. If you want extensions like UBO-lite for certain sites but not others, or you want certain sites installed as a PWA alongside certain extensions, you can use profiles to define separate configurations for each. Another example is the WebRTC setting. You might want this changed to a different setting for in-browser voice applications (e.g. Discord PWA) but left on Trivalent’s default for most sites.
How does one “use” this in practice? Do you just search for things in StartPage and then click “Visit Anonymous View” for everything or do you have a life hack?
Mullvad Browser’s anti-fingerprinting causes several potentially undesirable side effects, including setting locale to US English, timezone to Iceland and reported screen resolution to unrealistic rounded sizes like 1400x900. This might trigger anti-fraud protections on some websites (e.g. banks, financial services, online shopping).
I use browsers in virtual machines to enhance security, prevent IP leaks and craft different browser fingerprints to avoid identity correlation. VM isolation offsets Firefox security concerns in scenarios where Firefox/MB/TB are beneficial for privacy and anti-fingerprinting.
VPN is not always useless for accessing bank or other KYC-ed accounts, especially if your internet connection and home ownership/rental are not tied to your identity.
Logging into KYC sites where your identity is already known defeats the purpose of using a VPN. A VPN will only protect you if you created your account through a VPN and have never logged into it through your real IP. Just to be on the safe side, use a separate browser with a different fingerprint and never connect to the same site through your real IP if possible.
VPNs are vulnerable to traffic analysis and website fingerprinting attacks which means your ISP could obtain information about your activity despite the encryption. Mullvad at least mitigates this with DAITA but I don’t think any other provider does.
Not if the purpose of using the VPN with the KYC site is keeping my location(s) private from the website or keeping the website usage less obvious to the ISP and other potential observers (best done with chained VPNs and traffic obfuscation techniques such as Mullvad’s DAITA).
Yes, using a VPN will not remove all prior website logs, but there is an opportunity to protect IP addresses of future locations.
Either way you slice it to me it seems that no browser is perfect. No browser can completely prevent fingerprinting because I’ve found whenever you do that or you manipulate it so much any bigger site will pick up on that and stop you right there in your tracks. Using incognito in certain browsers sometimes provides even less protection. So it might be a good idea to take your browsers through some fingerprinting tests and get to see how they react in certain situations with certain settings. Then the main thing that you need to do is figure out the most optimal settings in that browser to harden it to the point where you’re not frustrated with things breaking all the time and then make sure that you have one of the settings as “forget me when I leave the website” and constantly make sure that those cookies are in fact clear.
Either way it seems like to a degree it’s a lost cause. There are ways that sites can literally predict that it’s you even when you switch browsers and give you an accuracy rating of like 97.7% that they feel that you are visitor xxxxxxxxxxxxxxxxxxx which they assigned you from the first visit in the other browser.
Or if they use blind signatures to prevent correlation, like Nym does. Even if a VPN doesn’t use blind signatures, it’s not very likely for lower threat models that a reputable, PG-recommended VPN will try to go after you with your IP address.