What is best between Brave (with PG's hardening tutorial) and Vanadium? And why?

The title says it all: what the most secure/privacy friendly option between Brave set up as recommended here and Vanadium as served by GrapheneOS’ team?

1 Like

What do you mean?

What part of @poubellier’s question is unclear?

Have you tried Mull?

Thanks, i was like really, what did i not say clearly?

No, but i used to have Firefox, and as stated on PG’s website (and other privacy communities): On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla’s engine, GeckoView, has yet to support site isolation or enable isolatedProcess.

If you are looking for more of a “security focused” browser, try Mulch. If you are looking for a privacy focused browser in between Brave and Vanadium, I have no idea. I have been basically using Brave and Mull all of my life, so I have no ideas

There is no point in using Mulch on grapheneOS. The hardening is mostly taken from the Vanadium project but doesn’t do this as well as vanadium takes advantage of system modifications in grapheneOS.

Vanadium is focused on security, while Brave has a lot more features. Which is better depends on your preferences and priorities.


Ok so in short Vanadium is more security focused while vanadium is more privacy focused? Again, in short.

I think you meant Brave in the 2nd phrase, right? And I don’t think that’s an accurate characterization. It’s more just that Brave is more configurable. It features stricter ad-blocking, dark mode, browser sync, and the option to clear data on quit.

There’s actually a similar thread on the graphene os forum: Vanadium - privacy questions - GrapheneOS Discussion Forum . I think the user called matchboxbananasynergy gave a relatively helpful comparison.

If you’re looking to defeat fingerprinting, despite its security weaknesses, use the Tor Browser.

Beyond that, the best you can do is fool naive fingerprinting. Someone who actually puts effort in doing that will not be fooled by the usual tactics that other browsers employ.

If someone doesn’t want to use Vanadium and doesn’t want anonymity (in which case Tor Browser would be the best), I would recommend Brave.

Brave has anti-fingerprinting defenses that will, again, fool naive scripts, so you can use it for your day-to-day, if you prefer.


Sorry, indeed i meant brave.

Thank you for the link. I’m also active on the graphene’s forum but did not see this post.

For a long time I’ve been wanting to turn people’s attention to a major issue related to Chromium-based browsers on Android that everyone seems to ignore, maybe even disregard, or is just not aware of.

The biggest gripe the users of Vanadium (and other Chromium-based browsers on Android, except Brave) will have during their browsing experience, is that since Vanadium doesn’t have any adblocking extensions/features integrated — it can’t block the placeholders of ads, cookies, banners, and so on; it simply can’t do cosmetic filtering. However, the most important aspect of it, is that some websites will detect that you block ads via DNS, and prevent you from showing their content to you.

Let me show you how it works with real-world examples. I’m going to show you two screenshots of websites made in a Chromium-based browser without any adblocking features integrated, and those browsers are therefore unable to do cosmetic filtering. Such browsers are Chromium browser itself, Chrome, Vanadium, Mulch, etc. Below are the screenshots from these two links:

Now, the user is forced to disable their adblock to view this page, allowing all the bad stuff to be loaded into the page and into browser. All the ads (which can very often lead to malware, and it happens a lot. This is the most important reason to block ads — for users’ security. A user could even just accidentally tap on an ad which can lead to a harmful website and malware) and tracking scripts and other bad stuffs are now loaded and active, and this is very bad. If we had cosmetic filtering integrated, like Brave on Android has, it would act like an anti-anti-adblock and, in simple words, would interact with the page directly and modify it to block such notices, and then you would be able to view the website freely.

But there are options to circumvent this, of course. The simplest way is to use a web proxy online and fetch the website you want to view from it. Here’s such a proxy for example: https://www.proxysite.com. There are other proxies, of course, just search “web proxy online”. Note that the proxy will be able to see what websites you visit via it.

Adblocking via DNS is a very simplistic and somewhat primitive approach to adblocking which is easily circumvented by websites, as websites can easily detect which requests are blocked by a client, and punish those who block requests to ads, as we can see from the above examples. Adblocking via DNS only blocks requests made to ads, tracking stuff (such as .js scripts), and so on. Adblocking via DNS is not able to do cosmetic filtering and remove cookie notices, placeholders of ads, and so on, and it is a very important aspect of a painless browsing nowadays.

Adblocker integrated into Brave works on a low level and is basically a whole Ublock Origin baked into the browser, and without going into technical details — it interacts directly with the page you are viewing. It is able to do cosmetic filtering, that is: it is able to “surgically” remove cookie notices, banners, ad placeholders, and other visual stuff from the page. For a much smoother and trouble-free user experience, this is a crucial feature. For this reason, I would recommend using Brave for those who use GrapheneOS (and for Android/iOS users in general), as it will make their life much easier and their browser experience much better. I’ve been using a browser without adblock integrated into it for a long time, and it is a big damn pain in the a** due to the issue I’ve described above, and due to the issues I will describe down below. If Vanadium users don’t want to use Brave, then there’s Cromite with Adblock Plus patch, but I haven’t looked into this browser and haven’t used it, so I don’t know whether it can do cosmetic filtering, so test it for yourself.

Vanadium is a masterfully security-hardened browser, but it is for those users who have a specific need for such high security. It’s for those who may have an elevated threat model which requires taking serious security measures, for example journalists, activists, politicians, famous/rich people, etc. For people who are under higher risk of being targeted than regular people. My opinion is that for the majority, Vanadium’s security is an overkill and using Brave on Android/iOS will highly improve people’s browsing experience. On a desktop we have Ublock Origin for both Chromium‐ and Gecko‐based browsers, so all those issues don’t apply there, as one can use whatever browser they like. On Android, one could also just use Mull browser for example, which is Gecko-based and supports extensions, including Ublock Origin, hence Mull has the ability to do cosmetic filtering. But I don’t recommend Gecko-based browsers on Android as they are very slow and degrade browsing experience heavily, not even mentioning their worse security.

Let me show you other consequences of a lack of cosmetic filtering, because they are really quite significant. All the issues below would be solved by having the ability to do cosmetic filtering.
In the screenshot below there’s an ad placeholder which takes up a lot of space and degrades user’s experience by forcing them to scroll down a lot:

The next screenshot is some Russian website and there’s an ad placeholder which shows that the resource (an ad) was unable to load:

The next example is particularly painful:

Here we have a cookie notice which is simply unskippable/unclosable. It doesn’t matter what you tap: “Reject All”, “Allow All”, “Cookie settings” — the cookie notice won’t close itself. You also can’t close this notice by tapping on the ×. This happens because we block DNS requests which are sent to this cookie notice. Therefore, this cookie notice cannot accept any requests from us, and even if we tap “Allow All”, the cookie notice will not able to accept our internet request, notifying them that we accepted their cookies. All in all, we are unable to interact with and close this cookie notice due to DNS adblocking and, at the same time — a lack of cosmetic filtering.

Happily, all those issues related to unskippable cookie notices and anti-adblock notices can sometimes be circumvented either by opening the website in a desktop mode, which, however, degrades the UX severely, because the user now has to deal with zooming into small text, and also website’s buttons and other stuffs may be incompatible to interact with on a phone. Another option is to open the website via a proxy. A casual user, however, may not be aware of these tricks, especially of the proxy. What I want to highlight by all these examples, is to how important for a browser to have cosmetic filtering in case a user blocks ads via DNS. If a browser doesn’t have it, it’s just better not to use any adblocking (no matter the way how a user blocks ads), so people could browse the internet relatively painlessly, that is: with ads and all the bad stuff, but without bothering to tinker with websites to make them work. In the future, I bet that more and more websites will slap an “anti-adblockwall” on them, making adblocking even more difficult. Therefore cosmetic filtering will be essential if one wants to browse without pain. The worst case is that the whole web will be DRM’d due to the WEI proposal, and any alteration of websites will be impossible.

1 Like

There are two rules that I follow:

  1. Disable JavaScript and only whitelist sites that really need it.

  2. Don’t visit awful, abysmal sites that are loaded with ads, don’t work without JavaScript, and ask for the adblocker to be disabled.

With this, I never needed built-in content filtering.

1 Like

Of course there is. Chromium still leaks a lot of things. Even Brave leaks what other sites you’re logged in to. It’s a good practice to use one browser to do general browsing and another to log in to accounts. Maybe even have a 3rd browser to log in sites that are more sensitive. Using all of Vanadium, Mulch and Brave in GOS may not be a bad idea if you don’t want to juggle several user profiles.

1 Like