This is an open source, rebranded Firefox and Firefox-like browsers could use some publicity. It promotes privacy and privacy can use some publicity too. Tor too.
Mullvad seems to be honest in the fact that their business model is selling VPNs and it's nice they are saying it's not enough. They are not saying that you might not need one though.
We need a Firefox with good defaults and it seems like this browser is such a thing. I'd prefer these privacy features to be in upstream Firefox but I guess the world is not perfect and that Firefox still relies on revenues from Google so can't be as privacy-focused as it should.
My little concern I guess is that this browser will push for their service so it's a bit like an ad for them, at least with its name. But fair enough, and at least the business model seems healthy.
With Mullvad already being a Mozilla partner for their branded VPN, all this actually looks good. They seem to be spending their money on worthy stuff.
I quite like Mullvad. I haven't needed to use them much (mostly when my ISP has wonky routing and I need something semi-urgent), but their service is pretty good, their website feels like it's designed for the more "techy users". Their billing is the least sketchy of VPN providers, with no ticking clocks, no upsell and other nonsense.
I also like that they provide a WireGuard file and a way to filter it, so it's super easy to get started.
I share a VPN subscription with my father, I use it for torrenting so my ISP can't snoop on me, and he uses it to bypass geo blocking to watch UK shows (things like BritBox, Netflix, BBC etc.) in another country. Unfortunately, there is no way to legally pay for most of these services and watch them from abroad.
I tried to get us to use Mullvad, as it was perfect for me, but for him it was constant problems with the services he used, whereas the sketchier providers like NordVPN and ExpressVPN always worked without issues.
Problems with services are to be expected when using Mullvad. Their IPs are all recognised as originating from datacenters. You might be lucky, but often not.
Sketchier VPN providers use "home ips" and rotate them regularly in order to defeat Netflix or other services blocking them.
Sketchier providers often use dubious methods to acquire their exit nodes.
Often they pay someone to include their code in a "free" software or browser extension (or malware) that allows them to route traffic through the host.
Oxylabs is one of the larger examples whose record is somewhat dubious.
IIRC the mylobot botnet is responsible for providing the vast majority of residential (home) IP addresses for residential VPN providers (who are then sold to expressvpn/nordvpn). The whole business is incredibly shady and nefarious and nordvpn/expressvpn must know from whom they contract their residential VPN services.
BHProxies is the largest residential proxy provider on the internet and almost all of their proxies are acquired through the botnet above.
Seconded. I refer to them as shady because I have no way of knowing what they do with your data. I didn't even consider that they'd have a whole botnet market going on too. This definitely needs to be more public.
Agreed - I assumed they had some way of getting IP addresses that don't come from an AWS/Azure/Google/whatever datacentre block but I just assumed they bought residential blocks from ISPs or something like that.
Is there a source for expressvpn actually using BHProxies? I had no clue it was that sketchy. It is owned by a public company, so that's pretty substantial news if true.
I would be very skeptical of the claim, quite worrying to see multiple people accepting that as a fact without any kind of evidence to support the claim.
I'd be shocked if any of the major VPN providers were involved with illegal residential proxies. It just doesn't make sense, can you imagine just how unstable and slow those connections would be? Why would they risk being legally liable when there exist legal residential proxy providers that get their IPs from people that voluntarily share their connection (honeygain etc.)? I've never heard of any of the big VPN providers offering residential connections. As I understand it, the VPN providers that promise support for Netflix and similar streaming services just acquire newer IPs from time to time but the connection still goes through a regular datacenter, definitely not from some random dude's home.
The proxy market is more so targeted towards developers who scrape data and criminals that do credential stuffing/other criminal activity.
I'm not saying I trust the above claim (I have no idea) but this
>can you imagine just how unstable and slow those connections would be
Yes, yes I can and they are. I tried them some time ago before I found out how shady they are and encrypted connections were like 2 Mbit while Mullvad gave me many many times faster bandwidth with higher encryption. Their support was completely useless.
It annoys me that the only way to access iPlayer from abroad is via a VPN. Surely opening it up and allowing international customers to pay some form of license fee could be a nice little revenue stream for the BBC? I'm guessing the reason is just "licensing issues" but if they're making the programmes then what's the problem? I'm sure there's an international market for watching the world class output from the BBC.
a few years ago I moved outside the UK and spent the best part of 3 months (on and off) trying to access BBC content, legally, still holding residency, paying domiciliary and employment taxes, and paying for a bladdy TV loicence
of course, I wanted to do this for as close to free as possible, since plugging an aerial into a tv at home also cost next to nothing
VPNs were already being detected and banned. I tried at least 4 extensively, including tcp, udp, socks, wg, obfuscated servers, etc. to no avail
dodgy residential/mobile proxies were too unreliable for live 720p m3u streams, not to mention expensive
I went through a few cheap linux VPSs with UK ip addresses, forwarding their web streams to my tv outside the UK, until I found one that seemed to work well. so much so I even invested in some fancy routing through intermediary countries for almost jitter-free stability
until a few weeks later, back to the same old shite -- everything 403 Unauthorised
after yet a few more weeks of furious head-scratching shame over the stable-now-vanished CBeebies and BritComs daily consumption, I concluded and confirmed the BBC had just started detecting and banning datacentre IPs more aggressively
it was at this ebb I discovered the wonderful world of illegal IPTV streams and adopted a fuck you too, BBC attitude
I used a small independent proxy company that I paid £50 a year annually through PayPal. I think they must've been small enough to fly under the radar of the detection algorithms. When I went onto google maps connected to the proxy, it always thought I was in Dubai, which gives you an idea of the clientele.
Maybe it was something to do with the fact that it was a Proxy and not a VPN, though I'm not sure if this makes it any less detectable. I even had a Firefox extension that automatically turned on the proxy when opening iPlayer tabs! It worked very well, though I wish I could've paid the license fee and just got access.
I dabbled with free and cheap paid-for proxies which were either injecting javascript or too flaky for live video. I saw a few of those smaller providers, but the initial outlay would have been too risky, because I am convinced the BBC throw a lot of money at residential geolocation, so if they haven't already their IP address blocks will be blacklisted at some point in the near future
interesting about Dubai though, makes me wonder if they have some sort of expat or economic deal with them. if Google thinks you're there, you can bet BBC do too. I discovered they use multiple CDNs and delivery mechanisms as fallback/best effort for the gamut of user agents, network health and device capabilities, which sometimes (but not always) sieved most (but not all) VPN and proxy locations in an indeterminate (yet authoritatively intentional) fashion, so perhaps Dubai is whitelisted on one of those. who knows. sometimes it's like rolling dice. inconsistency and implied mischief sure are strong deterrents. might investigate further at some point if I can swallow some bile first
I also used some UK shell provider (via SOCKS proxy + PuTTY) in the past and it worked really well. My guess is that there's some kind of threshold/concurrent connection limit that iPlayer looks at per IP address.
It’s pretty silly though, I would absolutely pay for a TV license if given the opportunity. Dear BBC: Shut up and take my money!
how far in the past ago, during nascent video streaming pre-VPN days? with live tv as well as VOD? if there is a relatively cheap, concrete solution I did not uncover which has been stable for over a year I would buy that wizard a thimbleful of scumble
This was about 15 years ago, definitely before when VPNs got popular… Clarkson was still hosting Top Gear. I seem to recall getting so irked that BBC America was something like 6-12 months behind current Top Gear episodes that it led me down this path of 'stealing' iPlayer. It actually opened the door for me to content that I would have otherwise seen or known about, like obscure comedy shows on Channel 4 or the much better UK version of Ramsay's Kitchen Nightmares.
The shell provider I used was Phurix, not sure if they are still around or not.
Can you or someone explain why so many Brits want to watch UK television from abroad?
I’m French living abroad and have never missed French TV. The quality of the content is just very sub-par compared to American shows. They just don’t have the budget to compete. Is the UK different because it’s English speaking and perhaps it has access to a wider market and thus more capital?
The BBC has some extremely good content... nature documentaries (David Attenborough), science shows (Horizon), archaeological/history (Digging for Britain), comedy (Ghosts), comedy/news/current affairs (Have I Got News For You). The US does big budget shows very well, but for a wide variety of content I really miss the BBC when I can't access it. I'm obviously biased though.
> Can you or someone explain why so many Brits want to watch UK television from abroad?
As an example, Doctor Who sometimes releases new episodes. BBC doesn't just have UK television — they have an "on-demand" offering that actually works, and isn't sparsely populated with 15% of the episodes like some other services (cough Xfinity cough).
Interesting. I'm British and I enjoy quite a lot of French TV: Engrenages (Spiral), Le Bureau des Légendes (The Bureau), Au service de la France (A Very Secret Service), etc.
for me it was for watching live BBC News (BBC World News didn't cut it), and a few weekly quizcoms. plus a couple of kids' channels. there is a vast difference between UK- and American-centric channels which didn't appeal
Perhaps roll your own VPN using a home router that can act as a VPN server? That way you can use your home internet connection...assuming its upload speed is fast enough.
A shame BBC can't accommodate its paying customers who happen to be abroad.
yes in hindsight, had I known the BBC would stoop, I could have set up something from an actual home IP. whether that be forwarding their web streams or forwarding a few OTA DVB-T2 streams. but even that could require physical presence for emergency debugs, reboots, retunes..
With the cultural capital that BBC had especially 7 to 10 years ago, I'm pretty sure they would have been at league with Netflix and the like if they had opened it up. Dr Who was huge back then in the US, and you had Sherlock and a few other shows. I think people were just pirating it (?) but lots of people I knew were huge fans.
Given a) they started experimenting with iPlayer pretty early in the streaming game, and b) they have a huge and valuable back catalogue, it's always amazed me that they didn't open up pay-per-view and subscription options for an ex-UK audience.
I've always suspected there's a good reason why not behind the scenes - maybe because a successful PPV operation would lend huge weight to people in the UK seeking to abolish the license fee?
There was something called Kangaroo [1] which was a partnership between BBC, ITV and C4 but it got blocked by the competition commission. Now it's run under Britbox I think!
Shows are often made by production companies on contract and licensed for domestic distribution. Licensing for international distribution might be significantly more expensive.
They might get some revenue, but they would need to build and maintain a streaming service with payments, and that’s not free. They might also be limited by contracts with local broadcasters, which give them exclusive rights to online distribution within their country, even if they do not exercise them now.
> … he uses it to bypass geo blocking to watch UK shows (things like BritBox, Netflix, BBC etc.) in another country. Unfortunately, there is no way to legally pay for most of these services and watch them from abroad.
how are people supposed to react to this? Those are two reasons why legal providers make life so difficult for innocent people. The response will be to enable more intrusive record keeping and more very-low bandwidth for me, because of you.
I want to second this and add that they make it very easy to make non-recurring payments. So many modern software companies do everything they can to hook you into an endless subscription, but Mullvad is refreshing in this regard. I only use a VPN once in a while and when I need one I just throw Mullvad a few bucks for one month plan, which they make as seamless as possible.
It's a custom build of Firefox with somewhat sensible, sometimes strict, privacy respecting default settings.
There's also the Arkenfox user.js which you can put on top of vanilla Firefox, aiming for the most privacy and security possible.
https://github.com/arkenfox/user.js
My issue with these browsers, including Firefox with things like fingerprint resisting enabled, is that it breaks a lot of sites. Add a VPN to the mix and a lot of sites flat out refuse to let you interact with them, or they give you 5 minutes of captchas, or they require 2 factor login despite asking them to remember your device. I have to open some sites (banking, brokerage, health insurance) on a near-daily basis in Chrome with no extensions and no VPN instead of my regular firefox+vpn.
A lot of sites allow interaction even with the above but they shadowban you without telling you. Craigslist shadow bans and auto-spam-filters any submissions done with a VPN, and then also auto-spam-filters any subsequent submissions on the same account even with the VPN turned off.
Reddit also universally spam-filters any submissions and comments done under a VPN, and rate limits your commenting a shitload on VPNs.
Arkenfox is great, although worth noting that there are always privacy vs. security vs. usability tradeoffs. The best usability settings (in terms of sites just working at least) are generally the Firefox defaults, and Arkenfox defaults aim for privacy mostly, but they also have some of the best descriptions of available configuration available anywhere (often the only other source of any kind of information is a brief comment in the source code that assumes familiarity with Firefox code). Personally, I aim for the best security and accept that that makes me unique.
I've asked multiple times to all the Brave sympathizers about "why not fork Firefox, put your snazzy customization on it and call it a day. By lapping up to Chromium, you are only helping Google regardless of what search engine you use"
And more often than not the response has been "well we did investigate Firefox but working with it was pita so we went with easiest option"
Shit dude. You want to start a business so at least do the right thing.
If there are more Firefox forks, like there are chromium forks today, that would normalize Firefox because currently chromium is the de facto web standard.
Mullvad, who has a reputation in the HN comments for being just like... over the top amazing + great (they swear up and down they don't store traffic logs and if you don't trust them, you can pay anonymously somehow or whatever), is having a "hard time" being profitable/growing
all while
NordVPN, who has a bad reputation in HN comments for being untrustworthy and "not so anonymous", seems more well known (and therefore most likely has more paying customers and makes more money?)
What is that law called in business? when the "less good" offering wins?
Where did you get this impression? Mullvad is growing like crazy (4 times as much revenue in 2021 compared to 2020, 2022 numbers not yet public). NordVPN is obviously larger since they are older and have bought a lot of ads on Youtube but Mullvad has crazy growth and I have seen their ads in the subway here in Stockholm. Mullvad is in no way a company which struggles as far as I can tell.
> Mullvad [...] is having a "hard time" being profitable/growing
This is how I originally interpreted the parent comment as well, but they actually meant "a VPN is not enough to maintain your privacy, you also need a privacy-respecting browser."
It's because, like it or not, NordVPN is a great product. The apps are great, the design is slick, they have more servers in more countries, and offer additional value through things like Smart DNS, dedicated IP. Not to mention solid customer service.
Not sure if it's got a "law," but the reasoning seems intuitive: 1. More complex products are usually better, but being more complicated means they're harder to explain to the average customer and makes them harder to sell. 2. More widely known products get that way by stripping money out of the budget for their product to put it into advertising instead. Less money in the product means it's potentially inferior to a product that put their whole budget into development.
It's called educating your potential customers on your product.
NordVPN has spent an incredible amount of money getting their name out there.
The majority of the population hasn't a clue about what a VPN is or does. The ones that do, their only interface is "it's this thing my company makes me connect to"
Of the remaining subset of people who are aware of what VPNs actually do for you, it's likely they can only name 1 or two brands: NordVPN and ExpressVPN.
So if you have the superior product, but the lesser position in the market, then get busy marketing.
Whatever you want to call it, and whatever it means to you, it must be done in some way, like it or not. Or you can sit here and complain everyone's using the big name that sucks and nobody uses your superior 100% artisanally crafted, free-range, conflict-free code, ethically "superior" app.
> So if you have the superior product, but the lesser position in the market, then get busy marketing.
Easier said than done I imagine. Big brand VPN providers charge several times more for the "same" service, or make you sign up with 3 year commitment to even come close to Mullvad's monthly pricing.
Well, many libertarians will state the rules of the free market as if they were physics law, but they are not. I think they're just post-fact invented laws to justify the ideology, but that's besides the point.
The law that "in a free market, the best product wins" has been beaten by profit-driven companies with billions at their disposal. Sure, you can have a better product. But maybe it's more profitable to have better marketing, or secondary sources of profit.
It's quite telling that VPN providers sponsor so many YouTube videos... Which require login to the biggest ad-driven company... Which will identify users by their login, no matter if they have a VPN or not!
Adam Smith's The Wealth of Nations was published in 1776. I suppose you could say that was "post-fact" as it drew on what was happening at the beginning of the Industrial Revolution and the English and Scottish agricultural revolutions among other things, but "invented" would seem a bit of a stretch.
> The law that "in a free market, the best product wins" has been beaten by profit-driven companies with billions at their disposal.
Of course, given that law then the other possibility you appear to have dismissed is that the market is not free.
I must admit I don't know much about economics. I do get tired of people dismissing arguments with free market 101s - the world seems much more complex than that, and the big capitalists have become specialists at exploiting the market for their gains.
But then I'll say: maybe these guidelines are outdated, 250 years later. For example, does the best product win? Not if the product is complex enough and people cannot quickly measure its quality. There's $10 crap and $100 crap, and fake reviews, and paid reviews, and swapped products, and misleading marketing.
What's the best product? A good product will be generally be one that is:
- available
- at a price that the producer makes a profit
- at a price that the buyer can afford
- and does the job
Many such products may exist in a market, some "better" than others but that would be a subjective opinion. The problem with a non-free market, e.g. one with monopolies or interference from governments in the form of subsidies, is that it interferes with the above list and you end up with inferior products (in terms of the above list) to those you would've had in a free market. Even the "producer makes a profit" part would be worse because there are fewer producers making profits, and thus fewer products, higher prices for those products remaining et cetera.
Advertising is not a bad thing in a free market. Fake reviews and the rest are, but they lead to less trust, as we see occur with Amazon, and you would go to a more trusted competitor but Amazon is a monopoly so…
> ...Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet.
Seems like a wash overall with how Chrome for Android lacks support for extensions entirely. Firefox for Android supports uBlock Origin, which greatly cuts down on tracking and chances to be hit by broadly-targeted malvertising.
> More bizarrely, there’s an open Bugzilla and GitHub issue on that, both a few years old.
I can understand why it's not a priority at this point, at least, given that Firefox on iOS is currently a reskin of Safari, and the door is reportedly about to open for actual competition among iOS browsers due to increasing anti-trust pressures on Apple.
It would make more sense to me to address this with a real port of Gecko to iOS, and then you can just run the full version of uBlock Origin for Firefox on your iPhone.
The thing is, while Firefox should have better sandboxing, the tradeoff at the moment is that with Chromium you get better security, but less control and privacy off the bat. With Firefox, you get less security, but more control and privacy off the bat.
I've used Mullvad for 2 years and yeah it's been a good VPN. Global outages have been very rare, maybe it happened 2 or 3 times altogether. It happens however that some websites are blocking Mullvad servers; usually, it's just about switching to another server to get this working.
The desktop client also supports some obfuscation schemes (UDP over TCP) which is useful when you're in countries which block any kind of VPN. The default smartphone app doesn't support this out of the box, but they have some tutorials to set up Shadowsocks and OpenVPN to route the traffic over https as well.
Firefox is already an ad for Mullvad since the Mozilla VPN is rebranded Mullvad. It would not be terrible for them to become a more prominent corporate sponsor of Mozilla. Less eyebrow-raising than Google at least.
I've been a Mullvad user for a while now, and I have to say, their commitment to open source is truly impressive. They're living that philosophy by making their VPN client open source. Tor Browser with the security of a trusted VPN should be a great alternative.
This time, there's strong marketing power though. It has a chance of being adopted by people interested in privacy but not really into computers. It matters a lot.
Now, I didn't really know about LibreWolf, I'll look into it for myself.
Using a VPN might have security implications (such as now, you have an additional central entity, maybe not in the same jurisdiction as you, that can list your network connections to a requesting entity), or not be an answer to your threat model.
I don't really blame them for this though. Buyers should also do their homework.
> Brave scrubs sites of ads and ad tracking, then replaces those ads with its own advertisements, which are not individually targeted but instead aimed at an anonymous aggregate of the browser's user base.
Separate point: calling Google an "advertising company" is way off the mark. Google runs the biggest online ad exchange in the world, requiring lots of advertisers to buy keywords and other ways of addressing customers, and publishers to partner with Google for a (small) cut of the gross revenue Google makes matching bids to asks.
Brave doesn't do any of this cloud surveillance based ad-tech. We leave ads off by default, but when a user opts in, all the ad matching is local to the browser against a catalog that's the same for a large cohort by region and human language. Ad impressions are confirmed by a Privacy Pass variant protocol. Users get 70% of the gross.
There isn't a great category for what Google is, it already won its own "google it" verb. But among many other things, it is a huge ad-tech player. Brave is small, user-first, privacy-by-default, and ads are opt in. See the difference?
That's completely false. We've been unable to get Gregg to correct his story, but we never replaced ads in pages.
We don't aggregate anything into Federated Learning, all opt in (off by default) machine learning is local to the browser. Chaum blind signature protocol (Privacy Pass standardized this) to confirm.
I know it's fun to repeat misinformation on hacker news out of ill will, but many people have verified our claims from open source audits, network audits, and more. Comments like yours just look sloppy or even malicious, even on HN.
Eich is divisive, sure, but Brave is not a secure browser any more than Firefox is, with a lot of phoning home and crypto widgets that, like them or not, are out of place in a browser you want to trust.
Ideally my browser and all the software I use do not connect and fetch data unless I tell them to. A browser should not be "bundled" with extra widgets for convenience.
I don't care about Brendan Eich quite as much as I care about the Google / Chrome monopoly, and Brave just makes this monopoly stronger by depending on Chrome. By being Chrome, actually.
I want the web to be built around something else than ad-/tracking-supported software and Brave is being very self-contradictory with this.
Don't use Brave if you care about the global picture / tracking around the globe.
We started on Gecko. By many measures, big spreadsheet, Chromium won. We would be dead on that short hill you want us to charge up and take with spears against Maxim guns. I share your dislike of monoculture or evolutionary kernels that win by market power more than merit, but having us die for no benefit isn't the way to overcome Google.
Brave rewards is opt-in, off by default. If you dislike ads, don't enable it.
I suggest you consider that your big-picture thinking is short sighted. Instead of spears vs. Maxim guns, the better trope and line of attack is judo: use Google's weight against it, by differentiating a level up in a way that puts users first and if they opt in, pays them 70% of the gross.
(I'm assuming you are educated on how our private ad system works. If not read my comments in the past year or so, easy to find from my profile.)
Brave is a separate fork and completely unreliant on Chrome. It also is the most privacy-focused browser so it's the opposite of "tracking-supported software".
If Chrome disappears, Brave ceases to exist. Brave totally relies on Google developers working on Chrome, who do the vast majority of what it takes to build the browser. Brave only does superficial work in comparison. Brave may itself be privacy-focused but only exists thanks to Google's business model which is mostly tracking the world.
So, yes, Brave is mostly funded by tracking since it is mostly Chrome with some lightweight work on top of it.
Correct, completely forked from Chromium (not Chrome) and in separate development. Brave continues to roll out superior features while the rest of the Chromium world lags.
It does not matter that Brave lives in its own, separate source repository. This code is regularly rebased on Chromium.
Your cookies rely on the flour you use to make them even if they have chunks of chocolate that the flour doesn't have. No flour, no cookies. (Except in this case it's even worse, the cookies are already done, you just add some colors...).
I too can take chromium and put it in my own git repository and change some minor stuff. It will be "forked" and "separately" developed but it would not mean a thing.
We rebase and look at all the changes, neutralizing not only on-by-default tracking Google puts in Chromium for its own benefit, but many other experiments and flagged features. We carry forked files too.
Of course, we can't maintain all of the upstream ourselves, although we wish Google had fewer typists adding bad or marginal things; but neither can Samsung, Opera, or even Microsoft. But if Google stopped maintaining, the remaining Chromium browsers would carry on.
Your comments suggest a lack of familiarity with our GitHub.
It's not perfect (since its funding is mostly Google) but Firefox is my current browser of choice. It notably has very good support for blocking tracking and unwanted stuff thanks to uBlock Origin, which works best on Firefox according to its main developer [0]. And while it is funded with Google's money (which is a huge caveat), I still hope this changes in the future. Firefox could be funded differently. [By the way] maybe Mullvad browser is an interesting choice for this exact reason?
Other (independent) initiatives like NetSurf [1] and Ladybird [2] are on my radar. NetSurf has been around for a while; Ladybird seems impressive, achieving some great progress and result with little resources. I should actually try Ladybird more seriously when I get the chance, and maybe contribute if I find the time :-)
Wut? Citation needed. I’m sure you don’t mean his support of Proposition 8 in 2008, because Barack Obama professed the same belief in 2008… making him, in this formulation, a homophobe.
I don't think we need an umpteenth discussion about this here, it has already been discussed to hell. This is getting old. Just search Brendan Eich on HN [1], this discussion happens any time he is mentioned here.
Or just read the summary on Wikipedia [2].
There's a lot of material on this topic, it's easy to make up one's opinion on this if you are genuinely interested.
But if these details are to play a factor in browser selection, one should reflect on the myriad of undesirable associations involved in going about daily life.
Just typing this reply involves an entire supply chain associated with individuals and organizations of questionable character.
To apply this same level of sensitivity to daily life would be to mostly unhook oneself from modern society.
I care deeply about the safety and freedom of the LGBTQ+ community, and find little value in allowing someone else’s lack of acceptance of me dictate my life. Doing so is a form of “doing something” that does nothing but widen the gap to actual change, which can only ever happen via open dialogue.
I think there are plenty of reasons not to choose Brave based on the actual technical merits of the product.
Sure, I'm not disagreeing with you and this is actually an interesting philosophical topic to discuss (I mean it, I'm genuinely interested in this and have been wondering where to put limits on this kind of stuff).
But wondering whether Eich is homophobic? Meh. Bored of these discussions. I have set my opinion on this. It's been discussed enough.
I tend to avoid fast food in general, but I try not to orient my life around actions (or avoiding actions) that are unlikely to have any impact, especially if they involve spending more of my own energy.
Avoiding Chick-fil-A at all costs: primarily affects me.
Being willing to frequent a Chick-fil-A because a friend somewhere else on the political spectrum enjoys it: potentially opens an opportunity to talk.
Most of my family and their circles fit that latter description, so this is not a hypothetical. Any chance of influencing them is actively harmed by choosing/avoiding fast food based on tribal allegiance.
None of this should be construed to mean that I find their leadership team and public stances acceptable.
It has everything to do with your comment? I'm inviting anybody interested on the topic to go read about it themselves instead of rehashing the same subject again and again, since I believe everything about this has already been said already?
> You libeled someone without providing any proof at all.
On the contrary, please notice how I carefully and deliberately stated nothing about Eich, have not given my opinion on this and have not taken sides here.
It would not be smart, it would invite people who have opinions on this to further push this discussion.
Barack Obama opposed prop 8 in 2008, and certainly never donated money to the campaign like Eich did. There are dozens of articles about it.
But he also opposed gay marriage, so to some extent he was homophobic, at least for political reasons. He later changed his mind on it, likely also for political reasons.
But shame on you for using such disingenuous bullshit tactics to make your homophobic point: “If you call Eich a homophobe, then you also have to call <insert beloved liberal figure> a homophobe!”. For one, it ignores the fact that people’s minds can change over time, whereas Eich has never changed his stance on gay marriage and has never disavowed the money he spent trying to stop it. And two, it’s just a red herring argument and attempted hypocrisy trap.
And worse, it’s a fucking terrible hypocrisy trap. There are millions of people who support gay marriage but never supported Barack Obama, and millions more who supported Obama precisely because they didn’t want gay marriage and thought they could trust him to not change his mind on it. Obama may be beloved by some liberals, but he is a hypocrite to many on a multitude of reasons, ranging from his gay marriage flip flop, to his support of the patriot act, to the promotion of indefinite detention and torture to federal law, to the fact that he continued the pointless Iraq war for his entire term.
There is no opt-out to not use a VPN. There's... the Mullvad logo, which seems pretty reasonable. Certainly more reasonable than injecting their own ad network into your pages and pushing your home-rolled cryptocoin.
I have been using Brave for a long time, and the only place where crypto is mentioned is the new tab window. You have to opt in to ad replacement.
The Tor design spec literally says it is not meant to defeat a global passive surveillance panopticon like a world government. Know its limitations and it's a fine tool. By the way, the entire Internet was built for the government.
You do realize that Tor is open source and has been under scrutiny by some of the world's leading security researchers? It may not be 100% perfect, but claiming it's useless and ineffective simply because it was born out of government research is completely asinine.
So ... it is a fork of Mozilla Firefox with privacy-friendly settings by default, some script blocking, and DNS lookups done via Mullvad's encrypted DNS service.
Sounds ok to me. I have a longish and probably out of date list of settings that I like to change in a new instance of Firefox. I trust Mullvad not to log DNS more than I trust my ISP, and I live in the UK, so unencrypted DNS here is being logged and stored by order of the government.
Keeping a fork of firefox in sync with mainline firefox to get security fixes is a load of work, it is good that somebody is doing it, in this case I think the tor project is doing a lot of the work.
AFAIK it's a "fork" of the Tor Browser (which is a fork of Firefox) but instead of connecting to the Tor network you connect to a VPN.
So you get all the in-browser tracking protection Firefox has (e.g. against fingerprinting) + the ones only the Tor browser has but without the drawbacks of the tor network and in turn without onion security.
Yes, but beware that many websites are broken when “resistFingerprinting” is enabled. That’s why that mode is not enabled by default or an opt-in option in Firefox’s settings UI.
I've run into a couple of sites that have some canvas-based features that break when resistFingerprinting is on. They get some visible noise added on top (which does indeed thwart fingerprinting, but also makes it harder / weirder to use those features).
I believe you can turn off the canvas-based meddling per-site. There's a small icon that appears on the left of the URL input box on affected sites that allows you to do this.
The Tor desktop browser is based on Firefox ESR (Extended Support Release), Mozilla’s LTS branch of Firefox that receives security fixes for 14 months. The Tor Android browser is based on Mozilla’s regular Firefox Android browser, updated every four weeks.
> I have a longish and probably out of date list of settings that I like to chance in a new instance of firefox
Not a user, but part of the purpose of the TOR fork is its settings: anything that is detectable via JS is supposed to remain default to prevent fingerprinting.
It's partly why it's not widely popular. I don't know if this is still true, but it used to be that it was supposed to be run at a specific viewport resolution regardless of your device, all in the name of making your fingerprint as close to the same as all other TOR browser users.
> run at a specific viewport resolution regardless of your device.
It's more like pretending to the website that your screen has a "common" resolution etc., which is nearly but not quite the same as what you said.
In the past they semi-required you to keep your Tor window at a specific window size for this, which just didn't work well in practice.
From what I have heard, they have by now integrated that better into the browser, so you can resize it however you want, but websites might have an "empty" border area to the left/right/bottom depending on your screen resolution, window size etc.
With a typical maximized window on 1080p you won't really notice it; on 4k you might notice that it's just "dumb" upscaled from 1080p, but the person I spoke with wasn't sure if maybe they have a set of supported common resolutions instead of just one. And on a 4:3 screen he said it's quite noticeable.
Not sure how it's designed, but if I was designing a system for reducing detectable entropy from viewport size, I'd make a fixed list of available resolutions. First all the common resolutions (1920x1080, 2550x14540 and so on), and in addition to that maybe just "snapped" grid sizes in 64 pixel increments. If you use a window size that doesn't match, it should just render the viewport to the closest smaller allowed size, and fill the border with something (e.g. the background color of the page). Perhaps that's exactly how it works?
Yes, that's how it works, if you're talking about the setting privacy.resistFingerprinting.letterboxing. To my memory, the list is any multiple of 200 on width and any multiple of 100 on height. So at this moment my viewport is, I believe, exactly 1200x900.
Bear in mind that it's a minority of people that hit F11 to browse fullscreen, they still have toolbars, so it's not as common as you'd think for the viewport to match a common screen resolution like 1920x1080.
Yeah, the ones you want I guess would be 1920x1200 with the height reduced by common (say Windows 10/11) taskbar and toolbars. It's never going to be perfect, but you'd at least want to minimize letterboxing for the most common fullscreen setups on the most common platform(s). But you could throw in 1920x1200 full screen as well for good measure.
Perhaps it would be better to letterbox randomly with say 20px width and 20px height, so it's just 1 chance in 400 to even return to the same reported screen size? That way you'd be even harder to track than if you are the only person running exactly 1000x800.
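The two letterboxing rules discussed in the comments above, as an added example that is not Tor Browser's, Mullvad Browser's or any commenter's code: the multiple-of-200x100 grid one commenter recalls for privacy.resistFingerprinting.letterboxing, and the fixed list of common resolutions proposed as an alternative. The step sizes, the resolution list and the sample window sizes are assumptions constructed for the example, and the functions report how many distinct viewport sizes a set of windows collapses into.

```javascript
// Added example, not Tor Browser's or Mullvad Browser's own code.
// Models the two letterboxing rules discussed in the thread so the reader
// can see how many distinct window sizes collapse into each reported
// viewport size (fewer distinct values = more users sharing one value).

// Rule 1, as recalled for privacy.resistFingerprinting.letterboxing:
// round the window's inner size down to a multiple of 200 x 100.
// The step sizes are taken from the comment, not verified constants.
function letterboxGrid(width, height, stepW = 200, stepH = 100) {
  const w = Math.max(stepW, Math.floor(width / stepW) * stepW);
  const h = Math.max(stepH, Math.floor(height / stepH) * stepH);
  return {
    width: w,
    height: h,
    // Leftover space filled with a neutral border; 0 when the window is
    // already smaller than the minimum bucket and cannot shrink further.
    borderW: Math.max(0, width - w),
    borderH: Math.max(0, height - h),
  };
}

// Rule 2, the fixed-list proposal: report the largest listed resolution
// that fits entirely inside the window. The list is constructed; 1920x1009
// stands in for "1080p minus a typical taskbar and toolbars".
const COMMON_SIZES = [
  [1920, 1080], [1920, 1009], [1600, 900], [1366, 768], [1280, 720], [1024, 768],
];

function letterboxToList(width, height, sizes = COMMON_SIZES) {
  let best = null;
  for (const [w, h] of sizes) {
    if (w <= width && h <= height && (best === null || w * h > best.width * best.height)) {
      best = { width: w, height: h };
    }
  }
  if (best === null) {
    // Nothing in the list fits: fall back to the smallest entry so the
    // reported size is still a listed value rather than the real one.
    const [w, h] = sizes.reduce((a, b) => (a[0] * a[1] <= b[0] * b[1] ? a : b));
    best = { width: w, height: h };
  }
  return {
    ...best,
    borderW: Math.max(0, width - best.width),
    borderH: Math.max(0, height - best.height),
  };
}

// Count the distinct reported sizes a set of real window sizes maps to
// under a given rule (the size of the "anonymity set" partition).
function distinctReported(windowSizes, rule) {
  const seen = new Set();
  for (const [w, h] of windowSizes) {
    const r = rule(w, h);
    seen.add(`${r.width}x${r.height}`);
  }
  return seen.size;
}

// Constructed sample: full-screen 1080p, 1080p minus a taskbar, 1080p minus
// taskbar and toolbars, a small laptop, a hand-resized window, and 1440p.
const SAMPLE_WINDOWS = [
  [1920, 1080], [1920, 1049], [1920, 1009], [1366, 728], [1280, 970], [2560, 1369],
];

console.log('grid rule buckets:', distinctReported(SAMPLE_WINDOWS, letterboxGrid));
console.log('list rule buckets:', distinctReported(SAMPLE_WINDOWS, letterboxToList));
```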
I was thinking about that very thing: keeping up with patches. I suspect that Tor is probably a couple of months behind Firefox and then Mullvad will probably be a month or two behind Tor. It is easier to check between Tor Browser and Mullvad Browser because they both use git. Firefox uses Mercurial, so it is probably harder.
Some people just want to pick a different point on the tradeoff between convenience and privacy.
Imagine User A uses Fastmail every day, logging in manually every morning. User B uses Fastmail every day, with a saved login cookie. How is User B's privacy any worse? What would User B gain from not having that choice?
It's not a matter of user choice, it's a matter of maintenance and product integrity.
User B's privacy is objectively lessened by allowing tracking cookies, but that is their choice. What is out of the user's control is what mullvad chooses to spend their time supporting.
If mullvad allows users to turn off a privacy feature, now that's a permutation they have to test for. It's also an attack vector they've enabled, either through user carelessness or social engineering. Mullvad wants to be able to say "here's a browser, it's 100% private" and not have to say "as long as you do X, and don't do Y, and...". Every other browser already does that.
A possible scenario might be that one day the user wants to log in to their other Fastmail account, which they don't want to be linked to their main one in any way.
The GP said "some people", not everyone. Some people want all the convenience and the illusion of privacy; the benefits minus the cost. It's human nature to want something without paying for it, just as it is human nature to pretend that desire doesn't exist.
What I'd like is a Mullvad container in regular Firefox so I can choose what sites to open in it, or rather make it the default and move a site to another container if I want permanent cookies. I use temporary containers now but the extra fingerprinting features appeal to me.
Your browser can still be fingerprinted without cookies. The site just needs enough unique information (user agent, timezone, screen size, IP, operating system, country, etc.) to form a trackable identity.
This is a surprisingly effective one when combined with other users of your network. A couple of years ago, I started getting Facebook ads for things I'd never looked at, but that I knew my wife had looked at. We don't share any devices, and she doesn't even have a Facebook account.
It's pretty troubling how invasive shadow profiles are.
There are 200 countries on this earth, and not all of them have the luxury of an uncorrupt, actually-democratic set of genuine public servants who wish only to create utmost benefit for the largest number of people.
If you have that, you're a minority. And if you believe you have that, but actually you don't, you'll find out only after it's too late to save it. It's prudent instead to assume and act like you don't have it in either case.
Indeed, some of the greatest democracies have been set up precisely to that end.
For many, online privacy isn't at all about advertising. It's about working to a common good of rights and freedom for all.
Rest on your laurels all you like, but don't deride others who refuse to. It is only through the efforts of such people, and in the past those like them, that any of us have the ability to take any such rest at all.
> Most of us are self-aware that I'm not that important to be specifically targeted.
Of course, not in the sense that the FBI, Wagner Group, or the boogeyman are going after you today (but you never know what the future holds). However, data brokers and large companies have a financial incentive right now to know as much about everyone as possible, and the information they collect is increasingly being used to decide your insurance rates, give you employment, etc.
>People who live a privileged life and have nothing else important going on in their life choose this hill to die on.
I mostly agree; however, privacy issues impact the less privileged more, for example women seeking abortions in unfriendly states, teenagers learning about queer issues in a toxic community/family, people fleeing abusive relationships (the effort some stalkers put in is truly insane), minority groups (e.g. undocumented immigrants). Sure, these groups can't dedicate lots of mental energy to privacy, but plug-and-play browsers like this one make it easier, and even if you are highly privileged, protecting your privacy makes it more acceptable for others to do so too.
You're clearly not thinking enough about this. It's not just about ads. For just one example, think about the data acquired regarding fertility and abortion, and how it can be used with respect to some law alterations.
There are many other examples for present and potential futures, so no this isn't just about ads.
Well, I’d say this is largely privacy theater for hobbyists. Like a lot of other hobbies, unreasonable suffering is often part of the fun and creates a sense of belonging. What sets you apart if you’re just browsing like every other mortal?
Edit: As mentioned elsewhere in the thread, there are still plenty of identifying bits.
This is inherited from the upstream TOR browser. It's basically designed to evade fingerprinting by making the browser's fingerprint similar across all TOR browser users. It's indeed very inconvenient, so don't use these browsers unless you seriously care about this stuff.
I thought it'd be possible by simply turning off "Always use private browsing mode" setting, but it doesn't seem to work. Sessions are still cleared upon browser exit.
In my case, I had to turn off that setting because without it, 1Password wouldn't work.
No one wants that, most websites become broken by taking pro-privacy measures. It's about not consenting to tracking. Right now the majority of users are implicitly giving consent to tracking.
It seems like a harmless thing to be tracked, but once the likes of haveibeenpwned.com came out and the databases that fuel it, and services that provide search utility to those databases, it should become clear that being tracked across every single website on the internet is probably not what you want.
Scenario: You apply for a job, they look up your totally-clean email address, see the email linked to an IP address on some database from a leaky website you applied for a job on, the IP address is linked to a service where you used a certain password which you used on 6 other services, one of which had a database leak of your system fonts, now you can see all the accounts to services to which your system fonts were identically matched. Oh look, you were 13 years old when you joined Stack Overflow on an abandoned account and you posted some humorous, incorrect solutions that were down-voted to oblivion. But that's ok, they invite you to the job interview and they make a funny remark about your Stack Overflow answers and then offer you a job. Do you want to work there now that you know they completely invaded your privacy?
So in this scenario, if only you had used the Mullvad browser then... you wouldn't have found out this employer snoops on their employees and might have accepted their job offer? You've concocted a scenario where a privacy-focused browser ends up causing you problems.
I'm not advocating for this browser specifically, only encouraging more people to take pro-privacy and online safety measures.
It's pointless to say the problem is the employer, or the hacker who released the data, or the programmer who relied on bad algorithms, or the admin who didn't secure the data. One way or another, this data will get leaked, the old hashing and encryption techniques will be broken and there will be people searching through it all. Forget about the government, at least they are beholden to law and maintaining the appearance of adhering to it. Substitute employer for neighbor, girlfriend or internet stalker and you have equally valid scenarios which are even more disturbing in my mind.
> > The timezone is spoofed, to combat fingerprinting.
The annoying thing about this (assuming it's the same as in Firefox) is that the times displayed in your own local History page are also "wrong" i.e. shown in UTC.
Hm, that seems like a mistake. If I'm reading the docs right, the Mullvad browser will let you browse the web without using their/any VPN, which means that it's entirely possible to accidentally surf to a site without having your VPN up and reveal your IP address to that site. To contrast, there's no way to use the Tor Browser without using the onion network, so it's ~impossible to accidentally browse to a site and reveal your IP address, and not just the IP address of the exit node.
OpSec is hard, and tools letting you shoot yourself in the foot don't help. There are plenty of other browsers out there that don't offer VPN integration, so (imo) they should have made the browser a paid feature for customers, instead of giving it away for free like the market has demanded since IE6.
I think the reason that they have made it free is to combat fingerprinting more efficiently. It would be easy to fingerprint if they had a very limited number of users.
Mullvad’s VPN software has an available function that blocks network traffic when the VPN isn’t connected, so there’s no need to patch that into the browser.
Does it offer the same system-wide protection as the desktop VPN product; or does it only use the VPN for SOCKS-proxied traffic through the extension-created SOCKS port, so that those protections are applied within the browser; or does it not protect against temporary interruptions; or other?
I can’t experiment with this during my workday, and we’ve reached the limit of information available without running it and testing, so I can’t help resolve this further right now.
Using Mullvad (2023.2) split tunnel on my Windows 11 machine with qBittorrent 4.5.2. Every IP tool I know of is showing only my Mullvad IP. What tool are you using that indicates a leak of your real IP?
Mullvad was set to use WireGuard. qBittorrent was set to use only the Mullvad adapter. The qBittorrent log showed that it's listening on that adapter's IP, but found that the external IP was mine (UPnP was turned off). Then I checked with the https://ipleak.net/ torrent address detector, and it also showed my real IP.
Here's to hoping they maintain this for a while. There are a lot of "hardened Firefox" forks around, none of them that I would trust to follow upstream for a long enough time to switch.
I already trust Mullvad enough to use as a VPN, and am likely willing to extend that trust to a fork of Firefox they manage, but truthfully, I'm always concerned when achieving goals means new ventures and projects, as it may mean resources are moving to other areas and may impact their core product. I like my core providers to do one thing and do it well.
"Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn't happening for their Android browser yet."
Your quoted part seems to refer to people using the OS browser component in some contexts (eg app embedded web content) and the actual browser app in others. It's good to be aware of but claiming the resulting attack surface is the union is only technically correct. The resulting risk is not increased correspondingly as you are not accessing most content through 2 browsers.
This is a good reminder, thank you. I am an advocate and user of GrapheneOS, but often find myself using Firefox because of Sync, and because of the bottom toolbar -- which is ridiculous to think about.
I understand the desire to stay close to upstream, and that requests for such "usability" tweaks should go to Chromium.
Alas the rigidity of the GrapheneOS project is a double edged sword.
> There are a lot of "hardened Firefox" forks around
Sticking with LibreWolf for now, which has updates disabled in the policies section, but I frequently ping their Gitlab for new releases. It's annoying having to do that, but if it means I get security patches in time, I do it.
> Bromite seems like it's sticking around, fortunately.
Only barely, unfortunately.
I've since moved to Vanadium for anything untrusted and/or critical. It's still missing some features I'll enjoy seeing added, but it's improved considerably lately.
I do not like Brave's business model (replacing web ads with their own, even setting the crypto thing aside), but I will check out your link if Bromite fizzles out.
If a lot of non-Mullvad users use it, it will create a nice pool of people with at least the same browser fingerprint.
Basically, it seems like a good choice if you are already a Mullvad user and your threat model does not require the use of a Tor browser. However, if there's a significant non-Mullvad user base using it, it won't do much, as you'll just stand out as the only person using the Mullvad browser without Mullvad VPN.
The people you are looking to to regulate it are the same people who would exploit it.
I also think this approach of expecting the general public to adopt a borked browser to give deniability to people using it strategically is extremely naive. Human psychology just doesn't work like that, you might as well ask schools of fish to swim differently to hinder shark learning. To be frank, this seems like it will just create confusion vs telling people to use Tor browser.
The way to improve privacy is to provide a tool that actively enhances something incredibly well, and does everything else at least as well. If all browsers are hopelessly compromised, make something that isn't based on HTML and builds cool user interfaces directly from API calls like a videogame UI, for example.
Can you say more about the API calls, what would that be exposing of the user? I think it's difficult since most new apps are using Electron, or V8 scaffolds... but really nice idea
> However, if there's a significant non-Mullvad user base using it, it won't do much, as you'll just stand out as the only person using the Mullvad browser without Mullvad VPN.
"The Mullvad Browser is a privacy-focused web browser developed in a collaboration between Mullvad VPN and the Tor Project. It’s designed to minimize tracking and fingerprinting. You could say it’s a Tor Browser to use without the Tor Network."
We did not, we made a front end to the Google Search API.
Our search engine performs the searches on behalf of our users. This means that rather than using Google Search directly, our Leta server makes the requests.
I wonder how many VPN providers are going to turn out to be honeypots in the long run. Every time they make it easier, I get more suspicious about the privacy really being provided. Perhaps I’m just really distrustful and cynical.
Of course, which is why you shouldn't depend on a single VPN (or just VPNs in general) if you have stuff to hide.
Opsec is an art, and there are no turnkey solutions to ultimate privacy and security. You gotta put in the effort yourself.
It's just a matter of reducing your surface area: I know for certain my government tracks my unencrypted DNS requests, and I have a static IP, so I'd rather turn Mullvad on if I'm feeling like opening an adult site. They might log my DNS, but it's a little harder for them to correlate my requests than if I were to use my home network. Not impossible, but since I am not at odds with the law, GCHQ is probably not spending billions tracking my every movement across networks.
If you need to send nuclear bomb plans to an enemy government, I hope you have a better plan than trusting the promises of any VPN network.
Mullvad has been around for quite a long time, and regularly releases third-party security audits. Is there anything they've done that comes off as a red flag to you?
> Perhaps I’m just really distrustful and cynical.
That's fine, but you should have a good reason for it.
Long-term services are great targets for governments.
If you were looking for some trust in a VPN, you would want them to offer locations in privacy-friendly countries, and to highlight them as such. That would potentially funnel more users to those servers, which would be beneficial. You would also want the VPN to ensure the servers in those countries are run by companies based in that country, and not headquartered in some other country.
I didn't say it prevents tracking, I was offering a litmus test for a VPN to the question of red flags. If it doesn't pass the litmus test, preventing tracking is the least of your concerns.
I am disappointed to see that it doesn't integrate with Mullvad VPN at all. I have Mullvad VPN but I use it too little because I don't want all traffic on my Mac going via VPN (e.g. all kinds of random IDEs and websites). All I want is one browser which always uses the VPN. But Mullvad has no split tunneling on Mac AFAIK, and on Windows too you can only block some apps from the VPN, instead of saying that only this application will use the VPN. This is one feature I really miss from PIA.
It's not about speed. There are many websites where your identity is linked in some fashion (e.g. your bank). I don't want my bank to block my account because I was on one continent in the morning and another in the afternoon. The same goes for other critical accounts. I know, I know, this is all unlikely, but why bother with it if it can cause a lot of headache. E.g. I know of people whose Facebook accounts got blocked and were asked to provide some ID since the accounts were opened from two different geographies.
Basically, sending all traffic via VPN seems a big headache to me, e.g. using Gmail from a VPN doesn't help me at all.
Firefox allows you to assign proxies to individual containers. You could create a "Mullvad" container, set it to use Mullvad's SOCKS proxy and then configure a list of websites to always open in that container. That should allow for nice segregation on the level of individual tabs.
They haven't documented this feature [1], but it's part of the official "Multi-Account Containers" extension. It can be found in MAC -> Manage Containers -> Select -> Advanced Proxy Settings at the bottom.
> I know of people whose facebook accounts got blocked and were asked to provide some id since the accounts were opened from two different geographies.
Ah, I see. Unrelated to VPNs, but if you want another anecdote: I had my FB account blocked because I physically moved to another country, and some months in I decided to recover the password to my account (which I hadn't used in a year or more).
Now, I 100% agree that this was a _super_ suspicious-looking series of events, but out of all possible ways to verify my account, how did FB choose to check my identity?
"Please login with a device that you had previously used to access this account. You must do so within 30 days or your account will be permanently disabled." Of course my old devices were in my old place in another country, and I wasn't going back within 30 days.
Fortunately I only used FB to join some IRL groups or to talk to the occasional person who had no other messenger, so it was no great loss, but I can imagine it would have been a major hassle for some people.
Curious how usable it is for anything with CloudFlare. CloudFlare doesn't like browsers that block fingerprinting, and it doesn't like Tor Browser in my experience, and when I use Mullvad I also get way more CloudFlare Captchas, often getting stuck in an infinite loop. I'm focusing on CloudFlare because it seems half the sites I use are behind their firewall now. (e.g. I have to switch from Brave to Firefox every time I want to use ChatGPT...)
I use LibreWolf (hardened Firefox) with Mullvad VPN and in my experience have hardly had any issues with Cloudflare (occasionally I might get a single Cloudflare captcha but this doesn't happen often). Tor browser, on the other hand, gives me tons of captchas and is barely usable.
Cloudflare is bad for the web by now. There is way too much in their hands as well. I observe the same as you, infinite loops, that make me leave the sites where it happens. Probably many others experience the same, but the website owner will never know, because they put the blindfolds on.
Unfortunately it is hard to suggest alternatives. But maybe HN has some ideas how to self host something effective to avoid having to use something like Cloudflare?
Hmm, I just gave it a try with https://fingerprint.com/ and each time I restarted the browser it says it is my first visit. This is really a nice surprise, as fingerprint.com tends to always recognize your previous visits.
Update: "In permanent private browsing mode, cookies and site data will always be cleared when Mullvad Browser is closed." It has this setting ON by default.
I was wondering! For an English-speaking audience it feels like it might be a poor brand. It's not exactly a "nice-sounding" name. Though to be fair, they might not be trying to win mindshare, so careful branding might not be a concern.
I appreciate that to a technical audience this can usually feel like a super pedantic bit of nonsense. But for the other 99% of browser users, this kind of thing can matter!
To be fair, this is a very pseudosubjective thing. I know my data point. And I feel my data point is plausible as a trend. For example, you don't need to do studies to know that "Diarrhea Browser" would be a bad name.
Edge? I think it's sharp and techy and modern. So it seems at least... valid. But it also screams, to me at least, the classic Microsoft branding thing of, "this feels like a bunch of 50 year olds in a room declared what they believe to be cool and hip."
Then again. `iPad` was broadly laughed at when it was announced, and through sheer repetition it has been accepted and I don't really even notice the weirdness of the name anymore. So maybe with enough success, Mullvad would be adopted.
I bet “should begin with the letter E” was one of Microsoft’s requirements for selecting a new browser name so they could continue to use IE’s familiar “e” app icon.
Right. I'm struggling to understand the need for this. Does this browser provide some seamless access to some free-tier Mullvad service? If not then it seems like a marketing difference to the Tor browser, which can be used with a VPN and have the Tor bit switched off.
This page[0] lists the differences from the Tor browser[0]. It has the Tor specific features removed, different default extensions, enabled WebRTC, and added Mullvad's DoH resolver.
I'd really like a VPN service to recommend streamers where they don't automatically show your location and IP if you happened to not be logged in for whatever reason. It's a UX that lands a lot of people in trouble when they visit the websites to check them out on stream. Ironically streamers with VPN sponsorships, too.
Be nice if this stuff were hidden by default with some reveal button to show the information, both on the website and browser extension as an alternative to the other options out there. Otherwise I love recommending Mullvad to everyone.
Checking with https://www.amiunique.org/ resulted in a unique fingerprint for me. The "Canvas" and "Media devices" attributes are unique on their own. I had not expected this.
As a DuckDuckGo fan as well, I'd have loved to see them/DuckDuckGo develop their browser on the top of Firefox with Mullvad as a partner with deep integrations.
I have mixed feelings about this. On the one hand, this seems like a legitimately good product. On the other, I can't help but feel this would have had greater impact had the Mullvad team collaborated with the LibreWolf project. Sure they wouldn't be able to market it as directly, but I think their user base would be much bigger.
Edit: it seems NoScript is also included which... I'm not sure I personally agree with? But I'm also not a privacy expert so maybe I've missed something, but uBlock Origin should cover that operability. Someone with experience please correct me if I'm off base here.
Fun fact: this makes you extremely easy to identify, because it gives your browser a very unique fingerprint. If JS is enabled, that is, which you can disable by default, but JS is simply a requirement for many websites to function.
I wonder how they approached this problem for the Mullvad Browser.
I gotta say I have found Mullvad to be refreshing; they have good apps (you can get it running on most Linux systems with very little work) and I don't have to remember a password, just an ID number.
Stupid simple stuff, been using them for a long time (and guess what? no info shared, they don't EMAIL me every time they have a discount on a 3 year subscription like some VPN companies)
They just seem very honest and straight forward with their marketing. Never a bad moment.
They are. Mullvad browser seems to be aimed at users that want a hardened Firefox out of the box with additional Mullvad extensions, while Firefox with Mullvad installed manually is all manual setup.
> Dns Over HTTPS (DoH)
> Mullvad Browser is configured to use Mullvad DoH for all DNS requests, without fallback. In the settings, you can also configure it to use Mullvad Adblocking DoH.
If you trust Mullvad to see all your traffic (including every IP you connect to), it seems okay to trust them to see your DNS queries (that will return the very same IPs you will later connect to).
The last time I tried the Tor browser, it did not sufficiently handle browser fingerprints. I don't have high expectations out of this project either, but at least they offer a Firefox extension. I'd have to dig into it to determine how effective it is, but as it stands there are other Firefox extensions that already do an excellent job.
Simply download the Tor browser and evaluate its performance on one of the many browser fingerprint [1][2] and browser leak [3][4] web services. The last time I checked, it didn't pass every test.
Isn't passing every test going to make the browser uniquely unique? My impression is that they want it to be 'fingerprinted' but look like 1,000,000 other Tor browsers so they can't be told apart.
I've tested the site with the Tor Browser and it told me "Yes! You are unique". I've downloaded my fingerprint, closed the Tor Browser and did it again and again it was unique. So they couldn't link the two sessions together which is good. A jsondiff of the downloaded files only showed "canvas" as different which I guess gets generated randomly on every visit?
I just diffed the fingerprint[0] of 6 Mullvad browser sessions across 2 different devices and it was a unique fingerprint in every case[1]
It mixes a lot - fonts returned, media devices, the canvas ID - it's pretty good and similar to what you expect from the improvements out of Tor Browser
[0] using amiunique and fingerprint.js (now fingerprint.com) - which most of the nefarious ad networks use
[1] note that just as with Tor, you have to quit the browser or click the 'new identity' menu button. just closing a tab/window and re-opening is not enough. I've always believed that there could be a UI hint to this in private browsers with a unique color/background in the menubar as an indicator
Maybe Mullvad uses some techniques to randomize the unique fingerprint over time in order to not get tracked? So you’re basically identifiable for only a certain period of time until the tracked identity becomes invalidated.
Even after installing Privacy Badger, my fingerprint remained unique and unchanged, with 17.65 bits of identifying information.
For comparison, after I disabled JavaScript, blocked remote fonts, disabled cosmetic filtering, and blocked large media elements using uBlock Origin, my fingerprint was no longer unique, and it dropped down to 9.55 bits of identifying information. Obviously, I don't recommend people do this, but it was fun to check it out.
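The session diff described a few comments up (which attributes survive a restart and which, like canvas, do not) and the "bits of identifying information" metric from the uBlock Origin experiment above, as an added example in Python; this is not the page's, amiunique's or Mullvad's code. The two captures and the eight-browser comparison population are constructed, and the attribute names are assumptions.

```python
import json
import math

# Constructed captures (not real amiunique output): two sessions of the same
# browser where only the canvas hash was re-randomised on restart.
UA_LINUX_FF = "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
UA_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0.0.0"
UA_MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_3) Safari/605.1.15"
FONTS_LINUX = "Arial,Courier New,DejaVu Sans"
MEDIA_1x1 = "1 audioinput,1 videoinput"


def _browser(ua, tz, fonts, media, canvas):
    return {"userAgent": ua, "timezone": tz, "fonts": fonts,
            "mediaDevices": media, "canvas": canvas}


SESSION_1 = json.dumps(_browser(UA_LINUX_FF, "UTC", FONTS_LINUX, MEDIA_1x1, "9c1e77b0"))
SESSION_2 = json.dumps(_browser(UA_LINUX_FF, "UTC", FONTS_LINUX, MEDIA_1x1, "4b02aa9d"))

# Attributes a site can only read when JavaScript runs; disabling JS (as the
# uBlock Origin experiment did) removes them from the fingerprint.
JS_ONLY = {"fonts", "mediaDevices", "canvas"}

# Constructed comparison population of 8 browsers; index 0 is the measured one.
POPULATION = [
    json.loads(SESSION_1),
    _browser(UA_LINUX_FF, "UTC", FONTS_LINUX, MEDIA_1x1, "0f9e3c12"),
    _browser(UA_LINUX_FF, "UTC", FONTS_LINUX, "0 audioinput,0 videoinput", "d8e1b2aa"),
    _browser(UA_LINUX_FF, "UTC", "Arial,Liberation Sans", MEDIA_1x1, "71a0c4ee"),
    _browser(UA_WIN_CHROME, "UTC", "Arial,Calibri,Segoe UI", MEDIA_1x1, "3be410cc"),
    _browser(UA_WIN_CHROME, "Europe/Stockholm", "Arial,Calibri,Segoe UI", MEDIA_1x1, "5c77d9e0"),
    _browser(UA_MAC_SAFARI, "UTC", "Helvetica,Menlo", MEDIA_1x1, "a2e6f018"),
    _browser(UA_MAC_SAFARI, "America/New_York", "Helvetica,Menlo", MEDIA_1x1, "e90b3d47"),
]


def diff_sessions(a_json, b_json):
    """Which attributes changed between two captures and which stayed the same.
    The stable ones are what a tracker could use to link the two sessions."""
    a, b = json.loads(a_json), json.loads(b_json)
    keys = sorted(set(a) | set(b))
    return {"changed": [k for k in keys if a.get(k) != b.get(k)],
            "stable": [k for k in keys if a.get(k) == b.get(k)]}


def identifying_bits(fp, population, keys=None):
    """-log2(share of the population matching fp on every key in `keys`):
    the 'bits of identifying information' reported by fingerprint test sites.
    log2(len(population)) is the maximum, reached when fp is unique."""
    keys = sorted(keys if keys is not None else fp)
    sig = [fp.get(k) for k in keys]
    matches = sum(1 for other in population if [other.get(k) for k in keys] == sig)
    return -math.log2(matches / len(population))


def bits_without_js(fp, population):
    """Identifying bits when only the non-JavaScript attributes are readable."""
    return identifying_bits(fp, population, keys=set(fp) - JS_ONLY)


if __name__ == "__main__":
    me = POPULATION[0]
    print(diff_sessions(SESSION_1, SESSION_2))
    print("full surface:", identifying_bits(me, POPULATION))
    print("JS disabled: ", bits_without_js(me, POPULATION))
    for k in me:
        print(f"  {k}: {identifying_bits(me, POPULATION, keys=[k]):.2f} bits")
```

With only eight browsers in the constructed population the maximum is 3 bits; a real test site's population is what pushes the figure up to the 17.65 bits quoted above.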
Browser fingerprinting is exactly that. And the browser leaks are an even more concerning issue that must be confirmed. Websites want to know who you are or at least that you're not a bot. As a pro-privacy user, you don't want websites to know either of those things. That's low-hanging fruit that a few simple browser tweaks can help with.
Important Note: Tor browser isn't truly private as it connects to Firefox services on start-up, even if you disable all options that require these. (Unlike zero telemetry / "no automated connections" browsers like the Orion browser - https://browser.kagi.com/ - or the PaleMoon browser - http://www.palemoon.org/ that actually do respect your browser settings).
This seems deliberate as no attempts have been made to fix this despite repeated highlighting of this issue online by many concerned users.
(I haven't verified if the Mullvad browser has the same problem).
I like Mullvad but it can actually be challenging to purchase a subscription in the US. Most prepaid cards block the purchase. Sure, you can use it with a fully tracked card etc. but that's not really the target audience.
It is, although then the next problem is getting Monero in the US with their clutterfuck of cryptocurrency regulations, so you have to find an exchange that works with Monero and actually works in the US, then give them your identity and bank account information and hope they don't think you're suspicious and block you.
You could acquire a different crypto on a US exchange such as BCH and then use a DeX which doesn't require any personal information to swap into Monero. You could buy a Mullvad giftcard on Amazon but then Amazon would know that someone at your address has a Mullvad subscription.
Installed it on Windows and just get this error on start: "Profile Missing
Your Mullvad Browser profile cannot be loaded. It may be missing or inaccessible."
Interesting! A few years ago I started a similar project, essentially a clearnet fork of Tor called Aegis. Problem was, it makes a lot of the modern web very broken. A very niche corner of the web browser market - but a lot of things like WebRTC and Widevine (unfortunately) are what most users would expect. I'd imagine there's the possibility there will be no H264 support either?
Nice to see more Firefox related forks though, hopefully help gain more ground on the web for alternative engines.
Mullvad also states that it disabled the Firefox password storage feature, because it's supposedly insecure. But the articles supporting this view (i read) seem to be written by third-party password storage friends. Their arguments are weak (like "some managers used to do bla bla, which was insecure") and don't apply to Firefox. Is there a strong argument specifically against Firefox passwords and password sync ?
Why not. I have a crazy idea. How about building an edge service that renders pages on the edge on identical HW and SW and then just stream it to end users. Could be built with Cloudlfare workers and Puppeteer for instance. People are already doing crazy things in automatic tests so I don't think there is a need to shy away because of the need for client side scripts. Or just run a Chromium instance.
There's already some work in that direction with Cloudflare Workers... but it really differs on why people would look for that; in a bit more convoluted case, for example, it would be destined for browsing nested pages of Instagram, Facebook, Reddit, and so on... so it's a bit difficult to do that, especially with things that require auth...
much more a coordination problem than an engineering one
My example is simple. This is for tracking and fingerprinting. At the same time. This all may soon fall into the mobile tracking problem. Like in my country. Having a mobile turned off is in itself a tracking point.
Sorry, you are def right; could you expand a bit on how -what you mention- works? How come having a mobile turned off is in itself a tracking point?
As I suspected, this browser, just like the Tor browser, does NOT protect you from basic browser leaks. There are gaping issues and after looking at the github issues, the maintainers are certain that their current strategy is effective. This makes me continue to question this project and Mullvad.
[1] WebGL fingerprint is device specific and persistent.
[2] Font fingerprint is device specific and persistent.
[3] TLS fingerprint is device specific and persistent.
[4] DNS is routed into USA by default. Incidentally, there are frequent dropped requests using this browser [5].
These are just a few that I spotted. Let's proceed with the discussion as though the above issues were not present.
After looking at the issue tracker, this project wants each Mullvad Browser user to look the same, per OS [6]. Blending into a crowd on the surface seems like a good idea, assuming the crowd was large enough, but that "per OS" detail is a big gotcha.
I personally don't see why a source-modified browser shouldn't be able to achieve perfect uniformity. It's especially suspicious to me that the Tor project never achieved it, despite having had multiple years of developer effort dedicated to this goal, and backed by funding. IMO, browsers should never have been flooded with so many uncontrolled privacy breaking features in the first place.
Modification of the browser is discouraged for any reason, including enhancing privacy features [6]. Now read that again, and this time assume hostile intent.
I mentioned in a different comment that the alternative to uniform blending is randomness. Some of the fingerprints in the browser are already randomized. Plausible randomness is far superior to trying to build up a large enough crowd and simultaneously solving the uniformity issues. The entire javascript engine should be ripped apart and reassembled so that all privacy invading features can only function for client-side specific tasks but cannot speak with the networking and storage features.
Can anyone explain how this won't, putting it diplomatically, attract certain 'dark web' types, and in turn bring mullvad under the microscope of law enforcement?
Hmm I am sure this is well intentioned, but I am a bit scared this will just further chip away at Firefox's market share which doesn't look good to begin with.
I trust the Tor browser because of the protocol it uses (the onion protocol), not because of the browser I use it with.
Even if Mullvad is fully open-source and very transparent about it, I think it is not a good idea to use a browser and a VPN from the same vendor.
They have full access to your internet data, and now (if you use this browser) they have full control over the browser you use.
Do I correctly understand that it does not have a mechanism by which to connect to Mullvad, much less mandate it? The only thing I see is the ability to manually detect externally-initiated VPN status. This seems like a key and significant departure from Tor Browser to me in terms of protection.
An extension that has no user prompting or even status indicator, and that will permit the user to browse the web without a VPN connection or warning by default.
It appears that the process is to 1) open Mullvad Browser 2) (externally) open Mullvad VPN and connect to it 3) click on the Mullvad Browser Extension icon and connect it to the Mullvad proxy. Only after this will the proxy be used and the connection secured.
Contrast this with Tor Browser's process of 1) open Tor Browser. It will only work after it automatically connects to Tor and secures the connection. Do you see the significant difference?
I wonder if one day we'll get a group of devs with the balls to propose the world with a real disruptive web engine (instead of using vanguard/blackrock ones): for instance plain and simple C + assembly.
Another useless skinjob of Firefox for folks too conditioned and paranoid to use Tor Browser or know how to edit about:config themselves, by a company selling literal snakeoil ("trustworthy VPN").
Unlike other VPNs, Mullvad states what they protect against and what they don't. This browser seems to bridge the gap about what they previously couldn't.
Considering there's no vendor lock-in and the browser is open source, I think your criticism is completely unwarranted.
Both Chrome and Firefox are working on native iOS versions in preparation for the expected opening up of iOS this year so would imagine they can just fork that and release their version.
It looks like they might use Mullvad's DNS Over HTTPS by default in the Mullvad browser and this would probably be the biggest privacy thing, but whatever your default DNS is might be a larger privacy thing. Your ISP or Google's 8.8.8.8 traveling unencrypted is probably a bigger issue.
It looks like Mullvad is also based off the Firefox ESR (extended support release) version that the Tor Browser uses while LibreWolf would be more up-to-date: https://news.ycombinator.com/item?id=35421718
Simple and straightforward language makes it easy for users to understand the features and functionality of the extension. Screenshots of the extension in action, which helps users get a better idea of what to expect when using it.
Overall, the Mullvad browser extension is an excellent resource for anyone interested in enhancing their online privacy and security. The page is well-designed, informative, and easy to use, which makes it an ideal choice for users looking for a reliable and effective VPN browser extension.
Signatures don't validate, I guess I'll pass for now.
$ gpg --verify mullvad-browser-linux64-12.0.4_ALL.tar.xz.asc
gpg: assuming signed data in 'mullvad-browser-linux64-12.0.4_ALL.tar.xz'
gpg: Signature made Fri 31 Mar 2023 01:15:54 AM CST
gpg: using RSA key E53D989A9E2D47BF
gpg: Can't check signature: No public key
a derivative of tor and mullvad, when tor browser is already second rate software (tor itself seems fine) and mullvad can't possibly be good since it's part of the "vpn as privacy mechanism" fad. pass
If a user cares about privacy and security why would they be using an outdated, unsupported OS? That would be like double dead bolting the front door but leaving the window next to it wide open.
My point is that if it's just Tor Browser without Tor, then there's functionally no reason to have that build be incompatible with Windows 7.
Unless they deliberately coded it in like
if OS=Win7/Win8 ; then Crash ; else Run
Which would be a dick move, especially because Firefox, on which Tor Browser and Mullvad Browser are based, still supports Windows 7.
---------
Now to your point.
It is absolutely possible to run Windows 7 reasonably securely.
Well..., depends on your usecase.
But the way in which I keep it secure might be a little cumbersome to some.
My router runs PFSense with Suricata, and I encrypt my DNS traffic.
I run a combination of Peerblock(while no longer maintained, it works splendidly in whitelist mode)[1], and Simplewall Firewall[2].
I run a combination of uMatrix(which again, while no longer maintained, it works great in whitelist mode)[3], and NoScript[4] on my Firefox web browser which I run inside Sandboxie[5].
There are also various services that are insecure and must be turned off - UPnP, Print Spooler, RDP etc.
I run mostly FOSS software.
The few proprietary closed source software(Games, Sublime Text) that I do run, I run them in SandBoxie or QEMU.
Here are my reasons for not upgrading:
I've modified my `UXTheme.dll` to significantly change my "Desktop Environment" to suit my workflow, and I've heard from people I know to be credible, that later Windows versions(8 onwards) break system UI modifications when they update, and they don't work quite as well afterward.
My modified Win7 UI is way too important to my workflow.
Python has stopped releasing binaries for Win7 after 3.8.10[6] but I'm okay with it. If I do need the newer Python versions for something, I'll just use my Linux Desktop or run Linux in a virtual machine for a Python quickie.
Windows 7 is extremely stable. While not as stable as Linux, I often have uptimes of over 350 days, before a BSOD, by which point I can foresee a crash coming and reboot.
To lean into your metaphor, Microsoft is now shipping operating systems with "open windows" everywhere(way more open windows than my "insecure" Windows 7 has), and we, as users, are having to rebuild the ISOs they release, to make them more "privacy friendly"(yes I'm aware of the difference between privacy and security but they're really interchangeable here), and even then, we're having to use 3rd party "de-bloaters" and Batch/PowerShell scripts off of Github, just so the majority of those proverbial windows are closed back up again.
This really shouldn't have to be the case, but it is.
Microsoft have decided that they would rather their bread be buttered by advertisers than by the actual users of their software.
With Windows 7, I know there's an open window that I can't shut, but I have an electrified fence surrounding my compound, with security cameras and loaded turrets pointed towards that open window and other open windows in my house.
I know where Windows 7's security limitations are, and I can mitigate against that, elsewhere.
But I will admit, I don't go around recommending laypeople to use Windows 7 though, as the barrier to securing it is high. Even after securing it, the user has to be careful.
In my humble opinion, Windows 7 was the last true Microsoft Operating System. It simply does what is asked of it, and moves out of the way.
All Microsoft needed to do was support PowerShell, DirectX, give Win7 a "security updates as a service" business model(which I would've gladly paid for), and make WSL for it(Cygwin is excellent but WSL would be nicer).
I know there is 0Patch, a 3rd party company who sell security updates for Windows 7, but I would've appreciated official Microsoft security updates.
I would switch to Linux, if there was a robust equivalent to Autohotkey on Linux, and the games I want to run, worked on it.
So yeah, I still run Windows 7.
I can't see myself ever upgrading to another Microsoft OS, ever again.
And I am, and I cannot emphasize this enough, exceedingly happy with it.
I was about to type a long comment in response to yours, but then I realized I could just link you a video[1] that goes into detail explaining all the ways in which Windows 7's UI is customizable, in ways that Win 8 onwards simply are not.
The video is 1 hour 17 minutes long, so feel free to speed it up a little.
As I mentioned in my previous, it really depends on your usecase.
In my usecase, it's extremely secure.
But, I'll be back after 5 to 10 years, and if I'm still using Windows 7, and if I remember you, I'll reply to you again, letting you know how well it's been going for me.