[1] WebGL finger print is device specific and persistent.
[2] Font finger print is device specific and persistent.
[3] TLS finger print is device specific and persistent.
[4] DNS is routed into USA by default. Incidentally, there are frequent dropped requests using this browser [5].
These are just a few that I spotted. Let's proceed with the discussion as though the above issues were not present.
After looking at the issue tracker, this project wants each Mullvad Browser user to look the same, per OS [6]. Blending into a crowd on the surface seems like a good idea, assuming the crowd was large enough, but that "per OS" detail is a big gotcha.
I personally don't see why a source-modified browser shouldn't be able to achieve perfect uniformity. It's especially suspicious to me that the Tor project never achieved it, despite having had multiple years of developer effort dedicated to this goal, and backed by funding. IMO, browsers should never have been flooded with so many uncontrolled privacy breaking features in the first place.
Modification of the browser is discouraged for any reason, including enhancing privacy features [6]. Now read that again, and this time assume hostile intent.
I mentioned in a different comment that the alternative to uniform blending is randomness. Some of the fingerprints in the browser are already randomized. Plausible randomness is far superior to trying to build up a large enough crowd and simultaneously solving the uniformity issues. The entire javascript engine should be ripped apart and reassembled so that all privacy invading features can only function for client-side specific tasks but cannot speak with the networking and storage features.
