

It’s a panel of tests for browsers. It isn’t the clearest what each means (without doing a little research) and not all categories and subcategories have equal importance. I still like this website though just for the listed information.
I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.
I recommend Fedora or openSUSE Tumbleweed.
Lol, understandable.
It seems like an interesting setup. I don’t really have too much to say other than nitpicks.
Why not use Mullvad browser for both scenarios. Mullvad with security level safest should block all JS. You could create a 2nd profile for safest only mode.
Using Linux .desktop launcher scripts, you could:
-P
)
Related to your choice of host OS, I personally avoid Debian for desktop because it is slow to adapt (cus it’s Debian). I know it isn’t directly applicable to the situation since your main concern seems to be anti-fingerprinting, but a secure base is important. I’d like to know your reason for picking it. I don’t dislike Debian and I still use it for different things (mostly VMs and some dev work).
Thanks for the rant, I liked your write-up.
I think it may also help some people to create simple decision flowcharts to help with acting consistent and avoid making simple mistakes with a complex threat model. Basically a scenario and the decision tree. Say for example someone is using QubesOS and needs to keep consistent what each qube is for and why.
Of course creating charts that show your strategy and make your decision predictable is itself just even more privileged information you now need to protect.
Also, any effective threat model also requires consistent reevaluation to assess the effectiveness of your methods and adjust with the evolution of threats.
Which would that be *pulls out the deathray which terminates fun places on the internet*?
It won’t be a problem because from the Live USB you can mount the encrypted drive in the file explorer app (Dolphin on KDE) after supplying the encryption password.
No
/jk obvi I like Python
Understandable, thank you for your (and contributors’) work on this project. I am happy that I don’t need to compile Fennec with hardening from source for each update.
Maybe consider enabling RFP for private browsing. Is letterboxing enabled?
Ok, might want to make that more clear under the section about issues inherited from Mull which still mentions RFP.
Your explanation seems sound.
To a slightly lesser extent, I’d also suggest avoiding NoScript for the same reason. uBlock Origin can do everything that NoScript can and NoScript contributes as a metric to create your overall fingerprint. If you need strong protection against fingerprinting, use Mullvad or Tor Browser. Use Librewolf if you need to customize, or want to change the defaults.
No, because Mozilla’s new policy doesn’t apply to forks.
The fingerprint protections in Librewolf already protect against canvas fingerprinting. You actually make yourself stand out even more by using it. Even with RFP disabled, ETP still protects against canvas fingerprinting.
Idk why, it doesn’t say anything on their GitLab about changing that. Maybe it is a problem with the build process? I remember on Mull a couple months ago I did a clean install and RFP was disabled. You can just enable it if you want.
It is important if you care. They sign releases with the same Tor Browser key. Instructions are found on this page: https://mullvad.net/en/help/verifying-mullvad-browser-signature
You need 2 files (both are on the download page):
The basic process is as follows:
Note: Ignore the warning about the key not being signed with a trusted key (we skip an unnecessary step for a beginner walkthrough).
You can double check everything I said by looking at their instructions.
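An added example, not part of the original comment: one way to script the check so that the "not signed with a trusted key" warning is ignored deliberately while the signer is still pinned by fingerprint. It parses the machine-readable lines gpg emits with `--status-fd`; `EXPECTED_FPR` and the sample status lines are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed placeholder: replace with the 40-hex-digit primary key
# fingerprint published in the vendor's verification instructions.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good
# signature made by a subkey of a key that is not locally trusted.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# check_status FPR: reads gpg status lines on stdin.
# Exit 0 only if the signature is cryptographically good AND was made by
# the key (or a subkey of the key) whose primary fingerprint is FPR.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # Bad, unverifiable, expired-key or revoked-key signatures: reject.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last
        # field is the primary key fingerprint.
        $2 == "VALIDSIG" { primary = toupper($NF) }
        # TRUST_UNDEFINED only describes the local web of trust; it is not
        # used here because the fingerprint is pinned instead.
        END { exit !(good && !bad && primary != "" && primary == toupper(want)) }
    '
}

# verify_download SIG FILE: run gpg on a detached signature and apply the
# check above. Requires the signing key to be in the local keyring already.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}
```

`verify_download` returns non-zero when gpg produces no status output at all, so a missing key or missing file fails closed.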
Technically, the best way to blend in is to avoid changing the behaviour much from the default. I would still advise the below settings because they do improve your security, and anti-fingerprinting against naive first-party fingerprinting scripts (all 3rd party scripts/iframes should be blocked, see below: uBlock Medium/Hard). If you need protection against advanced fingerprinting use Tor/Mullvad browser.
uBlock:
Change uBlock blocking mode to Medium or Hard using the instructions on their GitHub wiki. Can cause site breakage on shitty websites (eg sites that import large JS libraries from remote sources). It is a substantial improvement over default, see the wiki for medium mode: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
Enable filterlist Privacy>Block Outside Intrusion to LAN
(Access to LAN is used to fingerprint or by threat actors during reconnaissance phase of hacking)
Consider enabling other filterlists included in uBlock. Try to minimize enabling extra lists from the default to avoid further fingerprinting.
Librewolf:
Enable limiting of referrers under LibreWolf Preferences>Privacy>Limit cross-origin referers
Enable letterboxing under LibreWolf Preferences>Fingerprinting>Enable letterboxing
For me, no matter how good their browser is, I ain’t going to use it. If someone forks it to remove the BAT crypto nonsense I’d consider using it. I’ve been tempted to compile chromium from source and just add brave-core content/fingerprint blocking. Ideally, any fork would maintain the same general fingerprint with brave.
For now, Cromite is the way to go in terms of hardened Chromium with built-in adblocking and without Google nonsense. The only downside is their choice to use Adblock Plus engine, but this is for the technical reason that engine is inferior to uBlock Origin and Brave Shields. The inclusion of ABP doesn’t affect privacy (ik people will understandably mention the ABP scandal) because they forked ABP and use custom filter lists, which is still a very good benefit above vanilla Chromium.
The ones I liked the most were Kusal and Lessac.
I personally like flatpak and its build system. Flatpak applications are sandboxed by default and don’t require root during any part of installation, reducing the risk of malicious/broken software damaging the host. They also are available for basically any base distro, meaning I can use the same apps if I ever distrohop and I can even just copy over the config folders as if nothing happened.