Which Privacy-focused Applications Do You Trust?

Yeah, from all that I know Mullvad is the only alternative to Librewolf regarding privacy protection without compromises out of the box - so these two are the least shitty browsers we can get…

1 Like

At least in terms of firefox, in the chromium land is there anything better than brave? I know there is https://privacytests.org/, but that doesn’t list all the browsers, on the other hand, if your browser is not big enough to get on the list, you might as well not use it… Android is a nightmare to choose a browser, there is no allrounder available there ☹

Brave is not trustworthy. Not a single bit - its CEO is the definition of fishy scumbag, and one of its employees is running this test suite. More information on Wikipedia, on the internet, this topic, this forum and elsewhere - I’d say (and do it again and again): Don’t. Just don’t.
For chrome-based browsers I use ungoogled-chromium, but only for websites where Librewolf is not working at all.

Android is a totally different kind of beast - there is not a single browser I would touch, all of them are bad. Bad in like REALLY REALLY DON’T. Hence I use GrapheneOS - vanadium is almost okaish - wish it would have a local adblocker, but as a local adblocker would lower its privacy (and GrapheneOS is making no compromises regarding security AND privacy) I have to live with it.

4 Likes

That’s right, if you click on the “About” page you will see the disclosure down toward the bottom. Brave definitely has a long and storied history of doing shady things over and over, so running this website with their thumb on the scale is certainly no shocker.

They have been talking about adding an in-house adblocker for years, but so far nothing to show for it. Vanadium also just does not have much in the way of features, period. You can’t import bookmarks, for example, which seems like it should be a standard feature. It’s fast and supposedly secure, but without even an adblocker it’s definitely no privacy browser.

I have been using Mull for a while now. It is a privacy-hardened version of Fennec (based on Firefox). You can get it on F-Droid.

When I first started using GrapheneOS, Mull was a little janky but they have definitely smoothed out a lot of the bugs over the years. These days it works fine. It’s as close to Librewolf as you’re going to get on an Android device.

2 Likes

It’s a shame mozilla doesn’t do tab sandboxing on android when iirc it should just be a build flag. One feature I miss hard in mull and firefox forks is tab grouping, best feature on android chromium browsers, it sucks that it’s missing.

The problem with Mull (as with every Firefox-based Browser on Android) is that it is sacrificing security for privacy - one can do that, but I won’t ever do that. And this is only true for me because I use a DNS-based adblocker for my phone at any given time (blocklists within Unbound DNS). Without that I maybe would also use Mull. But Mull (especially if you use the adblocker) generates a unique fingerprint - this punches a giant hole in every privacy approach…

Either way, imo if anyone wants to do anything in a browser, they should stick to pc, not only mobile sites are harder to navigate, the browsers offer less protection, for a quick lookup of stuff it’s fine, but just make a note and do it in a proper browser when you get the chance.

Mans dem. Create a separate thread please. 🤷

Mull definitely does better with this than Vanadium on my phone, even though I have several extensions installed on Mull and none on Vanadium.

Mull, with several extensions enabled:

Only one browser has the same fingerprint. 16.44 bits of identifying information. Probably I could get a better score with fewer extensions enabled, etc.

Vanadium, no extensions:

100% unique fingerprint, 17.44 bits of identifying information.

Here, test for yourself: https://coveryourtracks.eff.org/

Not having an adblocker enabled is worse for privacy and security, because a lot of ads have tracking capabilities or can be their own attack surface. uBlock Origin is enabled in so many browsers by default, it is not a fingerprinting risk these days. It’s basically standard.

I use NextDNS and get DNS-based ad and tracker blocking as well, but DNS-based blocking is limited with what it can do. It’s totally worthless for YouTube, for example.

I know they have done some security hardening in the browser, but until Vanadium addresses this major flaw it’s just not good enough in my opinion. I consider it a prototype browser.

3 Likes

tests like cover your tracks are inherently flawed. they can only compare to other visitors who have used the site and with how small that niche is, the test is basically useless.

also i would recommend privacyguides.org and their forums for privacy related news and recommendations. knowledgeable community and good reasoning for recommending or not recommending stuff. PS: check their forums if you think something should be recommended but it isn’t. sometimes software that they don’t recommend explicitly can also be used for privacy, the recommendations are just starting points to build off of.

Privacy guide recommendations vs all the products offered from Proton:

  • Proton mail ✔
  • Calendar ✔
  • Drive ✔
  • VPN ✔
  • Pass ✔

To me it seems like they’re fans of Proton products (paid recommendations ‽)
Personally I don’t like Proton & there are multiple valid reasons not to recommend Proton products.

Reference:

4 Likes

It sounds like you haven’t actually looked at the page yet. I encourage you to check it out if you get a chance. When you do, you will see that comparing your fingerprint to other users who have visited the site is only one metric on the page. Most of the report they provide is other information, which is specifically relevant only to the browser you are testing against and has nothing to do with other people using the test.

In my opinion, the test very effectively illustrates how easy it is to identify and track any given browser, and provides some good insight into what information your browser is sharing with other websites that you may not be aware of.

Anyone who has an issue with this is not reading the information carefully.

“According to Proton Mail’s transparency report, it is legally obligated to follow Swiss court orders if Swiss law is broken, and in 2020 Proton Mail received 3,572 orders from Swiss authorities and contested 750 of them.[70] Due to the encryption utilized, Proton Mail is unable to hand over the contents of encrypted emails under any circumstances, but according to Proton’s privacy policy, Proton Mail can be legally compelled to log IP addresses as part of a Swiss criminal investigation.[71] For this reason, the company strongly suggests that users who need to hide their identity from the Swiss government use their Tor hidden service/onion site.”

The information they are talking about is IP data, which–as Proton themselves point out–can be easily hidden by using Tor or a no-log VPN when they use the email service. Even Proton’s own free VPN is suitable for preventing this information from being collected, because under Swiss law VPN data does not have to be logged by the provider.

If a user is under criminal investigation and they are not taking a precaution as rudimentary as using a VPN when they go online to send email, that is essentially a case of user error. The suggestion that Proton should break the law and risk being shut down in order to take a bullet for those folks is ridiculous.

They use AES-256 which is not proprietary. https://en.wikipedia.org/wiki/Proton_Mail#Encryption

3 Likes

i will try to be calm as i respond to this.

hmmm. maybe instead of jumping down the conspiracy rabbit hole, just think for a second that maybe the reason they recommend proton is that… proton is actually good?

everyone is entitled to their own opinion. good on you even if you choose to have a tinfoil hat one.

lets address all of these 1 by 1:

  • compliance with swiss court order. since proton operates in Switzerland, therefore they must comply with both swiss laws AND swiss court orders. not doing so would be breaking the law which is a criminal activity. proton’s purpose is to provide privacy for users, not a hub for illegal activity for criminals.

  • imap and pop3: nowhere on the page you linked does it mention proprietary encryption. but if you’re so far down the conspiracy rabbit hole, you’ll hallucinate issues where there are none. and if you don’t trust their proprietary encryption then don’t use bridge. read your emails via a web browser.

  • now the first of the two shady websites you link to. “disturbing” facts about protonmail. states no facts. just a bunch of FUD and repeats CIA, NSA and honeypot like those words will drive page views a thousand a minute.
    receiving a donation is not the same as selling the company. the donation was from FONGIT which is a swiss non-profit foundation which supports entrepreneurs and guess what kind of new business proton was at the time? and proton did not receive any donations from the US gov, CIA or Obama. there is no proof except some non-existent web archive links which may never have existed.
    the article is from 2021. proton stopped using radware in 2018. radware provided ddos protection on demand and all traffic that passed through their servers was… surprise, surprise… encrypted.
    regarding metadata. let me educate you about emails since you clearly lack the knowledge or the ability to do any research. email metadata includes sender’s email, destination email and the subject. with me so far? now guess what information is needed to deliver an email from a sender to a recipient? that’s right the email addresses. email metadata not being encrypted is a problem with the email protocol itself and not with proton.
    email format. i ask once again. have you ever considered thinking about something especially stuff you read on a shady website by an unknown guy? EML is the email format used by every email provider. so if proton users want to send emails to other people guess what format proton needs to use to store their emails? it’s not CIA.

and the rest of that spiel can be debunked via this link(post). please read it and consider not believing everything you see on the internet as gospel without thorough research.

  • and the last link from a website called dig deeper. from the name of the website you’d really think the author would dig deeper into reading comprehension.

if you’re signing up through TOR or a VPN, ProtonMail requires SMS confirmation:

and right below that is a screenshot that shows sms verification is NOT mandatory and an email can be used. this is a sign up requirement for every email provider. and you can donate via monero which does not reveal any personal info.

the encrypted messages can also only be sent to other ProtonMail users, unless using the paid account (update: actually, a friend has told me that the latter isn’t true anymore, though you have to upload the recipients’ public PGP keys to ProtonMail if you want to use them).

how else is this supposed to work? do you think gmail or outlook support encrypted emails at all? this is how you would exchange encrypted emails with users of such services because sending encryption keys first in unencrypted form would be extremely stupid, no?

regarding analytics the author conveniently glosses over the fact proton uses a locally hosted version of matomo which in itself is open source.

and the author comes across as stupendously stupid when they criticize the retention of data for active accounts indefinitely. that’s how an email service works. so long as your account is active your data will be retained unless it’s deleted. are you and the author of the “article” seriously that bad at understanding basic language?

once again please stop believing everything you read on the internet. again, especially be wary of shady websites that no respected publication, forum or researcher has ever endorsed.

EDIT: proton has its issues. it’s not above criticism. but those issues are of a kind far, far different than this FUD.

3 Likes

my apologies. i did not visit the link as i assumed not much has changed since the last time i checked a couple years back. you are correct browsers share an extreme amount of information and fingerprinting is extremely easy even with a bunch of precautions. i think the arkenfox-user.js wiki explained it but i will have to search for the link later but the essence was that trying to “blend-in” is virtually impossible with a browser that isn’t mullvad or tor because of the amount of information available to websites

I don’t have a clear opinion on this as country-specific laws vary & they’re never perfect. If you follow the law then what Snowden, Julian Assange did are clearly wrong… Whistleblowers mostly break the law…to some extent unethical ??

nowhere on the page you linked does it mention proprietary encryption

I read it somewhere…https://github.com/thunderbird/thunderbird-android/issues/626#issuecomment-97068458

receiving a donation is not the same as selling the company.

Nothing to disagree with here. I never said I completely agree with all their arguments. Somebody mentioned them in their discussion (here) in matrix room, so I read it to make my own opinion.

let me educate you about emails since you clearly lack the knowledge or the ability to do any research. emails metadata includes senders email, destination email and the subject. with me so far? now guess what information is needed to deliver an email from a sender to a recipient? that’s right the email addresses. email metadata not being encrypted is a problem with the email protocol itself and not with proton.

Yes I’ve read that from others’ arguments. What do you expect from the sites which criticize negative points about their product reviews…

have you ever considered thinking about something especially stuff you read on a shady website by an unknown guy?

I read a lot of blogs & often came across many good blog posts from unknown people. Good or bad you can only judge if you go through them. I’m not from tech background, I don’t understand how encryption works, how emails work etc… my understanding is based on others’ views. That’s why I mentioned them as reference.

For example : https://signal.org/blog/the-ecosystem-is-moving/ (Moxie Marlinspike)

One potential benefit of federation is the ability to choose what provider gets access to your metadata. However, as someone who self-hosts my email, that has never felt particularly relevant, given that every email I send or receive seems to have Gmail on the other end of it anyway. Federated services always seem to coalesce around a provider that the bulk of people use, with a long tail of small scattered self-hosting across the internet. That makes sense, because running a reliable service isn’t easy, but it’s an outcome that is sadly the worst of both worlds.

cannibalizing a federated application-layer protocol into a centralized service is almost a sure recipe for a successful consumer product today. It’s what Slack did with IRC, what Facebook did with email, and what WhatsApp has done with XMPP. In each case, the federated service is stuck in time, while the centralized service is able to iterate into the modern world and beyond.

So while it’s nice that I’m able to host my own email, that’s also the reason why my email isn’t end-to-end encrypted, and probably never will be. By contrast, WhatsApp was able to introduce end-to-end encryption to over a billion users with a single software update. So long as federation means stasis while centralization means movement, federated protocols are going to have trouble existing in a software climate that demands movement as it does today.

Clearly he is against the idea of “federation”
To understand the counter-argument you’ve to read https://gultsch.de/objection.html ( Daniel Gultsch)

If you ask me, I’d say both are true but I’m more inclined towards federation. Why? I can try to explain it…but the more knowledgeable person in this field can always convince you in either direction. So good to have your little opinion & update them as you go.

good on you even if you choose to have a tinfoil hat one.

That’s the issue you don’t have to go extreme points, making your own threat model is necessary.

Maybe @moderators can split off that topic? There seems to be a very specific sub-conversation going on for a while now.

3 Likes

I actually wrote 2 angry paragraphs about this and decided not to post.

This thread is not for debating. It’s for finding new stuff you may want to use.

5 Likes

Wasn’t the mullvad browser based on the tor browser and made with assistance of the tor devs? and aren’t the tor devs spooks? Wouldn’t that make the mullvad browser also suspect?

Here’s the problem with this: does it impact someone who is just a regular person, trying to get away from Google or Microsoft or whatever other ultra popular and privacy invasive email service provider? I would say no. I don’t care that Proton doesn’t have end-to-end encryption or gave away info about an activist. I care that Google and Proton themselves aren’t reading my emails, as simple, inoffensive and uninteresting as they are.

And I also want to comment on a reply here saying that Brave is scummy: I agree. I don’t like their BAT rewards program, nor their crypto bullcrap either, but I disabled them and it works just fine. Admittedly, I don’t use Brave enough to say with confidence that it truly disables them, but it does the job plenty for when I need a Chromium browser for whatever reason. Being asinine about this sort of thing simply isn’t helping anybody in my opinion. I feel like most people don’t realize that good is better than nothing. Don’t let perfect be the enemy of the good.

2 Likes

I read it somewhere they are not :

1 Like