Is Firefox really an appropriate default browser for Qubes?

You can also check this discussion:

4 Likes

That’s an interesting read! Seems like Librewolf removed the “radio silence” feature after its fork from Librefox (at least in the standard settings).
Again, Mullvad Browser and ungoogled chromium were mentioned.

1 Like

It’s a matter of control: hard coded parts vs. configurable parts.

Qubes OS already allows great control through firewall restrictions per qube. So, if one really really needs to browse the web using clearnet, it doesn’t matter much which HTTP client one runs.

1 Like

Option #1
purge, autoremove, autoclean = FireFox… GONE

Option #2

Add those domains to your firewall…“BLOCK that pass”: Exception … We “rooted” people have are little droid locked down and us a app called Tracker control. Basically a software firewall with a lot of options. Well we have found out that when you “BLOCK” somethings all of the sudden that Browser just will not work. Which leads us to believe some of these things are there intentionally, and if blocked, well then you can’t use that browser. Which puts us back at “Option #1

1 Like

I wouldn’t recommend librewolf. As nice as a panel where you can turn on/off as many settings that impact your fingerprint might look, it’ll just make you stand out and you’ll be very vulnerable to fingerprinting. I would recommend either tor or the mullvad browser, depending on how paranoid you are.

2 Likes

How is your reply related to what you quoted?

1 Like

Sorry about that, new to the forum. Fixed it

1 Like

I installed brave browser on cloned fedora/debian templates, default browser, working great.
Was wondering as well why is firefox default in templates.

2 Likes

I use the browser isolation technique described by Rob Braxmann on my other computers.
The following study gives a good idea of which browsers to choose

On QubesOS I use Whonix for privacy, then Brave, Librewolf and Mullvad.
Brave is the browser that gives me the most satisfaction, because it lets me access almost all sites without blocking, and videos are smooth on Qubes, which is not the case with Firefox, for example.

1 Like

If you care about fingerprinting, you should read this topic:

2 Likes

This is why privacy is so tricky.

Is “phoning home” to a set of sites that all Firefox users phone to a problem? Maybe, depending on what data is being sent and what you’re concerned about. Is disabling that behavior favorable? It depends. The absence of the phoning home could be used as an identifying factor if somebody is monitoring your network and correlating activity.

TOR Browser’s settings provide increased privacy so long as everybody uses the same settings because it means the pool of TOR users appear identical. Using the TOR network is highly unusual (even though it should be the default), but there’s no way around that if that’s what you need (notwithstanding configurations that hide TOR use from the ISP).

Is using the same settings as TOR browser outside of the TOR network better? Not necessarily. This again puts you into a small pool of users who have that particular configuration, except now you’re ALSO not on TOR. It seems likely that the pool of users who have all of the default settings and no plugins added is a larger pool. But then, of course, other forms of tracking are easier.

The previously mentioned idea of having different “spins” for different kinds of users seems like a good one. Similar to how Tails defines different personas to consider when making design decisions, but each spin could be tailored for a specific persona. Some personas might want firefox with default settings, others TOR Browser, others Mullvad. But there’s no one “correct” browser to be the default on QubesOS for everyone. And without a correct default or comprehensive solution, the decision to minimize overhead by following upstream is perfectly sensible.

2 Likes

The phoning home is not much of a problem if you use a disposable qube for browsing sites you don’t have to log in to. You’re essentially running a fresh browser install with no history every time (and if you use split browser you still have access to bookmarks even on a fresh browser).

On the other hand the phoning home can be a problem for sites you log in to; there you probably want to shut all that stuff off. Fingerprinting isn’t an issue since, if you’re logging onto the site anyway, you’re telling it who you are. If you don’t want that site harvesting information about other places you go…well use that VM only to visit that site.

1 Like

If the browser in my dispvm has a fingerprint A and I use that to login into my mail account and then open another dispvm and do some random stuff with that, this new browser would still have fingerprint A and could therefore be connected, afaik.

1 Like

The absence of the phoning home could be used as an identifying factor if somebody is monitoring your network and correlating activity.

If you don’t phone home to host X, you appear offline to that host, i.e. you practically don’t exist to it (just like millions of others). The only way this can be an identifying factor is:

  • a known and fixed set of network clients
  • all clients except you are connected to host X at a given moment (which assumes all clients use the same software, e.g. Firefox)

Even if the above is feasible at all, the information host X will get is “he is not connected” which is far less than “He is online, at this time of the day, having this set of HTTP headers, etc.”

As for someone else (not host X) monitoring your network, the actual question is who and for what purpose. Your ISP, for example, keeps a record of all clients and their connections anyway.

Is using the same settings as TOR browser outside of the TOR network better?

Better for what?

*BTW, it is spelled Tor, not TOR:

1 Like

The phoning home is not much of a problem if you use a disposable qube for browsing sites you don’t have to log in to. You’re essentially running a fresh browser install with no history every time (and if you use split browser you still have access to bookmarks even on a fresh browser).

A disposable qube does not obfuscate the pattern of activities exercised inside the VM. If you connect to the same hosts at similar times of the day, that itself is a fingerprint (+ the all the other network-stack info you expose when connecting).

On the other hand the phoning home can be a problem for sites you log in to; there you probably want to shut all that stuff off. Fingerprinting isn’t an issue since, if you’re logging onto the site anyway, you’re telling it who you are. If you don’t want that site harvesting information about other places you go…well use that VM only to visit that site.

There is an essential difference between authentication with fingerprinting. The former is intentional and voluntary, using an explicitly defined and known set of tools and methods.

2 Likes

The Debian version of Ungoogled Chromium was unmaintained for the better part of the past few years. There’s been some recent activity, but it was unusable for quite a while. The GPG signature expired and the repo was inactive for quite a while.

1 Like

Just spotted IceCat in the Fedora repos, which sounds like it might suit some people here. I’d never heard of it, just went looking to see what the GNU folks do for browsing.

2 Likes

GNU IceCat does not fit my use case at the moment, but I have considered it in the past. Other members of the Purism community forums do actively use it:

1 Like

Some lightweight browsers like Dillo and netsurf are radio silent, however they are not full featured and usually don’t follow the latest web standards (and are not compatible with favorite addons like uBlock Origin). Considering the development speed, the security of those may be lagging behind the mainstream behemoths. So, you get one thing, but miss another.

In any case, there is no solution to the privacy problem through the browser alone.

Consider also things like:

https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html

1 Like

While Whonix may not be directly privacy focused it’s features still make it probably the best OS for privacy which can be run as a daily driver.

There’s also a significant interplay between privacy and security with security being required for privacy and privacy significantly increasing security.

As a result of that I think it’s reasonable both from a security and from a privacy focused standpoint to expect the default browser (and other software) from qubes to come with a privacy focus.

1 Like