Mullvad Browser - an alternativ to Tor browser.

14 replies [Last post]
GNUbahn
Offline
Joined: 02/18/2016

Since I have seen nobody mention it here, i winder if some of you are not aware of the new Mullvad Browser which has been developed in cooperation between the company Mullvad (which is claimed to deliver one of the most privacy respecting VPN services) and the tor project.

Read more here:

https://mullvad.net/en/browser

https://blog.torproject.org/releasing-mullvad-browser/

I use it on a daily basis for more privacy challenged searches etc. (In combination with a VPN) It works very well.

andyprough
Offline
Joined: 02/12/2015

I wonder what the differences are between Mullvad and Abrowser, both of which have similar project goals. Also I wonder if Mullvad has any non-free licensed parts? I've tried Mullvad and it seems fine. It seems like it focuses more on anti-fingerprinting than Abrowser or most other browsers.

GNUser
Offline
Joined: 07/17/2013

It would be great to have a more in-depth review of the browser on your part Andy, especially given your previous experiences reviewing browsers here in the Forum.
;)

andyprough
Offline
Joined: 02/12/2015

After more research today, I have two concerns:
a) Is it even possible to determine if (or how much) Mullvad is using non-free software? One of the Mullvad browser license files has over 7,000 lines of license data for many of the different pieces that make up the browser, with lots of questionable looking blocks of licensing text.

For example, one of the blocks of licensing text is from the Khronos group: "These materials are protected by copyright laws and contain material proprietary to the Khronos Group, Inc. You may use these materials for implementing Khronos specifications, without altering or removing any trademark, copyright or other notice from the specification." -- What is that all about? Doesn't sound very "libre".

Here's part of a block of text from a Microsoft license in Mullvad browser's license.html file: "(i) You may use, copy, and distribute the Distributable Code only as part of this product; (ii) You may not use the Distributable Code on a platform other than Windows; (iii) You may not alter any copyright, trademark or patent notice in the Distributable Code; (iv) You may not modify or distribute the source code of any Distributable Code so that any part of the source code becomes subject to the MPL or any other copyleft license;" -- That doesn't sound at all "free" or "libre"

b) Is Mullvad really doing anything that is any better than Abrowser? If I use Abrowser with the Chameleon extension, I get super-charged anti-fingerprinting technology. I don't need an entirely different browser just for anti-fingerprinting.

So - maybe that's my review. Don't use it. Use Abrowser instead.

GNUser
Offline
Joined: 07/17/2013

Thank you!
I have to say I would feel inclined to trust this browser since Tor Project worked on it. That being said, things have changed over the last decade (for better or worse) and these days it's harder to trust anyone... So.... Yeah.
I think I don't have much use for it anyway, given Abrowser profiles (another thread of mine).

I don't know about chameleon extension, usually only bother with Ublock Origin and NoScript. For my needs it seems to do the trick.
I never understood the issue with fingerprinting.... As long as you are not using some IP cloaking (VPN, Tor, I2P, whatever), your internet usage is tracked by your ISP and websites can track you by your IP (even doing cross referencing). So what use is that my browser is "less unique" if I am using my own IP? that's why I like using the Tor Browser, it isolates different circuits for each website.
Of course, using an IP cloaking and not resisting fingerprinting is also not good, but you get my point. I feel sometimes we go about this the wrong way. I might be wrong.

andyprough
Offline
Joined: 02/12/2015

You are right, spoofing or changing or cloaking your IP address would seem to be necessary for most anti-fingerprinting to be useful. But, once you do find your preferred way of using a different IP address, the Chameleon extension is very effective at spoofing all the different characteristics that go into fingerprint detection. So much so that I don't personally view browsers with built-in anti-fingerprinting as very valuable. And Chameleon is GPL licensed.

GNUser
Offline
Joined: 07/17/2013

Actually I don't know exactly what makes Abrowser special...
Let's see:

1. It has its own addons repository with only FLOSS;
2. I think it has no telemetry or connections to Mozilla made by default (unlike Firefox);

That's what I know of. I wonder:

3. Does it have any anti-fingerprint measures already built-in?
4. Does it have any prevention against WebRTC leaks? Any prevention against DNS leaks when using a VPN?

As for chameleon, I don't know if it makes all users similar or just creates a new random looking browser everytime you boot the browser. I would trust the former much more. It's what Tor Browser does in fact (I actually like the security slider, it's also present in Mullvad browser, shame we can't get it in Abrowser).

andyprough
Offline
Joined: 02/12/2015

>"As for chameleon, I don't know if it makes all users similar or just creates a new random looking browser everytime you boot the browser. I would trust the former much more. It's what Tor Browser does in fact"

There's two schools of thought in anti-fingerprinting. Tor Browser is at the extreme end of trying to make every browser instance look alike. Chameleon is at the other extreme end of never giving the same fingerprint twice - you can change things up to every 1 minute. Both are nearly impossible to track. Both methods have their fans. I personally fall on the Chameleon side, especially since it's available for Abrowser.

GNUser
Offline
Joined: 07/17/2013

I see. I guess I was so used to Tor Browser's approach that I forgot of that other possibility.
I suppose either method will only work if there are plenty of users (anonymity loves company, otherwise you are easy to track because you are "that one user that tries to hide"). How many users does chameleon have? Btw, I can't find it in Abrowser...

As for my other points about Abrowser, feel free to add in any useful info you might have :)

andyprough
Offline
Joined: 02/12/2015

The chameleon extension is here: https://sereneblue.github.io/chameleon/
Source is here: https://github.com/sereneblue/chameleon

It has a huge number of options, lots to learn about. You should check it out when you have time.

Lugodunos
Offline
Joined: 05/28/2022

Didn't know about Chameleon's method, I find it highly better then the TOR Browser one as with TOR Browser, all website visited with TOR Browser know they are visited by it.

EmiliaES
Offline
Joined: 06/28/2023

I agree, I use either Abrowser + Chameleon + noScript + ublock + privacy badger

or mullvad browser on the highest security settings but make it so noscript can override whenever I'm on a page I need to allow scripts to run on.

With tests like EFF's coveryourtracks as well as other fingerprinting/tracking tests online I can say Mullvad when in most secure mode is literally the same as Tor in most secure mode, only 5.9ish bits of info

Whereas with Abrowser combo its like 15-18 bits of info, but since so much of that info is useless/falsified and changes every minute I've been considering moving back to abrowser as my main browser after using mullvad for a bit

I currently use changes every 60 seconds random desktop excluding the internet explorer profiles cause those sometimes break sites lol

andyprough
Offline
Joined: 02/12/2015

>"excluding the internet explorer profiles cause those sometimes break sites lol"

Yes, Chameleon has some odd choices for random user agents, such as Edge on Android.

GNUser
Offline
Joined: 07/17/2013

One thing I did notice was that Mullvad had DNS-Over-HTTPS activated, using Mullvad own servers. I think DOH should be a good thing but using Mullvad own servers might bring me memories of Microsoft bundling everything in Windows 98 and getting sued for it (I think it was about IE at the time)

Staircase
Offline
Joined: 02/24/2022

One thing I also look at when checking a software, in addition to whether a software is free, is the entity or individual(s) holding the license(s). That is for example whether the holders are sole individuals, a registered private company (i.e. a for-profit that can be acquired), a non-profit or other forms of entities.

I always keep in mind that a private company can be acquired, along with its assets (that is its software) and that the motivations of the acquirer can alter or undermine the ethos; or that the incentives of the acquirer are no longer aligned with those of users. That is not the only risk; just one example.

Mullvad is a private company owned by two individuals, as per the about page. Tor remains a non-profit, a 501(c). I am not saying Mullvad ownership is "bad", but that keeping an eye on ownership and governance has its importance.