Set up a framework to fully man-in-the-middle my own browsers’ networking and see what they’re up to beyond just looking at their DNS queries and encrypted TCP packets. We force the browser to trust our mitmproxy cacert so we can peek inside cleartext traffic, and we made it conveniently reproducible and extensible.

It has containers for official Firefox, its Debian version, and some other FF derivatives that market a focus on privacy or security. Might add a few more of those or do the Chromium family later - if you read the thing and want more then please let us know what you want to see under the lens in a future update!

Tests were run against a basic protocol for each of them and results are aggregated at the end of the post.

Posting with the ambition that this can trigger some follow-ups sharing derived or similar things. Maybe someone could make a viral blog post by doing some deeper tests and making their results digestible ;)

  • Em Adespoton@lemmy.ca
    2 months ago

    So essentially, Mullvad is the only one out of the browsers tested that doesn’t leak notable amounts of data on first launch.

    At least in most cases, the data is being leaked back to the developer and not third parties.

    • ken@discuss.tchncs.de (OP)
      2 months ago

      I’m curious what makes you single it out. Mullvad is in the top tier but it is not alone (or clearly #1). Like the post gets into, it gets nuanced and I think any attempt at a general “top 5 ranking” will be reductive to the point of being misleading or plain wrong, so I’m not trying that here. Read again? :)

      For example of nuance displayed in results:

      ### Number of requests
      119 firefox
      81 firefox-esr
      0 konform
      7 librewolf
      30 mullvad-browser
      62 zen-browser
      
      • Em Adespoton@lemmy.ca
        2 months ago

        You’re right—they’re all doing differently privacy impacting things, but there are no “winners”.

        • ken@discuss.tchncs.de (OP)
          2 months ago

          There can still be winners, the good, the bad, and the ugly. It’s just that we have to engage a bit deeper than a quick scroll and a one-liner to figure it out [1].

          > they’re all doing differently privacy impacting things, but there are no “winners”.

          The difference matters. Looking into the raw URLs and bodies involved is enlightening. Apart from that, which other queries that we can run with jq (or other tools) can we add to the post to add more useful dimensions?

          1: The answer might be different for each of us and depend on what we’re doing at the moment. Different situations might call for different browsers.

    • ken@discuss.tchncs.de (OP)
      2 months ago

      In case you want to try this for yourself, adding a container and running the test for Waterfox should be about the same as for Floorp, which I wrote about here. Then you can really see what’s going on and reason about the difference when you see the URLs and stuff.

      BTW the purpose of the report section here isn’t “look at my numbers and take my word for it” but “here’s some examples of things we can look at with this”. Please keep in mind both the Limitations section and that it’s intended as showing one way to easily and independently compare browsers yourself. Just reproducing the examples shown and then scrolling through the .har files’ JSON is a great start. Of course, me and I assume others would be very happy if you want to share anything that comes out of that so that we can bring people up together. I’m sure there’s a lot more useful insights to derive even with a small and scoped testing protocol like the one in the article and wouldn’t mind input of any nuggets other people come up with :)
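
One way to get more dimensions than a raw request count out of the captured .har files, as an added example that is not code from the post or the linked article. It assumes the standard HAR 1.2 layout (`log.entries[].request`), is written in Python rather than jq, and uses constructed placeholder hosts.

```python
import json
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout; the hosts are placeholders, not real endpoints.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://updates.vendor.example/check?v=1",
                 "bodySize": 0}},
    {"request": {"method": "POST", "url": "https://telemetry.vendor.example/submit",
                 "bodySize": 512, "postData": {"text": "{}"}}},
    {"request": {"method": "POST", "url": "https://telemetry.vendor.example/submit",
                 "bodySize": -1, "postData": {"text": "{\"a\":1}"}}},
    {"request": {"method": "GET", "url": "https://cdn.thirdparty.example/list.json",
                 "bodySize": 0}},
]}})


def summarize_har(har_text):
    """Return total requests, requests per host and request-body bytes per host."""
    entries = json.loads(har_text).get("log", {}).get("entries", [])
    per_host, uploaded = Counter(), Counter()
    for entry in entries:
        req = entry.get("request", {})
        host = urlsplit(req.get("url", "")).hostname or "(unparsed)"
        per_host[host] += 1
        size = req.get("bodySize", -1)
        if size is None or size < 0:
            # HAR records -1 when the size is unknown; fall back to the captured body.
            size = len(req.get("postData", {}).get("text", "").encode("utf-8"))
        uploaded[host] += size
    return {"requests": len(entries), "per_host": dict(per_host),
            "uploaded": dict(uploaded)}


def site_hint(host):
    """Crude grouping by the last two labels; a Public Suffix List lookup is more accurate."""
    return ".".join(host.split(".")[-2:])


if __name__ == "__main__":
    # Usage: python har_summary.py firefox.har librewolf.har (file names are examples)
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for name, text in (texts or {"constructed sample": SAMPLE_HAR}).items():
        s = summarize_har(text)
        print(f"{name}: {s['requests']} requests")
        for host, n in sorted(s["per_host"].items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d} req {s['uploaded'][host]:7d} B up  {host} [{site_hint(host)}]")
```

Grouping by host and uploaded bytes separates a browser that makes many small update checks from one that makes few requests but sends larger bodies.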