Browser Isolation for Best Privacy

I am currently working on Browser Isolation for best privacy on Linux and I have encountered several issues and complexities, and was now wondering what everyone's Browser Isolation set-ups & techniques are. Here is currently mine, which is also hardened as much as I can =
All browsers below tested using a guest Mint OS 20.1 Virtual Machine.
Brave = (Based on Chromium project) - (Randomised Fingerprint working per tab & session & NO DEVICE INFO)
Firefox + Privacy Badger + Fingerprint Randomiser via FF Config. = (Randomised Fingerprint working per tab & session yet Device info still there)
Falkon = JavaScript OFF = NO FINGERPRINT & JavaScript on = SAME FINGERPRINT
Web = Originally called Epiphany, Web is the default browser for GNOME (untested)
Midori = SCRIPTS OFF = NO FINGERPRINT & Scripts on = SAME FINGERPRINT
Iridium = SAME FINGERPRINT per tab & per Session with full Device ID
NetSurf = NO FINGERPRINT or device info - Weird browser, issues with https://www
Chromium = JavaScript OFF = NO FINGERPRINT & JavaScript on = SAME FINGERPRINT

I am also interested to hear of any other ways to further make existing browsers more private without using any plug-ins or extensions if possible, or any other ideas.
I am a newbie, so I am unable to use browsers where I can only download a tarball, as that's too complicated for me currently, so I have been going for flatpak and .deb where possible.
 


Randomised Fingerprint working per tab & session yet Device info still there
I've tested Firefox on deviceinfo.me and I still cannot hide my real OS and browser there. I don't know how to hide my device info with Firefox. I even tried with Safe Script, Random User Agent, and Canvas Blocker add-ons but it still didn't work.

The same goes for the Tor Browser which is based on Firefox. Below is my result on the Tor Browser.


All browsers below tested using a guest Mint OS 20.1 Virtual Machine.
Here is currently mine, which is also hardened as much as I can
Go for Kodachi Linux or Tails Linux. You can test these distros on USB sticks. I tested Kodachi and it comes with its own browsers, which are based on Firefox.

They are not really user-friendly for day-to-day use, but if you are looking for the best security + privacy, these are the best because all the security + privacy functions are provided out of the box. Other than that, you can go for Whonix or QubesOS.

Brave = (Based on Chromium project)
If you want more security on Brave, activate secure DNS. Go to settings > search for secure DNS > security > Advanced > Toggle use secure DNS > With > Select NextDNS or Quad9 from the dropdown menu.

Firefox + Privacy Badger + Fingerprint Randomiser via FF Config.
What do you use Privacy Badger for? If you want to block ads and trackers, you can use uBlock Origin. uBO blocks more ads and trackers than Privacy Badger.
 
I've tested Firefox on deviceinfo.me and I still cannot hide my real OS and browser there. I don't know how to hide my device info with Firefox. I even tried with Safe Script, Random User Agent, and Canvas Blocker add-ons but it still didn't work.
About Canvas Blocker, read this, but I'll just quote it here.
Page X claims my fingerprint is unique.
Having a unique fingerprint is fine as long as it changes. With the default settings of CanvasBlocker the fingerprint should change all the time. But also with other settings (e.g. the stealth preset) that do not change the fingerprint all the time the fingerprint should be unique per domain and therefore prevent tracking. To test this you can check the different fingerprints on canvasblocker.kkapsner.de and canvasblocker2.kkapsner.de.
I also came across this issue yesterday.
 
I am also interested to hear of any other ways to further make existing browsers more private without using any plug-ins or extensions if possible or any other ideas.
Have you looked into the "ghacks user.js" file?

Although many of the articles on ghacks.net are outdated, the file and information hosted on GitHub are up to date, I believe.



 
Have you looked into the "ghacks user.js" file?
Unfortunately my small delicate brain cannot take that on yet, but when I knowledge up more then I will defo be v interested in the .js thingy, but I'm so so newbie at the moment. Thanks for your input though, as I shall now put .js on my todo list to further research.
 
Give LibreWolf a try. It is a privacy fork of Firefox that uses most of those about:config settings.

What I do.
For the sites I visit everyday, like forums, I use Chromium.
For social media sites I use Firefox.
For random websites I use LibreWolf.
Rarely do I use TorBrowser.

I use NextDNS, and ProtonVPN with Secure-Core and Netshield, so most tracking and ads are blocked, along with uBlock Origin, LocalCDN, Privacy Badger, Cookie AutoDelete and NoScript in both Firefox and Chromium.
 
Unfortunately my small delicate brain cannot take that on yet, but when I knowledge up more then I will defo be v interested in the .js thingy, but I'm so so newbie at the moment. Thanks for your input though, as I shall now put .js on my todo list to further research.
It has very good instructions. But there is a very real possibility of "breaking" some web sites and/or breaking browser functionality.

But it is a way to access much, much more control over the Firefox browser.
 
I am not quite as paranoid as the ghacks.js. Here is what my user.js looks like for Firefox.
Ignore the trr/nextdns lines.
Code:
user_pref("beacon.enabled", false);
user_pref("browser.discovery.enabled", false);
user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode_ever_enabled", true);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.forms.autocomplete.formautofill", true);
user_pref("extensions.pocket.enabled", false);
user_pref("geo.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("network.IDN_show_punycode", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.predictor.enabled", false);
user_pref("network.prefetch-next", false);
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.custom_uri", "https://dns.nextdns.io/5fae9f");
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://dns.nextdns.io/5fae9f");
user_pref("security.enterprise_roots.enabled", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("security.ssl.disable_session_identifiers", true);
user_pref("security.ssl.enable_false_start", false);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.tls.enable_0rtt_data", false);
user_pref("webgl.disabled", true);
 
...and this is how it all started.... :)
 
Thanks to all for including their config settings in FFox, very handy to compare.

I do have one thing to say about too many changes: the more one changes a browser, the more likely one is to stand out from the crowd for using such a unique footprint, so I am trying to only do just enough to throw out my device info and, mainly, my fingerprint myself. I'm sure there's loads of you guys fully hardening their browsers, but do consider the uniqueness factor in your alterations, or it may become counterproductive if we are so so unique with a specific browser.
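A small parser and comparer for the two listing styles in this thread (user.js lines and plain "key = value" about:config dumps), added here as an example; it is not code from any poster, and its sample inputs are constructed (the pref names are real Firefox prefs). It reports which prefs appear in only one listing and which are set differently, and can rewrite a plain listing as user.js lines.

```python
"""Parse and compare Firefox pref listings. Added example; samples are constructed."""
import re

# user.js form: user_pref("name", value);  value is a quoted string, int or true/false
USER_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
# plain about:config listing form: dotted lowercase-leading name, optional "=", value
PLAIN_RE = re.compile(r'^\s*([a-z][\w\-]*(?:\.[\w\-]*)+)\s*=?\s*(\S.*?)\s*$')

# constructed sample in user.js style
USERJS_SAMPLE = '''\
user_pref("beacon.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.trr.mode", 3);
user_pref("webgl.disabled", true);
'''
# constructed sample in the loose listing style, heading and missing "=" included
PLAIN_SAMPLE = '''\
SSL settings
beacon.enabled = false
network.cookie.cookieBehavior = 5
network.prefetch-next =false
browser.cache.insecure.enable false
'''

def parse_value(raw):
    """Map the textual value to bool/int/str; odd shapes (e.g. 'All True*') stay text."""
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw

def parse_prefs(text):
    """Return {pref_name: value}; headings, blank lines and // comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = USER_PREF_RE.match(line) or PLAIN_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def diff_prefs(a, b):
    """(names only in a, names only in b, {name: (a_val, b_val)} where values differ)."""
    differ = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), differ

def to_user_js(prefs):
    """Render prefs as user.js lines so a plain listing can be dropped into a profile."""
    out = []
    for name, val in sorted(prefs.items()):
        # bools and ints are written bare (str(True).lower() == "true"), strings quoted
        rendered = str(val).lower() if isinstance(val, (bool, int)) else '"%s"' % val
        out.append('user_pref("%s", %s);' % (name, rendered))
    return "\n".join(out)
```

Run `diff_prefs(parse_prefs(open("a.js").read()), parse_prefs(open("b.txt").read()))` against two real files to see where your hardening diverges from someone else's.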
 
Thanks to all for including their config settings in FFox, very handy to compare.

I do have one thing to say about too many changes: the more one changes a browser, the more likely one is to stand out from the crowd for using such a unique footprint, so I am trying to only do just enough to throw out my device info and, mainly, my fingerprint myself. I'm sure there's loads of you guys fully hardening their browsers, but do consider the uniqueness factor in your alterations, or it may become counterproductive if we are so so unique with a specific browser.
That's a very good point and very apt.
I employ a few config changes but mostly rely on blocking scripting.
Go to a browser testing site with scripting blocked and you will see that they are not able to glean much information.
 
That's a very good point and very apt.
I employ a few config changes but mostly rely on blocking scripting.
Go to a browser testing site with scripting blocked and you will see that they are not able to glean much information.
The only browser I turned scripts off on is Midori; how might or would that affect everyday use, do you think?
 
The only browser I turned scripts off on is Midori; how might or would that affect everyday use, do you think?
Most web sites these days employ moderate to heavy use of scripting. Therefore a great many sites will not work properly, or work at all, without scripting.
What I do is keep scripting off/blocked until I decide there is a definite want/need of something on that site. The sites I use a lot are "whitelisted". For casual use, following links, 'surfing', I keep scripting blocked. It's an inconvenience at times but worth it to me, as I don't 'wander' about too much.

Also, I always block iframes.
 
Mozilla Firefox Version 87.0

SSL settings
For Secure Browsing

security.ssl3.ecdhe_ecdsa_aes_128_sha = false
security.ssl3.ecdhe_ecdsa_aes_256_sha = false
security.ssl3.ecdhe_rsa_aes_128_sha = false
security.ssl3.ecdhe_rsa_aes_256_sha = false
security.ssl3.rsa_aes_128_gcm_sha256 = false
security.ssl3.rsa_aes_128_sha = false
security.ssl3.rsa_aes_256_gcm_sha384 = false
security.ssl3.rsa_aes_256_sha = false
security.ssl3.rsa_des_ede3_sha = false
security.ssl3.dhe_rsa_aes_128_cbc_sha = false (Boolean)
security.ssl3.dhe_rsa_aes_256_cbc_sha = false (Boolean)

security.ssl.require_safe_negotiation = true

Online Certificate Status Protocol
security.OCSP.enabled = 2
Description: Query OCSP responder servers to confirm current validity of certificates
0: Disabled
1: Validate only certificates that specify an OCSP service URL (default)
2: Enable and use values in security.OCSP.URL and security.OCSP.signing

Activate Mixed Content Block
security.mixed_content.block_display_content = true
security.mixed_content.block_object_subrequest = true

Delegated Credentials
security.tls.enable_delegated_credentials = true
security.tls.enable_post_handshake_auth = true
security.tls.hello_downgrade_check = false
(can ultimately also be used as downgrade attack)

Privacy improvements

browser.cache.offline.enable = false
browser.cache.disk.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.memory.enable = false
browser.cache.insecure.enable = false
browser.urlbar.speculativeConnect.enabled = false
browser.safebrowsing.downloads.remote.enabled = false
browser.fixup.alternate.enabled = false
browser.urlbar.autoFill = false
browser.sessionstore.privacy_level = 2
browser.send_pings.max_per_link = 0
browser.sessionstore.max_tabs_undo = 0

dom.event.contextmenu.enabled = false
dom.event.clipboardevents.enabled = false
dom.battery.enabled = false
dom.vr.enabled = false
dom.gamepad.enabled = false

network.prefetch-next = false
network.predictor.enabled = false
network.ftp.enabled = false
network.captive-portal-service.enabled = false
network.manage-offline-status = false
network.cookie.thirdparty.sessionOnly = true
network.cookie.thirdparty.nonsecureSessionOnly = true
network.IDN_show_punycode = true
network.dns.echconfig.enabled = true
network.dns.use_https_rr_as_altsvc = true
network.dns.disablePrefetch = true

media.navigator.enabled = false
media.peerconnection.video.vp9_enabled = false
media.peerconnection.identity.enabled = false
media.peerconnection.dtmf.enabled = false
media.peerconnection.enabled = false
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.turn.disable = true
media.peerconnection.identity.timeout = 1

webgl.disabled = true
webgl.disable-wgl = true

media.eme.enabled = false
media.gmp-widevinecdm.enabled = false

geo.enabled = false
geo.provider.ms-windows-location = false

extensions.pocket.enabled = false
beacon.enabled = false
device.sensors.enabled = false

privacy.cpd.* = true (all)
privacy.clearOnShutdown.* = true (all)

identity.fxaccounts.enabled = false
toolkit.telemetry.* = false (all)
browser.ping-centre.telemetry = false


 

@TheKid0 ....you might like to explain exactly how the above is carried out on Firefox, and perhaps what the impact is on 'normal' browsing.

I am quite sure there are people new to Linux reading this who would see your post as being unintelligible mumbo jumbo :)
 
I am quite sure there are people new to Linux reading this who would see your post as being unintelligible mumbo jumbo
That might be a good thing. If they cannot understand it they probably should not be mucking around that deeply in their Firefox config. Baby steps :)
 
Most if not all of the about:config settings are from:
I posted a while back about Firefox user.js settings that I use.
 
On Arch


Brave browser is good for blocking ads and such; if I want to hide my IP address I use the tor service and Tor Browser.

Tor Browser was really easy to install via pacman, and then a little editing of /etc/tor/torrc.

I used my daughter's web "contact us" form, which goes through a CodeIgniter 4 controller and utility class, which when I get emailed gives me the IP address of the sender. It just gives me a little insight into the whereabouts of the sender, and is historical code from when I was involved in Ghana and was contacted by people claiming they were in Ghana, but they were in Nigeria and other places.

Using Tor Browser I got 185.220.102.251, which is one of their proxy sites.
 
@TheKid0 ....you might like to explain exactly how the above is carried out on Firefox, and perhaps what the impact is on 'normal' browsing.

I am quite sure there are people new to Linux reading this who would see your post as being unintelligible mumbo jumbo :)

This is something that is easy to do if you're willing to spend a little time learning from the links posted below.

Firefox first party isolation


It works so well that it will prevent a user from being able to use their own online accounts.

I speak from my own personal experience.

Live and learn cause if you never try you never know or learn.

And boy did I learn a lot and now I know.
 