Browser Isolation for Best Privacy

Credits
450
I am currently working on Browser Isolation for best privacy on Linux and I have encountered several issues and complexities, and was now wondering what everyone's Browser Isolation set-ups & techniques are. Here are mine currently, which are also hardened as much as I can:
All browsers below tested using guest Mint OS 20.1 Virtual Machine.
Brave = (Based on Chromium project) - (Randomised Fingerprint working per tab & session & NO DEVICE INFO)
Firefox + Privacy Badger + Fingerprint Randomiser via FF Config. = (Randomised Fingerprint working per tab & session yet Device info still there)
Falkon = JavaScript OFF = NO FINGERPRINT & JavaScript on = SAME FINGERPRINT
Web = Originally called Epiphany, Web is the default browser for GNOME (untested)
Midori = SCRIPTS OFF = NO FINGERPRINT & Scripts on = SAME FINGERPRINT
Iridium = SAME FINGERPRINT per tab & per session with full device ID
NetSurf = NO FINGERPRINT or device info - Weird browser, issues with https://www
Chromium = JavaScript OFF = NO FINGERPRINT & JavaScript on = SAME FINGERPRINT

I am also interested to hear of any other ways to further make existing browsers more private without using any plug-ins or extensions if possible or any other ideas.
I am a newbie so I am unable to use browsers where I can only download a tarball, as that's too complicated for me currently, so I have been going for flatpak and .deb where possible.
 


MatsuShimizu

Member
Credits
683
Randomised Fingerprint working per tab & session yet Device info still there
I've tested Firefox on deviceinfo.me and I still cannot hide my real OS and browser there. I don't know how to hide my device info with Firefox. I even tried with Safe Script, Random User Agent, and Canvas Blocker add-ons but it still didn't work.

The same goes for the TOR browser which is based on Firefox. Below is my result on the TOR browser.
mc-torbrowser.png


All browsers below tested using guest Mint OS 20.1 Virtual Machine.
Here are mine currently, which are also hardened as much as I can
Go for Kodachi Linux or Tails Linux. You can test these distros on USB sticks. I'd tested Kodachi and it comes with their own browsers, which are based on Firefox.

They are not really user-friendly for day-to-day use, but if you are looking for the best security + privacy, these are the best because all the security + privacy functions are provided out of the box. Other than that, you can go for Whonix or QubesOS.

Brave = (Based on Chromium project)
If you want more security on Brave, activate secure DNS. Go to settings > search for secure DNS > security > Advanced > Toggle use secure DNS > With > Select NextDNS or Quad9 from the dropdown menu.

Firefox + Privacy Badger + Fingerprint Randomiser via FF Config.
What do you use Privacy Badger for? If you want to block ads and trackers, you can use uBlock Origin. UBO blocks more ads and trackers than Privacy Badger.
 

f33dm3bits

Gold Member
Gold Supporter
Credits
16,014
I've tested Firefox on deviceinfo.me and I still cannot hide my real OS and browser there. I don't know how to hide my device info with Firefox. I even tried with Safe Script, Random User Agent, and Canvas Blocker add-ons but it still didn't work.
About Canvas Blocker read this but I'll just quote it here.
Page X claims my fingerprint is unique.
Having a unique fingerprint is fine as long as it changes. With the default settings of CanvasBlocker the fingerprint should change all the time. But also with other settings (e.g. the stealth preset) that do not change the fingerprint all the time the fingerprint should be unique per domain and therefore prevent tracking. To test this you can check the different fingerprints on canvasblocker.kkapsner.de and canvasblocker2.kkapsner.de.
I also came across this issue yesterday.
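The per-domain behaviour described in the quoted FAQ, as an added example that is not part of the original post and is not CanvasBlocker's code: a simplified Node.js model in which a canvas readout is perturbed with noise keyed on a secret and the requesting domain. The mode names `persistent` and `always`, the pixel bytes and the noise scheme are all assumptions made for illustration.

```javascript
// Added example: simplified model of per-domain canvas noise (assumed scheme).
const { createHmac, createHash, randomBytes } = require("node:crypto");

// Constructed stand-in for the pixel bytes a real canvas readout would return.
const REAL_PIXELS = Buffer.from("constructed-canvas-readout-for-this-device");

// Flip the low bit of each byte with a keystream derived from (secret, domain).
function noisyReadout(pixels, secret, domain) {
  const out = Buffer.from(pixels); // copy, the real readout is left untouched
  let block = Buffer.alloc(0);
  for (let i = 0; i < out.length; i++) {
    if (i % 32 === 0) {
      block = createHmac("sha256", secret).update(`${domain}:${i / 32}`).digest();
    }
    out[i] ^= block[i % 32] & 1;
  }
  return out;
}

// What a fingerprinting script would hash and report to its server.
function fingerprint(pixels) {
  return createHash("sha256").update(pixels).digest("hex").slice(0, 16);
}

// "persistent": one secret per profile, so each domain sees a stable value.
// "always": a fresh secret on every read, so the value never repeats.
function makeBrowser(mode) {
  const profileSecret = randomBytes(32);
  return (domain) => {
    const secret = mode === "always" ? randomBytes(32) : profileSecret;
    return fingerprint(noisyReadout(REAL_PIXELS, secret, domain));
  };
}

// Summarise what two cooperating test sites could and could not link.
function demo() {
  const persistent = makeBrowser("persistent");
  const always = makeBrowser("always");
  return {
    sameSiteStable: persistent("a.example") === persistent("a.example"),
    crossSiteLinkable: persistent("a.example") === persistent("b.example"),
    alwaysRepeats: always("a.example") === always("a.example"),
  };
}

console.log(demo());
```

Each site sees a value that is unique but useless for linking the same browser across sites, which is the property the FAQ's two test domains are meant to let you check.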
 

Vrai

Well-Known Member
Credits
3,790
I am also interested to hear of any other ways to further make existing browsers more private without using any plug-ins or extensions if possible or any other ideas.
Have you looked into the "ghacks user.js" file?

Although many of the articles on ghacks.net are outdated, the file and information hosted on GitHub are up to date, I believe.



 
Credits
450
Have you looked into the "ghacks user.js" file?
Unfortunately my small delicate brain cannot take that on yet, but when I knowledge up more then I will defo be v interested in .js thingy, but I'm so so newbie at the moment. Thanks for your input though, as I shall now put .js on my to-do list to further research.
 

craigevil

Member
Credits
674
Give LibreWolf a try. It is a privacy fork of Firefox that uses most of those about:config settings.

What I do.
For the sites I visit everyday, like forums, I use Chromium.
For social media sites I use Firefox.
For random websites I use LibreWolf.
Rarely do I use TorBrowser.

I use NextDNS, and ProtonVPN with Secure-Core and Netshield. So most tracking and ads are blocked. Along with uBlock Origin, LocalCDN, Privacy Badger, Cookie Autodelete and NoScript in both Firefox and Chromium.
 

Vrai

Well-Known Member
Credits
3,790
Unfortunately my small delicate brain cannot take that on yet, but when I knowledge up more then I will defo be v interested in .js thingy, but I'm so so newbie at the moment. Thanks for your input though, as I shall now put .js on my to-do list to further research.
It has very good instructions. But there is a very real possibility of "breaking" some web sites and/or breaking browser functionality.

But it is a way to access much, much more control over the Firefox browser.
 

craigevil

Member
Credits
674
I am not quite as paranoid as the ghacks.js. Here is what my user.js looks like for Firefox.
Ignore the trr/nextdns lines.
Code:
user_pref("beacon.enabled", false);
user_pref("browser.discovery.enabled", false);
user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode_ever_enabled", true);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.forms.autocomplete.formautofill", true);
user_pref("extensions.pocket.enabled", false);
user_pref("geo.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("network.IDN_show_punycode", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.predictor.enabled", false);
user_pref("network.prefetch-next", false);
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.custom_uri", "https://dns.nextdns.io/5fae9f");
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://dns.nextdns.io/5fae9f");
user_pref("security.enterprise_roots.enabled", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("security.ssl.disable_session_identifiers", true);
user_pref("security.ssl.enable_false_start", false);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.tls.enable_0rtt_data", false);
user_pref("webgl.disabled", true);
 

Vrai

Well-Known Member
Credits
3,790
I am not quite as paranoid as the ghacks.js. Here is what my user.js looks like for Firefox.
Ignore the trr/nextdns lines.
...and this is how it all started.... :)
 
Credits
450
Thanks for all including their config settings in FFox, very handy to compare.

I do have 1 thing to say about too many changes: the more one changes a browser, the more likely one is to stand out from the crowd for using such a unique footprint, so I am trying to only do just enough to throw out my device info and yet mainly my fingerprint myself. I'm sure there's loads of you guys fully hardening their browsers, but do consider the uniqueness factor in your alterations or it may become counterproductive if we are so so unique with a specific browser.
 

Vrai

Well-Known Member
Credits
3,790
Thanks for all including their config settings in FFox, very handy to compare.

I do have 1 thing to say about too many changes: the more one changes a browser, the more likely one is to stand out from the crowd for using such a unique footprint, so I am trying to only do just enough to throw out my device info and yet mainly my fingerprint myself. I'm sure there's loads of you guys fully hardening their browsers, but do consider the uniqueness factor in your alterations or it may become counterproductive if we are so so unique with a specific browser.
That's a very good point and very apt.
I employ a few config changes but mostly rely on blocking scripting.
Go to a browser testing site with scripting blocked and you will see that they are not able to glean much information.
 
Credits
450
That's a very good point and very apt.
I employ a few config changes but mostly rely on blocking scripting.
Go to a browser testing site with scripting blocked and you will see that they are not able to glean much information.
The only browser I turned scripts off on is Midori. How might or would that affect everyday use, do you think?
 

Vrai

Well-Known Member
Credits
3,790
The only browser I turned scripts off on is Midori. How might or would that affect everyday use, do you think?
Most web sites these days employ moderate to heavy use of scripting. Therefore a great many sites will not work properly or work at all without scripting.
What I do is keep scripting off/blocked until I decide there is a definite want/need of something on that site. The sites I use a lot are "whitelisted". For casual use, following links, 'surfing' I keep scripting blocked. It's an inconvenience at times but worth it to me as I don't 'wander' about too much.

Also, I always block "I Frames".
 

TheKid0

New Member
Credits
51
Mozilla Firefox Version 87.0


SSL settings
For Secure Browsing

security.ssl3.ecdhe_ecdsa_aes_128_sha = False
security.ssl3.ecdhe_ecdsa_aes_256_sha = False
security.ssl3.ecdhe_rsa_aes_128_sha = False
security.ssl3.ecdhe_rsa_aes_256_sha = False
security.ssl3.rsa_aes_128_gcm_sha256 = False
security.ssl3.rsa_aes_128_sha = False
security.ssl3.rsa_aes_256_gcm_sha384 = False
security.ssl3.rsa_aes_256_sha = False
security.ssl3.rsa_des_ede3_sha = False
security.ssl3.dhe_rsa_aes_128_cbc_sha = False (Boolean)
security.ssl3.dhe_rsa_aes_256_cbc_sha = False (Boolean)

security.ssl.require_safe_negotiation = true


Online Certificate Status Protocol
security.OCSP.enabled = 2
Description: Query OCSP responder servers to confirm current validity of certificates
0: Disabled
1: Validate only certificates that specify an OCSP service URL (default)
2: Enable and use values in security.OCSP.URL and security.OCSP.signing


Activate Mixed Content Block
security.mixed_content.block_display_content = true
security.mixed_content.block_object_subrequest = true



Delegated Credentials
security.tls.enable_delegated_credentials = true
security.tls.enable_post_handshake_auth = true
security.tls.hello_downgrade_check = false
(can ultimately also be used as downgrade attack)


Privacy improvements

browser.cache.offline.enable = false
browser.cache.disk.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.memory.enable = false
browser.cache.insecure.enable = false
browser.urlbar.speculativeConnect.enabled = false
browser.safebrowsing.downloads.remote.enabled = false
browser.fixup.alternate.enabled = false
browser.urlbar.autoFill = false
browser.sessionstore.privacy_level = 2
browser.send_pings.max_per_link = 0
browser.sessionstore.max_tabs_undo = 0

dom.event.contextmenu.enabled = false
dom.event.clipboardevents.enabled = false
dom.battery.enabled = false
dom.vr.enabled = false
dom.gamepad.enabled = false
network.prefetch-next = false
network.predictor.enabled = false
network.ftp.enabled = false
network.captive-portal-service.enabled = false
network.manage-offline-status = false
network.cookie.thirdparty.sessionOnly = true
network.cookie.thirdparty.nonsecureSessionOnly = true
network.IDN_show_punycode = true
network.dns.echconfig.enabled = true
network.dns.use_https_rr_as_altsvc = true
network.dns.disablePrefetch = true
media.navigator.enabled = false
media.peerconnection.video.vp9_enabled = false
media.peerconnection.identity.enabled = false
media.peerconnection.dtmf.enabled = false
media.peerconnection.enabled = false
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.turn.disable = true
media.peerconnection.identity.timeout = 1
webgl.disabled = true
webgl.disable-wgl = true
media.eme.enabled = false
media.gmp-widevinecdm.enabled = false
geo.enabled = false
geo.provider.ms-windows-location = false
extensions.pocket.enabled = false
beacon.enabled = false
device.sensors.enabled = false
privacy.cpd. = All True*
privacy.clearOnShutdown = All True*
identity.fxaccounts.enabled = false
toolkit.telemetry = All false
browser.ping-centre.telemetry = false


 


Condobloke

Well-Known Member
Credits
9,714
@TheKid0 ....you might like to explain exactly how the above is carried out on Firefox, and perhaps what the impact is on 'normal' browsing.

I am quite sure there are people new to Linux reading this who would see your post as being unintelligible mumbo jumbo :)
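One way to carry an about:config list like the one above into a Firefox profile is to turn it into `user_pref(...)` lines for user.js. This is an added example, not code from anyone in the thread; `NOTES` and `EXISTING` are short samples constructed in the two formats posted here (including one line with the `=` missing), and the function names are hypothetical.

```javascript
// Added example: convert "name = value" notes to user.js lines and compare
// them with an existing user.js. Sample inputs below are constructed.
const NOTES = `
SSL settings
security.ssl3.rsa_des_ede3_sha = False
security.ssl3.dhe_rsa_aes_128_cbc_sha = False (Boolean)
security.OCSP.enabled = 2
browser.cache.insecure.enable false
network.prefetch-next =false
privacy.cpd. = All True*
toolkit.telemetry = All false
webgl.disabled = true`;
const EXISTING = `
user_pref("network.prefetch-next", false);
user_pref("network.trr.mode", 3);
user_pref("webgl.disabled", true);`;

// Convert the text of a value to a boolean, integer or string pref value.
function typed(raw) {
  if (/^(true|false)$/i.test(raw)) return raw.toLowerCase() === "true";
  return /^-?\d+$/.test(raw) ? Number(raw) : raw;
}

// One note line -> [name, value], or null for headings and wildcard groups
// ("privacy.cpd. = All True*") that do not name a single preference.
function parseNote(line) {
  const m = line.trim().match(/^([A-Za-z][\w.-]*\w)\s*(?:=|\s)\s*(\S+)\s*(?:\(.*\))?$/);
  return m && m[1].includes(".") ? [m[1], typed(m[2])] : null;
}

// Read user_pref("name", value); lines into a Map (double-quoted strings only).
function parseUserJs(text) {
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\s*\);/gm;
  return new Map([...text.matchAll(re)].map((m) => [m[1], JSON.parse(m[2])]));
}

// Build the lines to add; report conflicts and lines that need a human.
function mergeNotes(notes, existingText) {
  const have = parseUserJs(existingText);
  const out = { add: [], conflicts: [], skipped: [] };
  for (const line of notes.split("\n").filter((l) => l.trim())) {
    const p = parseNote(line);
    if (!p) out.skipped.push(line.trim());
    else if (!have.has(p[0])) out.add.push(`user_pref(${JSON.stringify(p[0])}, ${JSON.stringify(p[1])});`);
    else if (have.get(p[0]) !== p[1]) out.conflicts.push(p[0]);
  }
  return out;
}

console.log(mergeNotes(NOTES, EXISTING));
```

The `skipped` list is the part to review by hand: entries such as `privacy.cpd. = All True*` stand for a whole family of preferences and have no single user.js line.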
 

craigevil

Member
Credits
674
Most if not all of the about:config settings are from:
I posted a while back about Firefox user.js settings that I use.
 