N.E.P.T.R

Vivaldi is also proprietary. Not a good privacy browser.

Having JS disabled is very rare for non-bot traffic, so you stand out far more. It isn’t about uniqueness, you are already unique if you aren’t using Tor/Mullvad browser(s). While disabling JS protects against certain kinds of fingerprinting, there is pure CSS and TCP fingerprinting. Firefox RFP (eg. Librewolf) and whatever Cromite or Brave have help to protect against much of JS fingerprinting. You are only ever going to fool naive scripts which these browsers already do a good job of that.

As for security, having JS disabled is a benefit. Just know since you will very likely have to enable to again quite often for random websites, you’ll become used to doing that to the point that it may as well be useless. If a random website doesn’t load just leave it, unless it is worthy of some actual trust. Even more useful would be setting up uBlock Origin with a blocking mode, such as medium or hard.

It still gives metrics. And yes, Creepjs is not very useful against randomized values, though I noted it still because Brave fails (resulting in a persistent fingerprint) whereas Cromite succeeded to fool Creepjs. Both have many methods of fingerprinting protection.

Checking the fingerprinting protections of Mullvad and Tor is better done with TorZillaPrint test page by Arkenfox. It is optimized to tell you whether you blend in correctly with RFP normalized values.

Vivaldi is proprietary. I would def avoid that. For Chromium forked browser use Cromite instead.

They is the right result, non-unique fingerprint is what you want with Tor Browser.

TL;DR The only way to avoid a near unique fingerprint is Tor Browser

Longer explanation: There are too many styles of fingerprinting protections: randomized and normalized.

Librewolf inherits its fingerprint protections from Firefox (which intern was upstreamed from the Tor uplift project. It works by taking as many fingerprintable characteristics (refresh rate, canvas, resolution, theme, timezone, etc) and normalizes them to a static value to be shared by all browsers using the feature (privacy.resistFingerprinting in about:config). The benefit of normalizing is you appear more generic, though there are many limitations (biggest of which is OS because you cant hide that). The purpose design of these protections stems from the anonymization strategy of Tor which is to blend in with all other users so no individual can be differentiated based on identifiers. Since Librewolf has different a default settings profile to Tor (or Mullvad) and even vanilla Firefox with RFP enabled, the best you can hope is to blend in with other Librewolf users (which you really cant, especially if you install extensions or change [some] specific settings). Instead, the goal is just to fool naive fingerprinting scripts, nation states or any skilled adversary is out of the scope.

Brave (or Cromite) uses the strategy of randomizing fingerprintable characteristics. This is only meant to fool naive FP scripts but in my opinion (when done right) is better at fooling naive scripts. The biggest problem is that these attempts by other browsers and not as comprehensive as Firefox. I think Cromite does a better job than Brave: it is the only browser which fools Creepjs that I have tried by creating a new FP on refresh. Cromite required some configuring to get to place I wanted it, but so does every browser.

The advantage with Firefox forks is that vanilla Firefox has RFP and therefore so do the forks (though most dont enable), but you dont blend i with a crowd (making it far less effective than MB or Tor). The advantage of Brave or Cromite is a randomized FP, bit since it isnt upstreamed (and Google will never do that) you stand out like a sore thumb. Either way is fine though for basically everyone.

The only browsers I know that work against Creepjs are as follows:

• Mullvad (persistent FP)
• Tor (persistent FP)
• Cromite (randomized FP)

Same problem pretty sure.

It is a denial of service attack. He discloses all vulnerabilities ahead of time. The only reason he released the previous one so quickly is because the Matrix team said it “wasnt a real vulnerability”.

Understood.

It seems that forward secrecy is still in development from the blog you showed.

I still wouldnt use session for the reasons stated in this Soatok’s (a cryptographer) blogs. Even if they fix(ed) these problems, I have no trust for their security implementations. Why use session instead of something like Briar?

https://soatok.blog/2025/01/14/dont-use-session-signal-fork/ https://soatok.blog/2025/01/20/session-round-2/

People keep finding significant vulnerabilities in its cryptography and the Matrix team tries to deflect or create strawmans for why it isnt actually a vuln. Soatok found a vulnerability in 2024 by just browsing the source code for tiny bit of time, and again just two weeks ago after looking for a couple hours. In both cases, Matrix then responded to his vuln report with hostility, saying it wasnt actually a vulnerability. He is sitting on another vulnerability.

Having a cleartext mode is a security downgrade and no secure messenger should support cleartext. It only barely got functional forward secrecy recently. VoIP in most Matrix clients (and servers) still use Jitsi backend which isn’t E2EE, even with the release of the newer (secure) Element call protocol. Matrix leaks tons of metadata, such as usernames, room names, emoji reactions, generate URL embedded previews. Rooms arent encrypted by default. It is also a UX nightmare and often times you cant decrypt your messages.

Matrix is not secure. You’d be better off with XMPP and OMEMO which has its own problems and isn’t secure either. Sill better than Matrix.

Session is a security downgrade. It doesnt support forward secrecy which is hella important.

deleted by creator

Zen is basically Firefox with different UI. It is a security/privacy downgrade from Librewolf. You can configure Zen to have the same security/privacy settings by putting about:config in the URL bar change some of the toggles.

Use either the Arkenfox (also available in the interactive live viewer online) or Phoenix user.js as a template. Basically: disable WebGL, set WebRTC to disable nonproxied udp, disable JavaScript JIT, enable privacy.resistFingerprinting (optionally enable privacy.resistFingerprinting.letterboxing for screen fingerprint protection) and some other things.

Phoenix has some configs for Zen iirc which you can just patch. It is less strict than Librewolf when it comes to fingerprint protections (softening some of RFP’s protections).

If you want to test that the fingerprint protections are working, use this test site by Arkenfox called TorZillaPrint.

It is also proprietary.

Maybe the got their shit together since I last checked, but hqving that history and being at the very least 1 month (usually more) behind for years is a very bad look for a ROM that bills itself as private and secure.

According to this well known comparison table they still havent changed: https://eylenburg.github.io/android_comparison.htm

They also leave plenty of proprietary binary blobs in the ROM.

/e/OS does not take security seriously. They are often 1-2+ months behind on Android security patches, leaving you vulnerable to literal dozens of high severity vulnerabilities. You would probably be better off with LineageOS.

https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/

OpenPGP for encryption through autocrypt is a BIG NO for me. OpenPGP is inherently flawed, read any reasonable cryptographer’s opinions on it. DeltaChat is a significant security downgrade from Signal. I would much rather use SimpleX or Briar.

You could use a VOIP provider so you can do calls and SMS from your computer without needing a SIM. An example provider is JMP.chat, which could then be used with any fully featured desktop XMPP app, like Dino or Gajim.