- Secure, Non-Extensible Browsers
- CLI-Based Browsers
- Chromium Based Browsers
- Firefox Based Browsers
- Browser Extensions: Security
- Browser Extensions: Convenience
- Best Practices
- Online Privacy
A good web browser should be secure, lightweight and standards compatible. Extensibility is relevant only as far as it provides missing security. Accessibility support is not considered relevant here.
The popular modern web browsers (Chrome, Edge, Firefox, Internet Explorer, Opera & Safari) are highly insecure, performing unsolicited requests back to their database (phoning home), tracking user data, containing backdoors in the code for government spying and generally being in extreme violation of their users' privacy. This is true too of most browsers that market themselves as privacy or security focused, such as Brave Browser* and Vivaldi*. Any browser that is not Free & Open Source such that the code can be audited by independent third parties, or one that phones home or performs automatic security updates, is not secure.
Rather than contribute to the dismal experience of modern web surfing, a good web browser should be clean, simple and optimized. Basic expected functionality beyond standards compliance is browsing history, bookmarking and tabs.
HTML5 is a Living Standard and expansions to the codebase are rolled out regularly. As a new standard reaches support by the six major browsers (Chrome, Edge, Firefox, Internet Explorer, Opera & Safari) it begins to be adopted across the web, and a browser that does not keep up will find some websites not rendered as intended. Even if one relies primarily on a simple browser with basic feature functionality as their daily driver, keeping a browser that emphasizes standards compliance on hand is necessary to browse much of the modern web.
A Note on Operating Systems
This article assumes the reader is using a GNU/Linux or *BSD Operating System. Many of these applications will not be runnable on Windows.
- Otter Browser
- Otter Browser is a recreation of Opera 12.x's user interface with relative standards-compliance. It makes no unsolicited requests*.
- Midori is a lightweight browser built on the WebKit GTK+ framework with an emphasis on speed and supporting modern web technology.
- File Manager and Web Browser for KDE (Kool Desktop Environment). Standards-compliant. Low resource footprint in KDE because most of the needed resources are already loaded by the DE.
- Vimb is a lightweight, minimalist vim-like browser built on the WebKit GTK+ framework.
- Surf is a very lightweight, tab-less browser built on the WebKit GTK+ framework following the suckless philosophy.
- Support for tables, frames and color. SSL support. Partial CSS and cookies support. Includes browsing history. Lightweight relative to other CLI browsers and highly configurable.
- Support for inline images, tables, frames and color.
The following Chromium-based browsers perform unsolicited requests home, track user data, perform automatic updates, track location and/or record voice. They are not recommended for use.
The following Chromium-based browsers are FOSS and do not perform unsolicited requests or track users.
- Iridium is a modified and stripped-down Chromium made to be secure. It makes no unsolicited requests*. To be fully secure, disable Google Safe Browsing after install. Extensions can be downloaded directly from the Chrome Webstore.
- Ungoogled-chromium goes slightly further than Iridium: it is fully secure by default and does not draw attention to itself, setting its user agent to Chromium (Iridium advertises itself as Iridium). Extensions need to be installed by manually downloading the CRX file from the webstore and installing it.
The following Firefox-based browsers perform unsolicited requests home, track user data, perform automatic updates, track location and/or record voice. They are not recommended for use.
The following Firefox-based browsers are FOSS and do not perform unsolicited requests or track users.
- Hardened Firefox
- Mozilla Firefox with full hardening in the user settings can be theoretically made to remove its embedded spyware, and go further by securing against known security vulnerabilities. Pre-configured user settings files can be imported, e.g. full and relaxed.
- GNU IceCat
These extensions are only available for Chromium & Firefox based browsers. They should all be installed and set up for secure web browsing.
- Allows control over first party requests (divided into: cookies, scripts, XHR, frames, CSS, image, media, other). Blocks third party requests which is what is most often used for spying. Blocks ads and pop-ups. More powerful, effective, configurable and lightweight than any combination of ad-blocker and privacy control. Add the rule * * script block to the rules list to block scripts by default. Review setup guide.
- Smart HTTPS
- Assumes all websites support SSL and attempts connection through it. Falls back to HTTP if SSL is not supported. Disable automatic whitelisting to prevent false negatives caused by network errors being saved to the user database.
- Stores a local copy of vulnerable scripts (jQuery, Google scripts, etc.) that websites commonly require to work, and serves those copies instead to prevent sending out information.
- Note: To prevent conflicts, Decentraleyes must be installed after Smart HTTPS and the following rules should be added to the uMatrix config:
- Multi-Account Containers
- Allows you to compartmentalize session browsing history, cookies and saved passwords to employ profiles. However, due to the ease of browser fingerprinting, it's not nearly as effective as multi-browser compartmentalization.
Note: Despite being commonly recommended as a secure scriptblocking extension, NoScript is malicious and harmful. Any site that recommends it should not be trusted.
Note: More effective than the commonly recommended HTTPS Everywhere, which reads from a global whitelist rather than testing every site for SSL.
* ajax.aspnetcdn.com script allow
* ajax.googleapis.com script allow
* ajax.microsoft.com script allow
* ajax.proxy.ustclug.org script allow
* cdn.jsdelivr.net script allow
* cdnjs.cloudflare.com script allow
* code.jquery.com script allow
* libs.baidu.com script allow
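An added example (not part of the original page and not uMatrix's own code): a Python check that an exported uMatrix ruleset contains the default-deny script rule and the eight allow rules listed above, and that reports any other global script allowances and contradictory entries. It assumes the export is plain text with one "source destination type action" rule per line; SAMPLE is constructed for illustration.

```python
REQUIRED_CDN_HOSTS = (
    "ajax.aspnetcdn.com", "ajax.googleapis.com", "ajax.microsoft.com",
    "ajax.proxy.ustclug.org", "cdn.jsdelivr.net", "cdnjs.cloudflare.com",
    "code.jquery.com", "libs.baidu.com",
)
DEFAULT_DENY = ("*", "*", "script", "block")

def parse_rules(text):
    """Return the set of 4-field matrix rules; switch lines and blanks are skipped."""
    rules = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] in ("allow", "block", "inherit"):
            rules.add(tuple(fields))
    return rules

def audit(text):
    """Compare an exported ruleset with the rules this page asks for."""
    rules = parse_rules(text)
    required = {DEFAULT_DENY} | {("*", h, "script", "allow") for h in REQUIRED_CDN_HOSTS}
    missing = sorted(required - rules)
    # Global script allowances beyond the eight CDN hosts widen the default-deny policy.
    extra = sorted(r for r in rules
                   if r[0] == "*" and r[2] == "script" and r[3] == "allow"
                   and r[1] not in REQUIRED_CDN_HOSTS)
    # The same source/destination/type listed with two different actions.
    seen = {}
    for src, dst, rtype, action in rules:
        seen.setdefault((src, dst, rtype), set()).add(action)
    conflicts = sorted(key for key, actions in seen.items() if len(actions) > 1)
    return {"missing": missing, "extra": extra, "conflicts": conflicts}

# Constructed sample export (not taken from a real profile).
SAMPLE = """\
https-strict: behind-the-scene false
* * script block
* ajax.googleapis.com script allow
* cdnjs.cloudflare.com script allow
* code.jquery.com script allow
* tracker.example script allow
* code.jquery.com script block
"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        for item in items:
            print(kind, " ".join(item))
```

Entries reported as extra are for review rather than automatically wrong: each one is a script source allowed on every site.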
These extensions are only available for Chromium & Firefox based web browsers. They are not necessary but make browsing more efficient or comfortable.
- Powerful vim-like extensions that allow for true mouseless browsing via hint mode (every link on the page is given a hotkey), keyboard page navigation and console control panel. Resource intensive.
- Saka Key
- Simplified, lightweight extension as an alternative to the above. Allows keyboard shortcut modification and provides hint mode for mouseless link navigation.
- Sync Tab Groups
- Allows tab groups to be saved as background sessions so they can be closed and reopened to prevent background tabs from taking up memory.
- Makes any non-clickable hyperlink clickable (for example, links without http:// typed, or emails).
- Quickly archive currently selected page on archive.is, web.archive.org, perma.cc or webcitation.org with toolbar icon or keyboard shortcut (default: Alt+Shift+Y).
- Allows for custom per-domain CSS. A fork of an older Stylish version before it became spyware*.
Use two browsers, one for secure, private browsing as your main browser, and a secondary browser for when you need to access insecure sites that require scripts or cookies to work, or are connected to identifying information (e.g. logging into a social network).
Disable third-party cookies. Only accept first-party cookies from whitelisted sites. Clear cookies on browser close. To make logging back into sites less troublesome, use a password manager.
Disable scripts by default, e.g. using uMatrix. Only turn them on when a site is broken without it, and only allow first-party scripts.
Hide your IP by routing web traffic through a VPN. Use a Tor proxy for extra security.
Maintain a Hosts list file in your system to blacklist unwanted connections.
See: Adding a Hosts List
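An added example (not from the original page): a Python filter for vetting a downloaded hosts-format blocklist before merging it into the system hosts file. It keeps only entries that point at a sink address, rejects lines that would redirect a name to a routable address, and de-duplicates names; the sink set, the list of local names to skip and SAMPLE are assumptions made for this illustration.

```python
import ipaddress
import re

SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}   # addresses that block instead of redirecting
KEEP_LOCAL = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def valid_hostname(name):
    return len(name) <= 253 and all(LABEL.match(p) for p in name.split("."))

def sanitize(text):
    """Return (blocked_names, rejected) for hosts-format text; rejected holds (line, reason)."""
    blocked, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((lineno, "bad address"))
            continue
        if addr not in SINKS:
            rejected.append((lineno, "redirects to " + addr))  # would redirect, not block
            continue
        for name in (n.lower().rstrip(".") for n in fields[1:]):
            if name in KEEP_LOCAL:
                continue              # loopback names stay in the system's own hosts file
            if not valid_hostname(name):
                rejected.append((lineno, "bad hostname"))
            elif name not in seen:    # de-duplicate, case-insensitively
                seen.add(name)
                blocked.append(name)
    return blocked, rejected

def render(blocked):
    return "".join("0.0.0.0 %s\n" % name for name in blocked)

# Constructed sample list (not from a real feed); 203.0.113.7 is a documentation address.
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.com tracker.example.net
127.0.0.1 ADS.example.com   # duplicate in another case
203.0.113.7 login.example.org
0.0.0.0 bad_host!.example
"""

if __name__ == "__main__":
    print(render(sanitize(SAMPLE)[0]))
```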
Privacy Respecting Search Engine
The only way to achieve true privacy is to not use a computer. The next best thing you can do is compartmentalization—one browser for Facebook, one browser for Google, etc.—as it is impossible to avoid browser fingerprinting. However, if you are diligent about keeping your online identities and habits separated, then the threat involved in being compromised is mitigated.
To achieve online privacy, it is recommended you install multiple different secure browsers on this page, with any necessary web security extensions, and use each one for a separate task or identity.
The following extensions falsely advertise themselves as privacy focused. They are not recommended for use and any site that recommends them should not be trusted.
- Ghostery was built and run by an advertising company that changed its name to capitalize on the privacy movement, before being sold to Cliqz in 2017, a Mozilla-backed company behind the controversial**, false privacy, data-collecting browser of the same name.
- Ghostery packages and sells user collected data to its advertising clients.
- Ghostery works directly with the Digital Advertising Alliance, to help power AdChoices.
- As of version 8.2, Ghostery has integrated its own web-embedded advertisements into its extension.
- Ghostery remained closed-source until the 2017 Cliqz purchase; however, it is now open-source under the MPL v2.
AdBlock, Adguard, AdBlock Plus
- Participates in the Acceptable Ads Program, in which deals are made with advertisers to be whitelisted in return for a share of the revenue.
- In 2009, the NoScript developer manipulated users' adblocking whitelist to allow Google AdSense advertisements on the author's own website. The author responded with an apology.
- In 2016, NoScript was caught linking malware in the advertisement-filled changelog page, which is opened by default any time an update is pushed.
The secure script-blocking alternative is ScriptSafe. However, it's unnecessary to install a dedicated extension when you can accomplish scriptblocking with the correct settings in uBlock Origin or uMatrix.
- Browser Privacy Test — Runs a series of tests including IP Leak, WebRTC leak, blacklist, DNS tests and more.
- Am I Unique — Tests whether the browser is unique by checking the following information: User-agent, Accept, Content Encoding, Content Language, List of Plugins, Platform, Cookies, Do Not Track, Timezone, Screen Resolution, Use of local storage, Use of session storage, Canvas, WebGL, Fonts, Screen resolution, Language, Platform, Use of Adblock.
- Panopticlick — Tests Supercookies, Canvas Fingerprinting, Screen size and color depth, browser plugins, time zone, DNT header, HTTP Accept headers, WebGL fingerprinting, language, system fonts, platform, user agent, touch support and cookies.
- Cross Browser Fingerprinting Test — Tests locality, operating system, screen resolution, time zone, User Agent string, HTTP Accept, Plugins, Fonts.
- SSL Server Test — Performs test scan of the configuration of any public SSL web server.
- Bad SSL — Tests how the browser handles certain SSL certificates and other SSL-types.
- IP Leak — Test IP & DNS leak.
- Have I Been Pwned? — Check if an email account has been compromised in a data breach.
- Canvas Fingerprinting — Checks whether Canvas can be used to fingerprint the browser.
- HTML5 Geolocation Test — Tries to look up your location in the world.
- WebRTC Leak Test — Tests whether local or public IP addresses are leaked.
- Hard Drive Fill Test — Tests whether sites can fill your hard drive with data.