Secure Web Browsers


A good web browser should be secure, lightweight and standards compatible. Extensibility is relevant only as far as it provides missing security. Accessibility support is not considered relevant here.


The popular modern web browsers (Chrome, Edge, Firefox, Internet Explorer, Opera & Safari) are highly insecure, performing unsolicited requests back to their database (phoning home), tracking user data, containing backdoors in the code for government spying and generally being in extreme violation of their users' privacy. This is true too of most browsers that market themselves as privacy or security focused, such as Brave Browser* and Vivaldi*. Any browser that is not Free & Open Source such that the code can be audited by independent third-parties, or one that phones home or performs automatic security update is not secure.

Beyond the browser itself, there are many exploits present on the web used commonly online to track users, primarily through loaded scripts and plug-ins - e.g. Javascript, Adobe Flash, Microsoft Silverlight - and loading third-party cookies. Any browser that features support for these modern technologies without functionality to toggle or control them is not secure.


The popular modern web browsers are heavily bloated and poorly optimized, suffering from insecure feature creep* and obligation to support the poorly written, non-standard HTML/CSS hackjobs prevalent on the web, resulting in extreme resource usage. Poorly written browser source code also makes exploits more likely and backdoors to be hidden "in plain sight" more easily. Contributing to the resource usage are the bloated (and insecure) Javascript frameworks that the bad practice modern web developers rely on heavily.

Rather than contribute to the dismal experience of modern web surfing, a good web browser should be clean, simple and optimized. Basic expected functionality beyond standards compliance is browsing history, bookmarking and tabs.

Standard Compatibility

HTML5 is a Living Standard and expansions to the codebase are rolled out regularly. As a new standard reaches support by the six major browsers (Chrome, Edge, Firefox, Internet Explorer, Opera & Safari) it begins to be adopted across the web, and a browser that does not keep up will find some websites not rendered as intended. Even if one relies primarily on a simple browser with basic feature functionality as their daily driver, keeping a browser that emphasizes standards compliance on hand is necessary to browse much of the modern web.

A Note on Operating Systems

This article assumes the reader is using a GNU/Linux or *BSD Operating System. Many of these applications will not be runnable on Windows.

Non-Extensible, Secure Browsers

These browsers are simple and effective, FOSS and do not carry any embedded spyware. However, they do not have support for secure extensions that can block malicious cookies, Javascript and user agent tracking from the websites you visit. These are recommended for casual use only.

Otter Browser
Otter Browser is a recreation of Opera 12.x's user interface with relative standards-compliance. It makes no unsolicited requests*.
Midori is a lightweight browser built on WebKit GTK+ framework with an emphasis on speed and supporting modern web technology.
File Manage and Web Browser for the KDE (Kool Desktop Environment). Standards-compliant. Low resource footprint in KDE due to most of the needed resources already being loaded by the DE.
Qutebrowser is a lightweight, minimalist vim-like browser built on Python and the Qt framework. It does not make unsolicited requests* and Javascript can be disabled on a per-domain basis in the config files.
Vimb is a lightweight, minimalist vim-like browser built on WebKit GTK+ framework.
Surf is a very lightweight, tab-less browser built on WebKit GTK+ framework following the suckless philosophy.

CLI-Based Browsers

These text-based browsers load directly in the terminal. They are FOSS and do not any perform unsolicited requests. They are extremely light-weight and can be used effectively to browse the web. However, they do not have support for Javascript and Adobe Flash, breaking many modern websites, and besides w3m, do not have inline image support. Their lack of support for scripts, plug-ins, graphic images and cookies — all of which are common tracking vectors — make these highly secure by default.

Support for tables, frames and color. SSL support. Partial CSS and cookies support. Includes browsing history. Lightweight relative to other CLI browsers and highly configurable.
Support for inline images, tables, frames and color.
Support for tables, frames and color. CSS and partial Javascript support. Includes hinted links, tabbed browsing, on-board download manager, bookmarks and history. Slow relative to other CLI-based browsers. However, it is no longer maintained and does not verify SSL authentication, so it was removed from the OpenBSD ports tree in 2017.

Note: These browsers are still vulnerable to the same vulnerabilities as wget and curl

Chromium Based Browsers


The following Chromium-based browsers perform unsolicited requests home, track user data, perform automatic updates, track location and/or record voice. They are not recommended for use.

  • Google Chrome*
  • Opera*
  • Vivaldi*
  • Brave Browser*


The following Chromium-based browsers are FOSS and do not perform unsolicited requests or track users.

Iridium is a modified and stripped-down Chromium made to be secure. It makes no unsolicited requests*. To be fully secure, disable Google Safe Browsing after install. Extensions can be downloaded directly from the Chrome Webstore.
Ungoogled-chromium extends Iridium slightly further, fully secure by default and does not draw attention to itself by setting its user agent to Chromium (Iridium advertises itself as Iridium). Extensions need to be installed by manually downloading and installing the CRX file from the webstore.

Firefox Based Browsers


The following Firefox-based browsers perform unsolicited requests home, track user data, perform automatic updates, track location and/or record voice. They are not recommended for use.

  • Mozilla Firefox*
  • Waterfox*
  • Pale Moon*
  • Cliqz*


The following Firefox-based browsers are FOSS and do not perform unsolicited requests or track users.

Hardened Firefox
Mozilla Firefox with full hardening in the user settings can be theoretically made to remove its embedded spyware, and go further by securing against known security vulnerabilities. Pre-configured user settings files can be imported, e.g. full and relaxed.
GNU IceCat
GNU IceCat is a Firefox fork from the Free Software Foundation. The older versions retain some of the spyware found in Firefox, but this appears to have been removed in Update 60.2. Javascript support is limited to secure scripts licensed under GPLv3 via LibreJS by default, but can be turned off.

Browser Extensions: Security

These extensions are only available for Chromium & Firefox based Browsers. They should all be installed and setup for secure web browsing.

Allows control over first party requests (divided into: cookies, scripts, XHR, frames, CSS, image, media, other). Blocks third party requests which is what is most often used for spying. Blocks ads and pop-ups. More powerful, effective, configurable and lightweight than any combination of ad-blocker and privacy control. Add * * script block to the rules list to block scripts by default. Review setup guide.

Note: Despite being commonly recommended as a secure scriptblocking extension, NoScript is malicious and harmful. Any site that recommends it should not be trusted.


Assumes all websites support SSL and attempts connection through it. Falls back to HTTP if SSL is not supported. Disable automatic whitelisting to prevent false negatives caused by network error being saved to user database.

Note: More effective than the commonly recommended HTTPS Everywhere, which reads from a global whitelist rather than testing every site for SSL.


Stores a local copy of vulnerable scripts (jQuery, Google scripts, etc.) that are commonly required by websites to work and have those be accessed instead to prevent sending out information.
Note: To prevent conflicts, Decentraleyes must be installed after Smart HTTPS and the following rules should be added to the uMatrix config:

* ajax.aspnetcdn.com script allow
* ajax.googleapis.com script allow
* ajax.microsoft.com script allow
* ajax.proxy.ustclug.org script allow
* cdn.jsdelivr.net script allow
* cdnjs.cloudflare.com script allow
* code.jquery.com script allow
* libs.baidu.com script allow


Multi-Account Containers
Allows you to compartmentalize session browsing history, cookies and saved passwords to employ profiles. However, due to the ease of browser fingerprinting, it's not nearly as effective as multi-browser compartmentalization.


Browser Extensions: Convenience

These extensions are only available for Chromium & Firefox based web browsers. They are not necessary but make browsing more efficient or comfortable.

Powerful vim-like extensions that allow for true mouseless browsing via hint mode (every link on the page is given a hotkey), keyboard page navigation and console control panel. Resource intensive.


Saka Key
Simplified, lightweight extension as an alternative to the above. Allows keyboard shorcut modification and provides hint mode for mouseless link navigation.


Sync Tab Groups
Allows tab groups to be saved as background sessions so they can be closed and reopened to prevent background tabs from taking up memory.


Makes any non-clickable hyperlink clickable (for example, links without http:// typed, or emails).


Quickly archive currently selected page on archive.is, web.archive.org, perma.cc or webcitation.org with toolbar icon or keyboard shortcut (default: Alt+Shift+Y).


Allows for custom per-domain CSS. A fork of an older Stylish version before it became spyware*.


Best Practices


Use two browsers, one for secure, private browsing as your main browser, and a secondary browser for when you need to access insecure sites that require scripts or cookies to work, or are connected to identifying information (e.g. logging into a social network).


Disable third-party cookies. Only accept first-party cookies from whitelisted sites. Clear cookies on browser close. To make logging back into sites less troublesome, use a password manager.


Disable scripts by default, e.g. using uMatrix. Only turn them on when a site is broken without it, and only allow first-party scripts.

Note: Any site this happens on is directly contradicting W3C standards: Javascript should only be progressive enhancement


Hide your IP by routing web traffic through a VPN. Use a TOR proxy for extra security.

Hosts List

Maintain a Hosts list file in your system to blacklist unwanted connections.

See: Adding a Hosts List

Privacy Respecting Search Engine

Replace your default browser search engine with one that respects privacy*: Searx.me, Startpage or Ixquick.

Note: Despite masquerading as a secure alternative, DuckDuckGo is compromised*** and any site that recommends it should not be trusted.

Online Privacy

The only way to achieve true privacy is to not use a computer. The next best thing you can do is compartimentalization—one browser for Facebook, one browser for Google, etc.—as it is impossible to avoid brower fingerprinting. However, if you are diligent about keeping your online identities and habits separated, then the threat involved in being compromised is mitigated.

To achieve online privacy, it is recommended you install multiple different secure browsers on this page, with any necessary web security extensions, and use each one for a separate task or identity.

False Privacy Extensions: Ghostery, AdBlock, NoScript

The following extensions falsely advertise themselves as privacy focused. They are not recommended for us and any site that recommends them should not be trusted.


The secure tracker blocking alternative is Privacy Badger, developed by the venerable non-profit Electronic Frontier Foundation.

AdBlock, Adguard, AdBlock Plus

The ethical (and more optimized) ad-blocking alternative is uBlock Origin, managed by the same developer as the more powerful, more light-weight and more comprehensive uMatrix.


Javascript Insecurity

Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web Lauinger et al., NDSS 2017

In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133K websites, we show that 37% of them include at least one library with a known vulnerability; the time lag behind the newest release of a library is measured in the order of years.
Unfortunately, security does not appear to be a priority in the JavaScript library ecosystem. Popular vulnerability databases contain nearly no entries regarding JavaScript libraries. During this entire work, we did not encounter a single popular library that had a dedicated mailing list for security announcements (in fact, most libraries we investigated did not have a mailing list for announcements at all). Furthermore, only a few JavaScript library developers provide a dedicated email address where users can submit vulnerability reports…
Although jQuery is an immensely popular library, the fact that searching for “security” or “vulnerability” in the official learning centre returns “Apologies, but nothing matched your search criteria” is an excellent summary of the state of JavaScript library security on the Internet, circa August 2016.

Summary & Analysis

Further Reading

Cloudfare DNS Insecurity

To be written.


  • Browser Privacy Test — Runs a series of test including IP Leak, WebRTC leak, blacklist, DNS tests and more..
  • Am I Unique — Tests whether the browser is unique by checking the following information: User-agent, Accept, Content Encoding, Content Language, List of Plugins, Platform, Cookies, Do Not Track, Timezone, Screen Resolution, Use of local storage, Use of session storage, Canvas, WebGL, Fonts, Screen resolution, Language, Platform, Use of Adblock.
  • Panopticlick — Tests Supercookies, Canvas Fingerprinting, Screen size and color depth, browser plugins, time zone, DNT header, HTTP Accept headers, WebGL fingerprinting, language, system fonts, platform, user agent, touch support and cookies.
  • Cross Browser Fingerprinting Test — Tests locality, operating system, screen resolution, time zone, User Agent string, HTTP Accept, Plugins, Fonts.
  • Whoer — Comprehensive test suite that tests for IP address, location, ISP, OS, Browser, Anonymity settings such as DNS, Proxy, Tor, Anonymizer or Blacklist, Browser headers, whether JavaScript, Flash, Java, ActiveX or WebRTC are enabled, time zone, language settings, screen information, plugins, navigator information and HTTP headers.
  • SSL Server Test — Performs test scan of the configuration of any public SSL web server.
  • Bad SSL — Tests how the browser handles certain SSL certificates and other SSL-types.
  • JavaScript Browser Information — Lots of information about the browser's JavaScript capabilities.
  • IP Leak — Test IP & DNS leak.
  • Have I Been Pwned? — Check if an email account has been compromised in a data breach..
  • Canvas Fingerprinting — Checks whether Canvas can be used to fingerprint the browser.
  • HTML5 Geolocation Test — Tries to look up your location in the world.
  • WebRTC Leak Test — Tests whether local or public IP addresses are leaked.
  • Hard Drive Fill Test — Tests whether sites can fill your hard drive with data.

Further Reading

Related Articles:

  • TOR
  • VPN
  • Hostlists
  • Javascript Considered Harmful
  • Mouse Considered Harmful: Mouseless Browsing

External References:

↑ Return ↑