
Secure Web Browsers


Principles

A good web browser should be secure, lightweight and standards compatible. Extensibility is relevant only as far as it provides missing security. Accessibility support is not considered relevant here.

Secure

The popular modern web browsers (Chrome, Edge, Firefox, Internet Explorer, Opera & Safari) are highly insecure, performing unsolicited requests back to their database (phoning home), tracking user data, containing backdoors in the code for government spying and generally being in extreme violation of their users' privacy. This is also true of most browsers that market themselves as privacy or security focused, such as Brave Browser* and Vivaldi*. Any browser that is not Free & Open Source such that the code can be audited by independent third parties, or that phones home or performs automatic security updates, is not secure.

Beyond the browser itself, many exploits are commonly used on the web to track users, primarily through loaded scripts and plug-ins (e.g. Javascript, Adobe Flash, Microsoft Silverlight) and through third-party cookies. Any browser that features support for these modern technologies without functionality to toggle or control them is not secure.

Lightweight

The popular modern web browsers are heavily bloated and poorly optimized, suffering from insecure feature creep* and an obligation to support the poorly written, non-standard HTML/CSS hackjobs prevalent on the web, resulting in extreme resource usage. Poorly written browser source code also makes exploits more likely and makes it easier to hide backdoors "in plain sight". Contributing to the resource usage are the bloated (and insecure) Javascript frameworks that modern web developers, following bad practice, rely on heavily.

Rather than contribute to the dismal experience of modern web surfing, a good web browser should be clean, simple and optimized. Basic expected functionality beyond standards compliance is browsing history, bookmarking and tabs.

Standard Compatibility

HTML5 is a Living Standard and expansions to the codebase are rolled out regularly. As a new standard reaches support by the six major browsers (Chrome, Edge, Firefox, Internet Explorer, Opera & Safari) it begins to be adopted across the web, and a browser that does not keep up will find some websites not rendered as intended. Even if one relies primarily on a simple browser with basic feature functionality as their daily driver, keeping a browser that emphasizes standards compliance on hand is necessary to browse much of the modern web.

A Note on Operating Systems

This article assumes the reader is using a GNU/Linux or *BSD Operating System. Many of these applications will not be runnable on Windows.

Non-Extensible, Secure Browsers

These browsers are simple and effective, FOSS and do not carry any embedded spyware. However, they do not have support for secure extensions that can block malicious cookies, Javascript and user agent tracking from the websites you visit. These are recommended for casual use only.

Otter Browser
Otter Browser is a recreation of Opera 12.x's user interface with relative standards-compliance. It makes no unsolicited requests*.
Midori
Midori is a lightweight browser built on WebKit GTK+ framework with an emphasis on speed and supporting modern web technology.
Konqueror
File manager and web browser for the KDE (Kool Desktop Environment). Standards-compliant. Low resource footprint in KDE due to most of the needed resources already being loaded by the DE.
Qutebrowser
Qutebrowser is a lightweight, minimalist vim-like browser built on Python and the Qt framework. It does not make unsolicited requests* and Javascript can be disabled on a per-domain basis in the config files.
Vimb
Vimb is a lightweight, minimalist vim-like browser built on WebKit GTK+ framework.
Surf
Surf is a very lightweight, tab-less browser built on WebKit GTK+ framework following the suckless philosophy.

CLI-Based Browsers

These text-based browsers load directly in the terminal. They are FOSS and do not perform any unsolicited requests. They are extremely lightweight and can be used effectively to browse the web. However, they do not have support for Javascript and Adobe Flash, breaking many modern websites, and besides w3m, do not have inline image support. Their lack of support for scripts, plug-ins, graphic images and cookies — all of which are common tracking vectors — makes these highly secure by default.

Lynx
Support for tables, frames and color. SSL support. Partial CSS and cookies support. Includes browsing history. Lightweight relative to other CLI browsers and highly configurable.
w3m
Support for inline images, tables, frames and color.
elinks
Support for tables, frames and color. CSS and partial Javascript support. Includes hinted links, tabbed browsing, on-board download manager, bookmarks and history. Slow relative to other CLI-based browsers. However, it is no longer maintained and does not verify SSL authentication, so it was removed from the OpenBSD ports tree in 2017.

Note: These browsers are still subject to the same vulnerabilities as wget and curl.

Chromium Based Browsers

Spyware:

The following Chromium-based browsers perform unsolicited requests home, track user data, perform automatic updates, track location and/or record voice. They are not recommended for use.

  • Google Chrome*
  • Opera*
  • Vivaldi*
  • Brave Browser*

Secure:

The following Chromium-based browsers are FOSS and do not perform unsolicited requests or track users.

Iridium
Iridium is a modified and stripped-down Chromium made to be secure. It makes no unsolicited requests*. To be fully secure, disable Google Safe Browsing after install. Extensions can be downloaded directly from the Chrome Webstore.
Ungoogled-Chromium
Ungoogled-chromium extends Iridium slightly further: it is fully secure by default and does not draw attention to itself, since it sets its user agent to Chromium (Iridium advertises itself as Iridium). Extensions need to be installed by manually downloading and installing the CRX file from the webstore.

Firefox Based Browsers

Spyware:

The following Firefox-based browsers perform unsolicited requests home, track user data, perform automatic updates, track location and/or record voice. They are not recommended for use.

  • Mozilla Firefox*
  • Waterfox*
  • Pale Moon*
  • Cliqz*

Secure:

The following Firefox-based browsers are FOSS and do not perform unsolicited requests or track users.

Hardened Firefox
Mozilla Firefox with full hardening in the user settings can theoretically be made to remove its embedded spyware, and go further by securing against known security vulnerabilities. Pre-configured user settings files can be imported, e.g. full and relaxed.
GNU IceCat
GNU IceCat is a Firefox fork from the Free Software Foundation. The older versions retain some of the spyware found in Firefox, but this appears to have been removed in Update 60.2. Javascript support is limited to secure scripts licensed under GPLv3 via LibreJS by default, but can be turned off.

Browser Extensions: Security

These extensions are only available for Chromium & Firefox based browsers. They should all be installed and set up for secure web browsing.

uMatrix
Allows control over first-party requests (divided into: cookies, scripts, XHR, frames, CSS, image, media, other). Blocks third-party requests, which are what is most often used for spying. Blocks ads and pop-ups. More powerful, effective, configurable and lightweight than any combination of ad-blocker and privacy control. Add the rule "* * script block" to the rules list to block scripts by default. Review setup guide.

Note: Despite being commonly recommended as a secure scriptblocking extension, NoScript is malicious and harmful. Any site that recommends it should not be trusted.

DL: CHR; CRX; FF.

Smart HTTPS
Assumes all websites support SSL and attempts connection through it. Falls back to HTTP if SSL is not supported. Disable automatic whitelisting to prevent false negatives caused by network errors being saved to the user database.

Note: More effective than the commonly recommended HTTPS Everywhere, which reads from a global whitelist rather than testing every site for SSL.

DL: CHR; CRX; FF.

Decentraleyes
Stores local copies of vulnerable scripts (jQuery, Google scripts, etc.) that websites commonly require in order to work, and serves those copies instead so that no information is sent out.
Note: To prevent conflicts, Decentraleyes must be installed after Smart HTTPS and the following rules should be added to the uMatrix config:

* ajax.aspnetcdn.com script allow
* ajax.googleapis.com script allow
* ajax.microsoft.com script allow
* ajax.proxy.ustclug.org script allow
* cdn.jsdelivr.net script allow
* cdnjs.cloudflare.com script allow
* code.jquery.com script allow
* libs.baidu.com script allow

DL: CHR; CRX; FF.
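
An added example, not part of the original page and not code from Decentraleyes or uMatrix: a Python script that lists which of the eight CDN hosts allowed above a page's script tags load from, and which library version each URL pins. The URL layouts it recognizes and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The eight CDN hosts named in the uMatrix rules above.
CDN_HOSTS = {"ajax.aspnetcdn.com", "ajax.googleapis.com", "ajax.microsoft.com",
             "ajax.proxy.ustclug.org", "cdn.jsdelivr.net", "cdnjs.cloudflare.com",
             "code.jquery.com", "libs.baidu.com"}

# Common CDN path layouts (an assumption; other layouts yield no version):
#   /libs/<name>/<version>/...   <name>@<version>/...   <name>-<version>.min.js
VERSION_PATTERNS = [
    re.compile(r"/libs/(?P<name>[^/]+)/(?P<ver>\d+(?:\.\d+)+)/"),
    re.compile(r"/(?P<name>[\w.-]+)@(?P<ver>\d+(?:\.\d+)+)"),
    re.compile(r"/(?P<name>[A-Za-z][\w.-]*?)-(?P<ver>\d+(?:\.\d+)+)[\w.-]*\.js$"),
]

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []          # src attribute of every <script> tag seen

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def cdn_inventory(html):
    """Return (host, library, version) for each script loaded from a listed CDN."""
    collector = ScriptCollector()
    collector.feed(html)
    found = []
    for src in collector.sources:
        url = urlparse(src)                      # also handles //host/path URLs
        host = (url.hostname or "").lower()
        if host in CDN_HOSTS:                    # skip first-party and unlisted hosts
            match = next((m for p in VERSION_PATTERNS if (m := p.search(url.path))), None)
            name, ver = (match["name"], match["ver"]) if match else (None, None)
            found.append((host, name, ver))
    return found

# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="//code.jquery.com/jquery-1.11.0.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@4.1.3/dist/js/bootstrap.min.js"></script>
<script src="https://tracker.example/t.js"></script>
"""
print(cdn_inventory(SAMPLE_HTML))
```

The versions it reports can then be compared by hand against each library's current release, which is the lag the study quoted under Javascript Insecurity measures.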

Multi-Account Containers
Allows you to compartmentalize session browsing history, cookies and saved passwords to employ profiles. However, due to the ease of browser fingerprinting, it's not nearly as effective as multi-browser compartmentalization.

DL: CHR; CRX; .

Browser Extensions: Convenience

These extensions are only available for Chromium & Firefox based web browsers. They are not necessary but make browsing more efficient or comfortable.

Vimium/Tridactyl
Powerful vim-like extensions that allow for true mouseless browsing via hint mode (every link on the page is given a hotkey), keyboard page navigation and console control panel. Resource intensive.

DL: CHR; CRX; FF.

Saka Key
Simplified, lightweight extension as an alternative to the above. Allows keyboard shortcut modification and provides hint mode for mouseless link navigation.

DL: CHR; CRX; FF.

Sync Tab Groups
Allows tab groups to be saved as background sessions so they can be closed and reopened to prevent background tabs from taking up memory.

DL: CHR; CRX; FF.

LinkBot
Makes any non-clickable hyperlink clickable (for example, links without http:// typed, or emails).

DL: CHR; CRX; FF.

Archiveror
Quickly archive currently selected page on archive.is, web.archive.org, perma.cc or webcitation.org with toolbar icon or keyboard shortcut (default: Alt+Shift+Y).

DL: CHR; CRX; FF.

Stylus
Allows for custom per-domain CSS. A fork of an older Stylish version before it became spyware*.

DL: CHR; CRX; FF.

Best Practices

Compartmentalization

Use two browsers, one for secure, private browsing as your main browser, and a secondary browser for when you need to access insecure sites that require scripts or cookies to work, or are connected to identifying information (e.g. logging into a social network).

Cookies

Disable third-party cookies. Only accept first-party cookies from whitelisted sites. Clear cookies on browser close. To make logging back into sites less troublesome, use a password manager.

Scripts

Disable scripts by default, e.g. using uMatrix. Only turn them on when a site is broken without it, and only allow first-party scripts.

Note: Any site this happens on is directly contradicting W3C standards: Javascript should only be progressive enhancement

Proxy

Hide your IP by routing web traffic through a VPN. Use a TOR proxy for extra security.

Hosts List

Maintain a Hosts list file in your system to blacklist unwanted connections.

See: Adding a Hosts List
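
An added example, not part of the original page: a Python check to run over a downloaded hosts-format list before its entries are appended to /etc/hosts. It accepts only lines that map names to a sink address and rejects any line that would point a name at another address; the function names, the set of sink addresses and the sample list are assumptions constructed for illustration.

```python
import ipaddress

SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}          # conventional sink addresses
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def vet_blocklist(text):
    """Split hosts-format text into (blocked_names, rejected_lines).

    A line is accepted only when it maps names to a sink address. A line that
    points a name at any other address is rejected: a blocklist has no reason
    to redirect traffic, and such an entry would hijack that name.
    """
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue                                   # blank or comment line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((lineno, "not an IP address"))
            continue
        if addr not in SINKS:
            rejected.append((lineno, "maps to non-sink address " + addr))
            continue
        names = {n.lower().rstrip(".") for n in fields[1:]}
        blocked |= names - LOCAL_NAMES                 # never block localhost
    return sorted(blocked), rejected

def render_hosts(blocked):
    """Emit normalized entries, one name per line, all pointing at 0.0.0.0."""
    return "".join(f"0.0.0.0 {name}\n" for name in blocked)

# Constructed sample of a downloaded list (names and addresses are made up).
SAMPLE = """\
# example blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # inline comment
127.0.0.1 ads.example.com
203.0.113.7 bank.example.org
telemetry.example.com
"""

if __name__ == "__main__":
    names, problems = vet_blocklist(SAMPLE)
    print(render_hosts(names), problems)
```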

Privacy Respecting Search Engine

Replace your default browser search engine with one that respects privacy*: Searx.me, Startpage or Ixquick.

Note: Despite masquerading as a secure alternative, DuckDuckGo is compromised*** and any site that recommends it should not be trusted.

Online Privacy

The only way to achieve true privacy is to not use a computer. The next best thing you can do is compartmentalization—one browser for Facebook, one browser for Google, etc.—as it is impossible to avoid browser fingerprinting. However, if you are diligent about keeping your online identities and habits separated, then the threat involved in being compromised is mitigated.

To achieve online privacy, it is recommended you install multiple different secure browsers on this page, with any necessary web security extensions, and use each one for a separate task or identity.


False Privacy Extensions: Ghostery, AdBlock, NoScript

The following extensions falsely advertise themselves as privacy focused. They are not recommended for use and any site that recommends them should not be trusted.

Ghostery

The secure tracker blocking alternative is Privacy Badger, developed by the venerable non-profit Electronic Frontier Foundation.

AdBlock, Adguard, AdBlock Plus

The ethical (and more optimized) ad-blocking alternative is uBlock Origin, managed by the same developer as the more powerful, more light-weight and more comprehensive uMatrix.

NoScript

Javascript Insecurity

Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web Lauinger et al., NDSS 2017

In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133K websites, we show that 37% of them include at least one library with a known vulnerability; the time lag behind the newest release of a library is measured in the order of years.
Unfortunately, security does not appear to be a priority in the JavaScript library ecosystem. Popular vulnerability databases contain nearly no entries regarding JavaScript libraries. During this entire work, we did not encounter a single popular library that had a dedicated mailing list for security announcements (in fact, most libraries we investigated did not have a mailing list for announcements at all). Furthermore, only a few JavaScript library developers provide a dedicated email address where users can submit vulnerability reports…
Although jQuery is an immensely popular library, the fact that searching for “security” or “vulnerability” in the official learning centre returns “Apologies, but nothing matched your search criteria” is an excellent summary of the state of JavaScript library security on the Internet, circa August 2016.

Summary & Analysis

Further Reading

Cloudflare DNS Insecurity

To be written.

Tools

  • Browser Privacy Test — Runs a series of tests including IP leak, WebRTC leak, blacklist, DNS tests and more.
  • Am I Unique — Tests whether the browser is unique by checking the following information: User-agent, Accept, Content Encoding, Content Language, List of Plugins, Platform, Cookies, Do Not Track, Timezone, Screen Resolution, Use of local storage, Use of session storage, Canvas, WebGL, Fonts, Screen resolution, Language, Platform, Use of Adblock.
  • Panopticlick — Tests Supercookies, Canvas Fingerprinting, Screen size and color depth, browser plugins, time zone, DNT header, HTTP Accept headers, WebGL fingerprinting, language, system fonts, platform, user agent, touch support and cookies.
  • Cross Browser Fingerprinting Test — Tests locality, operating system, screen resolution, time zone, User Agent string, HTTP Accept, Plugins, Fonts.
  • Whoer — Comprehensive test suite that tests for IP address, location, ISP, OS, Browser, Anonymity settings such as DNS, Proxy, Tor, Anonymizer or Blacklist, Browser headers, whether JavaScript, Flash, Java, ActiveX or WebRTC are enabled, time zone, language settings, screen information, plugins, navigator information and HTTP headers.
  • SSL Server Test — Performs test scan of the configuration of any public SSL web server.
  • Bad SSL — Tests how the browser handles certain SSL certificates and other SSL-types.
  • JavaScript Browser Information — Lots of information about the browser's JavaScript capabilities.
  • IP Leak — Test IP & DNS leak.
  • Have I Been Pwned? — Check if an email account has been compromised in a data breach.
  • Canvas Fingerprinting — Checks whether Canvas can be used to fingerprint the browser.
  • HTML5 Geolocation Test — Tries to look up your location in the world.
  • WebRTC Leak Test — Tests whether local or public IP addresses are leaked.
  • Hard Drive Fill Test — Tests whether sites can fill your hard drive with data.

Further Reading

Related Articles:

  • TOR
  • VPN
  • Hostlists
  • Javascript Considered Harmful
  • Mouse Considered Harmful: Mouseless Browsing

External References:

