N.E.P.T.R

It’s a panel of tests for browsers. It isn’t the clearest what each mean (without doing a little research) and not all categories and subcategories have equal importance. I still like this website though just for the listed information.

I recommend Fedora or openSUSE Tumbleweed.

Lol, understandable.

It seems like an interesting setup. I don’t really have too much to say other than nitpicks.

Why not use Mullvad browser for both scenarios. Mullvad with security level safest should block all JS. You could create a 2nd profile for safest only mode.

Using Linux .desktop launcher scripts, you could:

• Create a .desktop launcher (in ~/.local/share/applications/) for each profile
• Edit default desktop launcher to always prompt to choice profile on start (using the launch option -P)
• Edit the default launcher to offer a menu option for each profile.

Related to your choice of host OS, I personally avoid Debian for desktop because it is slow to adapt (cus its Debian). I know it isnt directly applicable to situation since your main concern seems to be anti-fingerprinting, but a secure base is important. I’d like to know your reason for picking it. I don’t dislike Debian and I still use it for different things (mostly VMs and some dev work).

Thanks for the rant, I liked your write-up.

I think it may also help some people to create simple decision flowcharts to help with acting consistent and avoid making simple mistakes with a complex threat model. Basically a scenario and the decision tree. Say for example someone is using QubesOS and needs to keep consistent what each qube is for and why.

Of course creating charts that show your strategy and make your decision predictable is itself just even more privileged information you now need to protect.

Also, any effective threat model also requires consistent reevaluation to assess the effectiveness of your methods and adjust with the evolution of threats.

Understandable, thank you for your (and contributor’s) work on this project. I am happy that i dont need to compile Fennec with hardening from source for each update.

Ok, might want to make that more clear under the section about issues inherited from Mull which still mentions RFP.

Your explaination seems sound.

Idk why, it doesnt say anything on their gitlab about changing that. Maybe it is a problem with the build process? I remember on Mull a couple months ago i did a clean install and RFP was disabled. You can just enable it if you want.

It is important if you care. They sign releases with the same Tor Browser key. Instructions are found on this page: https://mullvad.net/en/help/verifying-mullvad-browser-signature

You need 2 files (both are on the download page):

• Browser file
• Signature file

The basic process is as follows:

1. Obtain signing key.
2. Verify browser using signature file.

Note: Ignore warning about the key not being signed with a trusted key (we skip an unnecessary step for a begineer walkthrough)

You can double check everything I said by looking at their instructions.

Technically, the best way to blend in is to avoid changing the behaviour much from the default. I would still advise the below settings because they do improve your security, and anti-fingerprinting against naive first-party fingerprinting scripts (all 3rd party scripts/iframes should be blocked, see below: uBlock Medium/Hard). If you need protection against advanced fingerprinting use Tor/Mullvad browser.

uBlock:

• Change uBlock blocking mode to Medium or Hard using the instructions on their Github wiki. Can cause site breakage on shitty websites (eg sites that import large JS libraries from remote sources). It is a substantial improvement over default, see the wiki for medium mode: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode

• Enable filterlist Privacy>Block Outside Intrusion to LAN (Access to LAN is used to fingerprint or by threat actors during reconnaissance phase of hacking)

• Consider enabling other filterlists included in uBlock. Try to minimize enabling extra lists from the default to avoid further fingerprinting.

Librewolf:

• Enable limiting of referrers under LibreWolf Preferences>Privacy>Limit cross-origin referers

• Enable letterboxing under LibreWolf Preferences>Fingerprinting>Enable letterboxing

For me, no matter how good their browser is, I ain’t going to use it. If someone forks it to remove the BAT crypto nonesense id consider using it. I’ve been tempted to compile chromium from source and just add brave-core content/fingerprint blocking. Ideally, any fork would maintain the same general fingerprint with brave.

For now, Cromite is the way to go in-terms of hardened Chromium with built-in adblocking and without Google nonesense. The only downside is their choice to use Adblock Plus engine, but this is for the technical reason that engine is inferior to uBlock Origin and Brave Shields. The inclusion of ABP doesn’t effect privacy (ik people will understandably mention the ABP scandal) because they forked ABP and use custom filter lists, which is still a very good benefit above vanilla Chromium.

I do agree that smartphone have gotten too large to be reasonably comfortable.

You could rebase to Secureblue, but that would replace Bazzite.

I have no idea about any smaller phones.

Is the phone size a problem because it is hard to hold? If so, maybe try one of those things that you stick on the back of your phone as a handle (pop-socket?)

Hypatia, and all other Divested apps, are dead. The Dev (Tavi) is done with their Android projects.

Since all your searches could be correlated to your account (subscription service) by Kagi, I consider that a major deal-breaker when discussing its privacy.

See if RTranslator meets your needs for a gtranslate alternative.

Also, Heliboard has swipe/glide typing and can use other STT/voice type apps. I recommend Heliboard + FUTO Voice Input.

/e/os is often behind on Android monthly security patches (sometimes up to a month!) and the apps they fork I have heard also often lag behind upstream. It also doesnt do much to deblob the ROM if proprietary binary blobs.

Comparison table of Android ROMs: https://eylenburg.github.io/android_comparison.htm

IIRC, they block 3rd Android ROMs (eg GrapheneOS) using Google’s Safety net service verification.

Using a VPN should defeat the attack by having a different data center cache the media file.