N.E.P.T.R

e/OS/ is often behind on Android monthly security patches by a month or more. Insecure and not very deblobbed of proprietary blobs, especially when compared to GrapheneOS.

DuckDuckGo Browser is a webview browser which has weaker tab isolation and uses the system’s default webview implementation, most often chrome webview.

Do you use libsodium for encryption? They is the gold standard.

Instead of canvas blocker, check out JShelter.

Canvas blocker is redundant with Librewolf’s protections (privacy.resistFingerprinting), same with JS blocker redundant with uBlock Origin. You make yourself more fingerprintable. It is better that you first understand what protections you have and why before adding new addons that increase attack surface. The features you are looking for are included already.

I honestly dont know, I never use twitch. I use the add-on Libredirect to auto use alternative frontends.

https://ttv.vern.cc/

It might have been your DNS that was identified? It depends on whether you enabled proxy DNS for SOCKS5.

For best fingerprinting protection, use either:

• Mullvad Browser with a VPN (prefer Mullvad VPN)
• Tor Browser

Avoid using Tor with a normal browser because you will stick out like a sore thumb.

It’s a panel of tests for browsers. It isn’t the clearest what each mean (without doing a little research) and not all categories and subcategories have equal importance. I still like this website though just for the listed information.

I recommend Fedora or openSUSE Tumbleweed.

Lol, understandable.

It seems like an interesting setup. I don’t really have too much to say other than nitpicks.

Why not use Mullvad browser for both scenarios. Mullvad with security level safest should block all JS. You could create a 2nd profile for safest only mode.

Using Linux .desktop launcher scripts, you could:

• Create a .desktop launcher (in ~/.local/share/applications/) for each profile
• Edit default desktop launcher to always prompt to choice profile on start (using the launch option -P)
• Edit the default launcher to offer a menu option for each profile.

Related to your choice of host OS, I personally avoid Debian for desktop because it is slow to adapt (cus its Debian). I know it isnt directly applicable to situation since your main concern seems to be anti-fingerprinting, but a secure base is important. I’d like to know your reason for picking it. I don’t dislike Debian and I still use it for different things (mostly VMs and some dev work).

Thanks for the rant, I liked your write-up.

I think it may also help some people to create simple decision flowcharts to help with acting consistent and avoid making simple mistakes with a complex threat model. Basically a scenario and the decision tree. Say for example someone is using QubesOS and needs to keep consistent what each qube is for and why.

Of course creating charts that show your strategy and make your decision predictable is itself just even more privileged information you now need to protect.

Also, any effective threat model also requires consistent reevaluation to assess the effectiveness of your methods and adjust with the evolution of threats.

Understandable, thank you for your (and contributor’s) work on this project. I am happy that i dont need to compile Fennec with hardening from source for each update.

Ok, might want to make that more clear under the section about issues inherited from Mull which still mentions RFP.

Your explaination seems sound.

Idk why, it doesnt say anything on their gitlab about changing that. Maybe it is a problem with the build process? I remember on Mull a couple months ago i did a clean install and RFP was disabled. You can just enable it if you want.

It is important if you care. They sign releases with the same Tor Browser key. Instructions are found on this page: https://mullvad.net/en/help/verifying-mullvad-browser-signature

You need 2 files (both are on the download page):

• Browser file
• Signature file

The basic process is as follows:

1. Obtain signing key.
2. Verify browser using signature file.

Note: Ignore warning about the key not being signed with a trusted key (we skip an unnecessary step for a begineer walkthrough)

You can double check everything I said by looking at their instructions.

Technically, the best way to blend in is to avoid changing the behaviour much from the default. I would still advise the below settings because they do improve your security, and anti-fingerprinting against naive first-party fingerprinting scripts (all 3rd party scripts/iframes should be blocked, see below: uBlock Medium/Hard). If you need protection against advanced fingerprinting use Tor/Mullvad browser.

uBlock:

• Change uBlock blocking mode to Medium or Hard using the instructions on their Github wiki. Can cause site breakage on shitty websites (eg sites that import large JS libraries from remote sources). It is a substantial improvement over default, see the wiki for medium mode: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode

• Enable filterlist Privacy>Block Outside Intrusion to LAN (Access to LAN is used to fingerprint or by threat actors during reconnaissance phase of hacking)

• Consider enabling other filterlists included in uBlock. Try to minimize enabling extra lists from the default to avoid further fingerprinting.

Librewolf:

• Enable limiting of referrers under LibreWolf Preferences>Privacy>Limit cross-origin referers

• Enable letterboxing under LibreWolf Preferences>Fingerprinting>Enable letterboxing

For me, no matter how good their browser is, I ain’t going to use it. If someone forks it to remove the BAT crypto nonesense id consider using it. I’ve been tempted to compile chromium from source and just add brave-core content/fingerprint blocking. Ideally, any fork would maintain the same general fingerprint with brave.

For now, Cromite is the way to go in-terms of hardened Chromium with built-in adblocking and without Google nonesense. The only downside is their choice to use Adblock Plus engine, but this is for the technical reason that engine is inferior to uBlock Origin and Brave Shields. The inclusion of ABP doesn’t effect privacy (ik people will understandably mention the ABP scandal) because they forked ABP and use custom filter lists, which is still a very good benefit above vanilla Chromium.

I do agree that smartphone have gotten too large to be reasonably comfortable.