Mullvad vpn and the tor project team up to release the mullvad browser

xrz

Mullvad VPN and the Tor Project today present the release of the Mullvad Browser, a privacy-focused web browser designed to be used with a trustworthy VPN instead of the Tor Network.

“We want to free the internet from mass surveillance and a VPN alone is not enough to achieve privacy. From our perspective there has been a gap in the market for those who want to run a privacy-focused browser as good as the Tor Project’s but with a VPN instead of the Tor Network," says Jan Jonsson, CEO at Mullvad VPN.

next browser?

https://mullvad.net/en/blog/2023/4/3/mullvad-vpn-and-the-tor-project-team-up-to-release-the-mullvad-browser/

treesmokah

DWC.
Can't find the source code, and they appear to release something while their core servers are sleeping.

MrLime

What would be a good use case for this. Perhaps for downloading Linux ISO's? Nothing stops me from just paying for a VPN or setting up dynamic ssh tunnel to get the ISO's though.

kait

@treesmokah said: Can't find the source code

https://github.com/mullvad/mullvad-browser/tree/mullvad-browser-102.9.0esr-12.0-2

treesmokah

@kait said:

@treesmokah said: Can't find the source code

https://github.com/mullvad/mullvad-browser/tree/mullvad-browser-102.9.0esr-12.0-2

My bad, was looking at main branch.

treesmokah

@MrLime said:
What would be a good use case for this. Perhaps for downloading Linux ISO's? Nothing stops me from just paying for a VPN or setting up dynamic ssh tunnel to get the ISO's though.

It does not include a VPN. Its basically Tor Browser without Tor.
It may be useful for other networks though, like I2P.
People "hacked" Tor Browser in order to use I2P in it, now they don't have to.

kait

@treesmokah said: My bad, was looking at main branch.

Same, it was mention there.

emgh

About privacy focused services

I had somewhat of a quick thought about creating a Proton Mail like service but that actually don’t log IPs at all.

But after studying that area of law, ”interpersonal communication services” have to store user data and VPNs don’t.

Laws are really written by people who have never signed up for a newsletter without watching a tutorial on it first, but I guess that’s also why there’s loopholes everywhere so maybe I shouldn’t complain.

That idea obiously won’t see any light of day though.

xrz

from mullvad:

The Mullvad Browser hard facts: list of settings and modifications.

Want to know exactly how the Mullvad Browser combat fingerprinting and other tracking? This is the place.
Private browsing mode by default

Private browsing does not save your browsing information, such as history and cookies, and leaves no trace after you end the session.

Private browsing does not save your browsing information, such as history and cookies, and leaves no trace after you end the session.
What won't be saved in private browsing mode?

Visited pages: Pages will not be added to the list of sites in the history menu, the library window's history list, nor in the address bar drop-down list.
Form and search bar entries: Nothing you enter into text boxes on web pages nor the search bar will be saved for form autocomplete.
Download list entries: Files you download will not be listed in the downloads library.
Cookies: Cookies set in private windows are held temporarily in memory, and will be discarded at the end of your private session (after the last private window is closed).
Cached web content and offline web content and user data: Temporary internet files (cached files) and files that websites save for offline use will not be saved.

What will be saved in private browsing mode?

Bookmarks you create
Extensions settings
Browser's cache for internal (mostly UI) components

Fingerprinting resistance

To mitigate browser fingerprinting, privacy.resistFingerprinting is enabled.

Here is a list of the main modifications:

Your timezone is reported to be UTC
Not all fonts installed on your computer are available to webpages
The browser window prefers to be set to a specific size (see letterboxing section)
Your browser reports a specific, common version number and operating system
Your keyboard layout and language is disguised
Your webcam and microphone capabilities are disguised
The media statistics web API reports misleading information
Any site-specific zoom settings are not applied
The WebSpeech, gamepad, sensors, and performance web APIs are disabled

Here are the preferences:

privacy.resistFingerprinting set to true
privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts set to true
privacy.resistFingerprinting.block_mozAddonManager set to true
privacy.resistFingerprinting.exemptedDomains set to *.example.invalid
privacy.resistFingerprinting.jsmloglevel set to Warn
privacy.resistFingerprinting.letterboxing set to true
privacy.resistFingerprinting.randomDataOnCanvasExtract set to true
privacy.resistFingerprinting.reduceTimerPrecision.jitter set to true
privacy.resistFingerprinting.reduceTimerPrecision.microseconds set to 1000
privacy.resistFingerprinting.target_video_res set to 480
privacy.resistFingerprinting.testGranularityMask set to 0
services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter set to true
services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds set to true

Here are a list of other changes:

WebGL readPixel function is disabled
Disable NTLM authentication
Disable OS CA certificates and make sure that after disabling them any OS CA certificate is removed
Disable speculative connections
CSS system fonts are normalized, to hide any customization at the OS level, or the defaults that different locales might have
Disable privilege elevation in the updater code
Disable some mechanisms of code injection for 3rd party applications (including antiviruses)
Disable the mechanisms to synchronize settings with Mozilla
Updates are verified using the open source NSS library, instead of relying on OS crypto
Remove some of Firefox's default extensions, such as screenshots, etc...
Disable special privileges of Mozilla sites (including, addons.mozilla.org)

And here's a listing of the compile options:

--disable-crashreporter (minimize telemetry)
--disable-parental-controls (to disable local/OS MTIM)
--disable-eme (Encrypted Media Extensions, for other DRMs)
--enable-proxy-bypass-protection
--disable-system-policies (make sure Mullvad Browser does not obey policies system administrators set for Firefox, or, in other words, give users complete control of their browser)
--enable-bundled-fonts
--disable-backgroundtasks
--disable-update-agent
--disable-default-browser-agent (Windows only, another telemetry thing)

Letterboxing

Mullvad Browser in its default mode is starting with a content window rounded to a multiple of 200px x 100px to prevent fingerprinting the screen dimensions. The strategy here is to put all users in a couple of buckets to make it harder to single them out. That works so far until users start to resize their windows (e.g. by maximizing them or going into fullscreen mode).

Mullvad Browser ships with a fingerprinting defense for those scenarios as well, which is called letterboxing, a technique developed by Mozilla and presented in 2019. It works by adding margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that minimize the likelihood of singling them out with the help of window dimensions.

In simple words, this technique makes groups of users of certain window sizes and this makes it harder to single out users on basis of window size, as many users will have same screen size.
Security levels

Increasing the security level in the Mullvad Browser security settings will disable or partially disable certain browser features to protect against possible attacks. You can enable these settings again at any time by adjusting your security level.
Standard

At this level, all Mullvad Browser and website features are enabled.
Safer

This level disables website features that are often dangerous. This may cause some sites to lose functionality. JavaScript is disabled on all non-HTTPS sites; some fonts and math symbols are disabled; audio and video (HTML5 media) are click-to-play.
Safest

This level only allows website features required for static sites and basic services. These changes affect images, media, and scripts. Javascript is disabled by default on all sites; some fonts, icons, math symbols, and images are disabled; audio and video (HTML5 media) are click-to-play.
New identity button

This option is useful if you want to prevent your subsequent browser activity from being linkable to what you were doing before. Selecting it will close all your open tabs and windows, clear all private information such as cookies and browsing history. Mullvad Browser will warn you that all activity and downloads will be stopped, so take this into account before clicking “New identity”.

Warning! Clicking this button will not change you IP address. You'll need to use a VPN and manually switch server as well.
Search

DuckDuckgo is the default search engine.
No search suggestions when you start typing. Enabling this leaks what you type to the search engine before you press Enter.

Telemetry

Telemetry and crash reporting are entirely disabled in the browser at compile time. The pingsender executable, which would send the telemetry to Mozilla is removed as well.

Here are a list of the only connections automatically made by the browser:

Browser update (Mullvad)
Mullvad Browser Extension update (Mullvad)
Mullvad DoH (Mullvad)
NoScript/uBlock Origin update (Mozilla)
Certificates (via OCSP; CAs, including but not limited to, Mozilla, Google, Letsencrypt, Digicert, Globalsign, etc. triggered either by browsing, or by other background requests that are over HTTPS)
Domains update
uBlock Origin filter lists update (various lists)

Browser Settings (Interface)

No extension recommendations
No search engine recommendations
No addition/recommendation of third-party services
No password manager (it's better to keep password manager as a separate tool)
No phishing and malware protection ( we want to prevent this feature from phoning home and reaching out to Mozilla when double-checking URL hits, and to Google when checking downloaded files. Moreover, the databases locally cached for performance and privacy by these features are periodically updated through remote settings, which we currently disable on the same "reduce phoning home" theme)
Do Not Track is disabled
HTTPS-Only Mode enabled in all windows

Extensions
uBlock Origin

To the default uBlock Origin configuration, these two lists have been added:

Adguard URL Tracking Protection (query string tracking parameter stripping)
EasyList Cookie (cookie banners removal)

NoScript

NoScript is used as the back-end of the Security Level feature nd provides additional protections like Cross-Site Scripting (XSS) filtering. NoScript's icon is hidden by default like in the Tor Browser, but can be added along other extensions from the Customize Toolbar menu.
Mullvad Browser Extension

Mullvad Browser Extension improves your browsing experience while using Mullvad VPN:

Easily check connection details
Verify you have no IP/webRTC/DNS leaks
Recommend the use of HTTPS-Only & uBlock Origin
While using Mullvad VPN, connect to any of our proxy (socks5) servers with one click. This will make your browser traffic go through the location of your choice.

Dns Over HTTPS (DoH)

Mullvad Browser is configured to use Mullvad DoH for all DNS requests, without fallback. In the settings, you can also configure it to use Mullvad Adblocking DoH.

See our recommendation for DoH usage.
Nearly identical fingerprint

Mullvad Browser is specifically engineered to have a nearly identical (we're not perfect!) fingerprint across its users per operating system. This means each Mullvad Browser user looks like many other Mullvad Browser users, making it difficult to track any individual user.

Want to learn more about browser fingerprinting? Here's our article about it.
No un-audited features

Mullvad Browser, like Tor Browser, is based on Firefox. When new features are added in Firefox, they will be first audited and reviewed in order to minimize the risk for security and privacy. Only then will they be considered for addition in Mullvad Browser.
Differences with Tor Browser

No Tor Network patches
No multilanguage support
No onboarding patches
Different branding/installer metadata
WebRTC is enabled
Web Audio API is enabled (needed for WebRTC)
uBlock Origin / Mullvad Browser Extension
NoScript Cross-tab Identity Leak Protection is disabled by default
Mullvad DoH
A Tor Browser specific cryptocurrency targeted protection is removed
No drag and drop protections (it's a specific proxy-bypass measure)
No download warning popup (the one that says that you should use Tails to open downloads)

Advin

@MrLime said:
What would be a good use case for this. Perhaps for downloading Linux ISO's? Nothing stops me from just paying for a VPN or setting up dynamic ssh tunnel to get the ISO's though.

I guess it's just a more convenient way to have an anonymous browser/incognito mode that's routed through a VPN. Less anonymous, but way faster than Tor and could be used for folks who want privacy when accessing websites, while not having to fiddle around with split tunneling, downloading other anonymous browsers, etc.

emgh

@Advin said:

@MrLime said:
What would be a good use case for this. Perhaps for downloading Linux ISO's? Nothing stops me from just paying for a VPN or setting up dynamic ssh tunnel to get the ISO's though.

I guess it's just a more convenient way to have an anonymous browser/incognito mode that's routed through a VPN. Less anonymous, but way faster than Tor and could be used for folks who want privacy when accessing websites, while not having to fiddle around with split tunneling, downloading other anonymous browsers, etc.

In one way I agree but in another less anonymous is a strong claim.

According to swedish law, a VPN provider don’t have to save any browing history or anything like that.

So the only way I imagine something you do being exposed because of the VPN and it somehow leaking your data; it must be because someone managed to breach the services somehow.

And I guess then Mullvad would be an easier target because it’s centralized but honestly Tor is centralized too, the difference is anyone can operate a node; and I guess that has some in theory potential downsides to it as well.

MannDude

Why would Tor agree to have their name on a 3rd party and unrelated privacy product?

So, hardened FireFox (which you can do yourself) with Tor's name recognition and Mullvad's commercial VPN?

The Tor browser by itself would likely be much better for privacy than this setup, so it's strange that Tor would be cool with this (imo).

xrz

@MannDude said: Why would Tor agree to have their name on a 3rd party and unrelated privacy product?

money funny thing is, that the blog post dates to 03 march, so 1 month to day and they announce mullvad browser?

https://mullvad.net/en/blog/2023/3/3/mullvad-becomes-highest-level-of-tor-member-shallot/
https://www.torproject.org/about/membership/

Shallot Onion Member

≥ $100,000 per year

Your organization’s logo, linking back to your website, along with a quote from your organization about your motivation for joining the Membership Program, is featured on our Membership Program page. We will also engage in social media, events, and other promotional mechanisms.

TheGreatOakley

@MannDude said:
Why would Tor agree to have their name on a 3rd party and unrelated privacy product?

So, hardened FireFox (which you can do yourself) with Tor's name recognition and Mullvad's commercial VPN?

The Tor browser by itself would likely be much better for privacy than this setup, so it's strange that Tor would be cool with this (imo).

Mullvad donated quite a lot of money to Tor, I guess that could be one of the reason winkwink

SirFoxy

@MannDude said:
Why would Tor agree to have their name on a 3rd party and unrelated privacy product?

So, hardened FireFox (which you can do yourself) with Tor's name recognition and Mullvad's commercial VPN?

The Tor browser by itself would likely be much better for privacy than this setup, so it's strange that Tor would be cool with this (imo).

It's advertising. No less, no more.

There's no difference between using the VPN app or the browser VPN app. It's just a VPN app with Mullvad and Tor branding.

babuum

@MannDude said:
Why would Tor agree to have their name on a 3rd party and unrelated privacy product?

So, hardened FireFox (which you can do yourself) with Tor's name recognition and Mullvad's commercial VPN?

The Tor browser by itself would likely be much better for privacy than this setup, so it's strange that Tor would be cool with this (imo).

https://blog.torproject.org/releasing-mullvad-browser/

LTniger

Noscript alone brakes so many websites. All modern websites use javascript.

treesmokah

@LTniger said:
Noscript alone brakes so many websites. All modern websites use javascript.

/rant

(((WARNING: NOT POLITICALLY CORRECT, everyone offended should send an email [email protected] - they are the ones responsible for my word, they made me do that, they control me)))

All gay websites use javascript. 99% websites that use it - don't need it, CSS is powerful as fuck and if the devs weren't lazy and didn't use flavour of the week frameworks, we've been living in a better world.

I do not want to shill for a literal drugs marketplace, but just go to https://incogbot.io/ and generate a tor mirror then open it with tor browser with JS disabled. You will see what a wonderful job Incognito Market devs did with all the animations and other shit, everything without a single line of JS. Libre forum - https://forum.incogbot.io/, it also has neat animations and other shit - completely without JS.

I just fucking hate it when "drug lords" have to show wagecuck frontend devs how to do their work. If there is no reason to use JS - don't fucking use it, learn CSS you mindless fuck. "Darknet" sites are the only ones doing the web in a sane way, all - including Dread and now gone Alphabay(fuck desnake, greedy jew).

You can do 99% of "modern web dev" including responsive designs, live fetched data - all with clean HTML and CSS. @MannDude did excellent work with his website, sadly whmcs requires some JS but its not his fault really.

I'm personally kickstarting a VPS and billing panel for my own use - all without JS and other retarded shit. I want the web to be pure. I do not know if I will ever release it publicly, but It will be used by my current clients in near future.

JavaScript and WASM is what destroyed the web, together with soy latte drinking, dick takers and woke mac users doing "frontend work" because they can't fucking handle standard HTML and CSS.

I will die sooner than we have proper JS and WASM sandboxing implemented in to the browsers. FUCK THIS SHIT.

rant/

qquccs

I don't know if it is easy to use, is it free or paid?

treesmokah

@qquccs said:
I don't know if it is easy to use, is it free or paid?

its free, it does not include a vpn.
its basically a Tor Browser without Tor integration, instead of Tor there are a lot of perks for mullvad vpn users - however its still usable without a mullvad vpn(paid).

qquccs

@treesmokah said:

@qquccs said:
I don't know if it is easy to use, is it free or paid?

its free, it does not include a vpn.
its basically a Tor Browser without Tor integration, instead of Tor there are a lot of perks for mullvad vpn users - however its still usable without a mullvad vpn(paid).

I tried, but the browser cannot access the Internet,
It seems that their browsers can only be used after they are connected to their vpn.
So their browser is useless!

Harambe

@qquccs said:

@treesmokah said:

@qquccs said:
I don't know if it is easy to use, is it free or paid?

its free, it does not include a vpn.
its basically a Tor Browser without Tor integration, instead of Tor there are a lot of perks for mullvad vpn users - however its still usable without a mullvad vpn(paid).

I tried, but the browser cannot access the Internet,
It seems that their browsers can only be used after they are connected to their vpn.
So their browser is useless!

You tried checking your internet? It doesn't require using their VPN.

It's just "hardened" firefox that has the mullvad, ublock origin, and noscript extensions pre-installed. I'm using it with my own custom SOCKS proxy and it works fine.

The mullvad extension doesn't do anything unless you're already connected to one of their servers from your machine.

qquccs

@Harambe said:

@qquccs said:

@treesmokah said:

@qquccs said:
I don't know if it is easy to use, is it free or paid?

its free, it does not include a vpn.
its basically a Tor Browser without Tor integration, instead of Tor there are a lot of perks for mullvad vpn users - however its still usable without a mullvad vpn(paid).

I tried, but the browser cannot access the Internet,
It seems that their browsers can only be used after they are connected to their vpn.
So their browser is useless!

You tried checking your internet? It doesn't require using their VPN.

It's just "hardened" firefox that has the mullvad, ublock origin, and noscript extensions pre-installed. I'm using it with my own custom SOCKS proxy and it works fine.

The mullvad extension doesn't do anything unless you're already connected to one of their servers from your machine.

Then their browser doesn't do much, either.
In contrast, I prefer tor browser,
This can be directly connected and used!

emg

Because of their anti-fingerprinting and anti-tracking capabilities, both the Mullvad browser and the Tor browser make it appear that you are a fresh new user each time you open a session to a website using those browsers. That's how they work and what makes them different than the more familiar browsers.

The Mullvad browser shares the same anti-fingerprinting and anti-tracking capabilities as the Tor browser, but the Mullvad browser does not use the Tor onion network. This gives Mullvad browser a huge performance boost over the Tor browser. The tradeoff is that the Mullvad browser gives up much of the security and privacy offered by Tor browser's encrypted onion routing. (I am concerned that people may be misinformed and rely on Mullvad when they should use Tor for their own safety.)

The Mullvad browser works fine over the ordinary internet. It works with a VPN or without a VPN, just like any other browser. I tried it.

(In addition, the Mullvad browser offers a plug-in to connect to the Mullvad VPN. That feature seems designed to help Mullvad sell VPN subscriptions. In my opinion, Mullvad is not special compared with other VPNs.)

titus

Probably another Firefox browser with some extra plugin/extension, what's call "unique browser" (X Browser), while it's just another FireFox with some extension. :$

jmaxwell

It is a Firefox fork that offers a variety of privacy-focused defaults and modifications designed to prevent browser fingerprinting. Firefox lacks adequate default privacy settings and has notable vulnerabilities when it comes to preventing fingerprinting. Tor browser has many anti fingerprinting options by default but it isn’t built with clearnet access in mind. Mullvad's browser bridges this gap as users don’t have to tweak Firefox themselves as they get a hardended browser out of the box.