As if responding to my previous blog article on web fingerprinting, Mullvad (a very respectably VPN company) has just released a new web browser specifically designed to hide your identity – partly by attempting to defeat fingerprinting. As you might expect, there are pros and cons. Here’s my first-blush review.
What is the Mullvad Browser?
So, what is the Mullvad Browser? And why do we need yet another browser? The point of the Mullvad Browser is to try to give you all the anonymity and privacy features of the more well known Tor Browser, but with out the Tor network part. The Tor network uses onion routing and encryption to effectively prevent the websites you visit from being able to see your true IP address. Your IP address, which is assigned to you by your internet service provider (ISP) and is attached to every web request your browser makes, doesn’t change very often and therefore can be used to recognize your browser (and therefore you) across websites. Unfortunately, inserting three individually encrypted server hops between your browser and your browsing destination tends to seriously slow down your effective connection speed.
The other tool that people more commonly use to disguise their IP address is a Virtual Private Network (VPN). When you use a VPN, you trade your trust for your ISP for the provider of the VPN service (which is not always a good trade). But VPN connections tend to be much, much faster than Tor – almost as fast as your direct internet connection. So Tor and Mullvad have created a new version of the Tor Browser which removes the automatic Tor network connection and replaces it with a VPN connection. It keeps most of the other privacy features of the Tor Browser (which itself is based on Firefox). Note that you don’t have to use the Mullvad VPN – you can use any VPN – but the browser has built-in capabilities to interwork with Mullvad VPN.
The Good
So what are those features? The Mullvad Browser has my favorite anti-tracking and ad-blocking plugin, uBlock Origin, built in. It has ‘private browsing mode’ on by default, which prevents any local traces of your browsing activity from being saved: your browsing and search history, cookies and cached data. The browser collects zero telemetry or user data. The Mullvad Browser uses DuckDuckGo for searches (though you can change it), has a restricted list of Certificate Authorities, and uses DNS over HTTPS (DoH). It also comes with a Mullvad VPN extension pre-installed, which I would remove. Ironically, this alone would make you appear more unique.
And for those of you wondering, there is no profit motive, either. Mullvad makes money on their VPN service. This browser is meant to enhance their users’ privacy, and with help from the Tor Project and Mozilla (maker of Firefox), they can provide this browser with minimal effort. It’s really just the Tor Browser without the Tor network. And note that some websites actually block connections from the Tor network, so the Mullvad Browser lets you work around that, too.
But for me, the most interesting part of this browser is its anti-fingerprinting technology. I discussed fingerprinting at length in my last post and lamented that it’s very hard to prevent. The Mullvad Browser incorporates several mechanisms to try to make your browser instance appear to be very common – that is, to not be unique. The idea is to be another face in the crowd, to blend in. So Mullvad restricts the information normally given away by your browser via HTTP headers and JavaScript queries. For example, it lies about your timezone (it’s always UTC), what fonts you have installed (minimal, generic), what browser and operating system version you’re running, and even hides your keyboard language. (Click here for more details.) All of this is done in an effort to standardize these responses as much as possible, to minimize differences between browsers.
The Bad
There are always tradeoffs when it comes to security and privacy – most often with convenience. These privacy measures will cause some websites to malfunction or act funny – and others to not work at all. For example, if the website tries to give you relevant content based on your perceived location, the UTC time zone (London) might throw it off. If you’re looking to download a software installer, it might not offer you the correct version for your operating system (Intel Mac instead of Apple Silicon, for example). And of course, any website that doesn’t like ad blockers will complain.
There are a few other oddities. In order to try to group users into common groups, you can’t set a precise browser window size. As you scale your window, you’ll see letterboxes because Mullvad Browser is limiting the choices for window size to a reduced set of fixed dimensional options. Because your history is scrubbed constantly, you’ll never stay logged in to any website… though the whole point of this browser is to be anonymous, so you shouldn’t be logging in anywhere in the first place. One of the more impactful limitations is that you can only use Mullvad Browser on computers – there is (currently) no mobile option. Also, the browser is only available for English language, though we can hope that more options will be available with time.
The Ugly
So far, I would say these are all good trade-offs. If you want to browse anonymously, these are precisely the sorts of protections you should adopt and limitations you should expect (sadly). You may not want to always browse this way, but for times when anonymity is paramount and you would rather not deal with the pokey speeds of the Tor network, the Mullvad Browser over a VPN connection is a great alternative option to have available.
But there’s one major problem: according to three different fingerprinting testers (Am I Unique, Cover Your Tracks, and Fingerprint.com), I was still considered to be unique. That is, I was still fingerprintable – enough to be recognized as the same user, anyway. It’s possible I was doing something wrong, but the whole point of this sort of tool is that you’re not supposed to be able to screw it up. There are three privacy levels with Mullvad: Standard, Safer and Safest. I was using Safer because Safest would break many websites (for example, it blocks all JavaScript). And if I blocked all JavaScript, that would also ironically make me abnormal and stick out.
The Bottom Line
Despite the above, I still think Mullvad Browser has a place in your arsenal of privacy tools. Defeating fingerprinting is hard. This browser does many of the things that you should do to reduce your uniqueness – to smudge your fingerprint. But it’s obviously not perfect. My hope is that it will get better. I’ll be watching it and rooting for the Mozilla, Tor and Mullvad teams to improve it over time. And while not perfect (nothing is), I think it’s probably still the best you’re going to find right now, as far as turn-key solutions go. Just be sure to use it with a good VPN service, since it doesn’t use the Tor network. Your IP address is still the most unique part of your fingerprint, so you need to hide your real address. To try it out, download it here.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!
