Set up a framework to fully man-in-the-middle my own browsers’ networking and see what they’re up to beyond just looking at their DNS queries and encrypted TCP packets. We force the browser to trust our mitmproxy cacert so we can peek inside cleartext traffic and made it conveniently reproducible and extensible.
It has containers for official Firefox, its Debian version, and some other FF derivatives that market a focus on privacy or security. Might add a few more of those or do the Chromium family later - if you read the thing and want more then please let us know what you want to see under the lens in a future update!
Tests were run against a basic protocol for each of them and results are aggregated at the end of the post.
Posting with ambition that this can trigger some follow-ups sharing derived or similar things. Maybe someone could make a viral blog post by doing some deeper tests and making their results digestible ;)



So essentially, Mullvad is the only one out of the browsers tested that doesn’t leak notable amounts of data on first launch.
At least in most cases, the data is being leaked back to the developer and not third parties.
I don’t think the data supports that. I’m curious what makes you single it out. Mullvad is in the top-tier but it is not alone (or clearly #1 - like the post gets into - it gets nuanced and I think any attempt at general objective “top 5 ranking” will be reductive to the point of being misleading or plain wrong. So I’m not trying that here). Read again? :)
For example of nuance displayed in results:
### Number of requests
119 firefox
81 firefox-esr
0 konform
7 librewolf
30 mullvad-browser
62 zen-browser

You’re right—they’re all doing differently privacy impacting things, but there are no “winners”.
There can still be winners, the good, the bad, and the ugly. It’s just that we have to engage a bit deeper than a quick scroll and a one-liner to figure it out[1].
The difference matters. Looking into the raw URLs and bodies involved is enlightening. Apart from that, which other queries that we can run with `jq` (or other tools) can we add to the post to add more useful dimensions?

1: The answer might be different for each of us and depend on what we’re doing at the moment. Different situations might call for different browsers.
What is this based on? Why not see if that assumption is true[1]? There’s quite a big difference in nature and quality here between them. This doesn’t really come through in the data aggregation put on display in the post but I hope more people will try to run this on their own. Zen and Mozilla are the only ones with significant (and it is significant) telemetry of their own at all between these while LibreWolf and Konform have 0 data going to the devs, for one.
The whole idea here is to be able to achieve more nuanced and accurate understanding so more educated decisions can be made and enlightening conversation be had. Not just keep rehashing the same memes based on vibes and hearsay.
Was hoping more for answering questions or getting new input than shooting down uninformed takes 😅
1: Well, staying inside the system we can’t prove that no sharing with third-parties is going on if we only see one domain involved. But that is not the case everywhere here. We can easily see when separate servers operated by multiple parties are involved by looking at the URLs and looking up the domain names. And then we can go look at what’s being sent to where.
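
An added example, not part of the original thread or the project's code: one extra dimension beyond the raw request count discussed above, splitting each browser's captured requests by destination host and separating hosts under the developer's own domains from everything else. The `(browser, URL)` records, the browser names, the reserved `.example`/`.test` hosts and the `FIRST_PARTY` mapping are all constructed assumptions; the real capture format is not shown on this page.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample records (browser, request URL); not real capture data.
FLOWS = [
    ("browser-a", "https://telemetry.vendor-a.example/submit/ping"),
    ("browser-a", "https://telemetry.vendor-a.example/submit/ping2"),
    ("browser-a", "https://cdn.thirdparty.test/list.json"),
    ("browser-a", "https://notvendor-a.example/x"),  # lookalike, not a subdomain
    ("browser-b", "https://updates.vendor-b.example/check"),
    ("browser-b", "https://VENDOR-B.example:443/"),
]

# Assumption: domains the analyst has decided belong to each browser's developer.
FIRST_PARTY = {
    "browser-a": ("vendor-a.example",),
    "browser-b": ("vendor-b.example",),
}


def host_of(url):
    """Lower-cased hostname without port; empty string if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def is_first_party(browser, host):
    """Match on a label boundary so 'notvendor-a.example' is not accepted."""
    return any(host == d or host.endswith("." + d)
               for d in FIRST_PARTY.get(browser, ()))


def summarize(flows):
    """Per browser: total requests, distinct hosts, and third-party host counts."""
    per_browser = defaultdict(Counter)
    for browser, url in flows:
        per_browser[browser][host_of(url)] += 1
    return {
        browser: {
            "requests": sum(hosts.values()),
            "hosts": len(hosts),
            "third_party": {h: n for h, n in hosts.items()
                            if not is_first_party(browser, h)},
        }
        for browser, hosts in per_browser.items()
    }


if __name__ == "__main__":
    for browser, row in sorted(summarize(FLOWS).items()):
        print(browser, row)
```
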