Competition in Privacy. Testing the browsers

The content of the article

• Trust but check!
• Comfortable Dragon
• Waterfox
• Iron
• Brave
• Epic
• Dooble Web Browser
• Conclusions

Installing a dedicated secure browser is one way to increase your privacy quickly and easily. Only these browsers have grown lately like fleas on a barbosque. With which of them is it not scary and into fire, and into water, and on sites for adults, and with which it is better not to go further than Yandex at all? Today we will try to find an answer to this burning question.

For tracking users, not only cookies and the notorious IP tracking are used, but also the so-called browser fingerprint, which includes information about the program version, OS bit depth, language settings, User Agent, screen resolution and other technical parameters of the system. There is also the Evercookie technology, implemented using a special application in JavaScript, and behavioral analysis, when special scripts collect information about user actions – time spent on web pages, scrolling speed, clicks on links, and more. Tracking, let alone blocking, all these functions is not so easy.

In the settings of any modern browser, you can find the “Security” section, which contains the parameters related to privacy and confidentiality. So, in Chrome there is a mode of “safe browsing” of web pages with built-in protection against “potentially dangerous” sites, the ability to enable your own DNS service, as well as configure electronic keys and certificates. Opera has its own VPN, more like a banal proxy, and the ability to prevent web sites from monitoring outgoing traffic. Plus the same standard “protection against malicious sites”. Firefox has built-in protection against tracking, allows you to configure settings for storing passwords, cookies and browser history.

However, all these technical tricks are leveled by the ability to install plugins that can do almost anything their developers want. Some plugins are capable of sending personal data to a remote server, tracking user actions, and embedding advertisements in the viewed web pages. In general, if basic protection against surveillance is built into almost all modern browsers, then there is no user protection at all.

It is believed that safe, or, as they are also called, protected, browsers are a “clean” program without any bells and whistles and add-ons, sharpened for maximum privacy. They allow you to work on the Internet, leaving a minimum of digital traces, block the transmission of telemetry and data collection. They are careful about cookies, browsing history and are more careful about storing form data that the user fills out, or not at all. But the main thing is that most of them do not support the installation of third-party unverified extensions, among which something bad can “stick” to the browser.

When it comes to secure web browsing, the first thing you think of is Tor Browser, well known to everyone. That is why we will not consider it in this article. Moreover, Tor Browser is more often used as a tool for surfing the darknet. Instead, we’ll take a closer look at six alternative programs that their developers are positioning as safe and secure browsers for Windows.

Trust but check!

To find out whether it is worth trusting such programs, I decided not to invent complex stands and not to build a special laboratory. To compare protected browsers, a virtual machine with a freshly installed Windows and several online tests specially created to check the security level of such programs are quite enough. Here they are.

• Qualys Browser Check – checks for vulnerabilities in the browser and tests the settings for working with cookies. By default, for passing the test, it is proposed to install a special plugin, but you can do without it by using the link on the site.
• Cloudflare Browsing Experience Security Check is a test from a well-known company Cloudflare that checks the DNS, certificates, cookie settings used by the browser and the presence of known vulnerabilities.
• Privacy Analyzer is a comprehensive browser check for data leakage. Tracking by IP, browser fingerprint is checked, privacy settings are tested.
• Panopticlick – test for third-party tracking cookies and browser fingerprint tracking.
• Webkay is a service that demonstrates all the information that your browser transmits to websites on the Internet.

So, we figured out the evaluation criteria. Now let’s move on to our test browsers – what results will they show us with the default settings? We’ll find out now!

Comfortable Dragon

• Developer: Comodo Group
• Website: comodo.com/home/browsers-toolbars/browser.php

Comodo Dragon is perhaps the most popular solution for safe surfing on the net after Tor Browser. Dragon claims to be a one-stop solution for those who don’t want to wait half an hour for Tor to launch.

INFO

Comodo’s reputation took a hit once when the company was caught in 2016 for putting its products on a VNC server without demand.

In fact, the dudes at Comodo made two whole security browsers with the same set of functions, but on different engines: Comodo Dragon based on Chromium platform and Ice Dragon based on Firefox. Among the announced features are built-in malware protection, the use of secure DNS, cookie blocking and domain validation to combat phishing.

I downloaded both versions of “Lizard” at once and launched them on the virtual machine in turn. Outwardly, Dragon looks like a familiar Chrome and starts at about the same speed – on my virtual machine it took an average of 4.5 seconds to load. The browser also inherited its love of RAM from Chrome – with one window and one open tab, Comodo Dragon immediately launched five processes in the system and ate 90 MB.

Well, let’s see what the tests say.

• Qualys Browser Check recognized the outdated Chrome browser in Comodo Dragon, after which it offered to download a newer version from the Google website.
• Cloudflare Browsing Experience Security Check has determined that Dragon does not authenticate DNS server responses with DNSSEC and does not support SNI server name encryption when establishing a TLS connection, which could theoretically compromise privacy.
• The Privacy Analyzer test showed that Dragon successfully transmitted my IP address, location, browser version, OS bit and screen resolution to the remote host.
• Panopticlick demonstrated that the browser has a unique “fingerprint” and does not send the DNT (do not track) HTTP flag to the server, which allows tracking the user. All other security tests on this site have passed Comodo Dragon successfully.
• Finally, judging by the Webkay page , in addition to the version and bitness of Windows, IP address and screen resolution, Dragon allows you to correctly recognize the battery level of my device and the type of processor. The browser did not allow scanning the local network in search of available devices.

Comodo Ice Dragon outwardly differs little from its “non-icy” brother. Firefox and Firefox, nothing special. It loads and works quite quickly: it took three seconds from clicking on the icon to launching the application.

• Qualys Browser Check did not find any flaws, the test was passed with 100% success.
• Cloudflare Browsing Experience Security Check showed exactly the same result as in the previous case.
• According to Privacy Analyzer , the browser sends out all the same data as its sibling, including the IP address and OS version.
• Panopticlick reported that the program does not block ad tracking attempts, does not send DNT, and has a unique fingerprint.
• But Webkay presented a surprise: it turned out that the browser has a unique User Agent IceDracon 65.0.2and does not send any data about the hardware to the side at all, except for the processor capacity. But, in addition to the external IP address, Webkay happily showed me the IP of the network interface of my LAN. Using a special button on the site, I tried to scan the devices available on the local network, but the search did not bring any results.

Waterfox

• Developer: Alex Kontos
• Website: waterfox.net

This is another Firefox clone with an emphasis on security, with versions not only for Windows, but also for macOS and Linux, with only a 64-bit version available. The section “About the program” of the official website says that the browser was made in 2011 by a sixteen-year-old schoolboy Alex Kontos, who is updating and supporting his brainchild to this day. The author claims that his application does not collect telemetry and only sends out data about the browser version and OS in order to receive updates on time. All the rest are confidential, the developer assures, in complete safety. Outwardly, the program is the most ordinary Firefox – so ordinary that it is even boring. It works and loads at the same speed, I did not notice any significant differences with the usual “Fox”.

Let’s see how the tests will be evaluated by the student.

• Qualys Browser Check – the test passed successfully, no problems were identified.
• Cloudflare Browsing Experience Security Check revealed that Waterfox has issues with DDNSEC verification and Encrypted SNI implementation. In addition, the browser does not support TLS 1.3.
• Finally, Waterfox successfully failed all the Privacy Analyzer tests , and according to Panopticlick and Webkay , it leaked out my IP address, processor type and bit, as well as screen resolution settings, but prudently hid all other data.

It is noteworthy that Waterfox is recognized as Firefox 56.0, while the current version of Fox is 79.0. That is, the clone lags behind the original by about an eternity, and this may mean problems not with privacy, but with security.

Iron

• Developer: SRWare
• Website: srware.net/iron

Iron is built on the basis of Chromium, uses the latest versions of WebKit and V8, and also includes its own ad blocking component. According to the creators, Iron does not send telemetry to Google, does not send automatic bug reports, and does not update in the background, which saves traffic. It also has an “elegant design”.

SRWare Iron is similar to Chrome a little less than completely. The program starts up in about 3.5 seconds and works with several open tabs quite quickly: I did not notice significant brakes behind it. It even seemed to me that this browser is faster than Chromium in the Comodo assembly.

• Qualys Browser Check complained to me about an outdated version of Google Chrome (83.0.4250) and said it was insecure.
• The Cloudflare benchmark showed performance similar to Comodo’s browsers – including TLS 1.3 support, but claims against DNSSEC and Encrypted SNI.
• Panopticlick swore at the standard set of privacy problems (all tests failed) and in between times noticed that if SRWare Iron has some kind of ad blocker, it doesn’t work.
• Privacy Analyzer and Webkay reported that the ” piece of hardware ” sends out data about the browser version, version and bitness of the OS, IP address, all information about the hardware (including the video card model, screen resolution and battery status), but the data on the local network remained for Webkay secret.

Brave

• Developer: Brave Software
• Website: brave.com

The creators of the Brave browser claim that their Chromium-based product, like no other, prevents tracking and possible data leaks. One of Brave’s tricks is the ability to send cryptocurrency payments to websites and content creators in the form of Basic Attention Tokens , a cryptocurrency platform developed by Brave Software based on Etherium.

In 2017, when the platform was first launched, Brave Software sold more than $ 35 million tokens, and distributed to new users of the platform in order to raise a total of 300 thousand tokens. Brave browser users can earn tokens for viewing ads or pay content creators – either by sending microtransactions or using the built-in Brave function, when a predetermined amount of reward is automatically distributed among the owners of sites registered in the system, depending on how much time the user spent watching the content.

There are versions of the browser for Windows, macOS, Linux, as well as Android and iOS. We will only consider the first of them, the interface of which, as you would expect, is cosplayed by Chrome.

• Qualys Browser Check showed that the current version of Chrome is up to date, no update required.
• The Cloudflare benchmark did not show anything new – the same result was found in both Comodo and Iron browsers.
• But Panopticlick gave an unexpected result: as it turned out, Brave successfully blocks ads, automatic tracking, but does not send DNT and has a characteristic “fingerprint” by which it can be calculated.
• Privacy Analyzer and Webkay surprised me even more: both sites did not show my IP address and location, although services like WhatIsMyIP detected it without any problems. The browser transmitted information about the version and bitness of the OS, hardware (including the processor, graphics adapter, screen resolution and battery status). The program uses as User Agent Chrome 84.0.4147.125.

On the whole, a good result. Given the fact that the application is fast enough (although it feels slower than Iron), it is clearly worth looking at it.

Epic

• Developer: Hidden Reflex
• Website: epicbrowser.com

This browser is developed by a company based in Bangalore, India with a presence in Washington DC. Here I really wanted to joke about the Hindu code, but Epic, like its competitors, is based on Chromium, so the code is Google. The developer of the program, Alok Bhardwaj, claims that Epic successfully blocks tracking, fingerprinting, annoying ads, cryptomining and voodoo magic . In addition to the version for Windows, you can download the release for macOS on the site, there are also links to Google Play and the App Store for downloading mobile versions.

Immediately after launching the application, the user sees a formidable warning that some browser functions, such as built-in VPN, proxy and ad blocker, need to be installed separately in the form of plugins available on a special page of the Epic Extension Store. How, in this case, Epic differs from the usual “Chrome”, in which you can also configure proxy and VPN using plugins, remained a mystery to me. Well, let’s see what this browser can do out of the box with default settings.

• Qualys Browser Check – no problems or comments.
• Cloudflare is a similar result to Comodo and Iron.
• Panopticlick – the browser successfully blocks ads and tracking attempts, but does not send DNT and has a characteristic “fingerprint”
• Privacy Analyzer – the test “hangs” on determining the IP-address and geolocation, I never got the result.
• Webkay – the service successfully determined my IP and OS version, but did not show absolutely any data about the hardware, except for the processor bit. The browser is defined as Chrome 84.0.4147.105.

Looking at the name of the product, I was anticipating that it would be possible to write about “epic fail”, but surprisingly the browser has proven itself quite well. Blocking ads, tracking, as well as a minimum of data transmitted to the outside, and all this without additional plugins, is a pretty serious claim for success.

Dooble Web Browser

• Developer: Dooble Project Team
• Website: textbrowser.github.io/dooble/

The development of this open source browser began twelve years ago. The Dooble interface is based on Qt, and the application itself is cross-platform: there are versions for FreeBSD, Linux, macOS, OS / 2 and Windows, and as a portable version for all platforms. The distribution kit can be downloaded from GitHub as a ZIP archive containing the executable file and all the necessary libraries.

With default settings, Dooble automatically deletes cookies, and data stored in the program is encrypted (except for information about user settings). The browser uses a session model using temporary keys, and the passphrase can be changed without losing data. You need to create a master password in the settings when you start Dooble for the first time, otherwise all the data saved in the browser will be erased upon shutdown. These features allow Dooble to be conditionally classified as safe browsers.

On my virtual machine with Windows 10, Dooble flatly refused to start, cursing about the lack of some library, but on the host machine with Windows 7, it suddenly started working. The external design of the program can be characterized by the phrase “hello from the nineties” – he even squeezed out a nostalgic tear from me.

Comparative tests gave the following results.

• Qualys Browser Check – called Dooble an insecure version of Google Chrome – apparently due to the User Agent used by the browser.
• Cloudflare is a result similar to Comodo, Iron, Epic and Brave.
• Panopticlick – a complete failure of the test on all counts.
• Privacy Analyzer and Webkay – the browser transmitted the IP address, OS and hardware data, geolocation, screen resolution. The program is presented to external services as Chrome 84.0.4147.163.

Dooble is arguably the fastest browser I’ve tested in this experiment. Considering that it is presented as a portable version, the application can be very useful for systems in which installation of programs is difficult. It is also likely to appeal to BSD and Linux users. The performance of the application in Windows 10 raises certain doubts.

Conclusions

The results of the experiment turned out to be ambiguous. Contrary to expectations, the best results were shown not by the products of the famous company Comodo, but by quite modest Brave and Epic. However, Comodo Ice Dragon is also not bad – it sends out less data about the device than its counterpart. Comodo Dragon I would put in fourth place. Owners of devices with weak hardware and old versions of the OS may like Dooble, which has good performance. But Waterfox and Iron dived to the very bottom of our modest rating with an iron – they are worse than competitors in coping with advertising and tracking blocking.

Obviously, none of the programs listed in today’s article can provide complete anonymity and security on the Internet. For real privacy, you need to use a VPN, disable script processing in the browser settings, use encrypted containers to store form data and passwords. In addition, there is a wide assortment of plugins designed to improve network security. But we will talk about them in detail another time.