A Defensive Computing Checklist    by Michael Horowitz

WEB BROWSERS

Topics below
Which Browser, Using A Browser, Extensions, Desktop Firefox, Don't Use Chrome

Never rely on a single web browser, regardless of the device you use. I would argue that even two are not enough. To me, the Defensive Computing stance is to have three browsers installed on all your devices. Not that you can't use one browser 99% of the time, just have the others at the ready, just in case.

NOTE: May 2024. See the Search Engine topic for instructions on configuring assorted web browsers to disable the Google Search feature known as "AI Overview" that just started rolling out to the public.

WHICH BROWSER

Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer even though it was, for many years, a poor choice. Now, the crowd has voted for Google's Chrome browser, which is not a good Defensive Computing choice. The bottom half of this page has many articles that make the case against Chrome. I would also avoid the Edge browser for two reasons. First, it is popular and thus a high value target. Second, I don't trust Microsoft.

On a desktop Operating System (Windows, macOS, Linux) I suggest using Firefox, the Brave browser or the Mullvad browser.

Brave has ad blocking and tracker blocking built in. It is based on Chrome and supports all Chrome extensions. It also runs on Android and iOS.

The Mullvad browser is based on Firefox and the Tor browser (which is also based on Firefox). It was first released in April 2023 and I have been using it since the initial release. It seems to be locked down, security-wise, even more than Brave. For example, it gets an excellent rating at the Cover Your Tracks tester from the EFF. It is locked down so tight that some websites do not work, or some functions on a website may not work. Still, it is my first choice. Mullvad is a very trustworthy software provider and, despite being a VPN company, the browser does not require the use of any VPN. On Windows, the software is portable and it self-updates automatically. It also runs on macOS and Linux. It has been actively maintained in the 6 months that I have been using it.

On Android and iOS, my preferred browser is DuckDuckGo.

At Privacy Guides, their mobile browser recommendation for Android is Brave. For iOS, they prefer Safari. On desktop systems they recommend Mullvad, Firefox and Brave. For every recommended browser, they offer configuration suggestions.

Test the security of a web browser at browseraudit.com. It checks that your web browser correctly implements a wide variety of security standards and features. It runs about 430 tests and takes about 3 minutes to complete. The results are really for techies. Who created this site? It does not say.

ANDROID

May 2023: I have been very impressed with the DuckDuckGo Privacy browser. As a browser it does a great job of telling what trackers it has blocked on each web page. In addition, it can do tracker blocking system-wide. Like many such apps, it does this by installing a fake VPN. The downside is that the blocking feature cannot be enabled while there is an active VPN connection. The tracker blocking feature is currently in BETA but it seemed to work very well when I tried it. It even tells you the type of data that each app was trying to collect. More: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet (May 10, 2023). Some apps will not function if you block their spying. This is discussed here: How to disable DuckDuckGo App Tracking Protection for a specific app on Android by Jack Wallen for ZDNet (May 19, 2023).

USING A BROWSER

EXTENSIONS

Web browser extensions are a double-edged sword. On the one hand, they can block ads and trackers. But, if you let them, they can read and modify the contents of every displayed page. Nothing could be more dangerous, yet it is necessary with something like an ad blocker. Your browser sees all your passwords. The security around browser extensions is miserably disgraceful. There are user ratings of extensions, but they are useless in terms of Defensive Computing. Perhaps the worst aspect is that an extension with full access to all your data generates next to no warning at all. There should be Big Bold Red Letters warning of the danger, but no.

I suggest a default posture of installing as few extensions as possible. A very reasonable stance is to only install uBlock Origin and nothing else.

DESKTOP FIREFOX

MY THOUGHTS (Last updated: September 2022 with Firefox 104 on Windows)

The first thing I do with a newly installed copy of Firefox is to make the Menu Bar visible. One way is to right click on the tab/toolbar and turn on the check for Menu Bar in the window that pops up. Or, you can press the Alt key, then View, then Toolbars and finally, turn on the Menu Bar.

Review the Enhanced Tracking Protection settings (about:preferences#privacy), which offer defense against trackers and more. As of version 104, the choices are Standard, Strict and Custom. See the documentation on this.

Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web.

In the Forms and Autofill section (Settings -> Privacy & Security), I suggest disabling the auto-filling of addresses and credit cards.

In the Address Bar - Firefox Suggest section (Settings -> Privacy & Security), I would turn off "Suggestions from web", "Suggestions from sponsors" and "Improve the Firefox Suggest experience".

In the Firefox Data Collection and Use section (Settings -> Privacy & Security), I would turn off all four options: "Allow Firefox to send technical and interaction data to Mozilla", "Allow Firefox to make personalized extension recommendations", "Allow Firefox to install and run studies" and "Allow Firefox to send backlogged crash reports on your behalf".

In the Files and Applications section (Settings -> General), I suggest turning on "Always ask you where to save files".

Secure encrypted DNS is configured at Settings -> General -> Network Settings -> Settings button -> Enable DNS over HTTPS. The options are Cloudflare, NextDNS and Custom. My first choice would be NextDNS for its ad/tracker blocking, but Cloudflare is fine too. By default, Cloudflare does not block ads/trackers. If you have a NextDNS account, then use the Custom option. Using one of the Cloudflare blocking options also requires choosing Custom here.
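The Settings choices above can also be pinned in a user.js file in the Firefox profile folder, which Firefox re-applies at every start. As an added example (not part of the original page), this Python script checks a user.js against those choices. The about:config preference names are an assumed mapping of the checkboxes named above, not something the page lists, and the sample file is constructed.

```python
import re

# Assumed mapping (not from the page): about:config pref -> (value to pin, page's label)
WANTED = {
    "extensions.formautofill.addresses.enabled": (False, "Autofill addresses"),
    "extensions.formautofill.creditCards.enabled": (False, "Autofill credit cards"),
    "browser.urlbar.suggest.quicksuggest.nonsponsored": (False, "Suggestions from web"),
    "browser.urlbar.suggest.quicksuggest.sponsored": (False, "Suggestions from sponsors"),
    "browser.urlbar.quicksuggest.dataCollection.enabled": (False, "Improve the Firefox Suggest experience"),
    "datareporting.healthreport.uploadEnabled": (False, "Send technical and interaction data"),
    "browser.discovery.enabled": (False, "Personalized extension recommendations"),
    "app.shield.optoutstudies.enabled": (False, "Install and run studies"),
    "browser.crashReports.unsubmittedCheck.autoSubmit2": (False, "Send backlogged crash reports"),
    "browser.download.useDownloadDir": (False, "Always ask you where to save files"),
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

# Constructed sample user.js, not taken from a real profile
SAMPLE_USER_JS = """
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("extensions.formautofill.creditCards.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", true);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
"""

def parse_user_js(text):
    """Return {pref: value} from user_pref() lines; // comment lines are skipped."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """List (pref, problem, label) for every setting not pinned as the page suggests."""
    prefs, findings = parse_user_js(text), []
    for name, (want, label) in WANTED.items():
        if name not in prefs:
            findings.append((name, "not pinned", label))
        elif prefs[name] is not want:
            findings.append((name, f"is {prefs[name]!r}, want {want!r}", label))
    mode = prefs.get("network.trr.mode")  # 2 = DoH with system-DNS fallback, 3 = DoH only
    if mode not in (2, 3):
        findings.append(("network.trr.mode", f"is {mode!r}, want 2 or 3", "Enable DNS over HTTPS"))
    return findings
```

A setting reported as "not pinned" is left at whatever the profile currently holds, so it can still be off in the Settings pages; the audit only shows what the file enforces.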

The Disable HTML5 Autoplay extension by Afnan Khan can stop many self-starting videos.

You can customize the look of the toolbar by right clicking anywhere on it and then selecting "Customize toolbar".

Take a look at about:telemetry which "shows the information about performance, hardware, usage and customizations collected by Telemetry. This information is submitted to Mozilla to help improve Mozilla Firefox". It can be intimidating, but look to see that "upload is disabled".

Another useful "about:" URL is about:performance which invokes the Firefox Task Manager. Somewhat akin to the Windows Task Manager, this shows CPU and storage usage for each tab. It can also be invoked with: Hamburger menu -> More Tools -> Task Manager. Read about it here: Task Manager - see what tabs or extensions are slowing down Firefox.

Root Certificate Authorities: These are companies that vouch for the identity of websites. The browser lock icon exists because some company, called a Certificate Authority, issued a file (called a certificate) that says the website is legit. The problem with this scheme is that there are bad Certificate Authorities (CAs). This can result in your browser displaying (for example) citi.com with a lock icon and, still, you are not at the real Citibank website. There are different lists of trusted Certificate Authorities. Firefox has its own list, while many other browsers rely on the list created by the operating system. When you hear about a bad Certificate Authority, Firefox users can delete the company from the trusted list. This November 2022 article in the Washington Post, Mysterious company with government ties plays key internet role, basically says that TrustCor should not be trusted. When I checked Firefox 106 on Windows, there were three entries in the trusted list for TrustCor. To remove them: Settings -> Privacy and Security -> View Certificates button -> Authorities tab -> Pick an entry -> Delete or Distrust button. See a screen shot. In my experience, the button only does Delete, there was no option to Distrust. While you are at it, consider deleting the Chinese Certificate Authorities.

OTHER FIREFOX ADVICE

From PrivacyTools.io: Firefox: Privacy Related "about:config" Tweaks.

Privacy Guides has a Recommended Configuration for Firefox.

GitHub user ran-sama has roughly 300 tweaks here: Firefox preferences that aim to optimize your settings so that privacy comes first. It is available as a user.js file that offers better default parameters for built-in anti-fingerprinting features, re-enables the old UI and UX features that advanced users like, and disconnects from services such as "safebrowsing", which are unnecessary if you use uBlock Origin. Some of the topics with tweaks: Nuke high-entropy fingerprinting IDs on every launch, Remove Google implants in Firefox that rat out your browsing under the pretense of security, Remove Newtab advertiser botnet that tries to monetize Firefox, Disable Firefox telemetry implants from spying on your browser usage, Stop data leaks from search suggestions, WebRTC and link prefetching, disable both crash and error reporting, disable Spying and advertising, fully clean your history, Enable the built-in cookie banner auto-reject and more.

ARTICLES SUGGESTING NOT TO USE CHROME

The Contra Chrome website was developed by comic artist Leah Elliott in September 2022. In a comic book format, it devotes 33 pages to reasons why you should not use the Chrome browser. She distributes this as a PDF file available in 7 languages. See the English version.

Opinion: it is time to switch from Chrome to another browser by Martin Brinkmann for GHacks (Sept 2022). His reasons: Chrome is a powerful data gathering tool, Chrome's dominance gives Google a lot of weight when it comes to establishing new web standards, the move to Manifest V3 makes it more difficult to run content blockers and privacy extensions in Chrome.

8 reasons to quit Chrome and switch to Firefox by Alaina Yee for PCWorld (May 2022)

It's time to dump Chrome as your default browser on Android by Jack Wallen for TechRepublic (Nov 2021).

Individual cookie controls are removed from Privacy and Security in Chrome 97 by Martin Brinkmann (Nov 2021)

Ditching Google Chrome was the best thing I did this year (and you should too) by Adrian Kingsley-Hughes for ZDNet (Nov 2021).

Why You Should Delete Google Chrome On Your Phone by Zak Doffman in Forbes (Nov 2021).

Jan 7, 2021: Today I stumbled across another reason not to use the Chrome browser. I was using Chrome version 87 on Windows 10. In Settings -> Autofill a particular website (x.com for the sake of example) was set to never save the password. It had been configured this way for a while. I opened an Incognito window and went to the x.com website. When I went to login and clicked in the UserID box, what showed up? My userid for x.com. There is no way to tell Chrome not to save the userid. And what is the use of incognito mode anyway, if it has access to the userid of what I consider a sensitive website?

A Long List of Ways Brave Goes Beyond Other Browsers to Protect Your Privacy. Written by Brave. No date.

We're suing Google for harvesting our personal info even though we opted out of Chrome sync - netizens by Thomas Claburn of The Register (July 2020). The lawsuit claims that although Google promises that Chrome users can opt out of surveillance by not providing personal information and by not synching their data, people get spied on anyway.

Google sued for at least $5 billion over claimed Incognito mode grab of potentially embarrassing browsing data by Ethan Baron (June 2020). A new incognito page does not warn that Google knows what you do. It does warn that websites you visit and your ISP know what you do, even with private browsing mode.

Incognito mode detection still works in Chrome despite promise to fix by Catalin Cimpanu for ZDNet (June 2020). Google said last year that it would fix a bug that allowed sites to detect incognito mode, but no fix ever came.

Both Firefox and Brave have defenses against browser fingerprinting that Chrome does not have.

Still another reason not to use Chrome: Google: You know we said that Chrome tracker contained no personally identifiable info? Forget we ever said that by Thomas Claburn of The Register (March 2020)

From ProtonMail: Most secure browser for your privacy in 2020 (Dec 2019). In brief: Chrome is bad. Firefox, Brave, Tor and DuckDuckGo (mobile only) are good.

Chrome fails miserably at indicating when insecure data is being sent from a secure page. See my blog (Feb 2020).

uBlock Origin works best on Firefox where it can undo CNAME Cloaking. See If you run uBlock Origin, use the Firefox version as it offers better protection by Martin Brinkmann (Feb 2020).

These hidden cache files are bloating your Google Chrome by Adrian Kingsley-Hughes (April 2020). Chrome caches JavaScript files and there is no simple way to clear the cache; you have to find the folder and delete the files on your own. After reading this, I found data in the cache that was over 4 months old.

There is a whole website (NoToChrome.org) devoted to the bad stuff about the Chrome browser.

Study finds Brave to be the most private browser by Martin Brinkmann (Feb 2020). Only default browser configurations were tested.

October 2019: Germany's cyber-security agency recommends Firefox as most secure browser by Catalin Cimpanu. Firefox was tested against Chrome, Internet Explorer and Edge. Not tested were Safari, Brave, Opera, or Vivaldi. The big finding, to me, was that Chrome, IE and Edge have no option to block telemetry.

July 2019: It's time you ditched Chrome for a privacy-first web browser by Matt Burgess in Wired. Discusses Brave, Ghostery, Tor, DuckDuckGo and two Mozilla browsers.

June 2019: It's Time to Switch to a Privacy Browser by David Nield in Wired. Good article that covers the DuckDuckGo browser (iOS, Android and an extension), the Ghostery browser, Brave, Tor and much more.

June 19, 2019: Google Chrome has become surveillance software. It’s time to switch. by Geoffrey Fowler in the Washington Post. This article has a great quote: "having the world's biggest advertising company make the most popular Web browser was about as smart as letting kids run a candy shop."

In June 2019, Firefox added "enhanced tracking protection" by default, but my opinion was formed beforehand. Firefox Now Available with Enhanced Tracking Protection by Default Plus Updates to Facebook Container, Firefox Monitor and Lockwise by Mozilla (June 2019)

Private and Secure Browsers to Keep Your Data Safe by Sven Taylor of Restore Privacy. Created Sept. 2018, Last updated June 2019.

I protected my privacy by ditching Chrome for Brave–and so should you by Michael Grothaus in Fast Company (March 2019)

How I'm locking down my cyber-life by Larry Sanger Jan. 2019

Why I'm done with Chrome by Matthew Green (Sept 2018). Paraphrasing: I've loved Chrome in the past, but, due to Chrome's new user-unfriendly forced login policy, I won't be using it going forward.

Bye, Chrome: Why I'm switching to Firefox and you should too by Katharine Schwab (May 2018). Quoting: "I can't even remember why I decided to use Chrome in the first place. The browser has become such a default for American internet users that I never even questioned it."

Then too, there is the issue of certificate revocation. It is a poorly designed system and does not work very well. But all browsers support it - except Chrome. Chrome does its own thing in this regard and their system only works with a very small number of websites. In contrast, Cloudflare is working to improve this with OCSP Stapling.

This page created: September 18, 2022. Last updated: June 24, 2024.
Website by Michael Horowitz (@defensivecomput). Copyright 2019 - 2024