A Defensive Computing Checklist    by Michael Horowitz
HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

WEB BROWSERS

TOPICS BELOW
A Web Browser Strategy, Which Browser, Browser Testers, Using A Browser, Extensions, Desktop Firefox Tweaks, Don't Use Chrome

NOTE: May 2024. See the Search Engine topic for instructions on configuring assorted web browsers to disable the Google Search feature know as "AI Overview" that just started rolling out to the public.

A BROWSER STRATEGY  top

Step 1 is to not rely on a single web browser, all the time, regardless of the device you use. I would argue that even two are not enough. To me, the Defensive Computing stance is to have three browsers installed on all your devices. Not that you can't use one browser 99% of the time, but at least have others at the ready, just in case.

An excellent use for a secondary browser is to install whatever extensions you need in it. For example, if you use an extension to find coupons, only install it in a browser that you rarely use and use that browser only as needed. Extensions are very dangerous and their use should be minimized.

Another use for a secondary browser is to save passwords in the browser. Not for every website where you have an account, but for a few that are not all that important. Many article recommend against saving passwords in the browser, but the ease of use is hard to argue with. So, don't do it ALL the time, but sometimes. I have done this for years and it has been a useful approach.

Still another use for a secondary browser is as sacrificial lamb. When a website is problematical, the best way to see if the site is broken or if the problem is with your browser, is to have a web browser with all the possible defenses disabled. Track me, show me ads, spy on my location, enable everything. I have done this for years and it has proved to be a good strategy.

WHICH BROWSER  top

Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer even though it was, for many years, a poor choice. Now, the crowd has voted for Google's Chrome browser, which is not a good Defensive Computing choice. The bottom half of this page has many articles that make the case against Chrome. I would also avoid the Edge browser for two reasons. First, it is popular and thus a high value target. Second, I don't trust Microsoft.

On a desktop Operating System (Windows, macOS, Linux) I suggest using Brave, the Mullvad browser or LibreWolf.

The Brave browser has ad blocking and tracker blocking built in. It is based on Chrome and supports all Chrome extensions. It runs everywhere: Windows, macOS, Linux, Android and iOS. See their Advanced Privacy write-up.

The Mullvad browser is based on Firefox and the Tor browser (which is also based on Firefox). It was first released in April 2023 and I have been using it since then. It seems to be locked down, security-wise, even more than Brave. For example, it gets an excellent rating at the Cover York Tracks tester from the EFF. It is locked down so tight that some websites do not work, or some functions on a website may not work. Still, I recommend it. Increased security always means increased hassle. Mullvad is a very trustworthy software provider and, despite being a VPN company, the browser does not require the use of any VPN. On Windows, the software is portable and it self-updates automatically, checking for new vesions every time the browser starts up. It also runs on macOS and Linux. It has been actively maintained in the time that I have been using it.

In February 2025, Joan Westenberg recommended LibreWolf. She said: "For my browser (at the moment), I'm using LibreWolf, a privacy-hardened, independent fork of Firefox designed to strip out Big Tech's surveillance while maintaining full user control over security and customization. Developed by a community-driven, open-source project, it operates outside corporate influence, free from Mozilla's telemetry, sponsored content, and other data-collection mechanisms. As a European-aligned browser with no ties to U.S. intelligence agencies or government oversight, LibreWolf gives me a secure, fast, and tracker-free web experience without reliance on centralized control. With built-in uBlock Origin, enhanced fingerprinting resistance, and no forced updates or background connections, it's one of the most robust choices for privacy-conscious users who refuse to compromise." On Windows, LibreWolf is available both normally installed and as a portable app. I always prefer portable Windows software. Based on her recommendation, I have been using the portable version on Windows for about 4 months (as of June 2025) and recommend it. The Windows version automatically checks for new versions of itself when the browser is first started. It also runs on macOS and many flavors of Linux.

The Firefox situation is complicated. To me, it needs a number of configuration changes out-of-the-box (there is a section of this page, devoted to that) and it does have built-in telemetry (which I block using DNS to not resolve telemetry.mozilla.org). In June 2025, Steven J. Vaughan-Nichols wrote: Firefox is dead to me - and I'm not the only one who is fed up where he griped about both the browser and Mozilla, the company behind it. As for the browser, he notes a growing number of technical problems, it being slow and poor tab management. As for Mozilla, 90 percent of their revenue comes from Google. They also changed the Firefox Terms of Use and Privacy Notice for the worse, killed off Pocket and Fakespot, are wasting their time chasing AI and are laying off more and more employees.

At AvoidTheHack.com, a techie who goes only by Ashley, has a page devoted to Privacy-oriented Browsers. The page starts with reasons to avoid Edge and Chrome and also has a few articles such as How to Configure Safari for Privacy on iOS Devices, How to Set Up Firefox for Privacy and Is Brave a Google Chrome Replacement?. There are also privacy oriented browser recommendations for Windows, Linux and MacOS, Android and iOS.

At Privacy Guides, their desktop systems recommendations are Mullvad, Firefox and Brave. For every recommended browser, they offer configuration suggestions.

IOS

In June 2025 security firm Mysk introduced a new iOS browser called Psylo: Introducing Psylo - A New Kind of Private Web Browser by Talal Haj Bakry and Tommy Mysk. The app costs $8/month or $70/year as of August 6, 2025. I have not used it but after reading about it, it sounds more secure than a VPN, for websites visited in the browser. A VPN typically runs at the Operating System level however, so quite different. Also different is that Mysk does not know who you are. You buy the Psylo through the Apple app store and Apple does not tell developers anything about who purchased the software. Mysk generates a random userid for their tracking purposes. There are no Psylo userids or passwords. In this way, they function much like Mullvad and IVPN. The random userid is all they know about you and the only tracking they do is of bandwidth (to prevent abuse of the system). Psylo is usable on multiple iOS devices, but they must all be associated with the same Apple account. A big selling point is browser tab isolation. Each tab is given a different public IP address on the Mysk Proxy Network. Like a VPN, data transmitted between the iOS device and their Proxy is encrypted. Unlike a VPN, it does not seem like you get to chose a proxy location. Also unlike a VPN, Mysk claims that they could not spy on you if they wanted to. Browser tab isolation includes the expected separation of storage and cookies, and also includes defenses against browser fingerprinting. Mysk claims these defenses offer more privacy than a VPN even though both hide your public IP address. Psylo adjusts the browser's time zone and language to match the physical location of the proxy the tab is using. To see this protection in action, you need to use a VPN to connect to another country. They have a tester page at psylo.app/location that will show both the country of your VPN server and your actual country. I tested it on Windows 10 and it worked as advertised with Firefox, Chrome, Brave and Edge (see a screen shot). However, the Mullvad browser has its own defenses and the tester page was fooled into thinking I was in Iceland. But, there is no Mullvad browser for iOS. Mysk has been on the front lines of security, so I would consider them a trusted source. More: Psylo browser tries to obscure digital fingerprints by giving every tab its own IP address by Thomas Claburn for The Register (June 24, 2025).

Brave on iOS: App version 1.78.1 on iOS 18.5 in June 2025.
DEFENSIVE: It blocks Fingerprinting default. It has a shred site data feature that closes all tabs on a site and deletes all site data. This can run manually or it can shred data automatically when a tab is closed or when the app is closed. There are many controls over Content Filtering. Maybe turn off: Show Last Visited Bookmarks and show Search suggestions. It can run in Private Browsing Mode all the time. You can chose the level of tracker/ad blocking: standard or aggressive or off. On the menu bar, click the Brave icon to see how many ads/trackers were blocked on the current page. Turn on Privacy Hub for the New Tab page, if its not on. This shows a grand total of the trackers/ads blocked. Click on it to see the most frequently blocked ads/trackers and the sites you have visited that have the most ads/trackers.
CONVENIENCE: It has a Reader Mode. It is easy to change the default Search Engine, there are 7 choices. It is easy to customize the page zoom level, both for the browser as a whole and for just one page. It keeps track of your preferred Page Zoom level for each website. It blocks Cookie Consent Notices by default. You can turn off the pretty background images on the New Tab page to save data on 4G/5G. You might want to configure it to Hide the Brave Rewards icon.
GOTCHA: Good luck getting back to regular tabs if you open a Private Mode tab.

My preferred iOS browsers are Brave and DuckDuckGo.

At Privacy Guides, their mobile browser recommendation for iOS, is Safari.

FYI: As of August 2025, Safari on iOS is supported by uBlock Origin.

ANDROID

At Privacy Guides, their mobile browser recommendation for Android is Brave.

May 2023: I have been impressed with the DuckDuckGo Privacy browser. As a browser it does a great job of telling what trackers it has blocked on each web page. In addition, it can do tracker blocking system-wide. Like many such apps, it does this by installing a fake VPN. The downside is that the blocking feature can not be enabled while there is an active VPN connection. The tracker blocking feature is currently in BETA but it seemed to work very well when I tried it. It even tells you the type of data that each app was trying to collect. More: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet (May 10, 2023). Some apps will not function if you block their spying. This is discussed here: How to disable DuckDuckGo App Tracking Protection for a specific app on Android by Jack Wallen for ZDNet (May 19, 2023).

BROWSER TESTERS  top

Test the security of a web browser at browseraudit.com. It checks that your web browser correctly implements a wide variety of security standards and features. It runs about 430 tests and takes about 3 minutes to complete. The results are really for techies. Who created this site? It does not say.

Another browser testing site is PrivacyTests.org. They run an open-source privacy audit of popular web browsers and report on their results. There are test results for 12 Desktop browsers, 13 Desktop private modes, 10 iOS browsers, 12 Android browsers and more. The last round of testing was done August 12, 2025 (the previous round of testing was done in Feb. 2025). The amount of data collected is HUGE, it may be a bit much to digest. They test browsers on multiple operating systems. One small piece of data: on desktop systems, their State Partitioning tests show that Brave, Mullvad, LibreWolf and Firefox were the best. But again, a lot of data to absorb.

Global Privacy Control: Test your browser at globalprivacycontrol.org. The good result is "GPC signal detected". The bad result is: "GPC signal not detected". As of May 12, 2022 this was supported by default in the Brave and DuckDuckGo browsers. It was available, but not enabled by default in Firefox. It was not available in Chrome, Edge or Safari. Google, Microsoft and Apple want to spy on us. For a detailed verification, go to global-privacy-control.glitch.me where a blue thumbs up is a good test result. More: Global Privacy Control emerges as latest attempt to let netizens choose whether they want to be tracked online by Thomas Claburn for The Register (October 2020).

These are only for techies. deviceinfo.me, SSL Client Test from Qualys SSL Labs and How's My SSL?

USING A BROWSER  top

EXTENSIONS  top

This topic has been moved to a new page devoted to Web Browser Extensions.

 

DESKTOP FIREFOX TWEAKS  top

MY THOUGHTS (Last updated: September 2022 with Firefox 104 on Windows)

The first thing I do with a newly installed copy of Firefox is to make the Menu Bar visible. One way is to right click on the tab/toolbar and turn on the check for Menu Bar in the window that pops up. Or, you can press the Alt key, then View, then Toolbars and finally, turn on the Menu Bar.

Review the Enhanced Tracking Protection (about:preferences#privacy) settings which offers defense against trackers and more. As of version 104, the choices are Standard, Strict and Custom. See the documentation on this.

Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web.

In the Forms and Autofill section (Settings -> Privacy & Security), I suggest disabling the auto-filling of addresses and credit cards.

In the Address Bar - Firefox Suggest section (Settings -> Privacy & Security), I would turn off "Suggestions from web", "Suggestions from sponsors" and "Improve the Firefox Suggest experience".

In the Firefox Data Collection and Use section (Settings -> Privacy & Security), I would turn off all four options: "Allow Firefox to send technical and interaction data to Mozilla", "Allow Firefox to make personalized extension recommendations", "Allow Firefox to install and run studies" and "Allow Firefox to send backlogged crash reports on your behalf".

In the Files and Applications section (Settings -> General) I suggest turning on "Always ask you where to save files"

Secure encrypted DNS is configured at Settings -> General -> Network Settings -> Settings button -> Enable DNS over HTTPS. The options are Cloudflare, NextDNS and Custom. My first choice would be NextDNS for its ad/tracker blocking, but Cloudflare is fine too. By default, Cloudflare does not block ads/trackers. If you have a NextDNS account, then use the Custom option. To use one of the Cloudflare blocking options also requires choosing Custom here.

The Disable HTML5 Autoplay extension by Afnan Khan can stop many self-starting videos.

You can customize the look of the toolbar by right clicking anywhere on it and then selecting "Customize toolbar".

Take a look at about:telemetry which "shows the information about performance, hardware, usage and customizations collected by Telemetry. This information is submitted to Mozilla to help improve Mozilla Firefox". It can be intimidating, but look to see that "upload is disabled".

Another useful "about:" URL is about:performance which invokes the Firefox Task Manager. Somewhat akin to the Windows Task Manager, this shows CPU and storage usage for each tab. It can also be invoked with: Hamburger menu -> More Tools -> Task Manager. Read about it here: Task Manager - see what tabs or extensions are slowing down Firefox.

Root Certificate Authorities: These are companies that vouch for the identity of websites. The browser lock icon exists because some company, called a Certificate Authority, issued a file (called a certificate) that says the website is legit. The problem with this scheme is that there are bad Certificate Authorities (CAs). This can result your browser displaying (for ex) citi.com with a lock icon and, still, you are not at the real Citibank website. There are different lists of trusted Certificate Authorities. Firefox has its own list, many other browsers rely on the list created by the operating system. When you hear about a bad Certificate Authority, Firefox users can delete the company from the trusted list. This November 2022 article in the Washington Post, Mysterious company with government ties plays key internet role, basically says the TrustCor should not be trusted. When I checked Firefox 106 on Windows, there were three entries in the trusted list for TrustCor. To remove them: Settings -> Privacy and Security -> View Certificates button -> Authorities tab -> Pick an entry -> Delete or Distrust button. See a screen shot. In my experience, the button only does Delete, there was no option to Distrust. While you are at it, consider deleting the Chinese Certificate Authorities.

OTHER FIREFOX ADVICE

From PrivacyTools.io: Firefox: Privacy Related "about:config" Tweaks.

Privacy Guides has a Recommended Configuration for Firefox.

Github user ran-sama has roughly 300 tweaks here: Firefox preferences that aim to optimize your settings so that privacy comes first. It is available as a user.js file that offers better default parameters for built-in anti-fingerprinting features, re-enabling the old UI and UX features that advanced users like and disconnecting from services such as "safebrowsing", which are unecessary if you use Block Origin. Some of the topics with tweaks: Nuke high-entropy fingerprinting IDs on every launch, Remove Google implants in Firefox that rat out your browsing under the pretense of security, Remove Newtab advertiser botnet that tries to monetize Firefox, Disable Firefox telemetry implants from spying on your browser usage, Stop data leaks from search suggestions, webRTC and link prefetching, disable both crash and error reporting, disable Spying and advertising, fully clean your history, Enable the built-in cookie banner auto-reject and more.

 

ARTICLES SUGGESTING NOT TO USE CHROME  top

August 4, 2024: uBlocked: As Chrome Transitions to Manifest V3, Ad Blockers Get Less Effective by Paul Thurrott. Chrome extensions used to use an interface that Google is removing. The old interface let uBlock Origin do a lot of stuff. The new interface restricts what it can do so there is a new "lite" version of it. The full version still works in Firefox.

The Contra Chrome website was developed by comic artist Leah Elliott in September 2022. In a comic book format, it devotes 33 pages to reasons why you should not use the Chrome browser. She distributes this as a PDF file available in 7 languages. See the English version.

Opinion: it is time to switch from Chrome to another browser by Martin Brinkmann for GHacks (Sept 2022). His reasons: Chrome is a powerful data gathering tool, Chrome's dominance gives Google a lot of weight when it comes to establishing new web standards, the move to Manifest V3 makes it more difficult to run content blockers and privacy extensions in Chrome.

8 reasons to quit Chrome and switch to Firefox by Alaina Yee for PCWorld (May 2022)

It's time to dump Chrome as your default browser on Android by Jack Wallen for TechRepublic (Nov 2021).

Individual cookie controls are removed from Privacy and Security in Chrome 97 by Martin Brinkmann (Nov 2021)

Ditching Google Chrome was the best thing I did this year (and you should too) by Adrian Kingsley-Hughes for ZDNet (Nov 2021).

Why You Should Delete Google Chrome On Your Phone by Zak Doffman in Forbes (Nov 2021).

Jan 7, 2021: Today I stumbled across another reason not to use the Chrome browser. I was using Chrome version 87 on Windows 10. In Settings -> Autofill a particular website (x.com for the sake of example) was set to never save the password. It had been configured this way for a while. I opened an Incognito window and went to the x.com website. When I went to login and clicked in the UserID box, what showed up? My userid for x.com. There is no way to tell Chrome not to save the userid. And what is the use of incognito mode anyway, if it has access to the userid of what I consider a sensitive website?

A Long List of Ways Brave Goes Beyond Other Browsers to Protect Your Privacy. Written by Brave. No date.

We're suing Google for harvesting our personal info even though we opted out of Chrome sync - netizens by Thomas Claburn of The Register (July 2020). The lawsuit claims that although Google promises that Chrome users can opt out of surveillance by not providing personal information and by not synching their data, people get spied on anyway.

Google sued for at least $5 billion over claimed Incognito mode grab of potentially embarrassing browsing data by Ethan Baron (June 2020). A new incognito page does not warn that Google knows what you do. It does warn that websites you visit and your ISP know what you do, even with private browsing mode.

Incognito mode detection still works in Chrome despite promise to fix by Catalin Cimpanu for ZDNet (June 2020). Google said last year that it would fix a bug that allowed sites to detect incognito mode, but no fix ever came.

Both Firefox and Brave have defenses against browser fingerprinting that Chrome does not have.

Still another reason not to use Chrome: Google: You know we said that Chrome tracker contained no personally identifiable info? Forget we ever said that by Thomas Claburn of The Register (March 2020)

From ProtonMail: Most secure browser for your privacy in 2020 (Dec 2019). In brief: Chrome is bad. Firefox, Brave, Tor and DuckDuckGo (mobile only) are good.

Chrome fails miserably at indicating when insecure data is being sent from a secure page. See my blog (Feb 2020).

uBlock Origin works best on Firefox where it can undo CNAME Cloaking. See If you run uBlock Origin, use the Firefox version as it offers better protection by Martin Brinkmann (Feb 2020).

These hidden cache files are bloating your Google Chrome by Adrian Kingsley-Hughes (April 2020). Chrome caches JavaScript files and there is no simple way to clear the cache, you have to find the folder and delete the files on your own. After reading this, I found data in the cache that was over 4 months old.

There is a whole website (NoToChrome.org) devoted to the bad stuff about the Chrome browser.

Study finds Brave to be the most private browser by Martin Brinkmann (Feb 2020). Only default browser configurations were tested.

October 2019: Germany's cyber-security agency recommends Firefox as most secure browser by Catalin Cimpanu. Firefox was tested against Chrome, Internet Explorer and Edge. Not tested were Safari, Brave, Opera, or Vivaldi. The big finding, to me, was that Chrome, IE and Edge have no option to block telemetry.

July 2019: It's time you ditched Chrome for a privacy-first web browser by Matt Burgess in Wired. Discusses Brave, Ghostery, Tor, DuckDuckGo and two Mozilla browsers.

June 2019: It's Time to Switch to a Privacy Browser by David Nield in Wired. Good article that covers the DuckDuckGo browser (iOS, Android and an extension), the Ghostery browser, Brave, Tor and much more.

June 19, 2019: Google Chrome has become surveillance software. It’s time to switch. by Geoffrey Fowler in the Washington Post. This article has a great quote: "having the world's biggest advertising company make the most popular Web browser was about as smart as letting kids run a candy shop." Alternate link

In June 2019, Firefox added "enhanced tracking protection" by default, but my opinion was formed beforehand. Firefox Now Available with Enhanced Tracking Protection by Default Plus Updates to Facebook Container, Firefox Monitor and Lockwise by Mozilla (June 2019)

Private and Secure Browsers to Keep Your Data Safe by Sven Taylor of Restore Privacy. Created Sept. 2018, Last updated June 2019.

I protected my privacy by ditching Chrome for Brave–and so should you by Michael Grothaus in Fast Company (March 2019)

How I'm locking down my cyber-life by Larry Sanger Jan. 2019

Why I'm done with Chrome by Matthew Green (Sept 2018). Paraphrasing: I've loved Chrome in the past, but, due to Chrome's new user-unfriendly forced login policy, I won't be using it going forward.

Bye, Chrome: Why I'm switching to Firefox and you should too by Katharine Schwab (May 2018). Quoting: "I can't even remember why I decided to use Chrome in the first place. The browser has become such a default for American internet users that I never even questioned it."

Then too, there is the issue of certificate revocation. It is a poorly designed system and does not work very well. But all browsers support it - except Chrome. Chrome does its own thing in this regard and their system only works with a very small number of websites. In contrast, Cloudflare is working to improve this with OCSP Stapling.

 This page: 10 views per day (over 1,115 days)   Total views: 10,817   Created: September 18, 2022
This Page
Last Updated

October 6, 2025
Site Page
Views TOTAL

 1,326,651
Site Page
Views TODAY

  1,090
Website by
Michael Horowitz
top
Copyright 2019 - 2025