A Defensive Computing Checklist    by Michael Horowitz

WEB BROWSERS

TOPICS BELOW
Which Browser, Using A Browser, Extensions, Extension Articles, Desktop Firefox, Don't Use Chrome

Never rely on a single web browser, regardless of the device you use. I would argue that even two are not enough. To me, the Defensive Computing stance is to have three browsers installed on all your devices. Not that you can't use one browser 99% of the time, just have the others at the ready, just in case.

NOTE: May 2024. See the Search Engine topic for instructions on configuring assorted web browsers to disable the Google Search feature known as "AI Overview" that just started rolling out to the public.

WHICH BROWSER

Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer even though it was, for many years, a poor choice. Now, the crowd has voted for Google's Chrome browser, which is not a good Defensive Computing choice. The bottom half of this page has many articles that make the case against Chrome. I would also avoid the Edge browser for two reasons. First, it is popular and thus a high value target. Second, I don't trust Microsoft.

On a desktop Operating System (Windows, macOS, Linux) I suggest using Firefox, the Brave browser or the Mullvad browser.

Brave has ad blocking and tracker blocking built in. It is based on Chrome and supports all Chrome extensions. It also runs on Android and iOS.

The Mullvad browser is based on Firefox and the Tor browser (which is also based on Firefox). It was first released in April 2023 and I have been using it since the initial release. It seems to be locked down, security-wise, even more than Brave. For example, it gets an excellent rating at the Cover Your Tracks tester from the EFF. It is locked down so tight that some websites do not work, or some functions on a website may not work. Still, it is my first choice. Mullvad is a very trustworthy software provider and, despite being a VPN company, the browser does not require the use of any VPN. On Windows, the software is portable and it self-updates automatically. It also runs on macOS and Linux. It has been actively maintained in the 6 months that I have been using it.

On Android and iOS, my preferred browser is DuckDuckGo.

At Privacy Guides, their mobile browser recommendation for Android is Brave. For iOS, they prefer Safari. On desktop systems they recommend Mullvad, Firefox and Brave. For every recommended browser, they offer configuration suggestions.

Test the security of a web browser at browseraudit.com. It checks that your web browser correctly implements a wide variety of security standards and features. It runs about 430 tests and takes about 3 minutes to complete. The results are really for techies. Who created this site? It does not say.

ANDROID

May 2023: I have been very impressed with the DuckDuckGo Privacy browser. As a browser it does a great job of telling what trackers it has blocked on each web page. In addition, it can do tracker blocking system-wide. Like many such apps, it does this by installing a fake VPN. The downside is that the blocking feature can not be enabled while there is an active VPN connection. The tracker blocking feature is currently in BETA but it seemed to work very well when I tried it. It even tells you the type of data that each app was trying to collect. More: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet (May 10, 2023). Some apps will not function if you block their spying. This is discussed here: How to disable DuckDuckGo App Tracking Protection for a specific app on Android by Jack Wallen for ZDNet (May 19, 2023).

USING A BROWSER

EXTENSIONS

Web browser extensions are a double-edged sword. On the one hand, they can block ads and trackers. But, if you let them, they can also read and modify the contents of every displayed page. Yikes! Nothing could be more dangerous. Your browser sees all your passwords. It sees your bank balance and account numbers. Making this worse, there are no clear warnings, when you install an extension, that it can read and modify every character on every web page. There should be a huge red flag (literally). But, there is not.

Frankly, the lack of warning is disgraceful. While the ability to see and modify everything is necessary for an extension to block ads and trackers, far too many extensions are silently granted this ability. Even the most secure, generally available operating system, ChromeOS (which runs Chromebooks), has browser extensions as an Achilles heel. The only way to hack a Chromebook is to convince someone to install a malicious browser extension.

Making a bad situation worse is that browser extensions silently self-update, with few checks to make sure they are not malicious. So, a good extension can go bad without warning. There was a big story (below) about this in December 2024.

I suggest a default posture of installing as few extensions as possible. Better yet, install uBlock Origin or uBlock Origin Lite (verify that the author is Gorhill) and nothing else. Perhaps the only other extension I would install is Privacy Badger from the EFF. On Windows, Privacy Badger runs on Chrome, Firefox, Edge and Opera. If there is an extension that you really need, install it in a web browser that you only use when you need that extension. Most of the time, use another browser.

FYI: On Android, the only browser that supports extensions is Firefox.

Never install an extension just because a web site says you need it. There is a good chance that the message is a scam; very, very few websites need you to install an extension.

There are user ratings of extensions, but they are useless in terms of Defensive Computing. Techies can and should check the required permissions before installing an extension.

Many techies, not just me, would suggest installing an ad blocker extension. This is not because it makes web pages load faster (it does) but mostly because ads have been abused too many times to install malicious software or take you to scam websites. And, they are distracting. And, if you care about privacy, you need a tracker blocker too.

The recognized leader in the "blocking" field is uBlock Origin by Raymond Hill (aka gorhill). uBlock Origin is available for many browsers. It works with Chrome and other Chromium based browsers such as Brave. It works with Firefox. Beware however, that the popularity of uBlock Origin is such that scam copies have been created. One such scam is uBlock Pro, another goes by just uBlock. Mr Hill warns that uBlock Origin is completely unrelated to the site "ublock.org". When in doubt, check that the extension is from Raymond Hill.

Note that the Chrome browser will, in the near future (as of November 2024), disable uBlock Origin. The extension will continue to work in Brave and Firefox. Google created a new interface for browser extensions and uBlock Origin can not function in its normal manner using the new interface. To deal with this, Raymond Hill (again, aka gorhill) has created uBlock Origin Lite. Unlike uBlock and uBlock Pro, which are scams, uBlock Origin Lite is legitimate.

The downside of any blocking (ads or trackers) is that it will break some websites. One solution is to learn how to turn uBlock Origin off for a problematic site (click the blue circle that has a vertical line through its top). Another option is to keep a second web browser with no extensions at all. A second (or 3rd) browser is also a good idea when you really need a particular extension. Use that browser only on the site(s) that need the extension.

Another problem with browser extensions is copycat extensions. Just as with domain names, bad guys create scam extensions with names similar to popular ones. Bad guys can get away with this because, by and large, nobody is looking/checking. This article, Google Chrome: legit EditThisCookie extension removed instead of malicious copycat by Martin Brinkmann (December 31, 2024), is about a good extension called EditThisCookie that had over 3 million users and 11,000 ratings. That popularity spawned a malicious extension called EditThisCookies. At some point, the bad extension was renamed to EditThisCookie®.

This article is further proof that no one watches over Chrome browser extensions: Here's how hucksters are manipulating Google to promote shady Chrome extensions by Dan Goodin for Ars Technica (January 8, 2025). Sub-title: How do you stash 18,000 keywords into a description? Turns out it's easy.

And, there are very few trusted sources for extensions and no useful system for defining a trusted source. You are on your own with browser extensions; it is the Wild West out there.

To combat this, when installing an extension, pay close attention to who/what created the extension. Or, maybe, don't install anything other than uBlock Origin.

FYI: A Chromebook in Guest mode does not allow any extensions.

I suggest that you periodically review your installed extensions, in every browser that you use, and remove any you do not recognize or no longer use. To display the installed extensions, use these address bar URLs (perhaps bookmark them):
In Chrome: chrome://extensions
In Brave: brave://extensions   (not valid on iOS or Android)
In Firefox: about:addons
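
For techies, the permission check and the periodic review described above can be scripted. This is an added example, not code from this site: it reads extension manifest.json files and reports the extensions that are allowed to read and modify every page. The sample manifests are constructed, and the directory passed to load_manifests (for example a Chromium profile's Extensions folder) is for you to supply.

```python
import json
from pathlib import Path

# Host patterns that let an extension read and change every page you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_access(manifest: dict) -> list[str]:
    """Return the reasons (if any) this manifest grants access to all sites."""
    reasons = []
    # Manifest V2 mixes host patterns into "permissions"; V3 moved them to
    # "host_permissions". Optional ones can be granted later, so check them too.
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_HOSTS:
                reasons.append(f"{key}: {entry}")
    # Content scripts are injected into every page their "matches" cover.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                reasons.append(f"content_scripts.matches: {pattern}")
    return reasons


def audit(manifests: dict[str, dict]) -> dict[str, list[str]]:
    """Map extension name -> reasons, for extensions that can touch every site."""
    report = {}
    for source, manifest in manifests.items():
        reasons = broad_access(manifest)
        if reasons:
            # "name" may be a localization key such as __MSG_appName__.
            report[manifest.get("name", source)] = reasons
    return report


def load_manifests(extensions_dir: Path) -> dict[str, dict]:
    """Read every manifest.json below a directory of unpacked extensions."""
    found = {}
    for path in extensions_dir.rglob("manifest.json"):
        try:
            found[str(path)] = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
    return found


# Constructed sample manifests (not real extensions).
SAMPLE = {
    "blocker": {"manifest_version": 2, "name": "Sample Blocker",
                "permissions": ["storage", "webRequest", "<all_urls>"]},
    "notes": {"manifest_version": 3, "name": "Sample Notes",
              "permissions": ["storage"],
              "host_permissions": ["https://notes.example/*"]},
    "coupons": {"manifest_version": 3, "name": "Sample Coupons",
                "permissions": ["storage"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: can read and modify every page ({'; '.join(reasons)})")
```

A blocker such as uBlock Origin will show up in this report too, since it needs that access to do its job; the point is to know which of your extensions have it.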

EXTENSION ARTICLES

No need to believe me about browser extensions. Here are some articles on the topic.

Matt Frisbie is a software engineer focused on web browser extensions.

 

DESKTOP FIREFOX

MY THOUGHTS (Last updated: September 2022 with Firefox 104 on Windows)

The first thing I do with a newly installed copy of Firefox is to make the Menu Bar visible. One way is to right click on the tab/toolbar and turn on the check for Menu Bar in the window that pops up. Or, you can press the Alt key, then View, then Toolbars and finally, turn on the Menu Bar.

Review the Enhanced Tracking Protection (about:preferences#privacy) settings, which offer defense against trackers and more. As of version 104, the choices are Standard, Strict and Custom. See the documentation on this.

Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web.

In the Forms and Autofill section (Settings -> Privacy & Security), I suggest disabling the auto-filling of addresses and credit cards.

In the Address Bar - Firefox Suggest section (Settings -> Privacy & Security), I would turn off "Suggestions from web", "Suggestions from sponsors" and "Improve the Firefox Suggest experience".

In the Firefox Data Collection and Use section (Settings -> Privacy & Security), I would turn off all four options: "Allow Firefox to send technical and interaction data to Mozilla", "Allow Firefox to make personalized extension recommendations", "Allow Firefox to install and run studies" and "Allow Firefox to send backlogged crash reports on your behalf".

In the Files and Applications section (Settings -> General), I suggest turning on "Always ask you where to save files".

Secure encrypted DNS is configured at Settings -> General -> Network Settings -> Settings button -> Enable DNS over HTTPS. The options are Cloudflare, NextDNS and Custom. My first choice would be NextDNS for its ad/tracker blocking, but Cloudflare is fine too. By default, Cloudflare does not block ads/trackers. If you have a NextDNS account, then use the Custom option. To use one of the Cloudflare blocking options also requires choosing Custom here.
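
To verify that the settings above actually took effect, a profile's prefs.js (or a user.js) can be checked with a short script. This is an added example, not code from this site; the mapping from each menu option to its about:config preference name is my own and is an assumption, and the sample preference text is constructed.

```python
import json
import re

# Assumed mapping (added here, not from the page): the about:config preference
# behind each option the page suggests changing, with the suggested value.
RECOMMENDED = {
    "extensions.formautofill.addresses.enabled": False,    # autofill addresses
    "extensions.formautofill.creditCards.enabled": False,  # autofill credit cards
    "browser.urlbar.suggest.quicksuggest.nonsponsored": False,    # from web
    "browser.urlbar.suggest.quicksuggest.sponsored": False,       # from sponsors
    "browser.urlbar.quicksuggest.dataCollection.enabled": False,  # improve Suggest
    "datareporting.healthreport.uploadEnabled": False,     # technical data
    "browser.discovery.enabled": False,                    # extension recommendations
    "app.shield.optoutstudies.enabled": False,             # studies
    "browser.crashReports.unsubmittedCheck.autoSubmit2": False,   # crash reports
    "browser.download.useDownloadDir": False,              # always ask where to save
}
DOH_PREF = "network.trr.mode"  # 2 = DNS over HTTPS with fallback, 3 = DoH only
DOH_ON = {2, 3}

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text: str) -> dict:
    """Parse user_pref("name", value); lines into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # true/false, int, "str"
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep the raw text if unparsable
    return prefs


def findings(prefs: dict) -> list[str]:
    """List the suggested settings that are missing or set differently."""
    out = []
    for name, want in RECOMMENDED.items():
        if name not in prefs:
            # prefs.js only stores values changed from the default.
            out.append(f"{name}: not set, Firefox default applies")
        elif prefs[name] != want:
            out.append(f"{name}: is {prefs[name]!r}, suggested {want!r}")
    if prefs.get(DOH_PREF) not in DOH_ON:
        out.append(f"{DOH_PREF}: DNS over HTTPS is not enabled")
    return out


# Constructed sample, not a real profile; dns.example is a placeholder.
SAMPLE_PREFS = """
// constructed sample
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.download.useDownloadDir", false);
user_pref("datareporting.healthreport.uploadEnabled", true);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://dns.example/dns-query");
"""

if __name__ == "__main__":
    for line in findings(parse_prefs(SAMPLE_PREFS)):
        print(line)
```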

The Disable HTML5 Autoplay extension by Afnan Khan can stop many self-starting videos.

You can customize the look of the toolbar by right clicking anywhere on it and then selecting "Customize toolbar".

Take a look at about:telemetry which "shows the information about performance, hardware, usage and customizations collected by Telemetry. This information is submitted to Mozilla to help improve Mozilla Firefox". It can be intimidating, but look to see that "upload is disabled".

Another useful "about:" URL is about:performance which invokes the Firefox Task Manager. Somewhat akin to the Windows Task Manager, this shows CPU and storage usage for each tab. It can also be invoked with: Hamburger menu -> More Tools -> Task Manager. Read about it here: Task Manager - see what tabs or extensions are slowing down Firefox.

Root Certificate Authorities: These are companies that vouch for the identity of websites. The browser lock icon exists because some company, called a Certificate Authority, issued a file (called a certificate) that says the website is legit. The problem with this scheme is that there are bad Certificate Authorities (CAs). This can result in your browser displaying (for example) citi.com with a lock icon and, still, you are not at the real Citibank website. There are different lists of trusted Certificate Authorities. Firefox has its own list; many other browsers rely on the list created by the operating system. When you hear about a bad Certificate Authority, Firefox users can delete the company from the trusted list. This November 2022 article in the Washington Post, Mysterious company with government ties plays key internet role, basically says that TrustCor should not be trusted. When I checked Firefox 106 on Windows, there were three entries in the trusted list for TrustCor. To remove them: Settings -> Privacy and Security -> View Certificates button -> Authorities tab -> Pick an entry -> Delete or Distrust button. See a screen shot. In my experience, the button only does Delete, there was no option to Distrust. While you are at it, consider deleting the Chinese Certificate Authorities.

OTHER FIREFOX ADVICE

From PrivacyTools.io: Firefox: Privacy Related "about:config" Tweaks.

Privacy Guides has a Recommended Configuration for Firefox.

Github user ran-sama has roughly 300 tweaks here: Firefox preferences that aim to optimize your settings so that privacy comes first. It is available as a user.js file that offers better default parameters for built-in anti-fingerprinting features, re-enabling the old UI and UX features that advanced users like and disconnecting from services such as "safebrowsing", which are unnecessary if you use uBlock Origin. Some of the topics with tweaks: Nuke high-entropy fingerprinting IDs on every launch, Remove Google implants in Firefox that rat out your browsing under the pretense of security, Remove Newtab advertiser botnet that tries to monetize Firefox, Disable Firefox telemetry implants from spying on your browser usage, Stop data leaks from search suggestions, webRTC and link prefetching, disable both crash and error reporting, disable Spying and advertising, fully clean your history, Enable the built-in cookie banner auto-reject and more.

 

ARTICLES SUGGESTING NOT TO USE CHROME

August 4, 2024: uBlocked: As Chrome Transitions to Manifest V3, Ad Blockers Get Less Effective by Paul Thurrott. Chrome extensions used to use an interface that Google is removing. The old interface let uBlock Origin do a lot of stuff. The new interface restricts what it can do so there is a new "lite" version of it. The full version still works in Firefox.

The Contra Chrome website was developed by comic artist Leah Elliott in September 2022. In a comic book format, it devotes 33 pages to reasons why you should not use the Chrome browser. She distributes this as a PDF file available in 7 languages. See the English version.

Opinion: it is time to switch from Chrome to another browser by Martin Brinkmann for GHacks (Sept 2022). His reasons: Chrome is a powerful data gathering tool, Chrome's dominance gives Google a lot of weight when it comes to establishing new web standards, the move to Manifest V3 makes it more difficult to run content blockers and privacy extensions in Chrome.

8 reasons to quit Chrome and switch to Firefox by Alaina Yee for PCWorld (May 2022)

It's time to dump Chrome as your default browser on Android by Jack Wallen for TechRepublic (Nov 2021).

Individual cookie controls are removed from Privacy and Security in Chrome 97 by Martin Brinkmann (Nov 2021)

Ditching Google Chrome was the best thing I did this year (and you should too) by Adrian Kingsley-Hughes for ZDNet (Nov 2021).

Why You Should Delete Google Chrome On Your Phone by Zak Doffman in Forbes (Nov 2021).

Jan 7, 2021: Today I stumbled across another reason not to use the Chrome browser. I was using Chrome version 87 on Windows 10. In Settings -> Autofill a particular website (x.com for the sake of example) was set to never save the password. It had been configured this way for a while. I opened an Incognito window and went to the x.com website. When I went to login and clicked in the UserID box, what showed up? My userid for x.com. There is no way to tell Chrome not to save the userid. And what is the use of incognito mode anyway, if it has access to the userid of what I consider a sensitive website?

A Long List of Ways Brave Goes Beyond Other Browsers to Protect Your Privacy. Written by Brave. No date.

We're suing Google for harvesting our personal info even though we opted out of Chrome sync - netizens by Thomas Claburn of The Register (July 2020). The lawsuit claims that although Google promises that Chrome users can opt out of surveillance by not providing personal information and by not synching their data, people get spied on anyway.

Google sued for at least $5 billion over claimed Incognito mode grab of potentially embarrassing browsing data by Ethan Baron (June 2020). A new incognito page does not warn that Google knows what you do. It does warn that websites you visit and your ISP know what you do, even with private browsing mode.

Incognito mode detection still works in Chrome despite promise to fix by Catalin Cimpanu for ZDNet (June 2020). Google said last year that it would fix a bug that allowed sites to detect incognito mode, but no fix ever came.

Both Firefox and Brave have defenses against browser fingerprinting that Chrome does not have.

Still another reason not to use Chrome: Google: You know we said that Chrome tracker contained no personally identifiable info? Forget we ever said that by Thomas Claburn of The Register (March 2020)

From ProtonMail: Most secure browser for your privacy in 2020 (Dec 2019). In brief: Chrome is bad. Firefox, Brave, Tor and DuckDuckGo (mobile only) are good.

Chrome fails miserably at indicating when insecure data is being sent from a secure page. See my blog (Feb 2020).

uBlock Origin works best on Firefox where it can undo CNAME Cloaking. See If you run uBlock Origin, use the Firefox version as it offers better protection by Martin Brinkmann (Feb 2020).

These hidden cache files are bloating your Google Chrome by Adrian Kingsley-Hughes (April 2020). Chrome caches JavaScript files and there is no simple way to clear the cache, you have to find the folder and delete the files on your own. After reading this, I found data in the cache that was over 4 months old.

There is a whole website (NoToChrome.org) devoted to the bad stuff about the Chrome browser.

Study finds Brave to be the most private browser by Martin Brinkmann (Feb 2020). Only default browser configurations were tested.

October 2019: Germany's cyber-security agency recommends Firefox as most secure browser by Catalin Cimpanu. Firefox was tested against Chrome, Internet Explorer and Edge. Not tested were Safari, Brave, Opera, or Vivaldi. The big finding, to me, was that Chrome, IE and Edge have no option to block telemetry.

July 2019: It's time you ditched Chrome for a privacy-first web browser by Matt Burgess in Wired. Discusses Brave, Ghostery, Tor, DuckDuckGo and two Mozilla browsers.

June 2019: It's Time to Switch to a Privacy Browser by David Nield in Wired. Good article that covers the DuckDuckGo browser (iOS, Android and an extension), the Ghostery browser, Brave, Tor and much more.

June 19, 2019: Google Chrome has become surveillance software. It’s time to switch. by Geoffrey Fowler in the Washington Post. This article has a great quote: "having the world's biggest advertising company make the most popular Web browser was about as smart as letting kids run a candy shop."

In June 2019, Firefox added "enhanced tracking protection" by default, but my opinion was formed beforehand. Firefox Now Available with Enhanced Tracking Protection by Default Plus Updates to Facebook Container, Firefox Monitor and Lockwise by Mozilla (June 2019)

Private and Secure Browsers to Keep Your Data Safe by Sven Taylor of Restore Privacy. Created Sept. 2018, Last updated June 2019.

I protected my privacy by ditching Chrome for Brave–and so should you by Michael Grothaus in Fast Company (March 2019)

How I'm locking down my cyber-life by Larry Sanger Jan. 2019

Why I'm done with Chrome by Matthew Green (Sept 2018). Paraphrasing: I've loved Chrome in the past, but, due to Chrome's new user-unfriendly forced login policy, I won't be using it going forward.

Bye, Chrome: Why I'm switching to Firefox and you should too by Katharine Schwab (May 2018). Quoting: "I can't even remember why I decided to use Chrome in the first place. The browser has become such a default for American internet users that I never even questioned it."

Then too, there is the issue of certificate revocation. It is a poorly designed system and does not work very well. But all browsers support it - except Chrome. Chrome does its own thing in this regard and their system only works with a very small number of websites. In contrast, Cloudflare is working to improve this with OCSP Stapling.

Created: September 18, 2022. Last updated: January 25, 2025.
Website by Michael Horowitz (@defensivecomput). Copyright 2019 - 2025