Browsers and privacy

Web browsers are the most commonly used tool nowadays. Therefore, they are the most popular target for all kinds of bad actors: malware authors, attackers and others.

Further, there is also a huge interest from companies to get data from users. They want to get all kinds of data. And since web browsers are the most common tools, the most obvious way is to cooperate with browser manufacturers to get data.

So far, these are facts known to most privacy-concerned people. But since no one can avoid using a browser, most are willing to make a compromise. But which browser leaks the least data?

Method

The premise was that the browser is free software (open source). Although some proprietary browsers do a good job from a purely technical perspective, most security and privacy experts agree that using free and open source software is essential for secure and privacy-aware networking.

The testing was done on Debian 10 on amd64 with some packages from MX Linux.

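The following browsers were tested: Firefox 70.0.1, Firefox ESR 68.2.0, Chromium 78.0.3904.97, Brave 1.0.0, Epiphany / GNOME Web 3.32.1.2 and Midori 7.0.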

The method itself was relatively simple. I created a new user with an empty home directory, so there was no cache and there were no plugins. Every browser was started without any pre-configuration or cache.

At the same time, tcpdump was running. I disabled IPv6 for simplicity. I made sure no other network-capable program was active and made tcpdump listen on the outgoing network interface.

I started the browser, kept it open for about 10 seconds without any interaction or usage and then closed it. After that I filtered out the HTTP and HTTPS traffic from the results.
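One way to do the filtering and counting step, as an added example that is not the author's own script: it parses tcpdump's text output, keeps only outgoing HTTP/HTTPS destinations and DNS A queries, and de-duplicates them. The sample capture, the host names `testbox`, `resolver.example`, `cdn.example.net` and `time.example.org`, and the function name `summarize` are constructed for illustration.

```python
import re

# Constructed sample of tcpdump text output with names resolved (no -n),
# using the same "host.service" form as the lists on this page.
SAMPLE = """\
10:00:01.000100 IP testbox.51234 > resolver.example.domain: 4242+ A? detectportal.firefox.com. (42)
10:00:01.000200 IP testbox.51235 > resolver.example.domain: 4243+ AAAA? detectportal.firefox.com. (42)
10:00:01.010000 IP resolver.example.domain > testbox.51234: 4242 1/0/0 A 192.0.2.10 (58)
10:00:01.020000 IP testbox.40112 > 192.0.2.10.http: Flags [S], seq 1, win 64240, length 0
10:00:01.030000 IP 192.0.2.10.http > testbox.40112: Flags [S.], seq 9, ack 2, win 65535, length 0
10:00:01.040000 IP testbox.40112 > 192.0.2.10.http: Flags [.], ack 10, win 502, length 0
10:00:02.000000 IP testbox.51236 > resolver.example.domain: 4244+ A? incoming.telemetry.mozilla.org. (48)
10:00:02.100000 IP testbox.40200 > cdn.example.net.https: Flags [S], seq 5, win 64240, length 0
10:00:03.000000 IP testbox.123 > time.example.org.ntp: NTPv4, Client, length 48
"""

# "<time> IP <src> > <dst>: <rest of line>"
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
# Matches "A? name." but not "AAAA? name." (no word boundary inside AAAA).
A_QUERY = re.compile(r"\bA\? (\S+)")

WEB_PORTS = {"http", "https", "80", "443"}
DNS_PORTS = {"domain", "53"}


def summarize(capture_text):
    """Return (distinct web destinations, distinct DNS A query names)."""
    hosts, names = set(), set()
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an IPv4 packet line
        dst, rest = m.group(2), m.group(3)
        port = dst.rpartition(".")[2]  # tcpdump appends the port as ".service"
        if port in WEB_PORTS:
            hosts.add(dst)  # replies have the browser as dst, so they are skipped
        elif port in DNS_PORTS:
            q = A_QUERY.search(rest)
            if q:
                names.add(q.group(1))
    return sorted(hosts), sorted(names)


if __name__ == "__main__":
    hosts, names = summarize(SAMPLE)
    print(len(hosts), "web hosts:", *hosts)
    print(len(names), "DNS A names:", *names)
```

Only the destination side of each packet is inspected, so server replies, repeated packets of the same connection and unrelated traffic such as NTP do not inflate the counts.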

Results

Firefox

Firefox is a free web browser developed by the Mozilla Foundation. Mozilla provides two branches. The official branch gets updated every 6 weeks (every 4 weeks in the future), following a “rapid development cycle”. After this amount of time, the browser must be updated to the next version in order to receive security updates. Only the current version is supported.

For organizations and people who don't want to get the newest features every few weeks, there is a so-called ESR branch, in which a given version is maintained for roughly one year. During this time the browser gets security updates. Besides that, it remains unchanged.

The Debian GNU/Linux distribution provides a package for Firefox ESR only. The distribution MX Linux provides a package for current Firefox, which is not built from source, but is in essence a re-packaged version of the binaries provided by Mozilla.

Firefox 70.0.1

Firefox 70.0.1 contacted 17 different hosts in total:

104.16.142.228.https
36.75.98.34.bc.googleusercontent.com.https
93.184.220.29.http
a2-16-106-152.deploy.static.akamaitechnologies.com.http
ec2-34-223-159-30.us-west-2.compute.amazonaws.com.https
ec2-35-166-89-106.us-west-2.compute.amazonaws.com.https
ec2-50-112-59-215.us-west-2.compute.amazonaws.com.https
ec2-52-33-55-70.us-west-2.compute.amazonaws.com.https
ec2-52-35-182-58.us-west-2.compute.amazonaws.com.https
ec2-54-191-170-25.us-west-2.compute.amazonaws.com.https
ec2-54-72-168-141.eu-west-1.compute.amazonaws.com.https
mozilla-org.public.mdc1.mozilla.com.https
server-13-224-196-33.fra2.r.cloudfront.net.https
server-143-204-101-114.fra50.r.cloudfront.net.https
server-143-204-101-115.fra50.r.cloudfront.net.https
server-143-204-101-38.fra50.r.cloudfront.net.https
server-143-204-101-56.fra50.r.cloudfront.net.https

Additionally, DNS queries for the A records of the following 22 domains were made:

accounts.firefox.com.
classify-client.services.mozilla.com.
content-signature-2.cdn.mozilla.net.
detectportal.firefox.com.
firefox.settings.services.mozilla.com.
incoming.telemetry.mozilla.org.
location.services.mozilla.com.
mozilla.org.
normandy.cdn.mozilla.net.
ocsp.digicert.com.
push.services.mozilla.com.
search.services.mozilla.com.
shavar.services.mozilla.com.
snippets.cdn.mozilla.net.
tiles.services.mozilla.com.
tracking-protection.cdn.mozilla.net.
www.ebay.de.
www.facebook.com.
www.mozilla.org.
www.reddit.com.
www.wikipedia.org.
www.youtube.com.

Firefox ESR 68.2.0

Firefox ESR 68.2.0 contacted 13 different hosts in total:

 104.16.142.228.https
 93.184.220.29.http
 a2-16-106-209.deploy.static.akamaitechnologies.com.http
 a92-122-254-195.deploy.static.akamaitechnologies.com.https
 ec2-34-223-159-30.us-west-2.compute.amazonaws.com.https
 ec2-34-253-23-107.eu-west-1.compute.amazonaws.com.https
 ec2-35-167-176-126.us-west-2.compute.amazonaws.com.https
 ec2-52-89-218-39.us-west-2.compute.amazonaws.com.https
 mozilla-org.public.mdc1.mozilla.com.https
 server-13-224-196-11.fra2.r.cloudfront.net.https
 server-13-225-78-51.fra2.r.cloudfront.net.https
 server-143-204-101-24.fra50.r.cloudfront.net.https
 server-143-204-101-60.fra50.r.cloudfront.net.https

Additionally, DNS queries for the A records of the following 23 domains were made:

accounts.firefox.com.
content-signature-2.cdn.mozilla.net.
detectportal.firefox.com.
firefox.settings.services.mozilla.com.
getpocket.cdn.mozilla.net.
getpocket.com.
img-getpocket.cdn.mozilla.net.
location.services.mozilla.com.
mozilla.org.
ocsp.digicert.com.
search.services.mozilla.com.
shavar.services.mozilla.com.
snippets.cdn.mozilla.net.
tirol.orf.at.
tracking-protection.cdn.mozilla.net.
www.ebay.de.
www.facebook.com.
www.mozilla.org.
www.reddit.com.
www.welt.de.
www.wikipedia.org.
www.youtube.com.
www.zeit.de.

Chromium 78.0.3904.97

Chromium is a free web browser developed by Google. While Chromium is open source, many browsers which are based on it are not. The most popular is Chrome, also developed by Google. Further, future versions of Microsoft Edge, the default web browser in Windows 10, will be based on Chromium.

Chromium contacted 6 different hosts in total:

 172.217.130.9.https
 fra15s24-in-f238.1e100.net.https
 fra15s46-in-f3.1e100.net.https
 fra16s12-in-f13.1e100.net.https
 fra16s13-in-f227.1e100.net.https
 fra16s20-in-f4.1e100.net.https

Additionally, DNS queries for the A records of the following 9 domains were made:

accounts.google.com.
fonts.gstatic.com.
hsdmpfy.
huuqjdqtnjj.
r4---sn-h0jeened.gvt1.com.
redirector.gvt1.com.
vypmecteapc.
www.google.com.
www.gstatic.com.

Brave 1.0.0

Brave is a free web browser based on Chromium, developed by Brave Software. Brave includes an ad and tracker blocker. Brave advertises itself as a browser for privacy-minded people.

Brave contacted 3 different hosts in total:

104.28.23.242.https
151.101.113.7.https
151.101.114.217.https

Additionally, DNS queries for the A records of the following 11 domains were made:

aqkslhfmwv.
brave-core-ext.s3.brave.com.
componentupdater.brave.com.
crlsets.brave.com.
go-updater.brave.com.
laptop-updates.brave.com.
mkidosnkaqqulg.
no-thanks.invalid.
static1.brave.com.
static.brave.com.
vgjrddw.

Epiphany / GNOME Web 3.32.1.2

GNOME Web is a free web browser based on WebkitGTK. Webkit is a browser engine developed by Apple and primarily used in Apple's proprietary Safari web browser. WebkitGTK is the GTK port of Webkit.

GNOME Web is the default web browser for the GNOME desktop environment and was formerly known as Epiphany. The package name and the name of the binary on Debian are still “epiphany”.

Epiphany contacted 2 different hosts in total:

104.31.91.96.https
fra16s08-in-f202.1e100.net.https

Additionally, DNS queries for the A records of the following 2 domains were made:

easylist.to.
safebrowsing.googleapis.com.

Midori 7.0

Midori is a free web browser based on WebkitGTK, like Epiphany. Midori is part of the “Goodies” component of the XFCE desktop environment. It is meant as a lightweight web browser with only basic features.

During the test, Midori contacted no hosts and made no DNS queries.

Summary

Browser     http(s) Req.   DNS A queries
FF          17             22
FF ESR      13             23
Chromium    6              9
Brave       3              11
Epiphany    2              2
Midori      0              0

Conclusion

From the results it can be said that Midori should be the first choice for people who are concerned about built-in data leakage to companies. Since Midori uses WebkitGTK, it also receives security updates in a reasonable time frame. (The WebkitGTK project claims that it sometimes integrates security fixes even before Apple.)

However, since built-in data leakage is only part of privacy and security, one must also take other aspects into account. Midori has basic support for ad blocking, but to my knowledge no way to block trackers.

Chromium is closely connected to Google and exists primarily for reasons of money making. Therefore one cannot expect too much support from Google in regards to blocking ads and trackers.

At first sight, Brave seems to be a good choice for a privacy-conscious browser. However, since Brave Software wants to establish an ad network of its own and is dependent on what Google releases as open source, it is possibly best to remain skeptical.

The Firefox browsers performed worst regarding data leakage. However, Firefox is also a browser where you can configure almost every aspect. From simple settings and privacy add-ons to complex configuration via user.js, almost everything is possible. But make no mistake: it is a lot of work to make Firefox silent and really privacy-aware. The ghacks-user.js site is a good start if you want to get into it.