Hey guys! In my last post, I talked about how I switched to Mullvad Browser for more anonymity for daily casual browsing. At first, I thought Mullvad Browser is very unconfigurable as I often heard that installing extensions and changing settings could make me more unique and stand out against the crowd, which make me more fingurprintable. After doing more digging, customizing, and testing however, I believe there are a lot of customization possible that will greatly improve the user experience without sacrificing much or any anonymity at all!
Since I’m relatively new and I don’t know the tech detail, I might not get everything right. Please correct me if you found something wrong! So after researching, I found these things:
- Mullvad change my browser fingerprint at every refresh
- For firefox-based browsers, the website cannot directly determine what extension you had installed. It can infer the precense of certain extension by observing the changes it done to the website.
- If an extension change the DOM (Document Object Model) (it’s like the content) of a website, such as by adding, removing, or modifying an element of the webpage, it can be detected.
- Your uBlock Origin blocklists can be detected by website. (Try browserleak)
- If you’re using VPN + Mullvad Browser, the only 3 technique left for website to identify you is browser fingerprinting, storing a unique ID in your browser (through cookies, cache, IndexDB, local storage, service worker, etc, whatever it can use), and fingerprinting based on your network response (explain later).
Since Mullvad already protected your browser fingerprint, this means that as long as you’re not doing any of the following, your anonymity is protected:
- Installing extension that add, remove, or modify elements of the webpage, how they look, and how they’re rendered. Such as:
- Tampermonkey
- Stylish
- Night Mode (i.e. Night Reader) (Yes I tested a bunch of these, even the one that claim to only add a single gray layer on top of your screen and do nothing else. They all changed the DOM)
- Installing extensions that impact network response time. They can time the delay can tell if you’re using certain extension, such as uBlock, Decentraleyes (don’t use this, it is no longer needed now).
- Modifying uBlock or installing other extensions that changes what elements get block on your screen. This can be detected and fingerprint you, but I found no evident that this is used to track you.
- Doing something that make various form of tracking cookies (don’t forget cache can be used to track you too!!) persistent.
As long as you don’t do any of the above (use your konwledge, this list is not comprehensive but is mostly it), you can change pretty much anything without worrying that it’ll reduce your anonymity. You can also make your own trade-off. For example, I personally enabled the cookies banner and annoyance filter list in uBlock. Yes, it can make me more stand out, but there is no evidence that this is being used to track me. YouTube still doesn’t recommend me videos. They can’t be confident this is me because I still blend in well, and I’m not unique enough to be identified. However, I would not suggest adding lists from somewhere else that are not listed in the uBlock, as this will likely make you much much more unique than others.
It doesn’t harm your anonymity if you use Bitwarden (and other functional extension). Just make sure you don’t enable the setting that shows an icon in the username and password bar (similarly settings in other extensions that alter the website), which I think would modify the DOM. I also found an extension called Immersive Translate. While proprietary, it seems private enough for me and it does give me the full page translation feature, which I really need. Just make sure to disable the translation buttons on the webpage and only use the keyboard shortcut. While it still inject an in-line CSS on every website for its buttons (even if you disable those buttons), it does not change the DOM per my test.
If you want even more anonymity like I do, you can take this route:
- Install Temporary Containers extension, and configure it to make a new container on domain change.
- Install Cookies AutoDelete to ensure your default container (which is no container) stays clean. Make sure you enable all cleaning options (basically just check every single box under the first 2 headers) (remember to enable automatic cleaning and disable notification so you don’t get bombarded)
Additional Tweaks for Convenience:
- [Optional] Disable the use of incognito mode if you want to keep certain cookies or certain extension doesn’t function properly under incognito.
- [Optional] Install Firefox Multi-Account Containers if you need to keep certain sites log-in or kept the preference for those sites.
It will be helpful if someone who know more tech than I do can verify what I said here. I hope this also help out those who want to give Mullvad a shot but afraid it is not configurable or would give bad user experience. If you haven’t consider Mullvad before, I also hope this can persuade you to consider giving it a try as it really improve your anonymity and separate your identified real life from your online life which should be anonymous.