New browser setup, would like to hear your opinions

Advice for Pale Moon browser

What do you want advice about?
Hi all, I hope you are having a good day. I recently browser-hopped, and am currently using a new browser setup. I would like to hear your opinions on its effectiveness and any suggestions to improve its privacy.

If brief, tell us about your privacy threat model?
In the SPA quiz, my result is around above and beyond (~250-275 score). I believe my threat model is relatively high, and I am willing to go to great lengths to improve my privacy. What I generally wish to avoid is government surveillance and big-tech companies (ok not necessarily big tech, but tech companies in general).

What have you considered or looked at already?
This is my current browser setup:
  • Pale Moon browser
    • Extensions, all free (libre) software:
      • eMatrix (Fork of uMatrix, and currently maintained)
      • URL Rewriter (Fork of Redirector, redirects me to privacy-friendly alternatives such as WikiLess instead of Wikipedia and Teddit instead of Reddit)
      • Decentraleyes (Helps me deal with those pesky CDNs)
      • HTTPS Always (Port of HTTPS Everywhere for Pale Moon)
      • Secret Agent (Helps me spoof user agents!! and a bunch of other fingerprinting properties that don't require JavaScript) so browser fingerprint is randomized on every reload of a page
    • Other settings:
      • JavaScript is disabled by default, only trusted sites that absolutely require it such as this site are allowed to run it. Otherwise, those sites are accessed on LibreWolf
      • Browser telemetry is disabled using the about:config
      • Geolocation services have been disabled in the about:config
  • /etc/hosts file (I run a Unix-like OS)
    • TikTok & its tracking pixels blocked
    • Facebook/Meta & its tracking pixels blocked
    • A bunch of other stuff I forgot the file is too long lol
What do y'all think about this setup?

It sounds like your browser matches your high threat level! Without knowing too much I would be concerned about using a browser that is less used than even Firefox and Brave, but that comes with its pros and cons.

Also, I noticed from the website that it was forked from Firefox long ago. Do you happen to know when that was?

Otherwise, it seems like you’ve turned on lots of things on top of this browser so I think you’re probably getting the job done for privacy. With a high threat model like you have, it may be necessary. However, I’m not sure how to judge the security of the project.

Would like to hear what other folks have to say for sure. This browser is totally new to me!

Lastly, welcome to the forum!

Its first official release as a fork of Firefox was in 2009, its history can be found here on their official website. Since its [insert the appropriate word: forking, divergence, idk lol], the browser has changed a lot and I believe, now, that it is more of its own browser rather than "Firefox-based" or "Chromium-based". That said, it is based on the Goanna engine, which is a fork of Mozilla's Gecko engine.

Admittedly, despite having "Secure: Additional security features and security-aware development" printed on their homepage, this browser is not used enough such that many penetration testers try using it as a weak spot.

Thank you for the warm welcome!

I don’t have any recent experience with Pale Moon. Though, it used to have a bad reputation of poor security updates, and generally a worse experience than vanilla Firefox. I assume that’s changed?

Something to note: all those addons contribute to your fingerprint, making you more unique. You’re using an uncommon browser, with potential security flaws, and tons of addons. Also is HTTPS Always even needed? Most of the more common browsers have this built into the browser.

You mention that you disable JS, but do note that there are other methods of tracking. JS is just code, just like plenty others. Why not just use Librewolf, with a script blocker like uBlock Origin (or in your case eMatrix)? Have it set to disable all JS by default, and whitelist by site.

Drop Pale Moon browser for something from the modern era; like Brave or Firefox.

Stop using all these. You are currently very fingerprintable and since you said in your threat-model that you want privacy; you must stop using all these extensions. Use Brave/ Firefox in the default configuration.

For Govt. surveillance: Use Tor browser bundled with Tails/ Whonix/ Qubes.

Are the extensions also fingerprintable with JavaScript disabled? For this setup, I was thinking that fingerprint circumvention would be to randomize the fingerprint that is created without JavaScript (like CSS fingerprinting) using Secret Agent, and otherwise disable JavaScript and XHR entirely, instead of fitting in with many browsers like what Tor does. Do you think that works too?

Based on and my browser extensions could not be queried without JavaScript, but I’m not sure if that is the only way to do it. What do you think?

Thanks for your suggestions :smiley:

Use GNU Icecat along with all the extensions you currently have.

Yes, with CSS. Also the extensions pose a security and privacy risk. (Password manager in the browser is susceptible to Bus-sniffing attacks, extensions having read write access to DOM makes it possible to do anything really etc.)

Brave and Firefox do this with the strict settings enabled by returning default values to the CSS query params. Using Brave/Firefox would be a better deal.

99% of websites won’t work so what’s the point?

Wrong. Screen heights, cursor position X,Y offset etc. are queried using CSS only.

Use Brave/Firefox. Brave would probably be the best choice but I must warn you it has a lot of annoyances which have to be toggled off.

Thank you for your suggestions! :slight_smile: