Contact me for feedback or questions! I reply to everyone.
Let's start with the basics. What is the point of a web browser? Originally, it was to be able to read HTML documents, but since then, the Web has changed massively, and modern browsers need to satisfy more demands. The basic terminal browser - links, w3m, Lynx, elinks - can still be used today to display websites only in text. Actually, elinks supports features that are somehow missing in "modern" web browsers (such as editing cookies, custom stylesheets or keybinding), but in the end, they can all be got back through addons. Maximum of 256 colors, no images, little or no Javascript support, limited CSS support, no loading of non-HTML content such as videos (but can load externally), and no addons make these unsuitable for modern day browsing.
I could mention many other browsers here. Surf is a graphical web browser that has image and Javascript support, but no tabs or an actual user interface. Midori has everything you'd expect from a modern web browser and even includes in-built functionality to replace some of the common addons, but it's not enough. Otter Browser is a promising project with a very nice UI, but has no addon support (so far, though it's planned). Qutebrowser is a keyboard controlled browser that recently added per-domain settings, but they are inferior to uMatrix. Many of its features can be replaced by, again, addons.
One advantage of these niche browsers is that they don't spy on you, but what I've learned from trying probably all of them is that, in the end, addons are essential - especially uMatrix is irreplaceable. So, for a day-to-day browser, you have only two options: Firefox based and Chrome based. Since they all support the same addons (with slight exception in Pale Moon), we will have to use some other criteria to judge these browsers. These consist of usability, privacy, customizability, philosophy, respect for the user, looks, and speed. Let's analyze them one by one:
There is a long history of anti-user decisions with this one - it's so big I've written a massive article about it and other Mozilla's sins. Briefly, they
include removing configuration options, having anti-privacy default search engines, lying about being privacy-based, removing
addon compatibility, disrespecting contributors, shoving you targeted advertisements, enforcing usage of certain other software, and many, many others (read the article!). Add to that the slow
speed and shitty UI and you have a browser you're never going to want to use. August 2020 update: Mozilla has now clearly ceased caring about technology, but is instead fully focusing on social issues - From combatting a
lethal virus and battling systemic racism
. As if it wasn't already obvious earlier, they have now thrown out 250 people mostly working on technical stuff such as their
rendering engine or browser security. I suspect this is preparation for ceding control of the web browsing ecosystem to Google soon (as predicted in Mozilla - Devil
Incarnate, they were always controlled opposition). I doubt any Firefox based browsers will survive this apocalypse, to be honest.
Firefox fork from the Free Software Foundation. Older versions had some spyware in there, but 60.2 removed all of it as far as I can see. Some privacy addons are included by default (as well as the annoying LibreJS), but you should still use uMatrix - though newbies might like having some privacy built-in. Though it is made by more ethical people, this browser still suffers from many of Firefox' ills - like the shitty UI, slow speed, lack of configuration, deprecated addons etc. All in all, IceCat fixes many Firefox issues but leaves more of them in - and it can't be otherwise since they are fully dependent on Mozilla's decisions in the end. UPDATE: it's fucking August 2020, and the latest release of IceCat is still version 60.7 compared to Firefox 79. Packages for most distros are also not provided, so you'll have to compile. I recommend skipping this one especially in light of the recent happenings at Mozilla.
UPDATE January 2022: old review kinda sucked, I'm rewriting it. LibreWolf is to Firefox what Ungoogled-Chromium is to Chrome. At least, so it seems, but it does not take a strict stance against unsolicited requests like Ug-C does (which is also my view - zero unsolicited requests is optimal). It includes the uBlock Origin addon by default (instead of the much superior uMatrix), and automatically updates the lists for it - as well as making a request to Mozilla's servers for their Tracking Protection. Otherwise, LibreWolf is not doing anything special, just changing some settings (which can also be accomplished by the many user.js files floating around). Their issue tracker is on gitlab which is Cloudflared and doesn't work in Pale Moon; this does not affect the browser directly, but shows the developers don't respect the users or care about their privacy. Packages for some distros, Windows and macOS exist - as well as an AppImage if your distro isn't on the list. Overall, this is the way to go if you want Firefox without (most of) the privacy violations. But - since they've only got five devs on the team - LibreWolf will always be dependent on Mozilla and unable to reverse any of their major shitty decisions, so watch out. Let me reiterate, this is nothing more than Firefox with a few settings changed and uBlock Origin added on top.
Another browser pretending to care about your privacy (archive) - We’re obsessed with protecting your privacy.
That’s why we’ve made Waterfox Private Browsing more powerful than the others.
, when in fact Waterfox does nothing whatsoever to protect it and actually spies on you almost as much as Firefox (archive) (it made 109 unsolicited requests upon
my run of it). UPDATE April 2022: the amount of unsolicited requests made now is apparently 16, according to a tester. Still wouldn't use it over Pale Moon. The more powerful private browsing
mode is a sham as well - anyone caring about their privacy will not rely on this but install essential
privacy addons, so his deceptive claims are designed to lure in newbies only. This browser is completely dependent on Firefox, has its shitty UI and all the other flaws and does not even
bother to remove much of the spyware (Bing became the default search engine over Google, that's so great, right?). It's also run by a single developer (who is also a liar and hates privacy as proven above) so you don't know how long it will keep going. There are some
positives, however - Waterfox is the only browser out there to support both XUL and WebExtensions, as well as NPAPI plugins. Still, due to all the other issues, this browser
should be ignored. UPDATE FEBRUARY 2020: yet another reason to avoid Waterfox - it's been sold to an advertising company (archive), the same one that claimed
StartPage.
Auto-updating piece of trash. Enforces connections to the TOR network (which can also be done in any other browser), but will not even run if you have TorDNS enabled system-wide (Failed to bind one of the listener ports
). UPDATE: it was reported to me that this issue can be fixed by changing the default torrc ports away from what TB uses, but I did not confirm this myself. Default addons include NoScript, which is much inferior to uMatrix. Yet, the TOR Project discourages modifying the addon setup, even though the whole basis for this has been refuted by Moonchild. Yes, a properly configured Pale Moon is better against fingerprinting than TB. TOR Browser is still dependent on the evil Mozilla - which means that when a bug like this happens (yes, the one that disabled all addons) TB is also affected, and its security laid bare. Using TOR Browser does allow you to bypass Cloudflare browser checks, but this is likely because they work together to help Cloudflare spy on people wanting to be anonymous, making TOR Browser a honeypot. This is further supported by the fact that the TOR Project deleted a ticket criticizing Cloudflare - but left all other tickets alone, proving it was not because of a pedophile attack
, like they claimed. I see no reason to use this browser, really, when PM can be configured to use TOR all the same, with all the other advantages. TB also includes a few unsolicited connections (aside from the updates) that are hard to disable:
UPDATE May 2022: it was just reported to me that, even after mitigating the spyware in this browser, it just comes back after an update - so the mitigation has to be repeated. See the danger with indiscriminate (and especially automatic) updating now?
Firefox is absolutely terrible and its forks have not much to be proud of either, as we can see. Though some of them do remove (some or all of) the spyware problems, they either add their own
or have some other issues, like IceCat's incompatibility with Flash Player and lack of updates, or Waterfox' shady ownership. LibreWolf, the only project with actual potential, has been abandoned resurrected, but still only a few people are involved. The other, more important reason to avoid Firefox-based browsers is that they are all still dependent on the evil Mozilla. If they ever officially cede control to Google (as is already happening in all but name [archive]) - the whole Internet will be pretty much
taken over by an even more evil corpo. I have predicted this in the report above, but it was somewhat speculative at the time. Now, it's pretty much a certainty it will happen in a few years.
UPDATE August 2020: Mozilla is self-destructing (see above) so a Google owned web might soon become a reality. Knowing this, it is obvious Chrome forks can't be any better,
but let us check them out anyway:
A massive platform dedicated entirely to data collection (archive)...but at least it doesn't pretend to be something else, unlike Firefox. Shitty "modern" UI (like Firefox), lack of customizability (no in-built proxy settings, even? Proxychains doesn't work, either), little in-built features, slow, dependent on the evil Google company...Avoid like the plague. Oh, since this review is kinda short, let me say that Chrome also reveals your real IP with WebRTC by default, this needs to be mitigated with the addon WebRTC Control (this applies to every Chromium-based browser). Even if you like the Blink engine, there is no reason to use vanilla Chrome, when there are open source and de-spywared versions available.
Everything in this browser is the same as Chrome except less data collection and fully FOSS. Billing itself as A BROWSER SECURING YOUR PRIVACY. THAT’S IT
, it actually fulfills the claim aside from a few spyware issues still left in. Specifically, your private
Iridium Browser will make a connection to Big G every 30 minutes to download their Safe Browsing database - what a joke. The devs have reacted dismissingly (archive) to the issue, plus have sneakily added more recent spyware (archive) - so I don't think they're to be trusted. UPDATE June 2022: this browser is slow to update, and has packages only for a few distros (plus Windows and Mac). There's no AppImage or portable build, making installation a bigger problem. This was my browser of choice for a long time (until I found the one below), but it
doesn't do anything aside from disabling automatic connections - and not even all of them, at that. If you want a private Chrome based browser, this one is a much better choice:
Unlike Iridium, Ungoogled-Chromium actually disables all automatic connections and other Google integration. The dev is also a really nice and skilled guy (at least he doesn't have a problem with people reporting stuff - unlike Pale Moon, or worse - Mozilla). However, keep in mind the Chromium codebase is massive, and it's doubtful this single guy can keep up for long (then again, he does lift patches from other similar projects such as Bromite, and has a helpful userbase). He's doing better than the Iridium team, though - with his browser being much more up to date. In the end, Ungoogled-Chromium is still just a bunch of bandages applied to Chromium, and keeps Uncle G in control of the Web. There are not any real features added beyond the privacy fixes and a few CLI options (archive). Still, it is surely the best Chromium fork out there if a Google monopoly doesn't bother you. The packages are available only for a few distros (plus Windows and Mac), but fortunately, there's an AppImage as well as a portable build that work everywhere.
This browser has made waves thanks to its built-in privacy protections - such as AdBlock, HTTPS everywhere and script blocking - but in the end, they are outclassed by uMatrix. More than that
- after checking them out, I can confidently say the Shields are pretty useless - the vast majority of trackers are left alone; in fact, sometimes it seems that a site can
have hundreds of them, and yet none of them will be blocked by the Shields. Script blocking option simply blocks JavaScript fully - it's just NoScript revisited. Brave used to be able to
install Chrome extensions only from source, but now does it the same as the other Chrome based browsers. Despite those, it not only spies on you (archive) but is actively working against your
privacy by whitelisting Facebook and Twitter trackers. Brave has also been soliciting donations in the name of other people without their consent!
Here (archive) is a thread
discussing the issue. UPDATE August 2020: since I wrote this, more shady shit from these guys has surfaced. For example, not only do they have sponsored backgrounds (recall Mozilla's Directory Tiles?) in their New Tab page but they were also earning big money from the included affiliate links without telling you (this is illegal and they've locked the convo as expected)! More recently, they
were caught rewriting typed web addresses to add referrals for various partners. Brave Browser also has auto-updates (archive) that cannot be disabled which is extremely malicious (complete with a closed topic, of course - in a Mozilla-esque fashion). The only
real reason to use Brave is their so-called Brave Rewards
program with which you can earn their Basic Attention Tokens
in exchange for watching ads (displayed as system
notifications). Here's the catch: to pay out their BATshit tokens, you need an account on Uphold, whose Privacy Policy states this:
To verify your identity, we collect your name, address, phone, email, and other similar information. We may also require you to provide additional Personal Data for verification purposes, including your date of birth, taxpayer or government identification number, or a copy of your government-issued identification
Facebook tier surveillance. But wait, it's not over:
We may obtain information from affiliated and non-affiliated third parties, such as credit bureaus, identity verification services, and other screening services to verify that you are eligible to use our Services, and will associate that information with the information we collected from you.
They will also stalk you all over the Internet to try to find already existing information. There are still more violations coming, so sit back and watch:
Uphold uses Veriff to verify your identity by determining whether a selfie you take matches the photo in your government-issued identification. Veriff’s facial recognition technology collects information from your photos that may include biometric data, and when you provide your selfie, you will be asked to agree that Veriff may process biometric data and other data (including special categories of data) from the photos you submit and share it with Uphold. Automated processes may be used to make a verification decision.
As soon as I thought I've found the biggest privacy violator possible, the cold hammer of reality struck that stupid idea right out of my skull. Anyway - again - the only way to pay
out BATshit tokens is by using this service. Even then, you can only do it once a month and Brave still swipes 30% (archive) of it - You’ll earn 70% of the ad revenue that we receive from advertisers.
This is portrayed as a way of revolutionizing the Internet
ad industry - the middlemen and platform operators capture most of today’s ad revenue, while creating malware distribution and ad fraud opportunities. Brave Rewards upends this broken
system and provides a new way forward for creator support.
However, the real revolution will happen when the whole ad business model is dead and buried, or even better - when content
creators don't need to worry about "earning a living" because the capitalist monster has been slain or at least put on a leash. For now, you can just
support the sites you like directly with Bitcoin, anonymously and on your own terms. All you need is a wallet and a person you want to donate to (I have an address at the top of the page ^_^).
Anyway, at the beginning I was way too forgiving for Slave (certainly nothing Brave
about it) Browser - let it rot along with all the scams they're pulling.
This Brave fork was whipped out in literally a few days in response to the recent wave of censorship from Twitter, Facebook, Mozilla etc. Its claim to fame is being integrated with the Dissenter extension (banned from Firefox's and Chrome's extension stores (archive)) which allows you to comment on any article from any website, bypassing their censorship policies. Quite handy. To use it, however, you need to sign up for their social network, which requires ReCaptcha (devs have dismissed the issue (archive)). Then, to post a comment, you of course have to share the site you're on with Dissenter, which, if used extensively, could build quite a profile of your browsing history. Who's to say they won't run away with all that data then? Their privacy policy (archive), consisting of one fucking sentence says literally nothing about what they collect and share, so you might assume it's everything with whoever. As for the browser, it contains the usual Brave shit like Shields, whitelisted trackers and safebrowsing. In addition to those - whenever you open a new tab, Dissenter will connect to a bunch of news sites and youtube, as well as clearbit to download their icons; fortunately, this can be disabled. Their site is also cloudflared, which means all your history and comments will be shared with the evil tech giant (archive), MITMing from the shadows. All in all, this browser is just a fad riding on the current anti-censorship climate. In fact, I'd say it's very likely a honeypot designed to collect the browsing and comment history from as many people as possible and share them with the great centralizer (Cloudflare), to help eventually create an Internet that is fully controlled by the elites. The idea is nice (and I hope someone worthy repeats it) but the execution could not have been worse. Run the fuck away faster than you would from an angry, rabid dog! Speaking of dogs, the Spyware Watchdog has an in-depth review of some other issues with Dissenter.
Used to use a custom engine and was highly praised by the users, but after switching to Blink (Chrome engine) it dropped most of its features and left waves of dissatisfied users. A few years
later it was bought by a Chinese company which put the final nail in its coffin. Forget about its bullshit marketing talk such as Now with a built-in ad blocker, battery saver and free
VPN.
Opera heavily spies on you (archive), including on your whole browsing history. Integrated by
default with spyware platforms such as Facebook, WhatsApp (owned by FB), and Telegram (apparently insecure according to the cryptographers). The VPN is very likely a Chinese honeypot and
uMatrix outclasses all adblockers. Though it has some nice features like mouse gestures and automatic currency conversion, there's not much reason to use nuOpera over the other Chrome forks.
Avoid.
UPDATE: it's August 2020, and nothing has changed for Vivaldi. It's still the most featureful browser out of the box (mouse gestures, screenshots, web panels, notes...) and boasts massive amounts of customizability (in regards to tabs, bookmarks, keyboard shortcuts that no other browser can change by default). However, it also still includes a bunch of spyware such as Google SafeBrowsing and auto-updates. But their most egregious way of privacy violation is this:
When you install Vivaldi browser (“Vivaldi”), each installation profile is assigned a unique user ID that is stored on your computer. Vivaldi will send a message using HTTPS directly to our servers located in Iceland every 24 hours containing this ID, version, cpu architecture, screen resolution and time since last message.
The above cannot be disabled even if you're a programming ninja - because Vivaldi's source code is unavailable! Their New Tab page is filled with various partners' websites by default, including violators such as YouTube and Amazon - though you can fortunately remove those. The default search engine is the anti-privacy Bing. Tracking protection is included but it's off by default. It doesn't seem as if Vivaldi cares about privacy too much - it's also closed source. The only saving grace is the massive amount of features, which is of course significant - but most of those can be replaced with extensions on browsers that support them. There also comes a point where a piece of software is trying to do too much - and Vivaldi might have crossed that bridge already. But at least it's something different compared to all the browsers that are bare-bones.
The situation with Chrome forks is better than Firefox ones - there are more of them and they are more commonly updated. We've got more variety in terms of features, included addons, looks, philosophies, etc. But something seems to be missing. The ones with more features introduce their own problems such as custom spyware, false advertising, lack of ethics, even less speed, or crashes. The ones removing all the spyware don't introduce anything new. And they all still rely on the Blink engine (and thus Google). And since Google keeps including anti-user changes (archive), the forks will have to remove / modify those in the code, which some of the smaller teams might not be able to eventually keep up with. Is that it? Are we really stuck with desperately trying to patch up the big corpo abominations?
It used to be fucking good - and still has several advantages over FF / Chrome such as independent development, lack of some antifeatures, less vulnerabilities, XUL addons support, better UI, smaller codebase, and more customizability. However it recently went off the deep end so much that I cannot in good conscience call it an "alternative" to anything anymore. Let me give some examples:
economic damageto websites. But actually, it's the ads and trackers that are causing human damage (archive) and if extensions such as AdNauseam help kill the "economy" based on them, they should be praised instead of banned. Re-enabling AdNauseam requires fiddling with about:config.
deviating from official configuration- something the PM devs hate. They also hardcode compiler parameters, especially with libvpx to use specific opcodes instead of using whatever the user or operating system sets ${CFLAGS}/${CXXFLAGS} to, breaking portability with different CPUs and operating systems.
AAA games that have heavy assets,
VR and augmented realityand
Live video augmentationonto web browsers. Talk about scope creep! It pretty much turns your web browser into another operating system since it's literally assembly to which you can compile other languages and run all kinds of "apps". Of course, you can imagine all the new security vulnerabilities coming along with that. And just a year ago it was a not recommended technology (archive)...
obsessive packrat tendancies..and Moonchild followed with
hoarding addiction. Now contrast that attitude with the quotes on their main page -
Your browser, Your wayor
offering full customization. Doesn't this sound familiar?
a terrible Web Compat footgunthat the users shouldn't have access to. Of course, it's somehow fine to allow UA setting per site or request, despite it being terribly inefficient. Even then, a global custom UA actually helps web compatibility by sneaking past those UA-sniffing sites (which will not stop existing anytime soon). All of this is besides the point though - what matters is that the users should be able to shoot themselves in the foot if they so desire, and this recent change goes against that. For honesty's sake, let me say that Moonchild reverted the change - but only because of the huge backlash (archive) on the forums. The fact that this was an idea in his mind for even one second proves he doesn't give two shits about freedom, customizability, or user respect.
sinking shipsome time ago. I hate to be the bearer of bad news but it's clear it has actually sank now. The reason? You cannot install (archive) extensions from the Classic Addons Archive anymore - just because Sensei Moonkid decided so. Hope you got out in time!
And with that, it's obvious that Pale Moon is a sinking ship. A few months ago I've said that the browser is in the beginning stages of degradation
. Now, the stage
is clearly advanced, the cancer has metastasized and cannot be removed anymore. Pale Moon has become exactly what they've fought against for so long - Mozilla-lite. It's
still a good enough piece of software (and the only decent one for browsing the modern web) - but one I cannot recommend anymore due to violating the most important
principles (which for years have defined it). UPDATE February 2022: this used to contain a recommendation for Web Browser, a Pale Moon fork - but it's pretty much abandoned and the lone developer never went far enough with mitigations, anyway. Therefore I'm deleting the section but you can still check out the project here.
Since many people have asked me to review their favorite "minimal" browser, I will just cover them all in one fell swoop. By default, a browser will load all the content that it supports, including cookies, scripts, CSS files, frames and videos. The majority of modern websites rely on lots of third party stuff which is either useless to display the website, or can track you. Here is an uMatrix grid of Euractiv:
In an unmitigated browser, all the tracking scripts, CSS and images will be loaded - sending your data to Facebook, Google and others - and also slowing down the loading times. This is despite the fact that the site works perfectly well without any of that stuff. It does look ugly though, and enabling the bootstrap CSS file fixes it. And here we encounter the problem with all minimalist browsers - they cannot block stuff they load per domain. Either they load everything from a certain category (that is, if they even support it) or nothing. So, in such browsers, if you wanted to make Euractiv look as it is supposed to, you'd have to enable all CSS - including the tracking ones from Google.
Let's look at suckless surf. You can run it with options that tell it to disable images or scripts. Disabling images means you will see pure text, enabling them shows all the images including the 1px tracking ones from dedicated spy corpos. A site could have one image needed for understanding the content, and 10 tracking ones; or one script needed to run the site and 10 advertisement spreaders, crypto miners, etc. - and the minimalist browsers can't distinguish. The only tool that can do so, is uMatrix - and the only browsers that support that are the fat ones. With minimalist browsers, you have to choose between functionality and privacy / speed - uMatrix gives you both. And that is why minimalist browsers suck, my friends. The only time I'd recommend them would be if you only visit sites that make no third party requests. This used to be common in the early Internet, now it is almost unheard of.
Don't get me wrong, the minimal browsers do have advantages. They usually don't spy on you (no unsolicited requests), they are more configurable (having keybindings by default, for example), they lack some antifeatures, sometimes they have their own engines so don't depend on big corpos, etc. However, most of the evil of the web comes from the websites themselves. And the only tool that can handle that properly is uMatrix, which the minimal browsers don't support. And unfortunately, that one single disadvantage overcomes all other advantages these minimal browsers might have. This isn't going to change, either - sites are not suddenly going to become minimal - which would have to be the case for these minimalist browsers to be viable.
There is everything wrong with autoupdate, basically you are giving whoever controls the updates full control over your software and data, with autoupdates it is possible to:
- Insert backdoors, spyware and malware.
- Add unnecessary features.
- Remove features.
- Target a single user with shit like A/B testing, treating people like guinea pigs.
- Make unwanted changes, like the dreaded UI changes.
- Locking down content behind paywalls
- Whatever else malicious developers want to do with you.
Autoupdate has always been used for bad, its purpose was always to take control away from the user, updating should ALWAYS be a choice.
Source: Nanon - hope he doesn't mind me reposting this. And let me add modifying user settings to the list of auto-update issues - something which Firefox has done many times, for example.
Pale Moon is still the only decent way to browse the modern web that's actually relevant - but it's slowly rotting from the inside. Firefox is dying and will soon bring down all its forks alongside itself, surrendering the Web to Google whose abomination of a browser is just as worthless. Promising projects such as Otter Browser or suckless surf suffer from small dev teams, no / low addon support and don't have their own engines - so depend on Google / Apple, anyway. The only reasonable choice is Pale Moon. Or, just try wean yourself off the modern web by sticking to websites such as the ones on Neocities, wiby.me, etc. which are functional in NetSurf or terminal browsers. I hate to kill the positivity of yet another summary, but if reality forces me to - what can I do?