Edit: I may have given too much weight to the Arkenfox dev’s assessment. Upon more research and consideration, I think Librewolf could still be a better option compared to straight Firefox, though hopefully the Librewolf team receive more help/contributors in the future to ensure its success long term.
I’ve been a user of Librewolf for about a year now, and it’s always served me pretty well as a nice easy way to get a hardened Arkenfox Firefox.
However, recently I was curious why Librewolf wasn’t recommended on PrivacyGuides, and took a look through their reasoning on their forum. That thread spans multiple years, and for the most part I thought their reasons for not including it were a bit unfair, especially after Librewolf started offering automatic updates.
But towards the end of that thread in October, a Privacy Guides team member posted a link to the Arkenfox github issue tracker, where a Librewolf team member reveals how the project appeared to have lost steam after a critical member left, and they are struggling to keep it up to date with the latest Arkenfox updates, despite putting out new releases.
I’m not sure if those problems have been resolved since that time. One of the maintainers did mention they’re still short staffed in this topic on taking over maintaining Mull.
After considering the arguments for and against in the PrivacyGuides thread, I think their conclusion for not recommending does have some merit. Using Librewolf adds an additional layer of trust, not only to not be malicious (which I don’t suspect they are) but to also be able to adequately fulfill what they set out to do reliably.
Another big part of them not recommending it was the existence of the Mullvad Browser, which I didn’t realize was in fact a very well hardened version of Firefox (essentially the Tor browser without the Tor part), and is far more effective for private browsing compared to Librewolf or an Arkenfox’d firefox.
Ultimately you’ll have to come to your own conclusion, but personally I’ll be switching back to Firefox as my convenient daily browser full of addons, alongside the mullvad browser for (more) private browsing.
I will not trust a site that recommends Brave as a secure browser. I’m no security expert, but for a long time Brave proved they’re shady and I can’t trust them. Also, for mobile browsers I can’t see any recommendation of a firefox-based one, which is a shame.
I agree on Brave, and I also avoid it so as not to solidify the chromium browser dominance any further.
However, from all I have read, Firefox Mobile based browsers truly are less secure from a technological standpoint. I think for most people, Firefox Mobile is secure enough for it not to be enough of a deciding factor to use a chromium browser, but objectively it is worse. Mull was making the best of that despite the downsides, so hopefully the IronFox fork succeeds on mobile.
And despite their recommending Brave, I think the arguments against LibreWolf do have some merit.
They used to recommend Mull (firefox-based) before it died.
Mull is now Ironfox
It looks like Ironfox doesn’t use Firefox sync?
Correction. It does.
Not exactly. Ironfox is a fork, not a direct continuation of Mull. I’m holding off on using it because I want to verify that the new fork can keep timely security updates. Ironfox is a big unknown.
Yeah, in hindsight it was a big unknown too
Sadly Firefox has no tab sandboxing on mobile so yeah, it is less secure.
And while I agree the Brave company is shady, the browser has good security features.
There’s Vanadium and Cromite which have ad-blocking and strong security and none of the problems Brave has barring Chromium monopoly
Unfortunately the GrapheneOS team do not provide apks for the vanadium browser. Have fun compiling it yourself.
I doubt cromite’s devs’ knowledge in privacy as they still use Adblock Plus (which has some privacy issues) instead of uBlock Origin.
Brave is even shadier with their past URL injection “accident” and overall crypto involvement.
I believe Brave is better from a fingerprinting perspective, if only due to it being easier to blend in with compared to Cromite, though Cromite has far better security AFAIK.
I’m not sure how Brave is significantly better for fingerprinting than Cromite other than being more popular, which it still isn’t popular anyways and both of them can be bypassed with more advanced scripts. Vanadium is the most secure, being part of the GrapheneOS project, but all of the Chromium-based Android browsers have better security than FF-based currently, although I just saw somewhere that IronFox is enabling process isolation which is currently experimental.
Brave does farbling: https://github.com/brave/brave-browser/issues/11770
JShelter is a nice extension that tries to implement the same things in other browsers, it’s a bit limited by the fact that it’s an extension.
Exactly. Their line of reasoning can sometimes be unreasonable.
Oh thx, I haven’t trusted Brave for years and was confused about all these privacy recommendations.
I use Fennec on Android.
Let me stop you at “I’m no security expert”.
In general Fwy does not agree with the Privacy Guides assessment; and feels that the concerns about the project are simply not credible without stronger evidence of excessively slowed or missed updates.
Project devs do have lives and I’m not personally going to punish that; so long as the software remains reasonably maintained and free of bugs while still considering the project’s number of devs.
Is it better than Mullvad Browser? Probably not in the strictest sense; but I’m also not happy with “Mullvad Browser” either; as this browser makes more choices that break functionality than Librewolf does in the pursuit of privacy.
Additionally; I cannot trust that “Mullvad Browser” will not enshittify; it is maintained by a company who is REQUIRED to some extent to make profits. That breeds enshittification. Mullvad would be one bad CEO or core executive team shift away from potentially being targeted as a profit vehicle and its privacy benefits weakened or removed entirely so the company can make money.
In general I trust Librewolf on a pretty regular basis to protect my privacy when my Addon-driven version of manually hardened Firefox breaks up a website’s functionality too badly. It provides essential privacy protections without breaking too many things and serves as a good baseline browser.
As a rule; I keep several different browsers installed to mitigate lack of website function and isolate away any websites that would be more invasive in what privacy protections must be disabled to use properly. “Setting-Hardened and Privacy-Addon-driven Firefox” is what I use day to day, but “a semi-Amnesic* Librewolf (Incognito windows if untrusted website)” is second and is used daily in trusted website scenarios or in case a website is breaking too badly from plugin interactions. Finally; a fairly vanilla and infrequently used copy of Ungoogled Chromium is kept on hand for situations where Chromium is just required; where I can spin up empty profiles easily for anything I don’t trust and configure it to just flush everything on exit.
Do you mean Mullvad Browser? Mull is discontinued by the sole developer, and it wasn’t run by a company.
Ah; yeah. Mullvad Browser is what I mean clearly; as I mentioned it’s maintained by a company, which while they are currently trusted by most people; are always a few management changes away from becoming corrupt and abusing customer trust.
That’s a well reasoned take, honestly.
As I investigate other options to LW, all of which also require a certain level of trust and/or diligence, ultimately I’m finding LW seems difficult to replace, as it does walk that line between ‘good enough’ security/privacy and convenience. The Phoenix project seems promising, but so far is only convenient on a few distros, leaving Windows users with LW, or perhaps Zen.
After the drama around the privacy guides website(s) and the people who maintain them fighting for control, I cannot trust them.
People who seek to control something because it gives them power over a narrative should not be trusted.
To clarify, the only relevancy PrivacyGuides has here is that their forum is where I found the link to the Arkenfox github issue, and how their arguments against Librewolf appeared to have been potentially validated by said github issue.
The main concern is that github issue, where one of the main developers of Arkenfox, from which Librefox is derived, claims:
LW since fxbrit left/died/who-knows has gone to shit - I worked with him behind the scenes to make the right choices and while he would do his own analysis, we always agreed, and his voice influenced them. Now they don’t know what they are doing, and in fact have compromised security and make really stupid decisions. Same goes for all the other forks - really dubious shit going
And directly after which a Librewolf team member then voices agreement that Librewolf’s quality control has degraded since the departure of fxbrit.
Now it could be that the Arkenfox dev is exaggerating, and tbh he comes off as a bit of a prick later in that github issue, but overall, I’d say it merits at least some concern (though perhaps less than I originally thought)
It sounds like what he was really doing was managing the relationship with upstream, and from the tone that the Arkenfox developer takes, it sounds like it was a relationship that needed managing.
On default settings, Firefox’s news feed is suspiciously similar to the stuff I browse, so I don’t trust it at all for privacy without Arkenfox. I like how LibreWolf strips all of that out by default but still lets me loosen the settings so I can install add-ons and keep data I want stored, which I’m not sure that Mullvad browser does. If it’s getting behind on updates though, that would be disappointing, although right now the LW Flatpak is on a newer version of FF than Fedora FF. Mullvad browser is better for anonymity though.
Unfortunately, adding any addons to the Mullvad browser would defeat the purpose of using it somewhat, since it would defeat the anti-fingerprinting methods.
The Librewolf team member said they’re falling behind on keeping the arkenfox tweaks up to date even as they put out new releases. Perhaps they are able to keep up with Firefox security updates despite that, which I suppose would still make them a better option than vanilla Firefox, but it does give reason to keep a closer eye on them.
For me the main use case for LibreWolf isn’t so much being anonymous as it is wanting a browser that doesn’t have ads and data mining stuff going on and has some additional privacy protections but that also doesn’t get in the way too much in terms of usability. Zen Browser might be a better fit for this use case now since it improves the UI while claiming to not have telemetry, but I haven’t tried it yet. I’m not really concerned about fingerprinting since most sites I use already know who I am since I’m logged into them. If I wanted to be really private though I’d use Tor or Mullvad, but not as a daily driver since I value UX more as long as it’s not invasive.
Another user here mentioned the Phoenix project, which may be a good solution for us, as I share the same goals.
I haven’t looked into Zen, I’ll do a dive on that now.
What “scares” me about Librewolf on Kubuntu is the permissions. When there’s an update for the browser it says: Permission: Full access to the system iirc… Did anyone note that too? Sorry, can’t post the screenshot. Seems to appear in the Discover app.
Is that the snap version? Or Flatpak? Depending on which one it is, there are a lot of ways to limit the access to maybe only the download folder.
It was from the main Debian repo from the Librewolf site. Now I’ve switched to flatpak+flatseal…
firejail or flatpak+flatseal
and they are struggling to keep it up to date with the latest Arkenfox updates, despite putting out new releases.
Keyword is Arkenfox user.js. Which is not Firefox updates.
If the LibreWolf maintainers are overwhelmed at the frequency of commits of a project that tweaks Firefox preferences (which amounts to “sesame street numbers” according to Arkenfox developers) because they are short on time and resources, so what?
I’m coming around to this conclusion, and updated the post to reflect that. For something as important as a browser, it’s a little concerning the Librewolf dev team is so short staffed, but they do seem to be holding their own. I hope they’re able to stick around long term.
I do like that you signal-boosted Mullvad Browser. I think it’s a great option. And I hope somebody sees this post and gives the team a hand.
Projects like LibreWolf and Mullvad Browser are important because user settings being roughly the same across a userbase helps you to blend in. Even extensions you install can be used to fingerprint you.
@ProdigalFrog I recently started learning about the potential issues with using forks. So while I still use and love Librewolf, I have my eye on Phoenix as a possible future browser to move to instead…
Cheers for mentioning that, I hadn’t heard of Phoenix, but looks like an excellent alternative.
I just learned the dev of Phoenix forked Mull! It’s called IronFox (https://gitlab.com/ironfox-oss/IronFox) and has a F-Droid repo. I’m pumped on this, thanks a bunch for highlighting all this and to the original commenter for providing the link to Phoenix!
I just looked into using Phoenix but after reading some valid criticisms of the project, along with the pain of setting it up and keeping it updated, it didn’t feel worth it for me.
And to be clear, Phoenix is not a browser, it is a Firefox config.
I just installed it without difficulty and it apparently auto updates after that but I am interested in the other criticisms. Where did you read them?
Here is the reddit post I found that was most critical of it.
What this means to me is that when these settings break a site, it’s difficult to tweak the settings to get those sites to work with individualized settings. Personally, this is much easier for me to do with browser extensions that provide some of Phoenix’s hardening features.
Fair enough, but so far that hasn’t bothered me. I’ve used librewolf for a year which seems to have most of the same hardening and it doesn’t break the particular sites I use.
So far, the only site that didn’t work was bsky and the solution was a simple permission.
Librewolf is great, I am glad it’s working for you!
According to their instructions, it would seem it’s trivial to install and receive updates on the supported linux distros:
By default, Phoenix is installed & updated via your operating system’s package manager. This allows for fast, easy updates & fixes as needed, right with the rest of your system!
Windows isn’t supported though, so it would be a far more manual process there.
Phoenix is not a browser, is it? AFAIK it’s a similar user.js to Arkenfox… They claim to be better, and have their own comparison, but I don’t know:
https://codeberg.org/celenity/Phoenix/wiki/Comparison
Arkenfox has been like the default user.js for privacy… Perhaps phoenix already is better…
How do you feel about DuckDuckGo and how does it compare to these?
I’ve yet to see a serious review of Duckduckgo browser, the only thing I saw was that because of its agreement with Microsoft for their search engine the browser, for a time, had rules to avoid blocking Microsoft tracking.
Clearly it’s not that great then.
Ex-DDG Browser user here. Personally, it’s not very good. I really only used it whenever a site, usually the pesky ones by the government, broke in Librewolf (my main browser).
It’s better than Chrome, of course. Out of the box, DDG blocks trackers and ads to a certain extent as it has an extension of the same name embedded into the browser. However, it has no extension support (cannot install extensions from the Chrome Web Store), making it subpar when it comes to content blocking (no uBlock origin) and customization (no DarkReader), among others.
Really, you’re better off using Firefox with uBlock origin set at medium mode.
I feel that the only use case for DDG browser is for non-technical people like me to have a more private browsing experience without much tinkering. Yet, it takes very little reading and experimentation to understand how uBlock origin’s medium mode works and how it is waaaaay better at ad blocking and in preventing/minimizing cross-site tracking.
I haven’t given it any research since it’s chromium based.