Browsers for Privacy, OPSEC, and OSINT
When doing an OSINT or OPSEC/Privacy investigation, not all browsers are created equal. Despite our best efforts at anonymity, they can have unfiltered access to what we are viewing. Depending on the browser, that data could be used for recommendations and sometimes ads. As with all software, there is always the possibility of vulnerabilities, including zero-days.
The purpose of this article is more than just “patch your browser and use a VPN.” Both concepts are important to the cause, but they are not infinite. In theory, both a Lamborghini and a Pinto can get you from point A to point B. The difference is within the experience, bells and whistles, and reliability. Modern browsers can get us to almost any website reliably, so that is a given. Whether anyone else has access to seeing us reliably get to a website is a different story — that is the intent behind Tor browser.
I will be honest, I am not a fan of Safari and even less of a fan of IE/Edge. I like Mozilla’s Privacy Promise, but Chrome (to me) feels more sleek, streamlined, and efficient. That being said, Chrome is a Google product, so it is a reasonable assumption to deduce that some usage data is sent back to the mothership. Firefox is open-source, Chrome is not. There are some plugins/extensions only available for one or the other (e.g. Hunch.ly) that warrant using Chrome.
Like with anything OSINT related, I double down on getting multiple opinions, so I like to use multiple browsers. Recently, I was introduced to Brave. It’s open-source and built on Chromium, so I could replicate that Chrome experience. I was almost immediately enamored. Bonus points, Hunch.ly works on Brave.
Comparison and Contrast of Browsers
In the section below, I will compare and contrast the browsers. I am leaving Tor off since it will fall under a different list ;-)
Chrome
Chrome is sleek and acts as a well-oiled machine. The main issue I have with it is that it seems to ‘listen’ a little too much. The availability of extensions for various types of tasks and capabilities makes Chrome a formidable competitor.
Firefox
Firefox is open source and comes from Mozilla, which evangelizes its Privacy Promise. The main drawback in my opinion is the limited plugins available for the platform and that it doesn’t seem to be as fast as Chrome or the Chromium derivatives (Brave and Vivaldi).
While it is minor for me since I use Hunch.ly and Monosnap, Firefox does have a built-in screenshot tool. Also a minor issue for me is that Firefox has a built-in master password in addition to the password manager, whereas Brave and Chrome do not. I use an independent password manager that works with all browsers, so I don’t really care about this feature.
I haven’t put it to the test in a while, but I was able to use procdump to dump Firefox and extract passwords for a demonstration for a talk in the past couple of years. I have not tested this recently in Firefox or other browsers, but as of 2016, using the browser’s password manager was not a good idea.
Brave
My current favorite browser. Based on the open-source Chromium. Has support for all of the Chrome extensions that I have attempted to use. Brave blocks ads and trackers, seemingly better than Firefox. I also have a PiHole running — but it mostly addresses ads.
This is a legitimate concern for me, but the PiHole will stop some of the threats and could stop more if I could find the time to enhance the ruleset. I plan on upgrading to a dual security appliance setup of a pfSense and Ubiquiti Security Gateway.
In about a month, I have saved some time and hassle in using Brave.
Vivaldi
Vivaldi is based on Opera, or at least some of the key people overlap. I have just installed it but haven't used it. It seems to have promise and be comparable to Brave, but the jury is out. Other writeups comparing the two put them on near parity. One major drawback, in my opinion, is that Vivaldi lacks the inherent ad blocking capabilities and sends some telemetry data back to the mothership.
Other writeups:

Slant - Vivaldi vs Brave detailed comparison as of 2020 (www.slant.co)
When comparing Vivaldi vs Brave, the Slant community recommends Vivaldi for most people. In the question "What are the…

Brave vs. Vivaldi: Which Browser Is Better and Why | TechWiser (techwiser.com)
Brave is a blockchain-based browser that claims to be faster than others. They block all ads by default and have an…
IE/Edge
One of my favorite cynical jokes is “What is the best part of Internet Explorer?” Using it to download Firefox or Chrome. All jokes aside, Edge allegedly improves what Internet Explorer was. Being entirely honest, I don’t use Windows enough to speak one way or another. During investigations, there are good reasons for using Edge: for the user agent string, and in cases where the IE/Edge site is different than the others or restricted only to Edge. The caveat and rebuttal to that is that there are user-agent string changing tools, plugins, and extensions to bypass this, though. More so on the negative side, there are few protections from trackers, ads, and cookies.
Safari
Safari is only available on Apple products. It was deprecated in Windows about 4–5 years ago, so it is a niche browser. It has a lot of the same qualities as Edge in terms of user-agent strings in addition to sharing the same frustrations with trackers, ads, and cookies.
Plugins and Extensions
I am not going to rehash the best plugins for OSINT and OPSEC as Null Byte has already adequately covered the topic. I will speak to the plugins and extensions that I do use on Chrome, Firefox, and Brave.
Chrome and Brave
I use the following:
Password Manager (Purposefully Vague)
Firefox
Password Manager (Purposefully Vague)
Conclusion
In conclusion, there are no absolutes. In OSINT and OPSEC, we must take steps to blend in. This survey of browsers is intended as a starting point for research and implementation based on your appetite for risk. Using one browser or another should not replace other sound advice including the use of VPNs, Encryption, Patch Management, Sock Accounts, and other tools and techniques. Your mileage may vary and as always, I am available for discussion if you have questions or concerns.