Vivaldi is proprietary. I would def avoid that. For a Chromium-forked browser, use Cromite instead.
N.E.P.T.R
I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.
- 0 Posts
- 14 Comments
That is the right result; a non-unique fingerprint is what you want with Tor Browser.
TL;DR The only way to avoid a near-unique fingerprint is Tor Browser.
Longer explanation: There are two styles of fingerprinting protections: randomized and normalized.
Librewolf inherits its fingerprint protections from Firefox (which in turn were upstreamed from the Tor Uplift project). It works by taking as many fingerprintable characteristics as possible (refresh rate, canvas, resolution, theme, timezone, etc.) and normalizing them to a static value shared by all browsers using the feature (privacy.resistFingerprinting in about:config). The benefit of normalizing is that you appear more generic, though there are many limitations (the biggest of which is the OS, because you can't hide that). The design of these protections stems from the anonymization strategy of Tor, which is to blend in with all other users so no individual can be differentiated based on identifiers. Since Librewolf has a different default settings profile from Tor (or Mullvad) and even vanilla Firefox with RFP enabled, the best you can hope for is to blend in with other Librewolf users (which you really can't, especially if you install extensions or change [some] specific settings). Instead, the goal is just to fool naive fingerprinting scripts; nation states or any skilled adversary are out of scope.
Brave (or Cromite) uses the strategy of randomizing fingerprintable characteristics. This is only meant to fool naive FP scripts, but in my opinion (when done right) it is better at fooling naive scripts. The biggest problem is that these attempts by other browsers are not as comprehensive as Firefox's. I think Cromite does a better job than Brave: it is the only browser I have tried which fools Creepjs by creating a new FP on refresh. Cromite required some configuring to get to the place I wanted it, but so does every browser.
The advantage with Firefox forks is that vanilla Firefox has RFP and therefore so do the forks (though most don't enable it), but you don't blend in with a crowd (making it far less effective than MB or Tor). The advantage of Brave or Cromite is a randomized FP, but since it isn't upstreamed (and Google will never do that) you stand out like a sore thumb. Either way is fine though for basically everyone.
The only browsers I know that work against Creepjs are as follows:
- Mullvad (persistent FP)
- Tor (persistent FP)
- Cromite (randomized FP)
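The difference between the two strategies in the comment above, as an added example that is not part of the original comment: a naive fingerprinting script is modelled as a hash over reported attributes, and the attribute values, the static "normalized" values and the helper names are all constructed for illustration.

```javascript
// Constructed model of a naive fingerprinting script; not real browser data.
// FNV-1a 32-bit hash, standing in for whatever hash such a script uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The tracker hashes the reported attributes in a fixed order.
function fingerprint(attrs) {
  return fnv1a(["screen", "timezone", "canvas", "os"].map(k => attrs[k]).join("|"));
}

// Normalizing (RFP-style): every user reports the same static values.
// The OS is left alone, matching the limitation noted in the comment.
function normalize(attrs) {
  return { ...attrs, screen: "1000x1000", timezone: "UTC", canvas: "blank" };
}

// Randomizing: the canvas readout carries different noise in every session.
// The session number stands in for that per-session noise.
function randomize(attrs, session) {
  return { ...attrs, canvas: attrs.canvas + ":n" + session };
}

// Constructed sample users.
const users = [
  { screen: "1920x1080", timezone: "Europe/Berlin", canvas: "a91f", os: "Linux" },
  { screen: "2560x1440", timezone: "America/Chicago", canvas: "77c2", os: "Linux" },
  { screen: "1366x768", timezone: "Asia/Tokyo", canvas: "03be", os: "Windows" },
];

// Number of distinct fingerprints the tracker sees across a set of visits.
function distinct(visits) {
  return new Set(visits.map(fingerprint)).size;
}

function summary() {
  return {
    unprotected: distinct(users),                // every user unique
    unprotectedRevisit: distinct([users[0], users[0]]), // and linkable across visits
    normalized: distinct(users.map(normalize)),  // users merge, except across OS
    randomizedRevisits: distinct([1, 2, 3].map(s => randomize(users[0], s))),
  };
}
```

Normalizing shrinks the number of distinct fingerprints only as far as the crowd reporting the same values, while randomizing makes one user look like a new, still unique, visitor each session.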
N.E.P.T.R@lemmy.blahaj.zone to
Programming@programming.dev • Some asshole here just tried to Doxx me • English
13 · 3 days ago
Because of federation they are probably un-deletable. Most likely federated to multiple servers.
N.E.P.T.R@lemmy.blahaj.zone to
Selfhosted@lemmy.world • How "heavy" is self-hosting matrix really? • English
1 · 5 days ago
Screensharing is the only thing I don't think it does. Voice and video good. See snikket or conversations.im
N.E.P.T.R@lemmy.blahaj.zone to
Privacy@lemmy.ml • I'm installing Graphene OS this Monday! • English
0 · 5 days ago
Same problem pretty sure.
N.E.P.T.R@lemmy.blahaj.zone to
Privacy@lemmy.ml • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app • English
0 · 5 days ago
It is a denial of service attack. He discloses all vulnerabilities ahead of time. The only reason he released the previous one so quickly is because the Matrix team said it “wasn't a real vulnerability”.
N.E.P.T.R@lemmy.blahaj.zone to
Privacy@lemmy.ml • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app • English
0 · 6 days ago
It seems that forward secrecy is still in development from the blog you showed.
I still wouldn't use Session for the reasons stated in these blog posts by Soatok (a cryptographer). Even if they fix(ed) these problems, I have no trust for their security implementations. Why use Session instead of something like Briar?
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
https://soatok.blog/2025/01/20/session-round-2/
N.E.P.T.R@lemmy.blahaj.zone to
Privacy@lemmy.ml • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app • English
0 · 6 days ago
People keep finding significant vulnerabilities in its cryptography and the Matrix team tries to deflect or create strawmen for why it isn't actually a vuln. Soatok found a vulnerability in 2024 by just browsing the source code for a tiny bit of time, and again just two weeks ago after looking for a couple of hours. In both cases, Matrix then responded to his vuln report with hostility, saying it wasn't actually a vulnerability. He is sitting on another vulnerability.
Having a cleartext mode is a security downgrade and no secure messenger should support cleartext. It only barely got functional forward secrecy recently. VoIP in most Matrix clients (and servers) still uses the Jitsi backend, which isn’t E2EE, even with the release of the newer (secure) Element call protocol. Matrix leaks tons of metadata, such as usernames, room names, emoji reactions, generate URL embedded previews. Rooms aren't encrypted by default. It is also a UX nightmare and oftentimes you can't decrypt your messages.
Matrix is not secure. You’d be better off with XMPP and OMEMO, which has its own problems and isn’t secure either. Still better than Matrix.
N.E.P.T.R@lemmy.blahaj.zone to
Privacy@lemmy.ml • Signal Founder Moxie Marlinspike: Telegram is not private. There is nothing private about it. They've done a really amazing job of convincing the world that this is an encrypted messaging app • English
0 · 6 days ago
Session is a security downgrade. It doesn't support forward secrecy, which is hella important.
N.E.P.T.R@lemmy.blahaj.zone to
Selfhosted@lemmy.world • Virtual Machines vs LXC vs Docker: What’s the Real Difference? • English
0 · 6 days ago
I don't really understand what you mean in your last sentence.
My reason for saying gVisor is safer is because it is an application kernel which provides traps and emulates most Linux syscalls in the guest with a far smaller set of syscalls to the host kernel, helping to prevent container escapes and privilege escalation. gVisor also fully drops privileges early into startup (before running any significant logic), helping to prevent privilege escalation.
Cgroups is not really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resource limiting (among other things). You cannot use gVisor with LXC.
N.E.P.T.R@lemmy.blahaj.zone to
Selfhosted@lemmy.world • Virtual Machines vs LXC vs Docker: What’s the Real Difference? • English
0 · 7 days ago
In order of most to least secure:
VM > Docker+gVisor > Docker/LXC
Docker+gVisor is a good middle ground because it provides the guest container with an application kernel in a memory-safe language and reduced syscall attack surface to avoid kernel container escapes. Docker/LXC share the kernel with the host.
Can you at least credit the OP who originally posted this when reposting? What community did you get this from?