Mullvad VPN shocked the community by releasing a new privacy browser: Mullvad Browser! Now, before we dismiss this as just another privacy browser - this actually IS different, so let’s take a look at what it is, who it’s for, and other important information so you can assess if this fits into your privacy workflow.

Setting the Scene

First, this is a collaboration project between the official Tor Project, and Mullvad VPN. At first glance, it appears to be a blend between a hardened Firefox & Tor Browser, as you’ll find:

• A security ‘Safe, Safer, Safest’ level similar to Tor Browser

• Identity reset option similar to Tor Browser

• A Mullvad extension (More on this later)

• The uBlock Origin extension - which many will recognize as a staple extension for hardening Firefox & blocking ads

• Many already-adjusted settings & about:config adjustments, the extent of which you can find here

The browser is free to download and does not require an active Mullvad subscription to use, though they heavily encourage using Mullvad VPN from a privacy & security perspective. We’ll chat more about this soon.

General Usability

Mullvad Browser does not utilize the Tor network, so speeds are overall good - even using it as-recommend with Mullvad VPN.

As previously stated, this is extremely similar to the Tor Browser, you have:

• NoScript

• The Tor Browser safety toggles

• No cookies or other data saved on browser exit

  BUT you have some of the hardening from Firefox, and the addition of uBlock Origin to help block ads which is incredibly nice for a browser where you don’t want ads (all of them!?)

The core downside to Mullvad Browser from a usability perspective is it utilizes private mode by default, so it’s unlikely to be your go-to browser for logging in to accounts between sessions. By all means, you definitely can, but you’ll need to log in to every account after your browser exists. And just to speak to this, webauthn is disabled by default (FIDO/Yubikey Support) unless you adjust some about:config items. (which breaks the purpose of the browser, as you don’t want to make any adjustments)

Lastly, this is currently desktop-only, which I am in support of given the various limitations on mobile devices, particularly on iOS where everything is still required to use WebKit, though Android has some limitations that would make this difficult as well.

Mullvad’s Search Engine: Leta

On a quick note, there’s an option to use Mullvad’s new search engine: Leta. Leta is similar to Startpage, in that it provides Google results, but privately proxied. I have not had the chance to test it, but those with active Mullvad VPN subscriptions can easily test it and set it as your default search inside Mullvad Browser. (Yes, it requires an active Mullvad VPN subscription to use)

Technical Information

• Right off the bat, this is a Firefox-based browser (Before we get the annoying ‘but Crapium’ comments)

• Mullvad has attempted to bridge the gaps between a standard browser (Firefox/Brave/etc.), a hardened browser (Hardened Firefox), and Tor Browser - in my eyes, the goal of Mullvad Browser is:

  • To offer strong privacy & security for the user

  • Offer strong fingerprinting resistance to prevent users from ‘standing out’ online

  • Be a bit less extreme than the Tor Browser from a usability/speed perspective

  • Push users to use at minimum a trusted VPN to protect their web traffic through a service that’s better than nothing. (but less ideal than Tor)

  • Offer private browsing by default, making this a more disposable browser - which for many people may not be their go-to browser for logging in to personal accounts.

  • Offer this in a convenient package for anyone, without requiring user configuration or manual updates.

You can use Mullvad Browser without a VPN and reap the benefits of its tracking, security, privacy, and fingerprinting protection. The ideal situation though, (and what Mullvad wants you to do) is to use Mullvad VPN, since then you’ll have the overall protection of the Tor Browser, while going through the same VPN servers as other Mullvad users, on paper achieving a similar result to Tor Browser + Tor Network. Where Mullvad VPN still greatly falls behind Tor is in the fact that the Tor network is decentralized, versus Mullvad is centralized. Though for the record, I believe Mullvad is one of two companies in the VPN realm (Mullvad & IVPN) that have the technology and reputation to pull something off like this and reassure people that it will be generally safe, despite its centralization.

On the topic of VPN usage, I personally believe the most important thing is to be using *any* trusted VPN. While using Mullvad’s VPN is the ideal option to reap the utmost anonymity benefits, I don’t see a huge sacrifice in using something like IVPN alongside this browser aside from the Mullvad extension telling me I’m not protected by Mullvad VPN. (incredibly annoying) Personally, if the difference between being safe is the minor anonymity differences between using Mullvad VPN & IVPN alongside this browser, then you should be using the Tor Browser.

My TLDR list of configurations sorted from least to most safe:

1. Mullvad Browser w/ NO VPN

2. Mullvad Browser w/ Trusted VPN (ex. IVPN)

3. Mullvad Browser w/ Mullvad VPN

4. Tor Browser

Personal Analysis

I think Mullvad browser is a great service, it provides a strong, disposable browser, in an ultra convenient package for the average end-user. For most people, it’s almost a perfect drop-in for a hardened Firefox. If you combine Mullvad Browser with Mullvad VPN, then you’re even better off - and for many threat models, with Mullvad VPN, this could take the place of Tor Browser assuming you don’t need the maximum benefits of the Tor Browser.

One fun thing is I recall in the past, several years ago, posing the question of what it would look like to use Tor Browser without actually going through the Tor network, and maybe just using a VPN for a lower threat model, and for that to actually be a mainstream product now is super exciting to me!

Additionally, I’m happy that Mullvad is making this an open product. Mullvad could very easily require you to log in to your Mullvad account on setup and paywall this behind a subscription, but they chose not to. Rather, they are paywalling their Leta search engine and hoping that people see enough incentive to using Mullvad VPN with this browser.

For those curious, PrivacyTests has already listed Mullvad Browser if you want to see how it performs against other browsers.

The Hidden Selling Point over LibreWolf, Arkenfox, & *insert Firefox Fork*

Something I didn’t touch on in our video of Mullvad’s new browser is how it stacks against other options. We may do some deeper dives into the technical differences between LibreWolf, Arkenfox, etc. but one thing I wanted to stress now:

Those who follow us know I’m a fan of long-term sustainability for projects, meaning projects that:

• Have a public team

• Are pushing fast & consistent updates

• Are constantly improving and growing their product

• Will be around in 5+ years

LibreWolf has fallen behind on security updates significantly in the past, and Arkenfox has a small number of maintainers, and require lots of DIY on the individual’s accord. (Both of these projects do awesome work, but in my eyes these are genuine limitations)

Mullvad Browser is a ‘download & forget’ service, with automatic updates, that requires 0 user configuration on any desktop OS. It’s also being maintained by a company with a solid business model that will surely be around for years to come. The cherry on top is this is a formal collaboration with THE Tor Project, so you’re getting privacy & security oversight from some of the most trusted people in the space. Even if Mullvad Browser falls behind your favorite browser today, I’m willing to bet those days are numbered.

(This isn’t to dismiss any valid positives other browsers bring to the table from a technical perspective, but I’m a huge fan of having a hardened Firefox option that’s truly recommendable to people around me without 10 asterisks around its usage. Just to speak to this, visit our resources to see the variety of browsers we still recommend for different use-cases.)

Questions I Still Have

• Is there a reason web authentication is disabled? Because that’s a pretty big usability sacrifice for people 

• If I uninstall the Mullvad extension because I’m not a Mullvad customer and have no intention of using Mullvad, is this a net loss to my anonymity with this browser?

• And lastly, is there a future to expand this ecosystem? Will there be a way to sync bookmarks natively between devices? Or how about mobile clients? Personally I’m very happy with the current offering, but I know some people may want a bit more.

Update:

1. Tor Project hasn’t audited Google’s WebAuthn library that Firefox uses yet, there is an open issue in the Tor Browser tracker which would also be applicable here.

2. There is no impact to removing the Mullvad Browser extension, I’ve already confirmed this with them a few days ago.

3. The long-term plan is for usability to be improved over Tor Browser in a number of aspects. Private Browsing mode being mandatory wasn’t the end-goal, it’s a requirement for Tor Browser’s threat model (they want to avoid writing anything to disk) which isn’t applicable to Mullvad Browser, but Private Browsing mode currently provides a lot of other privacy improvements (service worker isolation for example). Mullvad Browser needs to figure out how to take those privacy improvements and bring them over to non-Private Browsing mode, which will take time.

Overall, bravo Mullvad. 👌 And check out the video on it below for more visuals and a different perspective:

Odysee Mirror | PeerTube Mirror