Vivaldi is also proprietary. Not a good privacy browser.

Honestly, I saw it in a video recently that i cant remember. It showed some screenshots of the engineer’s Twitter taking about it.

Artix (Arch w/out systemd) supports many inits. I’d recommend dinit (which is very easy to use) or s6 (which seems more stable on Artix, but less user friendly helper tools). Both are very fast, faster than the other inits.

• There is also Chimera Linux which uses dinit and is very clean imho. A very modern take on making a traditional Linux distro which does things well and uses clean and simple OS software stack.
• Void Linux uses runit
• Devuan (Debian w/out systemd) you can use sysV, OpenRC, or runit
• And obviously there is Gentoo, which supports using OpenRC, with unofficial community guides for some other inits.

I very much doubt it. The only reason Asahi is even installable is because M series Mac were designed to allow installing other OSes. I know that sounds crazy, especially with all the reverse engineering needed to get Asahi to work. But without intentional design on the part an Apple engineer working on the initial M series chip, installing alternative OSes would be impossible.

I think it is worth noting that while what Russia is doing is evil, they are not the only evil players in the game. So many countries are complicit and actively support Israel (monetarily), and most countries do business with USA (mega)companies (like Google, Microsoft, Meta) even with the current regime.

And support for extensions like uBlock Origin.

On Debian I would choose Flatpak because it will be generally much more up-to-date than native packages (which becomes even further true the longer through the release cycle we are).

Having JS disabled is very rare for non-bot traffic, so you stand out far more. It isn’t about uniqueness, you are already unique if you aren’t using Tor/Mullvad browser(s). While disabling JS protects against certain kinds of fingerprinting, there is pure CSS and TCP fingerprinting. Firefox RFP (eg. Librewolf) and whatever Cromite or Brave have help to protect against much of JS fingerprinting. You are only ever going to fool naive scripts which these browsers already do a good job of that.

As for security, having JS disabled is a benefit. Just know since you will very likely have to enable to again quite often for random websites, you’ll become used to doing that to the point that it may as well be useless. If a random website doesn’t load just leave it, unless it is worthy of some actual trust. Even more useful would be setting up uBlock Origin with a blocking mode, such as medium or hard.

I still dont understand /e/OS. Just use LineageOS. It supports all the same devices and doesnt lag as far behind. You can choose to run an insecure OS if you like (see: all Windows 10 users) but definitely don’t recommend it to others.

You cannot have privacy without at least basic security. Targeted attacks are not the most common kind of attack by long shot. Threat actors scan for vulnerable devices and use automated scripts to execute attacks. Android is one of the most exploited targets. With an outdated OS your browser could be exploited and used to get a sandbox escape, possibly chaining it into root escalation. It all depends on the vulnerabilities found and the longer you wait the more likely for the “stars to align” for the perfect attack. Look at CVE-2025-48593 for an example, zero-click RCE. In recent memory there was also a zero-click RCE utilizing specially crafted MMS, meaning an threat actor could send messages to all phone numbers and try the attack in mass.

/e/OS is by far the most behind on updating security patch levels of the AOSP ROMs (at ~2 months), iode is ~1 and everything else is better than those two.

Privacy without security is not real privacy, it is a mirage.

Security without privacy is like a fortress with cameras inside, a known threat (eg. Gapps Android).

Privacy with security is like a fortess with no known threats at all (eg. AOSP with timely security patches).

Privacy without security is like a fortress where some of the locks have rusted through and if someone tries they can open the doors. It is like replacing the walls with cardboard. “No one can spy on me now” you say in your cardboard castle.

There is no privacy without security. Android is one of the most widely exploited OSes and every month a dozen or more critical severity vulnerabilities are patched. Being 1-2 months behind on security patches is inexcusable for a privacy project.

It still gives metrics. And yes, Creepjs is not very useful against randomized values, though I noted it still because Brave fails (resulting in a persistent fingerprint) whereas Cromite succeeded to fool Creepjs. Both have many methods of fingerprinting protection.

Checking the fingerprinting protections of Mullvad and Tor is better done with TorZillaPrint test page by Arkenfox. It is optimized to tell you whether you blend in correctly with RFP normalized values.

Vivaldi is proprietary. I would def avoid that. For Chromium forked browser use Cromite instead.

They is the right result, non-unique fingerprint is what you want with Tor Browser.

TL;DR The only way to avoid a near unique fingerprint is Tor Browser

Longer explanation: There are too many styles of fingerprinting protections: randomized and normalized.

Librewolf inherits its fingerprint protections from Firefox (which intern was upstreamed from the Tor uplift project. It works by taking as many fingerprintable characteristics (refresh rate, canvas, resolution, theme, timezone, etc) and normalizes them to a static value to be shared by all browsers using the feature (privacy.resistFingerprinting in about:config). The benefit of normalizing is you appear more generic, though there are many limitations (biggest of which is OS because you cant hide that). The purpose design of these protections stems from the anonymization strategy of Tor which is to blend in with all other users so no individual can be differentiated based on identifiers. Since Librewolf has different a default settings profile to Tor (or Mullvad) and even vanilla Firefox with RFP enabled, the best you can hope is to blend in with other Librewolf users (which you really cant, especially if you install extensions or change [some] specific settings). Instead, the goal is just to fool naive fingerprinting scripts, nation states or any skilled adversary is out of the scope.

Brave (or Cromite) uses the strategy of randomizing fingerprintable characteristics. This is only meant to fool naive FP scripts but in my opinion (when done right) is better at fooling naive scripts. The biggest problem is that these attempts by other browsers and not as comprehensive as Firefox. I think Cromite does a better job than Brave: it is the only browser which fools Creepjs that I have tried by creating a new FP on refresh. Cromite required some configuring to get to place I wanted it, but so does every browser.

The advantage with Firefox forks is that vanilla Firefox has RFP and therefore so do the forks (though most dont enable), but you dont blend i with a crowd (making it far less effective than MB or Tor). The advantage of Brave or Cromite is a randomized FP, bit since it isnt upstreamed (and Google will never do that) you stand out like a sore thumb. Either way is fine though for basically everyone.

The only browsers I know that work against Creepjs are as follows:

• Mullvad (persistent FP)
• Tor (persistent FP)
• Cromite (randomized FP)

They have the best ARM CPUs in any consumer product and very good software/hardware security. I hate Apple because their shit is overpriced and locked-down but that doesnt mean its garbage.

Same problem pretty sure.

It is a denial of service attack. He discloses all vulnerabilities ahead of time. The only reason he released the previous one so quickly is because the Matrix team said it “wasnt a real vulnerability”.

Understood.

It seems that forward secrecy is still in development from the blog you showed.

I still wouldnt use session for the reasons stated in this Soatok’s (a cryptographer) blogs. Even if they fix(ed) these problems, I have no trust for their security implementations. Why use session instead of something like Briar?

https://soatok.blog/2025/01/14/dont-use-session-signal-fork/ https://soatok.blog/2025/01/20/session-round-2/

People keep finding significant vulnerabilities in its cryptography and the Matrix team tries to deflect or create strawmans for why it isnt actually a vuln. Soatok found a vulnerability in 2024 by just browsing the source code for tiny bit of time, and again just two weeks ago after looking for a couple hours. In both cases, Matrix then responded to his vuln report with hostility, saying it wasnt actually a vulnerability. He is sitting on another vulnerability.

Having a cleartext mode is a security downgrade and no secure messenger should support cleartext. It only barely got functional forward secrecy recently. VoIP in most Matrix clients (and servers) still use Jitsi backend which isn’t E2EE, even with the release of the newer (secure) Element call protocol. Matrix leaks tons of metadata, such as usernames, room names, emoji reactions, generate URL embedded previews. Rooms arent encrypted by default. It is also a UX nightmare and often times you cant decrypt your messages.

Matrix is not secure. You’d be better off with XMPP and OMEMO which has its own problems and isn’t secure either. Sill better than Matrix.