diff --git a/static/usage.html b/static/usage.html index 7bc0dd3b..3c2318f4 100644 --- a/static/usage.html +++ b/static/usage.html @@ -213,18 +213,70 @@ the browser engine used by the vast majority of web browsers and nearly all other apps embedding web content or using web technologies for other uses.

-

Using Vanadium is highly recommended and Bromite is a good alternative if you want - a few more features like ad-blocking and more aggressive anti-fingerprinting. Vanadium - is working towards including these features and is actively collaborating with - Bromite. Standalone browsers based on Chromium have by far the best sandbox - implementation. Site isolation can also be enabled, which makes the sandbox enforce a - security boundary containing each site rather than isolating content as a whole. - Vanadium enables site isolation by default, and Bromite enables it on high memory - devices, including all officially supported GrapheneOS devices. Site isolation - prevents an attacker from obtaining cookies (like login sessions) and other data tied - to other sites if they successfully exploit the browser's rendering engine. It also - provides the strongest available mitigation for Spectre-based side channel - attacks.

+

Using Vanadium is highly recommended. Bromite is a solid alternative and is the + only other browser we recommend. Bromite provides integrated ad-blocking and more + advanced anti-fingerprinting. For now, Vanadium is more focused on security hardening + and Bromite is more focused on anti-fingerprinting. The projects are collaborating + together and will likely converge to providing more of the same features. Vanadium + will be providing content filtering and anti-fingerprinting, but it needs to be done + in a way that meets the standards of the project, which takes time.

+ +

Vanadium is designed for use on GrapheneOS and does not duplicate the OS privacy + and security features such as the hardened malloc implementation. This leads to some + of the differences from Bromite, such as relying on OS support for encrypted DNS + rather than enabling Chromium's DNS-over-HTTPS support.

+ +

Chromium-based browsers like Vanadium and Bromite provide the strongest sandbox + implementation, leagues ahead of the alternatives. It is much harder to escape from + the sandbox and it provides much more than acting as a barrier to compromising the + rest of the OS. Site isolation enforces security boundaries around each site using the + sandbox by placing each site into an isolated sandbox. It required a huge overhaul of + the browser since it has to enforce these rules on all the IPC APIs. Site isolation is + important even without a compromise, due to side channels. Browsers without site + isolation are very vulnerable to attacks like Spectre. On mobile, due to the lack of + memory available to apps, there are different modes for site isolation. Vanadium turns + on strict site isolation, matching Chromium on the desktop. Bromite enables strict + site isolation on high memory devices, including all the devices that are officially + supported by GrapheneOS.

+ +

Chromium has decent exploit mitigations, unlike the available alternatives. This is + improved upon in Vanadium by enabling further mitigations, including those developed + upstream but not yet fully enabled due to code size, memory usage or performance. For + example, it enables type-based CFI like Chromium on the desktop, uses a stronger SSP + configuration, zero initializes variables by default, etc. Some of the mitigations are + inherited from the OS itself, which also applies to other browsers, at least if they + don't do things to break them.

+ +

We recommend against trying to achieve browser privacy and security through piling + on browser extensions and modifications. Most privacy features for browsers are + privacy theater without a clear threat model and these features often reduce privacy + by aiding fingerprinting and adding more state shared between sites. Every change you + make results in you standing out from the crowd and generally provides more ways to + track you. Enumerating badness via content filtering is not a viable approach to + achieving decent privacy, just as AntiVirus isn't a viable way to achieving decent + security. These are losing battles, and are at best a stopgap reducing exposure while + waiting for real privacy and security features.

+ +

Vanadium will be following the school of thought where hiding the IP address + through Tor or a trusted VPN shared between many users is the essential baseline, with + the browser partitioning state based on site and mitigating fingerprinting to avoid + that being trivially bypassed. The Tor Browser's approach is the only one with any + real potential, however flawed the current implementation may be. This work is + currently in a very early stage and it is largely being implemented upstream with the + strongest available implementation of state partitioning. Chromium is using Network + Isolation Keys to divide up connection pools, caches and other state based on site and + this will be the foundation for privacy. Chromium itself aims to prevent tracking + through mechanisms other than cookies, greatly narrowing the scope downstream work + needs to cover. Bromite is doing a lot of work in these areas and Vanadium will be + benefiting from that along with this upstream work. The focus is currently on research + since we don't see much benefit in deploying bits and pieces of this before everything + is ready to come together. At the moment, the only browser with any semblance of + privacy is the Tor Browser but there are many ways to bypass the anti-fingerprinting + and state partitioning. The Tor Browser's security is very weak which makes the + privacy protection weak. The need to avoid diversity (fingerprinting) creates a + monoculture for the most interesting targets. This needs to change, especially since + Tor itself makes people into much more of a target (both locally and by the exit + nodes).

WebView-based browsers use the hardened Vanadium rendering engine, but they can't offer as much privacy and control due to being limited to the capabilities supported @@ -233,7 +285,7 @@ include support for it as it does for JavaScript, location, cookies, DOM storage and other older features. For sensors, the Sensors app permission added by GrapheneOS can be toggled off for the browser app as a whole instead. The WebView sandbox also - currently runs every instance within the same process and doesn't support site + currently runs every instance within the same sandbox and doesn't support site isolation.

Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable
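Review bot: the rewritten site isolation paragraph in this hunk drops the one concrete statement of what site isolation actually protects that the removed text had ("Site isolation prevents an attacker from obtaining cookies (like login sessions) and other data tied to other sites if they successfully exploit the browser's rendering engine"); the new text says it "enforces security boundaries around each site" and mentions Spectre, but never tells the reader the practical consequence. Suggest restoring that sentence after "placing each site into an isolated sandbox." A second, smaller point in the exploit mitigation paragraph: "type-based CFI", "a stronger SSP configuration" and "zero initializes variables by default" are listed without saying which are build-time hardening flags and which are runtime features, and "at least if they don't do things to break them" gives the reader nothing to check; naming the OS-inherited mitigations or linking the section that describes them would make the comparison with other browsers verifiable.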
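Review bot: in the WebView hunk, changing "within the same process" to "within the same sandbox" leaves the sentence ambiguous between "all WebView instances share one sandboxed renderer" and "each instance runs in its own process under the same sandbox policy", and the security consequence differs: only in the first case does a compromise of one instance reach the content of the others. Since the same sentence goes on to say WebView "doesn't support site isolation", suggest spelling out which is meant, for example "currently runs every instance under the same sandbox configuration with no per-site process separation, and doesn't support site isolation."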