
Browser Evaluation: Mullvad vs Floorp vs LibreWolf

All browser providers claim to care about privacy. Most of them are straightforwardly lying. It's easy to kid a lay crowd. But once in a while, a browser raises applause among tech knowledgeables. The threesome in this privacy evaluation have won just such an ovation. But do they live up to the hype?



BACKGROUND

It's hard for the non-technical public to assess browsers. We can blame the system for that. Here's how it works... A browser provider creates or commissions an advertorial framework - essentially a press release - for its product. Penned by marketers, this is inevitably going to be a complete fairytale.

Palms are then greased, and by hook or by crook, the advertorial ends up in the hands of a lazy, profiteering "tech blog", which is fiercely counter-motivated when it comes to critically assessing the product. The advertorial is thus presented to the public, uncritically, as "journalism", and the public accept the advertorial as fact. Commonly referenced as "paid media" or "growth hacking" among insiders, this is the de facto advertising regime for tech providers. I find reputation laundering to be a much more accurate term of reference.

As a society, we haven't kept pace with the underhanded nature of marketing at all. But the comedy writer Mark Grant understood it so well in the early days of the commercial Web, that I feel compelled to hand over to the corporate assessor from his sublime TV sitcom Perfect World, for a funny-because-it's-true encapsulation of how the marketing industry thinks...

Vanessa Edwards

"I have never, been subjected, to such a tirade of fabrication, half-truths, and out and out lies… You are the most brazenly corrupt, conniving, manipulative, arrogant and altogether morally bankrupt character that I have ever met!

In short, you are marketing material of the highest possible calibre. Your Director is to be congratulated on his unorthodox yet inspirational choice of executive."

- Perfect World, BBC TV, 2000

That really is the marketing qualification set in a nutshell, and it's exemplified in tech. The tech marketer of the 2020s simply bullshits the public through the uncritical lens of specialist journalism, and virtually no one has a clue how badly most tech products are treating them. But amid the Web's conspiratorial wall of willing deception, it's possible to find small pockets of authentic, organic praise for techware. Three browsers that regularly pop up as recommendations among tech-knowledgeables are Firefox-based, and come in the shape of Floorp, Mullvad and LibreWolf. In this post I'm putting on my own assessor hat for a dig into what lies behind the buzz...


FLOORP

Floorp appears to have taken inspiration from Vivaldi, but as I mentioned, it's built on the Firefox development base rather than Chromium. It has a raft of extras not found in Firefox, similar in broad concept to Vivaldi's embellishment of the Chrome feature set. It's undeniably sophisticated, but that comes at a price.

The first clue as to Floorp's complete absence of privacy integrity comes in its distribution website's use of Cloudflare, and total rejection of visitors who block JavaScript. From the Linux download page I was given a portable folder in the form of a tarball, and after extraction I could see no setup utility or installer, so I had to create a launcher manually.

As I went through the browser settings for the first time, Floorp felt like Microsoft Edge or Opera, and it displayed a similar attitude to privacy. If you're used to fighting browsers' attempts at privacy invasion, you can see all manner of red flags in Floorp's settings even before you open your web connection.

The website PrivacyTests.org, which ranks Brave as the most private browser, is run by a Brave employee. If that doesn't tell us to take recommendation resources with a pinch of salt, I don't know what will.

For example, there's a sidebar setting for "icon provider", which means that rather than loading icons locally, Floorp has to call them from either Google or Microsoft. Which serves as a neat and typically sneaky way to tell either Google or Microsoft when you're using the browser. Officially, the two-option choice is Google or DuckDuckGo, but DuckDuckGo is so deeply-embedded into Microsoft's architecture that there's no real separation between the two. And I could find no way, other than firewalling, to turn this needless bullshit off. Even if you disable the sidebar it still calls the preds - which means it's not about the icons. It's about the surveillance.

Floorp also attempted a series of calls to its home servers, as well as multiple Google Translate domains. None of these calls were triggered by an action. Just open the browser and it embarks on a snitching extravaganza. And if I hadn't combed through the settings and disabled a pile of obvious backchat functions, it would have been worse. This is a hardcore data-mining tool packed full of classic Big Brother tricks. The surveillance industry has a "childcatcher" mentality. It uses toys and pretty visuals to lure people into cages. Floorp is brimming with toys and pretty visuals, and it is, without question, a cage.

I find it disillusioning that the FOSS community is really no different from the mainstream, in that it will, in large part, completely disregard basic privacy and freedom in exchange for toys and pretty pictures.

Other red flags in Floorp were too numerous to mention. But as a quick example, the Autoplay setting was hardwired to play sound from Floorp, would not respect alterations, and persistently auto-reverted to factory settings.

I quickly gave up on Floorp as a serious means of achieving acceptable privacy.


MULLVAD BROWSER

Mullvad self-describes as a VPN company, but it's really, whether by intention or not, a reverse gatekeeper. Whereas a gatekeeper inserts itself between the public and their Internet destinations, and conditionally decides who is or is not allowed through, a reverse gatekeeper inserts itself between the surveillance machine and the public, and regulates the machine's access to the public.


Reverse gatekeeping can be both good and bad for the public. A reverse gatekeeper is incentivised to full-on block the surveillance machine's access to the public by default, and to make a damn good job of it - which is great. But Big Brother is then heavily incentivised to re-establish its access to all the vision, insights and data it's losing. And the surveillance machine is not short of money. You might have noticed. Which means that surveillance capitalists usually end up paying reverse gatekeepers for under-the-table data exchanges. I would suggest that this is why so many reverse gatekeepers - very particularly VPN providers - have sprung up in the course of the past decade.

This is not to make any insinuations about Mullvad's handling of data. But we should not be under any illusions about the pressure reverse gatekeepers are under to sell data from the back hatch - which is perfectly legal and does not require disclosure provided they... ahem, "anonymise" the data first.

Had it not been for a single feature of Mullvad Browser, I wouldn't have brought up the reverse gatekeeping thing, and would have evaluated the product solely in its own right. But the feature in question does make Mullvad's status as a reverse gatekeeper relevant. That feature is a hardwired DNS service, which routes all browsing through Mullvad's own systems. You actually can disable it, but there's no obvious toggle switch. Indeed, the settings changes you'd expect to work, don't. Which is why I describe the feature as "hardwired". I'll come back to this, and explain how I disabled the DNS proxy.

Mullvad Browser is an adaptation of Tor Browser, and unlike Floorp, its basic state is classic hardened Firefox. The typical surveillance calls, telemetry, Normandy, etc, are disabled, and you get anonymisation features at a depth beyond the scope of this brief comparison post. But as an example, there are three preset levels of security, ranging from Standard up to Safest. Set to Safest, JavaScript is notably blocked on all sites, along with a range of embeds. It's encouraging to find browsers that acknowledge JavaScript en masse as a security and privacy risk, and this option - also present in Tor Browser - should be applauded.

Mullvad Browser comes with uBlock Origin pre-installed, but every successful tech product goes sour in the end, and uBlock Origin seems to be on its way downhill. I froze uBlock updates at version 1.41.2 for a period of time. When I next updated at 1.49, the filter list updater had adopted the mentality of some Godawful precinct security officer...

It's more than my job's worth to let this settings screen load without pinging some irrepressible update server, guv.

It didn't seem to make any difference whether I disabled auto updates. The only way I could prevent connection was with a firewall, upon which the filter lists settings page refused to load, and loading of other settings pages was delayed.

So I've retained the well-behaved version 1.40 for Firefox, and I now just replace more recent versions of uBlock with that. The easiest way to do this is to uninstall the newer uBlock, then drop the older version's installer file, uBlock0@raymondhill.net.xpi, into the extensions folder in your browser's active profile directory. You can find the active profile directory by typing about:profiles into the browser's address bar. The old uBlock version should install automatically when you next launch the browser - although you may need to activate or enable it manually from about:addons.

I did say I'd return to the issue of Mullvad's DNS service. DNS lookups have become yet another go-to resort for the surveillance industry, because they afford the provider a comprehensive and basically uninterrupted vision of your web browsing history. Firefox created a minor uproar when it inserted and switched on Cloudflare DNS, but everyone's trying to do this kind of thing. It doesn't matter how many DNS lookups are already queued up; there will always be someone else desperately vying to be your DNS provider.

And it's no great surprise that Mullvad - whose core goal is to encage users in an externally-blind but internally-compromising enclosure - would be a likely candidate for the DNS bandwagon. The phrasing there sounds quite negative. I'd prefer it to be interpreted as neutral. But let's remember one important question that we should pose when assessing why tech features exist. The question: Who asked for this? If a large quota of people asked, a feature is feasibly there to serve public demand. If no one asked, it's almost inevitably there to serve the provider.

A lot of people ask for VPNs. Not many ask for DNS services. Couple that with pretty clear evidence that Mullvad does not want you switching its DNS service off, and a host of other question marks present themselves.

Mullvad has straightforwardly switched the Tor relay proxy entrance for its own DNS service and, if you're subscribed to Mullvad VPN, it will route through that as a full replacement for Tor. If you trust Mullvad there's no problem. If you smell a little too much desperation to insert an all-seeing DNS service that no one asked for, you can hack the settings to disable it.

I tried tinkering with the DNS settings in about:config to no avail, and ultimately just went into the Network Settings at the bottom of the General options, set the proxy to Manual, and then left all of the entry boxes blank. This gave me the equivalent to No proxy. But you should get No proxy when you select the dedicated No proxy radio box. That's what it was put there for. And I'm now a lot more suspicious of Mullvad as a result of this dark pattern. I don't have any problem with a custom DNS lookup being available. It's the calculated obstruction of the off switch that creates the suspicion. And this kind of obstruction, as you'll see, is a theme with LibreWolf too.

However, with uBlock rolled back, the Mullvad DNS proxy disengaged, and some other tweaks which I'll document in a moment, Mullvad proved to be an extremely good privacy option. I did not detect any unprompted calls to third-party domains, and the browser felt robust.

The other main tweaks I made were:

  • Pulled out the NoScript extension and let the rolled back version of uBlock Origin handle all of the script blocking in Hard Mode.
  • In about:config, set keyword.enabled to false so that the address bar decouples from the search engine.
  • Changed permissions settings (location, camera, mic, etc) to auto-block.

Something I really like about Mullvad Browser is the way it's set up within the operating system. Unlike Floorp, on Linux, Mullvad has a clearly-marked, one-click setup icon included in the portable folder, and the setup process places the user/profile data directory inside the browser's own parent folder. This makes Mullvad Browser fully portable, and means you can either move or delete the whole thing, with all data, just by moving or deleting one folder. All privacy-themed browsers should operate like that.


LIBREWOLF

LibreWolf is the only browser in this trio that doesn't look like it's backed by a sales initiative. Its literature harbours the slightly grumpy air of independent development, and I find that encouraging. There's a native LibreWolf installation for Debian- and Ubuntu-derived Linux systems, and I have, in the past, also tried out the Flatpak option, which can be used across a broader range of Linux distros. I ditched Windows before I began using LibreWolf, so I can't vouch for its performance within the MS Hell-hole.


But seriously [public service interlude alert], if you're still using Windows, and you care about your quality of life, start your migration to Linux now. You can keep your Windows installation and install a Mint, Ubuntu or Debian Linux system on the same device. The Linux installer will guide you through setting up a dual boot - you don't have to make the partitions or create the boot menu yourself. And you can access all of your Windows files from within Linux anyway. Windows is still there when you need it.

Using the Web with Linux is no different from using it on Windows, because the browsers are exactly the same. And if you can get all your Web usage migrated to Linux, you can do what I did: simply wall off Windows as an offline-only resource. Linux Mint - which I'd suggest as a first Linux OS after Windows - is not brilliant in terms of privacy, but it's vastly less abusive than Windows 11, and it'll teach you Linux in a smooth, familiar fashion. Once you know the ropes, you can move to a more select Linux setup and really take control of your privacy.

If you download a "live" installer for Linux, you can try the OS straight from a DVD or USB stick without installing anything at all. No commitment. Just an introduction. And remember, you don't have to learn overnight. I flitted between Linux and Windows for about a year before sidelining Windows. But the sooner you start the process, the sooner you'll be free from Microsoft's digital terrorism.

Returning to the plot, LibreWolf doesn't contain gimmicks, which is another encouraging sign. It's essentially just a hyper-hardened Firefox, and I'd say that out of the box, it's currently just about as private as a browser with general Web compatibility can be.

Perhaps one of the most welcoming signs a privacy advocate can find in a Firefox-based browser is a policies file full of overrides.


policies.json is a small but important file containing JavaScript Object Notation. It sits in the distribution folder, which - if it exists - resides in the top level of a Firefox-based browser's program directory. The human-readable code in policies.json comprises special instructions to the browser, and it's most commonly used by privacy gurus to block undesirables. On installation, LibreWolf's policies file is already bursting with user-respecting customisations. It disables Pocket, telemetry, studies, etc. It uninstalls Google, Amazon, Bing, and other search engines that Mozilla only put there for the money. It installs a Searx instance as one of the replacements - which is unprecedented in the genre as far as I'm aware. It diverts external URLs to a local address. It even subs in embedded code for the external search engine icons so there's no need to fetch them from the providers.
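One way to check a policies file against the points described above, as an added example (not LibreWolf's code and not its shipped file): the sample JSON is constructed, and the engine names and URLs in it are placeholders. It reports which of the telemetry, Pocket and studies switches are not set, which search engines are removed, which added engines still fetch their icon remotely instead of embedding it, and every non-local host the file refers to.

```python
import json
from urllib.parse import urlparse

# Constructed sample shaped like distribution/policies.json. It is not
# LibreWolf's shipped file; engine names and URLs are placeholders.
SAMPLE_POLICIES = """
{
  "policies": {
    "DisableTelemetry": true,
    "DisablePocket": true,
    "DisableFirefoxStudies": false,
    "OverrideFirstRunPage": "http://127.0.0.1/",
    "SearchEngines": {
      "Remove": ["Google", "Bing", "Amazon.com"],
      "Add": [
        {"Name": "Example Searx",
         "URLTemplate": "https://searx.example/search?q={searchTerms}",
         "IconURL": "data:image/png;base64,AAAA"},
        {"Name": "Example Remote Icon",
         "URLTemplate": "https://search.example/?q={searchTerms}",
         "IconURL": "https://search.example/favicon.ico"}
      ]
    }
  }
}
"""

MUST_BE_TRUE = ("DisableTelemetry", "DisablePocket", "DisableFirefoxStudies")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def iter_strings(node):
    """Yield every string value nested anywhere in the policy tree."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)
    elif isinstance(node, str):
        yield node


def audit_policies(text):
    """Summarise the privacy-relevant parts of a policies.json document."""
    policies = json.loads(text).get("policies", {})
    engines = policies.get("SearchEngines", {})
    external = set()
    for value in iter_strings(policies):
        try:
            url = urlparse(value)
        except ValueError:  # malformed URL-like string, nothing to classify
            continue
        if (url.scheme in ("http", "https") and url.hostname
                and url.hostname not in LOCAL_HOSTS):
            external.add(url.hostname)
    return {
        # switches that are missing or not literally true
        "not_disabled": [k for k in MUST_BE_TRUE if policies.get(k) is not True],
        "engines_removed": engines.get("Remove", []),
        # added engines whose icon is fetched over the network, not embedded
        "remote_icons": [e.get("Name", "?") for e in engines.get("Add", [])
                         if e.get("IconURL", "").startswith(("http:", "https:"))],
        "external_hosts": sorted(external),
    }


if __name__ == "__main__":
    for key, value in audit_policies(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```
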

Mullvad also customises the browser for enhanced privacy, but I prefer this to be done in a user-accessible file a la LibreWolf. For one, it lets you easily see exactly what's been changed, and for two, it lets you reverse any customisations you don't want.

Whereas Mullvad runs by default in permanent private browsing mode, LibreWolf is set to clear cookies and browsing history on exit. The main difference is that, out of the box, Mullvad doesn't show the option to add rule exceptions. No cookies or history at all can survive shutdown. LibreWolf by default presents the option to exempt sites from the prevailing policy, and potentially retain cookies and site data on a per site basis. You can restore Mullvad's ability to add exceptions by switching off permanent private browsing in the History block of the Privacy settings.

LibreWolf's team have deliberately removed the permanent private browsing option, which is present in the base Firefox build. Their rationale is that it doesn't achieve anything other than compromises. But this is debatable, and my hunch is that permanent private browsing mode was in truth binned due to incompatibility with LibreWolf's hardwiring of Strict Enhanced Tracking Protection. Speaking of which...

Perhaps the most notable LibreWolf feature is its hardwiring of Strict Enhanced Tracking Protection. This does offer real privacy benefits to the user, but it means you can't disable cookies altogether. Unless you keep deleting your cookies manually, you have to wait until the browser is closed to get rid of them. So if you don't close the browser all day, a site you visited in the morning will recognise you again in the afternoon.

Per se, I don't wildly disagree with implementing Strict Mode in place of a more traditional cookie-blocking regime. I think it's probably the best policy for non-technical users, because it heavily reduces the amount of necessary tinkering with the settings and still resists persistent tracking. I do, however, disagree with taking away the choice to disable LibreWolf's default strict protection mode. LibreWolf's support docs say:

"Finally, there's no point in changing from strict to any other mode, as strict mode doesn't usually cause any kind of breakage, and changing to custom mode to block cookies will come at the expense of disabling partitioning: not worth it, so we decided to hide the UI that allows users to change this setting."

Sounds a bit arrogant, and whilst I'd rather have arrogance and privacy than smiley faces and surveillance, there's even less point in removing a pre-existing choice, and then having to go to the trouble of providing a tenuous explanation as to why you did it. The decision is made even more suspicious by the fact that Strict Mode makes network calls to Mozilla (which can, to most intents and purposes, be regarded as a Google subsidiary).

I'll be careful to note, though, that you can disengage Strict Mode and restore conventional cookie-management to LibreWolf by manually creating an override configuration file (see here for details of where to put it), and adding the line:

defaultPref("privacy.trackingprotection.enabled", false);
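To confirm that the about:config tweaks listed for Mullvad Browser and the override line above are still in place after a restart, this added example (not from Mullvad, LibreWolf or the original post) parses pref lines and compares two snapshots of a prefs file. Both snapshots are constructed samples, and the function names are hypothetical.

```python
import re

# One assignment per line, e.g. user_pref("name", value); in prefs.js or
# defaultPref("name", value); in an override file. Lines starting with // do
# not match; /* ... */ block comments are not handled in this sketch.
PREF_LINE = re.compile(
    r'^[ \t]*(user_pref|defaultPref|lockPref|pref)'
    r'\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE,
)

# The two values the post sets.
WANTED = {
    "keyword.enabled": False,
    "privacy.trackingprotection.enabled": False,
}

# Constructed sample: file contents saved right after applying the tweaks.
BEFORE = '''
user_pref("keyword.enabled", false);
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

# Constructed sample: the same file as found after a restart.
AFTER = '''
user_pref("keyword.enabled", false);
user_pref("privacy.trackingprotection.enabled", true);
// user_pref("keyword.enabled", true);
'''


def parse_value(raw):
    """Turn the textual pref value into a bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def read_prefs(text):
    """Map pref name to value; a later line overrides an earlier one
    (a simplification: this sketch ignores the locking done by lockPref)."""
    return {name: parse_value(raw) for _kind, name, raw in PREF_LINE.findall(text)}


def check_prefs(text, wanted=WANTED):
    """Return {name: 'ok' | 'differs' | 'absent'} for each wanted pref.
    'absent' means this file does not set it, so the browser default applies."""
    found = read_prefs(text)
    return {
        name: "absent" if name not in found
        else "ok" if found[name] == value else "differs"
        for name, value in wanted.items()
    }


def reverted(before, after, wanted=WANTED):
    """Prefs that held the wanted value in `before` but no longer do in `after`."""
    was, now = check_prefs(before, wanted), check_prefs(after, wanted)
    return [n for n in wanted if was[n] == "ok" and now[n] != "ok"]


if __name__ == "__main__":
    print(check_prefs(AFTER))
    print("reverted:", reverted(BEFORE, AFTER))
```
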

I should also mention that LibreWolf installs the latest version of uBlock Origin, which raises the same problem I described re Mullvad. I would roll back uBlock Origin to version 1.40, so that the extension doesn't play rough when you disable updates.


CONCLUSION

I've become very wary about giving a thumbs-up to tech products, because their providers are so easily bought off by people with villainous intent. You give something a glowing review, then the rug is pulled, and you either have to go back and change the review, or people are misinformed by it.

But at the present time, circa June 2024, provided you caveat the issues I've raised (particularly the uBlock updates and the Mullvad DNS), both LibreWolf and Mullvad Browser do provide way-above-average freedom from surveillance blight.

Floorp should not be considered alongside LibreWolf and Mullvad. It's a different type of product, which is not private, and would instead appeal, or should instead appeal, to the convenience and gadget market.

Floorp also contacts Google domains. That's a huge problem, because most privacy nuts still have to clear Google domains through their firewall in order to access and use vital services. Therefore, browsers that call Google are much more difficult to prevent from backchatting than browsers that call alternative domains.


For example, Waterfox phones home, and so does Brave. But most people can firewall Waterfox and Brave domains without suffering any interruption to their essentials. This is the reason that, despite my loathing of Brave's CEO, its "business model" and its grotesque exploitation of youngsters, I would still rather use Brave browser than Vivaldi.

Vivaldi necessarily calls Google (or at least it did the last time I had it online), whereas I was able to confine Brave to easily-firewalled Brave-labelled domains only. I use the phrase "Brave-labelled" very deliberately, because some of the domains Brave contacted when I last used it were actually Google or Fastly servers with Brave's domain name applied to them. Brave Search is on Amazon Cloudfront servers, we should also note. But firewalls block by domain name - so in preventative terms it makes no difference who runs the servers.

Thankfully, circa June 2024, both LibreWolf and Mullvad can be detached from home-phoning entirely, which makes firewalling unnecessary.