Web browsers are the most common tool nowadays. Therefore, they are most popular target for any kind of bad people: malware authors, attackers and others.

Further, there is also a huge interest from companies to get data from users. They want to get all kinds of data. And since web browsers are the most common tools, the most obvious way is to cooperate with browser manufacturers to get data.

So far, this are the facts which are known to most privacy concerned people. But since no one can avoid using a browser, most are willing to do a compromise. But which browser does leak the fewest data of all?

Method

The premise was, that the browser is free software (open source). Although some proprietary browsers do a good job from a pure technical perspective, most security and privacy experts do agree, that using free and open source software is essential for secure and privacy-aware networking.

The testing was done on Debian 10 on amd64 with some packages from MX Linux.

The following browsers were tested:

Firefox 70.0.1 (Mozilla Binaries from MX Linux)

Firefox ESR 68.2.0 (Debian package)

Chromium 78.0.3904.97 (Debian Package)

Brave Browser 1.0.0 (Package from Brave web site)

Epiphany 3.32.1.2 (Debian package)

Midori 7.0 (Debian package)

The method itself was relatively simple. I created a new user with an empty home directory, so there were no cache or plugins. Every browser was started without any pre-configuration or cache.

At the same time tcpdump was running. I disabled IPv6 for simpleness. I made sure no other network capable program was active and made tcpdump listen to the outgoing network interface.

I started the browser, kept it open for about 10 seconds without any interaction or usage and then closed it. After that I filtered out the http and https traffic from the results

Results

Firefox

Firefox is a free web browser developed by the Mozilla Foundation. Mozilla provides two branches. The official branch gets updated every 6 weeks (every 4 weeks in the future), following a “rapid development cycle”. After this amount of time, the browser must be updated to the next version in order to receive security updates. Only the current version is supported.

For organizations and people who don't want to get the newest features every few weeks, there is a so-called ESR branch, in which a given version is maintained roughly one year. In this time the browser gets security updates. Besides that, it remains unchanged.

The Debian GNU/Linux distribution provides a package for Firefox ESR only. The distribution MX Linux provides a package for current Firefox, which is not built from source, but is in essence a re-packaged version from the binaries provided from Mozilla.

Firefox 70.0.1

Firefox 70.0.1 contacted in total 17 different hosts

104.16.142.228.https 36.75.98.34.bc.googleusercontent.com.https 93.184.220.29.http a2-16-106-152.deploy.static.akamaitechnologies.com.http ec2-34-223-159-30.us-west-2.compute.amazonaws.com.https ec2-35-166-89-106.us-west-2.compute.amazonaws.com.https ec2-50-112-59-215.us-west-2.compute.amazonaws.com.https ec2-52-33-55-70.us-west-2.compute.amazonaws.com.https ec2-52-35-182-58.us-west-2.compute.amazonaws.com.https ec2-54-191-170-25.us-west-2.compute.amazonaws.com.https ec2-54-72-168-141.eu-west-1.compute.amazonaws.com.https mozilla-org.public.mdc1.mozilla.com.https server-13-224-196-33.fra2.r.cloudfront.net.https server-143-204-101-114.fra50.r.cloudfront.net.https server-143-204-101-115.fra50.r.cloudfront.net.https server-143-204-101-38.fra50.r.cloudfront.net.https server-143-204-101-56.fra50.r.cloudfront.net.https

Additionally DNS queries for the A records for the following 22 domains were maid:

accounts.firefox.com. classify-client.services.mozilla.com. content-signature-2.cdn.mozilla.net. detectportal.firefox.com. firefox.settings.services.mozilla.com. incoming.telemetry.mozilla.org. location.services.mozilla.com. mozilla.org. normandy.cdn.mozilla.net. ocsp.digicert.com. push.services.mozilla.com. search.services.mozilla.com. shavar.services.mozilla.com. snippets.cdn.mozilla.net. tiles.services.mozilla.com. tracking-protection.cdn.mozilla.net. www.ebay.de. www.facebook.com. www.mozilla.org. www.reddit.com. www.wikipedia.org. www.youtube.com.

Firefox ESR 68.2.0

Firefox ESR 68.2.0 contacted in total 13 different hosts

104.16.142.228.https 93.184.220.29.http a2-16-106-209.deploy.static.akamaitechnologies.com.http a92-122-254-195.deploy.static.akamaitechnologies.com.https ec2-34-223-159-30.us-west-2.compute.amazonaws.com.https ec2-34-253-23-107.eu-west-1.compute.amazonaws.com.https ec2-35-167-176-126.us-west-2.compute.amazonaws.com.https ec2-52-89-218-39.us-west-2.compute.amazonaws.com.https mozilla-org.public.mdc1.mozilla.com.https server-13-224-196-11.fra2.r.cloudfront.net.https server-13-225-78-51.fra2.r.cloudfront.net.https server-143-204-101-24.fra50.r.cloudfront.net.https server-143-204-101-60.fra50.r.cloudfront.net.https

Additionally DNS queries for the A records for the following 23 domains were maid:

accounts.firefox.com. content-signature-2.cdn.mozilla.net. detectportal.firefox.com. firefox.settings.services.mozilla.com. getpocket.cdn.mozilla.net. getpocket.com. img-getpocket.cdn.mozilla.net. location.services.mozilla.com. mozilla.org. ocsp.digicert.com. search.services.mozilla.com. shavar.services.mozilla.com. snippets.cdn.mozilla.net. tirol.orf.at. tracking-protection.cdn.mozilla.net. www.ebay.de. www.facebook.com. www.mozilla.org. www.reddit.com. www.welt.de. www.wikipedia.org. www.youtube.com. www.zeit.de.

Chromium 78.0.3904.97

Chromium is a free web browser developed by Google. While Chromium is open source, many browsers which are based on it are not. The most popular is Chrome, also developed by Google. Further, future versions of Microsoft Edge, the default web browser in Windows 10, will be based on Chromium.

Chromium contacted in total 6 different hosts

172.217.130.9.https fra15s24-in-f238.1e100.net.https fra15s46-in-f3.1e100.net.https fra16s12-in-f13.1e100.net.https fra16s13-in-f227.1e100.net.https fra16s20-in-f4.1e100.net.https

Additionally DNS queries for the A records for the following 9 domains were maid:

accounts.google.com. fonts.gstatic.com. hsdmpfy. huuqjdqtnjj. r4---sn-h0jeened.gvt1.com. redirector.gvt1.com. vypmecteapc. www.google.com. www.gstatic.com.

Brave 1.0.0

Brave is a free web browser based on Chromium, developed by Brave Software. Brave includes an ad and tracker blocker. Brave advertises itself as a browser for privacy minded people.

Brave contacted in total 3 different hosts

104.28.23.242.https 151.101.113.7.https 151.101.114.217.https

Additionally DNS queries for the A records for the following 11 domains were maid:

aqkslhfmwv. brave-core-ext.s3.brave.com. componentupdater.brave.com. crlsets.brave.com. go-updater.brave.com. laptop-updates.brave.com. mkidosnkaqqulg. no-thanks.invalid. static1.brave.com. static.brave.com. vgjrddw.

Epiphany / GNOME Web 3.32.1.2

GNOME Web is a free web browser based on WebkitGTK. Webkit is a browser engine developed by Apple and primarily used in Apple's proprietary Safari web browser. WebkitGTK is the GTK port of Webkit.

GNOME Web is the default web browser for the GNOME desktop environment and formerly known as Epiphany. The package name and the name of the binary on Debian is still “epiphany”.

Epiphany contacted in total 2 different hosts

104.31.91.96.https fra16s08-in-f202.1e100.net.https

Additionally DNS queries for the A records for the following 2 domains were maid:

easylist.to. safebrowsing.googleapis.com.

Midori 7.0

Midori is a free web browser based on WebkitGTK, like Epiphany. Midori is part of the “Goodies” component of the XFCE desktop environment. It is meant as a lightweight web browser with only basic features.

During the test, Midori contacted no hosts and made no DNS queries.

Summary

Browser http(s) Req. DNS A queries FF 17 22 FF ESR 13 23 Chromium 6 9 Brave 3 11 Epiphany 2 2 Midori 0 0

Conclusion

From the results it can be said, that Midori should be the first choice for people which are concerned about built-in data leakage to companies. Since Midori uses WebkitGTK it receives also security updates in a reasonable time frame. (The WebkitGTK project claims, that it sometimes integrate security fixes even before Apple).

However, since built-in data leakage is only part of privacy and security, one must take also other aspects into account. Midori has basic support for ad blocking, but to my knowledge no way to block trackers.

Chromium is closely connected to Google and exists primary for reasons of money making. Therefore one can not expect too much support from Google in regards to blocking ads and trackers.

Brave seems to be a good choice for having a privacy conscious browser at first sight. However, since Brave Software wants to establish an ad network of its own and is dependent of what Google releases as open source, it is possibly best to remain skeptical.

The Firefox browsers did perform worst regarding data leakage. However, it is also a browser where you can configure almost every aspect. From simple settings and privacy add-ons to complex configuration of user.js is almost everything possible. But make no mistake: it is a lot of work to make Firefox silent and really privacy-aware. The ghack-user.js site is a good start if you want to get into it.