are the only exception of this list. The Situation is complex but currently Flatpak Browsers are less secure.
The Flatpak Sandbox restricts the Browsers abilities to isolate the processes from another, and also valuable internal data like your history or passwords.
So, if your Distribution has updated packages, use the repositories version. This does not count for Debian or other "stable" Distros, as these packages are all outdated and not all bugfixes can be backported.
Web Browsers have a security vs. Privacy problem. Chromium is assumed more secure, while Firefox grants more user Freedom and Privacy (especially in the Manifest v3 Future). There are many different opinions here though, Firefox has core components rewritten in Rust, while Chromium focuses on sandboxing or processes.
Both Firefox and Chromium support Wayland natively now, which took Chromium way too long but this makes them even.
Firefox is most likely preinstalled on your System. It is mostly untouched though, and not a privacy browser out of the box. It is reasonably secure for most users, and using some tweaks in the graphical settings and the Addons UBlock Origin, NoScript, as well as more specialized ones like Canvas Fingerprint Defender, WebGL Fingerprint Defender and User Agent Switcher in "random" mode can help to mimic Braves random Fingerprint abilities.
Securitywise, Firefox is okay, probably. With v121 they are Wayland by default, and it can use portals. But regularly you have to trust it a lot, especially as Flatpaks are probably less secure, no matter if their Flatpak is officially supported.
If your Distro does not have updated packages, you can simply download the Firefox Archive and create your own Desktop entry. It will update itself and be optimized to run on Linux.
If you want to harden Firefox yourself, to reduce its attack surface a bit and improve privacy a lot, use Arkenfox.
This project makes it easy to download and apply your own changes, but it needs testing!
This is the best Fork of Firefox currently. It is available as Flatpak, but you should use a native package, which are available for many distros, and as a universal binary!
Librewolf adds nice graphical additions for privacy settings, and out of the box it is a private Browser.
Not being a bad Browser, having the fingerprint protection of TorBrowser, it uses private Browsing just like it, while not using the Tor Proxy. So it is not anonymous, but just as unconvenient as TorBrowser.
Just use Librewolf.
While this is also available as a Flatpak, you may want to install the official Archive.
The Torbrowser is based on Firefox ESR for stability reasons. ESR gets all security bugs backported, you may argue that not every bug is correctly labelled as security sensitive though.
Torbrowser has a strong focus on privacy, but the enforced "Private Browsing" makes it very user friendly, as it deletes everything you do. Disabling "private Browsing" can be detected, so do not do it!
You can install UBlock Origin on the Browser, as well as Add Custom Search Engine (which is probably okay) and add a few search engines!
Be aware that adding region-specific Filterlists may be detectable, and do not install "privacy addons" on the Browser, as its goal is a small and unified fingerprint, not randomization.
First download the Signature, then the Archive from this website.
You need to verify the download using these commands:
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg --verify /home/user/Programs/Browser/tor-browser-linux-x86_64-x.x.x.tar.xz.asc
if you get this output, you can proceed:
gpg: assuming signed data in 'tor-browser-linux-x86_64-13.0.8.tar.xz'
gpg: Signature made Thu 21 Dec 2023 02:29:32 PM CET
gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
The important part is the "Good Signature". Now unpack the Archive, delete it and go into it, where you see the folder "Browser" and the File "start-tor-browser.desktop".
Open a Terminal here and run ./start-tor-browser.desktop --register-app. Now the Brower will appear in your App Menu.
Chromium may come from your repositories and thus automatically updates (something nonexisting on Windows!). The updates may not be on time though, and there is no official binary repository by Google.
Also, Chromium is a rolling release, being upstream of Chrome, so it has to be considered as "testing" and versioning is a task of the packagers or downstream projects like Chome, Edge, Brave or Vivaldi.
Ungoogled Chromium is a variant that actually removes telemitry and tracking by Google. Chromium lacks many features of Chrome, but still sends loads of Data to Google.
Chromium is not optimized at all to protect against Website Fingerprinting. There are different stands on the topic, and a general "unified vs. randomized" debate.
There are some ways to download the latest binaries
Chromium now supports per-website opt-in to use Javascript JIT in a policy file, so videocalls, some encryption websites etc. work, while you are safe from unknown exploits of this exception.
Brave is a fork of Chromium, that adds many privacy optimizations. It is often critizised for some "bloat" it brings, like
- BAT (Brave Attention Token) system
- Crypto Wallet Builtin
- Brave News
- non-local Translations, still having popups
- Leo AI integration
- Dependency on the Chromium Web Store
But similar to Firefox, these Features can be disabled, and you can use policies and config files to preset brave://flags. This is not well documented on Linux though, we can hope that this improves.
It seems that Brave reads /etc/chromium/ if /etc/brave/ is missing.
Its strengths are
- builtin Adblocking
- accountless E2EE (end to end encrypted) synchronisation
- Randomization of User Identifiers for Anonymity
- Builtin IPFS, Tor and Bittorrent support
- continued support for Manifest v2 Addons (allows Addons to download Data, e.g. Adblock/Malware Filterlists)
Brave has repositories for many Distros, which is the recommended way of installing.
The Flatpak is currently very insecure, using zypak to replace the tab isolation Sandbox, weakening it.
Brave is a deviation of Chromium. It may lack behind on security features, where especially Edge with its "Super Duper Secure Mode" made some hardening like disabling WebAssembly JIT compilation very accessible.
You can disable JIT compilation in Brave by adding --js-flags=--jitless to its Exec= line, similar to the general Chromium override.