Passa al contenuto principale

The Mullvad Browser hard facts: list of settings and modifications.

Last updated:

Want to know exactly how the Mullvad Browser combat fingerprinting and other tracking? This is the place.

Private browsing mode by default

Private browsing does not save your browsing information, such as history and cookies, and leaves no trace after you end the session.

This means that when you close the Mullvad Browser, you don't have to worry about cookies and cache making you traceable.

What won't be saved in private browsing mode?

  • Visited pages: Pages will not be added to the list of sites in the history menu, the library window's history list, nor in the address bar drop-down list.
  • Form and search bar entries: Nothing you enter into text boxes on web pages nor the search bar will be saved for form autocomplete.
  • Download list entries: Files you download will not be listed in the downloads library.
  • Cookies: Cookies set in private windows are held temporarily in memory, and will be discarded at the end of your private session (after the last private window is closed).
  • Cached web content and offline web content and user data: Temporary internet files (cached files) and files that websites save for offline use will not be saved.

What will be saved in private browsing mode?

  • Bookmarks you create
  • Extensions settings
  • Browser's cache for internal (mostly UI) components

Fingerprinting resistance

To mitigate browser fingerprinting, privacy.resistFingerprinting is enabled.

Here is a list of the main modifications:

  • Your timezone is reported to be UTC
  • Not all fonts installed on your computer are available to webpages
  • The browser window prefers to be set to a specific size (see letterboxing section)
  • Your browser reports a specific, common version number and operating system
  • Your keyboard layout and language is disguised
  • Your webcam and microphone capabilities are disguised
  • The media statistics web API reports misleading information
  • Any site-specific zoom settings are not applied
  • The WebSpeech, gamepad, sensors, and performance web APIs are disabled

Here are the preferences:

  • privacy.resistFingerprinting set to true
  • privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts set to true
  • privacy.resistFingerprinting.block_mozAddonManager set to true
  • privacy.resistFingerprinting.exemptedDomains set to *.example.invalid
  • privacy.resistFingerprinting.jsmloglevel set to Warn
  • privacy.resistFingerprinting.letterboxing set to true
  • privacy.resistFingerprinting.randomDataOnCanvasExtract set to true
  • privacy.resistFingerprinting.reduceTimerPrecision.jitter set to true
  • privacy.resistFingerprinting.reduceTimerPrecision.microseconds set to 1000
  • privacy.resistFingerprinting.target_video_res set to 480
  • privacy.resistFingerprinting.testGranularityMask set to 0
  • services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter set to true
  • services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.microseconds set to true

Here are a list of other changes:

  • WebGL readPixel function is disabled
  • Disable NTLM authentication
  • Disable OS CA certificates and make sure that after disabling them any OS CA certificate is removed
  • Disable speculative connections
  • CSS system fonts are normalized, to hide any customization at the OS level, or the defaults that different locales might have
  • Disable privilege elevation in the updater code
  • Disable some mechanisms of code injection for 3rd party applications (including antiviruses)
  • Disable the mechanisms to synchronize settings with Mozilla
  • Updates are verified using the open source NSS library, instead of relying on OS crypto
  • Remove some of Firefox's default extensions, such as screenshots, etc...
  • Disable special privileges of Mozilla sites (including, addons.mozilla.org)

And here's a listing of the compile options:

  • --disable-crashreporter (minimize telemetry)
  • --disable-parental-controls (to disable local/OS MTIM)
  • --disable-eme (Encrypted Media Extensions, for other DRMs)
  • --enable-proxy-bypass-protection
  • --disable-system-policies (make sure Mullvad Browser does not obey policies system administrators set for Firefox, or, in other words, give users complete control of their browser)
  • --enable-bundled-fonts
  • --disable-backgroundtasks
  • --disable-update-agent
  • --disable-default-browser-agent (Windows only, another telemetry thing)

Letterboxing

Mullvad Browser in its default mode is starting with a content window rounded to a multiple of 200px x 100px to prevent fingerprinting the screen dimensions. The strategy here is to put all users in a couple of buckets to make it harder to single them out. That works so far until users start to resize their windows (e.g. by maximizing them or going into fullscreen mode).

Mullvad Browser ships with a fingerprinting defense for those scenarios as well, which is called letterboxing, a technique developed by Mozilla and presented in 2019. It works by adding margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that minimize the likelihood of singling them out with the help of window dimensions.

In simple words, this technique makes groups of users of certain window sizes and this makes it harder to single out users on basis of window size, as many users will have same screen size.

Security levels

Increasing the security level in the Mullvad Browser security settings will disable or partially disable certain browser features to protect against possible attacks. You can enable these settings again at any time by adjusting your security level.

Standard

At this level, all Mullvad Browser and website features are enabled.

Safer

This level disables website features that are often dangerous. This may cause some sites to lose functionality. JavaScript is disabled on all non-HTTPS sites; some fonts and math symbols are disabled; audio and video (HTML5 media) are click-to-play.

Safest

This level only allows website features required for static sites and basic services. These changes affect images, media, and scripts. Javascript is disabled by default on all sites; some fonts, icons, math symbols, and images are disabled; audio and video (HTML5 media) are click-to-play.

New identity button

This option is useful if you want to prevent your subsequent browser activity from being linkable to what you were doing before. Selecting it will close all your open tabs and windows, clear all private information such as cookies and browsing history. Mullvad Browser will warn you that all activity and downloads will be stopped, so take this into account before clicking “New identity”.

Warning! Clicking this button will not change your IP address. You'll need to use a VPN and manually switch server as well.

  • DuckDuckgo is the default search engine.
  • No search suggestions when you start typing. Enabling this leaks what you type to the search engine before you press Enter.

Telemetry

Telemetry and crash reporting are entirely disabled in the browser at compile time. The pingsender executable, which would send the telemetry to Mozilla is removed as well.

Here are a list of the only connections automatically made by the browser:

  • Browser update (Mullvad)
  • Mullvad Browser Extension update (Mullvad)
  • Mullvad DoH (Mullvad)
  • NoScript/uBlock Origin update (Mozilla)
  • Certificates (via OCSP; CAs, including but not limited to, Mozilla, Google, Let's Encrypt, Digicert, Globalsign, etc. triggered either by browsing, or by other background requests that are over HTTPS)
  • Domains update
  • uBlock Origin filter lists update (various lists)

Browser Settings (Interface)

  • No extension recommendations
  • No search engine recommendations
  • No addition/recommendation of third-party services
  • No password manager (it's better to keep password manager as a separate tool)
  • No phishing and malware protection ( we want to prevent this feature from phoning home and reaching out to Mozilla when double-checking URL hits, and to Google when checking downloaded files. Moreover, the databases locally cached for performance and privacy by these features are periodically updated through remote settings, which we currently disable on the same "reduce phoning home" theme)
  • Do Not Track is disabled
  • HTTPS-Only Mode enabled in all windows

Extensions

uBlock Origin

To the default uBlock Origin configuration, these two lists have been added:

  • Adguard URL Tracking Protection (query string tracking parameter stripping)
  • EasyList Cookie (cookie banners removal)

NoScript

NoScript is used as the back-end of the Security Level feature and provides additional protections like Cross-Site Scripting (XSS) filtering. NoScript's icon is hidden by default like in the Tor Browser, but can be added along other extensions from the Customize Toolbar menu.

Mullvad Browser Extension

Mullvad Browser Extension improves your browsing experience while using Mullvad VPN:

  • Easily check connection details
  • Verify you have no IP/webRTC/DNS leaks
  • Recommend the use of HTTPS-Only & uBlock Origin
  • While using Mullvad VPN, connect to any of our proxy (socks5) servers with one click. This will make your browser traffic go through the location of your choice.

Dns Over HTTPS (DoH)

Mullvad Browser is configured to use Mullvad DoH for all DNS requests, without fallback. In the settings, you can also configure it to use Mullvad Adblocking DoH.

See our recommendation for DoH usage.

Nearly identical fingerprint

Mullvad Browser is specifically engineered to have a nearly identical (we're not perfect!) fingerprint across its users per operating system. This means each Mullvad Browser user looks like many other Mullvad Browser users, making it difficult to track any individual user.

Want to learn more about browser fingerprinting? Here's our article about it.

No un-audited features

Mullvad Browser, like Tor Browser, is based on Firefox. When new features are added in Firefox, they will be first audited and reviewed in order to minimize the risk for security and privacy. Only then will they be considered for addition in Mullvad Browser.

Differences with Tor Browser

  • No Tor Network patches
  • No multilanguage support
  • No onboarding patches
  • Different branding/installer metadata
  • WebRTC is enabled
  • Web Audio API is enabled (needed for WebRTC)
  • uBlock Origin / Mullvad Browser Extension
  • NoScript Cross-tab Identity Leak Protection is disabled by default
  • Mullvad DoH
  • A Tor Browser specific cryptocurrency targeted protection is removed
  • No drag and drop protections (it's a specific proxy-bypass measure)
  • No download warning popup (the one that says that you should use Tails to open downloads)

Content under CC BY-SA 3.0 - Some of it is adapted from Mozilla and from Tor Browser manual.