This post has been completely refreshed on November 28, 2022
Your web browser is your window into the online world. On desktop PCs and laptops, it’s your primary means of accessing the world wide web and other internet services.
Thanks to the popularity of apps, the browser is less important on mobile platforms, but it’s still the main way to access most content on the web. And if you care about privacy, accessing a service using its website exposes much less of your data(new window) than using its app.
Your browser has direct access to troves of your most personal and intimate data. In theory, your browser could send a record of everything you do online back to its developers — even what you type into fields on individual web pages.
For that reason, we at Proton feel it’s important to explain to people which browsers they can use if they want to keep their online activity private. There are hundreds of browsers out there, so we could not examine them all. However, we were able to assemble a list of six open-source browsers that respect your privacy to varying degrees.
You might notice that many of the most popular browsers, namely Google Chrome but also Apple Safari and Opera, aren’t included in our list above. That’s because they, like most popular browsers, use proprietary closed code, so we cannot know how they handle your data. Browsers that use closed code include:
- Google Chrome
- Microsoft Edge
- Apple Safari
- Samsung Internet
- UC Browser
- DuckDuckGo Privacy Browser
These browsers are undoubtedly secure, as they have numerous highly effective protections against hackers. But should we trust them to respect our privacy?
Google’s entire business model is to invade our privacy so it can better target us with highly personalized ads. Microsoft also makes money from targeted advertising and has a long record of violating its users’ privacy(new window).
Apple markets itself as a champion of its users’ privacy, but it fully cooperated with the NSA’s PRISM spying program(new window) that Edward Snowden exposed in 2013. Its attitude to rival browsers on its iOS platform (discussed below) also makes it clear that the best interests of its users are not a top priority for the company.
The bottom line is that we simply don’t know how invasive these browsers are to our privacy because they are closed (although Chrome has been shown to use trackers to “absurd proportions(new window)”).
It comes down to how much you trust the developers with these browsers. Even if you do trust them, this is not how good security works.
Open source is not a miracle cure when it comes to ensuring software is private and secure. The sheer amount of code involved in creating a browser means things can be missed even by professional software auditors.
However, the fact that anyone can examine the code (and in the case of popular browsers, many have) provides the best assurance possible that its code is error-free and contains no hidden surprises.
That’s why we’re only considering fully open-source browsers in this article.
Browsers on iOS and iPadOS
Apple forces all browsers(new window) that run on its iOS and iPadOS platforms to use its own WebKit browser engine(new window). (A browser engine(new window) transforms an HTML file into a visual web page you can interact with.) This means that all third-party browsers on iOS are basically just rebranded versions of Safari (except that Safari for iOS offers advanced features that Apple blocks from its competitors).
Therefore, all comments about the browsers discussed in this article explicitly exclude their iOS versions. These browsers may still be useful on iOS (for example, for syncing bookmarks, open tabs, and browsing history across all your devices), but they’re not included among the apps discussed below.
Although not directly relevant to this article, it should be noted that in-app browsers on iOS, such as those used by the Tiktok(new window), Instagram, and Facebook(new window) apps, can be very insecure and should be avoided at all costs.
Best secure and privacy-first web browsers
- Fully audited
- Lots of privacy-enhancing features, with more always in development
- Large ecosystem of browser add-ons
- Secure cross-device and platform syncing
- The only real open-source competition to Google’s browser engine
- Available on all major platforms
- Vulnerable to browser fingerprinting
Firefox is a fully audited(new window) open-source browser from the nonprofit organization Mozilla. It focuses on protecting your privacy with built-in enhanced tracking protection(new window) and canvas fingerprinting resistance(new window). That said, in recent tests performed by us, a clean installation of Firefox still had a unique browser fingerprint(new window).
Firefox’s default settings emphasize privacy, but you can customize them to provide even greater privacy. For example, you can fine tune which cookies and trackers you block.
The ability to customize Firefox is further enhanced by its support for a huge range of third-party add-ons(new window), many of which provide excellent privacy benefits. Great examples include Privacy Badger(new window), Cookie AutoDelete(new window), uBlock Origin(new window), Decentraleyes(new window), and more. The snag here is that each add-on you use increases the uniqueness of your instance of Firefox, making you more vulnerable to fingerprinting.
Outside of privacy considerations, Firefox is a lightweight, fast, and fully featured modern browser that can sync your tabs, bookmarks, and browsing history across multiple platforms using end-to-end encryption.
Firefox isn’t perfect. For example, bundling the proprietary Pocket app with all browser installs annoyed many open source purists. Firefox also sends more telemetry data(new window) back to Mozilla by default than most people should be comfortable with (although you can disable this).
Firefox is currently Chrome’s only major free and open-source competitor. Its decline in market share(new window) should be a cause for concern for anyone who values their privacy.
- It’s Chrome with all the proprietary code stripped out
- Supports Chrome browser extensions
- No built-in syncing solution
- No auto-update (by default)
- Vulnerable to browser fingerprinting
- It’s still a Google product
To see the value of making code open source, you need look no further than Chromium. Google makes the core code for its Chrome browser (easily the most popular browser in the world(new window)) open source so that it can be reviewed and audited by the security community.
Chromium is an open-source version of the Chrome browser with all of Google’s proprietary code stripped out. Or at least that’s how it’s supposed to work. One of the biggest concerns over Chromium is that, because of the sheer size and complexity of its code base, some undesirable Google code might remain undetected.
Chromium is available as a pre-built download for Windows, macOS, and Linux. There is no pre-built APK, but it is possible to self-compile the open-source code for Android devices.
Other than some minor branding details, Chromium provides an almost identical browsing experience to Chrome. Unfortunately, in 2021, Google pulled support for syncing tabs, history, and bookmarks(new window) using your Google account. Third-party syncing options exist, but most of these are not open source.
Syncing issues aside, Chromium offers a seamless way to transition away from Chrome (as long as you don’t mind still using code created by Google). It includes no specific privacy-enhancing features, but you can, at least, be fairly sure the browser itself isn’t spying on you.
Full support for Chrome browser extensions means you can install third-party privacy solutions, although any browser extension increases the uniqueness of your browser fingerprint. When we tested a new clean install of Chromium, Cover Your Tracks(new window) reported that it had a unique fingerprint.
Another issue is that, by default, Chromium does not auto-update, which we advise everyone to do since updates contain the latest security fixes. This isn’t a major problem on Linux, as most package managers will update the app. On Windows and macOS, there are several third-party tools designed to help with this.
- Fingerprinting resistant
- Lots of out-of-the-box privacy-enhancing features
- Compatible with Chrome browser extensions
- Secure cross-device and platform syncing
- Available on all major platforms
- No telemetry
- Optional cryptocurrency and ad-supported features may not please purists
- Automatically redirected cryptocurrency searches to affiliate links
- Based on Google code
It has tracking protection, a built-in ad and script blocker, built-in HTTPS-Everywhere(new window) functionality, and one-click anti-fingerprinting. In our tests, Brave was the only browser that was completely effective against browser fingerprinting on their desktop and Android app (although, unsurprisingly, not on iOS/iPadOS).
In a recent study(new window), it was also easily the most private browser in terms of telemetry sent back to its developers.
Brave blocks third-party cookies by default and can even block cookie consent notices. Because Brave is based on Chromium, you can use regular Chrome browser extensions (download from either its own Brave Web Store or the Chrome Web Store). Brave also offers secure tab, history, and bookmark syncing across devices and platforms.
However, Brave also offers more controversial features. Brave Rewards(new window) allows you to earn BAT (Basic Attention Tokens, Brave’s own cryptocurrency that you can convert into cash) by opting to see ads from commercial partners.
Other features include Brave News and Brave Wallet(new window), a cryptocurrency and NFT wallet built into the browser. Brave News(new window) is a personalized, ad-supported news feed (with the personalization performed on-device to protect your privacy).
It should be noted that all these “features” are strictly opt-in. However, in 2020, Brave had to apologize for automatically redirecting cryptocurrency searches to affiliate links(new window) that it was paid for. It did this without asking its users’ permission.
- The best way to access the Tor anonymity network
- Strong privacy focus
- Provides partial protection against fingerprinting
- Available on most platforms (not iOS)
- Can lag behind Firefox in terms of features
- No syncing function
- Very slow when using the Tor network
Tor Browser is a forked version of Firefox ESR that routes all connections through the Tor anonymity network(new window). It’s also “hardened” to improve privacy, offering out-of-the-box features, such as pre-installed HTTPS Everywhere(new window) and NoScript(new window) (with all scripts disabled by default) add-ons, and it always uses private browsing mode(new window).
Because all unmodified Tor Browsers look exactly alike, experts often recommend it as the best way to defeat browser fingerprinting. However, in our own tests, it only provided partial protection and was outperformed by Brave.
Tor Browser is built on Firefox ESR (extended support release for enterprise use), which usually trails behind the regular version in terms of features. Additionally, Tor extensively tests and modifies new versions for improved privacy before releasing them. The net result is that Tor Browser can lag behind Firefox’s latest features (these new features are often disabled for privacy reasons anyway).
Tor Browser can use regular Firefox browser add-ons, but this isn’t recommended because they add uniqueness to the browser. There is no syncing function.
When used with the Tor network, Tor Browser provides the highest level of true anonymity possible on the internet (but even this should never be considered 100% anonymity). The price for this is a huge reduction in browsing speeds (typically around 90% or more), making the Tor network impractical for most day-to-day internet tasks.
You can use Tor Browser without connecting to the Tor network. In this use case, it’s a good privacy-focused browser but provides a rather bare-bones experience for day-to-day browsing.
- Strong protection against tracking
- Unique fingerprint
- Too minimal for day-to-day use
- Usage stats and Studies are opt-out
This mobile browser from Mozilla started life as a tracker-blocking app on iOS. You can still use it as a tracker blocker on iPhones and iPads even if you don’t use the browser itself.
Firefox Focus is, of course, based on Firefox, but it has a minimal aesthetic. There’s no support for syncing, browser add-ons, or even opening new tabs (tabbed browsing is only possible by opening a link in a new tab).
Unsurprisingly, Firefox Focus has effective tracking protection and ad-blocking (not unlike Proton VPN’s own Netshield Ad-blocker(new window) feature). However, it’s vulnerable to browser fingerprinting.
Another issue is that usage statistics are sent to Mozilla by default, as are Studies(new window) (new feature trials). You can opt out of these, but a truly privacy-focused browser should require users to opt in to these programs.
With its stripped-back feature set, Firefox Focus is too limited to recommend for day-to-day browsing, but it remains a good option if you need a high level of privacy (especially on iOS).
- It’s Firefox, but with even better privacy protections
- A truly community-led, open-source project
- Nearly-unique fingerprint
- Binaries aren’t digially signed
- Desktop only (but can sync with Firefox using Firefox Sync)
- Although promising, LibreWolf is a new browser, and as a community project, its longevity can’t be guaranteed
- No built-in autoupdate
LibreWolf is a custom version of Firefox designed to increase protection against tracking and fingerprinting techniques while including many additional security improvements. It’s available for Windows, macOS, and Linux.
LibreWolf collects no telemetry, uses privacy-friendly search engines (DuckDuckGo, Searx, Qwant, etc.), has the uBlock Origin browser extension installed by default, and implements various other hardening features(new window).
In our fingerprinting tests, LibreWolf scored better than vanilla Firefox with a “nearly-unique” fingerprint, but this is still a long way from ideal.
LibreWolf is always based on the latest version of Firefox and aims to release updates within three days of the latest Firefox release. Although not enabled by default, you can easily enable Firefox Sync in LibreWolf’s settings and sync your bookmarks, tabs, and browsing history across platforms and devices.
Update January 2024: It’s been brought to our attention that LibreWolf binaries aren’t digially signed, which is a serious security issue. Less important is that there is no auto-update feature (although various thrid-party solutions exist for this, such as using a respected open source package manager). This situation isn’t ideal, but any risk is likely minimal if you trust your package manager.
All the browsers listed above are good for privacy. They each have different pros and cons that will appeal to different people’s priorities when choosing a browser, so we have not listed them in any particular order. We encourage you to try them all to see which one works best for you.
It is also the nature of open source that there are numerous lesser-known browsers (almost all forked from either Firefox or Chromium). These include the likes of GNU Icecat(new window), SeaMonkey(new window), Iridium(new window), Pale Moon(new window), Waterfox(new window), and others that have small but (no doubt deservedly) loyal fanbases.
While it has not been possible to examine them all in detail here, we encourage anyone with a keen interest in this subject to explore all options available.
Update December 2, 2022: We removed the DuckDuckGo Browser from this list after it came to our attention that it’s only partly open source.