• General
  • Questions about GrapheneOS and related topics

gk7ncklxlts99w1 "Tor itself makes people into much more of a target (both locally and by the exit nodes)". I'd like more information. Is it talking about the browser, or the network? Using Tor properly, without bridges, in a country that doesn't ban the use of Tor, your ISP might flag you, but other than that they have no idea what you're doing. Using bridges, I don't see how using Tor makes you a target, and even if it did, given how much better Tor is compared to VPNs or the clearnet, there's no better option available that I'm aware of.

It is talking about the network.

ISPs can see that you are using the Tor network (they see that your computer connects to one of the Tor entry nodes), hence they might or might not (no one knows this for sure - it depends on country, ISP, etc., etc. - no one knows for sure!) flag you, as using Tor is often associated with doing shady things.

If you use a bridge then it will try to mask your entry node, so your ISP won't see you are connecting to the Tor network, so you are unlikely to become a target.

It again boils down to the question: what do you want to achieve? You can't use Tor for social media, banking, etc., whilst you can use a VPN for these (although some streaming or other services might block access if they think you are on a VPN).

You can use a trusted VPN for your day-to-day activities so that it will hide your traffic from your ISP (some ISPs are known for monitoring and selling your data).

    gk7ncklxlts99w1 "If you're using a VPN, you should consider using the standard DNS service provided by the VPN service to avoid standing out from other users." Does this suggest using other DNS providers like Cloudflare, Google and Quad9 makes you stand out, or that not using any DNS provider makes you stand out?

    It says the following: "if you are using a VPN provider, it's better to use their own DNS server". Because the sites will see: Mullvad VPN with Mullvad DNS is connecting - hmmm, there are thousands of people using Mullvad VPN + Mullvad DNS - so it's hard for us to find the person.

    If you use a custom DNS, then the websites will see: Mullvad VPN with 3rd-party DNS is connecting - let's see, it seems far fewer people are using this config, so we can probably guess who it is.

    Also, using a 3rd-party DNS with your VPN provider means trusting 2 parties: your VPN and DNS, as both will see part of your traffic. You ideally want to avoid this, as the fewer parties see your traffic, the better it is.

    If you don't use a VPN at all, it's good to use a privacy-friendly DNS.
    You can find a good comparison here: https://www.privacyguides.org/dns

    If you are using Mullvad, then just add their own adblocking DNS as your Android Private DNS and then it will be used both with and without VPN: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/

      Volen I suppose a DNS blocklist would be able to block specific IPs, but it doesn't have the same convenience as a firewall app like RethinkDNS, where you can easily see which IPs are being accessed in real time, and block or allow them easily. The ability to actually monitor your network activity is really handy.

      Again, the documentation says not to use apps like Netguard.

      Most apps I install probably aren't tracking me, but there are a few nasty ones like Amazon, which is something I can't live without (I like being able to quickly add books to my wishlist).

      Also, the privacy and security features provided by RethinkDNS have not been addressed yet.

        matchboxbananasynergy How does GrapheneOS gain root? Sorry, I'm not really clear on the process of how to root a device (I will google this, and read the article you mentioned). So just to be clear, when you root a device, you're actually exposing all apps that you install?

          Volen

          Vanadium (and other similar browsers) provide more security, which means they are great for day-to-day browsing, logging in to your preferred websites etc.

          Does this also suggest Chromium-based browsers would be better for logging into accounts on desktop? Since Chromium is more secure than Firefox/Gecko, why aren't Chromium browsers touted as being better for security in the desktop space (any browser privacy guide worth its salt recommends Firefox over Chromium; I have not heard of any recommendation for using Chromium (e.g. Brave) for logins)?

          Using Vanadium (and any other browser) over Tor/Orbot will ultimately make you unique, as each browser has a unique fingerprint based on some of the configs, etc. And websites will see it's you, as your browser will have the same unique fingerprint with or without Tor.

          So are you suggesting there's no way to prevent browser fingerprinting on Android, with or without Tor? If that's the case, then that sucks. I would like to know what specific configs make the browser unique (if you're able to provide that information).

          Using Tor browser (with default settings) means every single person who is using Tor browser will have the same browser fingerprint so websites will not be able to identify you. This is why it is strongly recommended to not touch any Tor browser settings, not install any extra add-ons, etc - just browse the web using default settings, to avoid fingerprinting.

          This contradicts the previous paragraph, but I'll just assume you meant "any other browser besides Tor".

          So to summarize, it sounds like the best option for Android is to use Vanadium for logins, and Tor with default settings (which is how Tor is meant to be used) is best used for non-logins and general browsing where speed is not important. I don't want to put words in your mouth (or hands, in this case...) so correct me if I'm wrong.
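Both the VPN+DNS discussion above (Mullvad VPN with Mullvad DNS versus a third-party resolver) and the Tor Browser advice (keep default settings) are the same idea: the size of the crowd that shares your observable configuration. The following is an added illustration, not code from the original thread or from GrapheneOS; the population, the attribute names and the counts (500, 300) are constructed to make the effect visible, not measured data.

```python
"""Anonymity-set sizes over a constructed user population (added example)."""
import json
from collections import Counter
from hashlib import sha256


def fingerprint(attrs: dict) -> str:
    """Stable hash over everything a site can observe about a visitor.

    Keys are sorted so attribute order cannot change the result.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return sha256(canonical.encode()).hexdigest()[:16]


def anonymity_set_sizes(population: list[dict]) -> Counter:
    """How many users share each fingerprint (the 'crowd' you hide in)."""
    return Counter(fingerprint(a) for a in population)


def anonymity_set_size(attrs: dict, population: list[dict]) -> int:
    """Size of the crowd a visitor with these attributes belongs to; 1 means unique."""
    return anonymity_set_sizes(population)[fingerprint(attrs)]


# Constructed configurations (hypothetical attribute names, chosen for the example).
VPN_PROVIDER_DNS = {"exit": "Mullvad VPN", "dns": "Mullvad DNS", "browser": "Vanadium"}
VPN_CUSTOM_DNS = dict(VPN_PROVIDER_DNS, dns="third-party resolver")
TOR_DEFAULT = {"exit": "Tor exit", "browser": "Tor Browser", "addons": [], "window": "default"}
TOR_TWEAKED = dict(TOR_DEFAULT, addons=["extra-addon"], window="maximised")


def build_population() -> list[dict]:
    """Constructed population: many users on the stock configs, one on each tweak."""
    population = [dict(VPN_PROVIDER_DNS) for _ in range(500)]
    population += [dict(TOR_DEFAULT) for _ in range(300)]
    population.append(dict(VPN_CUSTOM_DNS))   # the lone 'VPN + 3rd-party DNS' user
    population.append(dict(TOR_TWEAKED))      # the lone Tor user who changed settings
    return population


def report(population: list[dict]) -> dict:
    """Anonymity-set size for each named configuration."""
    configs = {
        "vpn + provider dns": VPN_PROVIDER_DNS,
        "vpn + custom dns": VPN_CUSTOM_DNS,
        "tor browser default": TOR_DEFAULT,
        "tor browser tweaked": TOR_TWEAKED,
    }
    return {name: anonymity_set_size(a, population) for name, a in configs.items()}


if __name__ == "__main__":
    for name, size in report(build_population()).items():
        print(f"{name:22s} anonymity set = {size}")
```

The two tweaked users have done nothing "wrong" in isolation; they are identifiable only because nobody else chose the same combination. That is why the thread's advice is to use the resolver everyone else on that VPN uses, and to leave Tor Browser at its defaults.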

            Volen replying to https://discuss.grapheneos.org/d/2061-questions-about-grapheneos-and-related-topics/13

            That guide doesn't tell me much. It just says to avoid Firefox because it doesn't have site isolation or IsolatedProcess, use Chromium because they do, and use Tor for anonymity. It then proceeds to show information for Brave, which is not as secure as Vanadium, which means I won't be using it, and the rest of the section talks about iOS making the guide mostly irrelevant for me.

            It does provide a bit more information about site isolation (here), which I'll read up on.

            I see your point about Arkenfox, but that shouldn't prevent someone from making a Firefox fork that tweaks the source code to enable site isolation / IsolatedProcess. I'm not a developer, so I don't know the hurdles associated with such a change.

            Containers are considered dead, as this guy explains.

            Also, I want to mention that the GrapheneOS documentation explains that Tor has poor security, therefore has poor privacy. But as you mentioned, and as the guide that you linked mentions, Tor is the only browser that has the capacity to be truly anonymous. If Tor has poor privacy, then Vanadium must have even worse privacy. Something doesn't add up.

              Volen replying to https://discuss.grapheneos.org/d/2061-questions-about-grapheneos-and-related-topics/14. That sounds fair, but the phrase "Tor itself makes people into much more of a target" sounds very ominous and overly dramatic. I suppose it depends on the country you're in; if you live in a country that really doesn't like people using Tor, then ISPs might end up cancelling your internet. I don't see how it would end up in you being targeted by a state government or hackers (as the phrase might suggest, at least to me).

                gk7ncklxlts99w1 I do not know. You shouldn't root your device. Keep in mind that if you root the device, you're running an unsupported setup, and not something that can really be called GrapheneOS at that point. GrapheneOS assumes that all of the hardware security features of the device are in place.

                gk7ncklxlts99w1

                Have you ever tried AdGuard Private DNS (not the public DNS but the private DNS, the new service they offer)? It does exactly what you said you want.

                The documentation says not to use Netguard for blocking Internet access, as you can use the Network toggle to do it much more effectively, natively and correctly. No one said you are not allowed to use Netguard or that you can't use it for other purposes, for example, monitoring your traffic.

                It's up to you to decide what to use in your case - you want Netguard - then use Netguard. You want RethinkDNS - then use it instead. The choice is yours.

                You're just overthinking all this.

                  gk7ncklxlts99w1

                  Again, you're overthinking all this.

                  Desktop (Windows, Linux, Mac, etc) and Android are 2 completely different platforms.

                  Firefox for Desktop is NOT the same as Firefox for Android, Chrome for Desktop is NOT the same as Chrome for Android.

                  Both Firefox and Brave have a good reputation as browsers for Desktop users. No one said Chromium-based browsers are not recommended. See here: https://www.privacyguides.org/desktop-browsers/

                  Of course there is NO WAY to completely prevent fingerprinting if you are using a browser for day-to-day activities. There are tons of settings (browser settings, IP, locale, time, your operating system, etc.) that contribute to creating a unique fingerprint. You need to do more research on this; there are tons of articles online about fingerprinting.

                  No browser, except Tor Browser, will give you anonymity or make you invisible (100% fingerprint protection). It's simply impossible.

                  You want anonymity? Use Tor Browser. You want a good and secure day-to-day browser? Use Vanadium or Brave, depending on your needs. That's it.

                  gk7ncklxlts99w1 I see your point about Arkenfox, but that shouldn't prevent someone from making a Firefox fork that tweaks the source code to enable site isolation / IsolatedProcess. I'm not a developer, so I don't know the hurdles associated with such a change.

                  Yes, it shouldn't prevent someone from making it. You can't code, I can't either, so we just need to sit and wait for this feature to be available one day.

                  gk7ncklxlts99w1 Containers are considered dead, as this guy explains.

                  You don't use containers in Firefox for security, you use them for convenience: if you want to log in to 2 different websites without having to open and close Firefox, you use containers. It's up to you to use them or not; they don't provide any extra security.

                  gk7ncklxlts99w1 Also, I want to mention that the GrapheneOS documentation explains that Tor has poor security, therefore has poor privacy. But as you mentioned, and as the guide that you linked mentions, Tor is the only browser that has the capacity to be truly anonymous. If Tor has poor privacy, then Vanadium must have even worse privacy. Something doesn't add up.

                  Again, privacy and security are two completely, completely different things.

                  Tor is private but not as secure; Vanadium is not private but more secure. That's it.

                  gk7ncklxlts99w1 replying to https://discuss.grapheneos.org/d/2061-questions-about-grapheneos-and-related-topics/14. That sounds fair, but the phrase "Tor itself makes people into much more of a target" sounds very ominous and overly dramatic. I suppose it depends on the country you're in; if you live in a country that really doesn't like people using Tor, then ISPs might end up cancelling your internet. I don't see how it would end up in you being targeted by a state government or hackers (as the phrase might suggest, at least to me).

                  It's not dramatic, it's a correct statement that warns people about possible side effects of using Tor. No one can guarantee your ISP won't make you a target if you use Tor, hence the precaution.

                  This is something you can again do some more research on on the web.

                    Volen gk7ncklxlts99w1 I see your point about Arkenfox, but that shouldn't prevent someone from making a Firefox fork that tweaks the source code to enable site isolation / IsolatedProcess. I'm not a developer, so I don't know the hurdles associated with such a change.

                    Yes, it shouldn't prevent someone from making it. You can't code, I can't either, so we just need to sit and wait for this feature to be available one day.

                    This is something that was attempted with Mull, but it had to be reverted because it broke horribly. IsolatedProcess is just not ready on Firefox for Android at this point.

                    Volen

                    No one said you are not allowed to use Netguard or that you can't use it for other purposes, for example, monitoring your traffic.

                    The documentation doesn't say you can't use Netguard or firewalls, but that they're not recommended. Here it explains the reasons. I'm simply asking for a better explanation. However, since I haven't really gotten a definitive answer about it, I'll just use my VPN instead.

                    You need to do more research on this; there are tons of articles online about fingerprinting.

                    I have done plenty of research on fingerprinting. I may not know everything, but browser privacy is probably my area of expertise in terms of privacy. Firefox, hardened with Arkenfox, is recommended as being more private than Chromium. I never said Chromium-based browsers had a bad reputation (although, they do). I never asked for complete privacy or complete anonymity. That wasn't part of my question. My question was why Vanadium was recommended over Tor, and why the documentation says that Tor has weak security therefore weak privacy, which is completely false as you and other articles have demonstrated. The only explanation that I've received for why Vanadium is more secure over Tor (and other browsers) is that it uses isolation. I have yet to read this article, which may shed some light on site isolation.

                    You don't use containers in Firefox for security, you use them for convenience: if you want to log in to 2 different websites without having to open and close Firefox, you use containers. It's up to you to use them or not; they don't provide any extra security.

                    While I think they do provide some privacy (or at least they used to), you can also achieve the same thing by using separate profiles (which is what I do), which is more private. But yes, if you wanted a simple solution, containers would work.

                    Again, privacy and security are two completely, completely different things. Tor is private but not as secure; Vanadium is not private but more secure.

                    I understand that they are different, as I explained in my original post. However, you can't separate the two, they are intertwined like two sides of the same coin. If we're going to debate about the differences between security and privacy, then we may as well get our definitions straight. There are numerous good articles that explain the differences, and anyone remotely knowledgeable about InfoSec knows that privacy and security go hand-in-hand.

                    It seems to me that, in the privacy community, you have two types of people. Those who don't understand the differences between security, privacy and anonymity, and those that think they're all completely different and have no overlap with each other. Not only do they overlap, they enable each other.

                    gk7ncklxlts99w1 It sounds like what you might be looking for is a tool like Blokada. There's a tab in the app where you can see connections in real time if you want to, and block/allow as you choose, along with installing various available blocklists. Blokada 5 is free, and available from the Blokada website itself (don't know if another source for it is better?). Blokada does NOT require root, but it does work by acting as a VPN, so bear that in mind if you choose to use it. I've used it before and my experience was very favorable, but I think the suggestion by users much more knowledgeable than myself of using a custom DNS blocklist might be the way to go, as it will allow you to use an actual VPN, whereas using Blokada simultaneously prevents that, I believe.

                      Shendai If using a non-root firewall prevents me from using a dedicated VPN, and root firewalls aren't secure, then I'll probably use a VPN. I don't know if the benefits of any non-root firewalls warrant using that over a dedicated VPN, so I'm a bit in the dark about that.

                        gk7ncklxlts99w1 I believe that Netguard allows you to use a VPN as well as Netguard.

                        So while Netguard would be occupying the VPN slot, it also lets you use your VPN through Netguard.

                        I might be misremembering, however, or this may no longer be possible.

                        I'm just remembering that this was the case at some point. It might be something you might want to look into.

                        That said, I would personally recommend using the network permission when you don't want an app to have network access. That's robust, not leaky, and in my experience very reliable.

                        gk7ncklxlts99w1 As others have stated, getting root access defeats a significant aspect of the increased security offered through GrapheneOS. If something you want to use requires root access, I'd highly recommend looking for an alternative solution.

                        As for your browser-related questions, they're almost a completely different beast on mobile vs desktop. On desktop I use Librewolf or Brave, depending on what I want to do. On GrapheneOS, the work they've done to harden their customized Vanadium browser is impressive. It's not as private as using the Tor Browser (though you can still access that network using Vanadium, I believe), but the primary vector of infection nowadays on mobile (other than deliberately but unknowingly installing an infected app) is through the browser. Vanadium successfully mitigates all of the CVEs related to browsers that I dove into checking personally before making the decision to use it exclusively. Just my $.02.

                        Volen

                        Wait, websites know what DNS server you used? So if I connect to youtube.com, then Google will know the DNS server I used to resolve the IP address of youtube.com?

                          Ghj456

                          Of course they know - go to any DNS leak test website, it will show what DNS servers you use. They can see your DNS the same way they can see your IP.
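What a DNS leak test site actually measures is worth seeing end to end: the site hands your browser a unique hostname under a zone whose authoritative name server it runs, your configured resolver (the VPN's or a third-party one) queries that server on your behalf, and the server records which resolver asked. The following is an added simulation of that exchange, not code from the thread or from any real leak-test service; the zone `leaktest.example`, the TEST-NET addresses and the resolver names are constructed.

```python
"""Simulated DNS leak test: who asks the authoritative server? (added example)"""
import secrets
from dataclasses import dataclass, field

LEAKTEST_ZONE = "leaktest.example"  # constructed zone owned by the test site


@dataclass
class AuthoritativeServer:
    """Name server for the test site's zone. It sees the *resolver's* address,
    never the browser's, because recursive resolvers query on the client's behalf."""
    zone: str
    queries: list = field(default_factory=list)  # (hostname, asking_ip) log

    def resolve(self, hostname: str, asking_ip: str) -> str:
        self.queries.append((hostname, asking_ip))
        return "192.0.2.10"  # constructed TEST-NET address of the test page


@dataclass
class RecursiveResolver:
    """A resolver (VPN-provided or third-party) with its own public egress IP."""
    name: str
    egress_ip: str
    authoritative: AuthoritativeServer

    def resolve(self, hostname: str) -> str:
        # Cache misses are forwarded upstream with the resolver's own source IP.
        return self.authoritative.resolve(hostname, self.egress_ip)


@dataclass
class Client:
    """A device whose stub resolver points at one recursive resolver."""
    resolver: RecursiveResolver

    def lookup(self, hostname: str) -> str:
        return self.resolver.resolve(hostname)


class LeakTestSite:
    """The web side: mints a per-visit token and reads its own server's log."""

    def __init__(self, authoritative: AuthoritativeServer):
        self.auth = authoritative

    def new_token(self) -> str:
        return secrets.token_hex(8)  # unique per page load, so visits don't mix

    def probe_hostname(self, token: str) -> str:
        return f"{token}.{self.auth.zone}"

    def resolvers_seen(self, token: str) -> list[str]:
        host = self.probe_hostname(token)
        return sorted({ip for h, ip in self.auth.queries if h == host})


def run_leak_test(client: Client, site: LeakTestSite) -> list[str]:
    """One page load: the page fetches its unique subdomain, then asks the log."""
    token = site.new_token()
    client.lookup(site.probe_hostname(token))
    return site.resolvers_seen(token)


def build_scenario():
    """Constructed setup: one VPN user on the VPN's resolver, one on a third-party resolver."""
    auth = AuthoritativeServer(LEAKTEST_ZONE)
    vpn_resolver = RecursiveResolver("vpn-provider-dns", "198.51.100.53", auth)
    third_party = RecursiveResolver("third-party-dns", "203.0.113.53", auth)
    return LeakTestSite(auth), Client(vpn_resolver), Client(third_party)


if __name__ == "__main__":
    site, vpn_user, custom_dns_user = build_scenario()
    print("VPN DNS user   ->", run_leak_test(vpn_user, site))
    print("custom DNS user->", run_leak_test(custom_dns_user, site))
```

The log only ever contains resolver egress addresses, which is why a user on the VPN provider's own resolver shows up as "the VPN" and a user on a third-party resolver shows up as that third party next to a VPN exit IP. An ordinary site without its own authoritative server and a unique-subdomain trick does not get this data for free; the leak-test page is built specifically to obtain it.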

                          6 days later

                          Volen Using Vanadium (and any other browser) over Tor/Orbot will ultimately make you unique as each browser has a unique fingerprint based on some of the configs, etc. And websites will see its you as your browser will have the same unique fingerprint with or without Tor.

                          So Vanadium with VPN for security and Tor for privacy?