Curious to hear folks' thoughts on the pros and cons of running Tor Browser and Orbot on GrapheneOS.
The GrapheneOS website says regarding Tor Browser:
At the moment, the only browser with any semblance of privacy is the Tor Browser but there are many ways to bypass the anti-fingerprinting and state partitioning. The Tor Browser's security is weak which makes the privacy protection weak. The need to avoid diversity (fingerprinting) creates a monoculture for the most interesting targets. This needs to change, especially since Tor itself makes people into much more of a target (both locally and by the exit nodes).
Later on it says:
Avoid Gecko-based browsers like Firefox as they're currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn't have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android.
Regarding using Orbot for something like Vanadium or Brave, the Tor Project says:
We strongly recommend against using Tor in any browser other than Tor Browser. Using Tor in another browser can leave you vulnerable without the privacy protections of Tor Browser.
With all that info, what then are the best tradeoffs for folks that would like to maximize privacy and security? Does the increased attack surface of having two browser engines offset any privacy gains from using the Tor Browser (even with the Security Level set to "Safest", turning off JavaScript for all sites)? On the other hand, does using Orbot for any applications (whether a web browser or things like NewPipe and RedReader) ruin a lot of the privacy gains that Tor provides?
I understand there probably isn't a perfect answer, but curious to hear how others approach this.