Vanadium and Social Media Trackers

naibed

Skimmed a few prior convos re: Vanadium + privacy, and the standard response is that fingerprinting unavoidable. What about general social media tracking though?

Social media trackers don't primarily rely on fingerprinting. They rely on network requests you make to their infrastructure. When a Twitter embed loads in Vanadium, Twitter receives your IP, a timestamp, and behavioral data, not because they fingerprinted you, but because your browser made a request to their server.

I run AGH and my understanding is that DNS blocking handles dedicated tracking domains but cannot operate below the domain level. A content domain like twimg.com serving a legitimate image can simultaneously execute tracking scripts and cookie syncing in the same request. DNS only sees one thing while uBO can differentiate between them.

Social media embeds are arguably the most widespread tracking vector on the modern web — they're on news sites, forums, blogs, everywhere. Vanadium has no mechanism to address this layer. The choice is binary: block the domain entirely (breaks content) or allow everything through.

There are mainstream, popular, existing tools that solve this already (ie uBO) allow the content, strip the tracking payload. This isn't about fingerprinting at all. It's about whether your browser can perform surgical request filtering, which requires extension support Vanadium deliberately omits.

I get that Vanadium makes sense if you are being threatened by a government et al, but for the vast majority of the rest of us, I am curious why a seemingly basic level of privacy protection isn't enabled?

DohnJoe

naibed block the domain entirely (breaks content)

I am sotty about the OT, but maybe this can help you, even if you partially covered this option.

I currently am using mullvad VPN with DNS filtering, blocking completely all major social networks (X, Facebook, Instagram and so on), and in the last year I didn't see sites breaking.
Of course, this is an option only if you don't use X, Facebook, Instagram or othe marjor social networks.

Also, for a lot of platforms you can use different frontends (nitter, imginn, teddit, invidious, and so on) which are compatible with the DNS filter.

Not gonna lie, you will lose some features on those platforms.

naibed

DohnJoe Thanks for the suggestion. I already use sidestep for privacy-friendly front-end alternatives, and I self-host redlib. I'm thankful for the suggested workarounds but perhaps more interested in someone pointing out if I'm offbase.

W/ my laptop, thanks to uBO + Firefox Enhanced Tracker Protection, I can block social media trackers. If I'm understanding things correctly, then every time I do a search on my phone instead of my laptop, I am sacrificing my privacy?

If I just installed IronFox + uBO on my phone, would that be substantially more private than Vanadium? Am I correct that for the typical, vanilla threat model, Vanadium's security hardening protects against improbable security issues whereas the most obvious privacy concerns are largely unaddressed?

Can someone tell me if I'm misreading things? I appreciate that Vanadium is best-in-class if law enforcement are after me or I live under a repressive regime, but if I just care about big tech spying on me, which I'm assuming is the most popular use case, is Vanadium ever the best choice from a privacy perspective?

Novalissoide

naibed Vanadium

Yes.
And use RethinkDNS for blocking, monitoring and logging.
Second browser, not Firefox but Vanadium in Private Space.

DohnJoe

naibed
I am not sure about what a "vanilla threat model" is, but I would agree that the first focus of Vanadium is security and not privacy. Some privacy features are still implemented and are very effective.

As a rule of thumb, every plugin you install can break privacy in ways you might not forsee and blocking a third party communication might be as much revealing as not blocking it.

Badness Enumeration is not considered the best solution, you can read this as: having a specific way to block what you are trying to block will eventually finish in websites implementing a new tracking system you have to fight.
If you didn't already, give it a read, it explains also why uBO already fails in what you are trying to achieve.

The best privacy focused browser you can get it's probably TOR browser (sacrificing security), which aim to complete anonymity.
If that is not an option for you (or you just don't want anonymity), you are probably left with Brave (?).

I hope someone else can give you better insight on this topic, as I am currently relying on Vanadium most of the time.

Novalissoide

naibed Vanadium's security hardening protects against improbable security issues

How on earth do you know this probability?

Novalissoide

DohnJoe TOR browser (sacrificing security)

Vanadium based Torbrowser, this really would be something..

Novalissoide

DohnJoe privacy focused browser you can get it's probably TOR browser (sacrificing security), which aim to complete anonymity.

I've started replacing Torbrowser with Private Space Vanadium + TorVPN

naibed

DohnJoe

Badness Enumeration is not considered the best solution, you can read this as: having a specific way to block what you are trying to block will eventually finish in websites implementing a new tracking system you have to fight.

IIRC Social Media trackers are on +80% of websites on the internet
Badness Enumeration doesn't apply to social media trackers (ie: Google Analytics, Facebook pixel, Twitter widgets) which have stayed on the same domains for years.
Even if Badness Enumeration did apply, it is already partially built into Vanadium as per their Features page: High performance content filtering engine using EasyList + EasyPrivacy with per-site toggle via drop-down permission menu

So to summarize, I am not looking for a whack-a-mole solution for every tracker created... I am concerned about deGoogling and avoiding big tech. What it sounds like is that contrary to most advice I've seen online, I'd be better suited using IronFox + uBO if I care about privacy, and Vanadium if I have above average security concerns.

DohnJoe

naibed IronFox + uBO

That seems to be a good privacy setup, especially if you don't mind about site isolation or using gecko based browsers in general.

If you do, I would trade it for Brave + Shield set as aggressive.
They (uBO and Shield) block roughly the same trackers by default, because they use many of the same filter lists (EasyList, EasyPrivacy, etc.), but using Brave you will benefit of other things you might miss with IronFox.

The two most important things I would spend some words on are:

Brave will get upstream updates from chromium, giving you better security overall.
Brave Shield is not a plugin, but part of the engine itself, so it will not have the same restrictions uBO (will) have as a plugin.

The discussion might be infinite, because with every choice you will have pros and cons.

uBO will give you more flexibility on filter lists and dynamic filtering, but it will introduces new risks you woudn't have without plugins.

At the end of the day, choose what you think it's best for you and what helps you sleep better at night :)

TrustExecutor

DohnJoe Isn't Vanadium already blocking the trackers OP mentions, due to the EasyList/EasyPrivacy content filtering?

NoahRaketic

Novalissoide Yeah, 0-days are found in Chromium all the time, so Vanadium's hardening becomes invaluable as defense-in-depth protections when these vulnerabilities can and do appear.

naibed

Novalissoide How on earth do you know this probability?

My understanding is that common browser-related security exploits are regularly patched inside of mainstream, modern browsers (read: IronFox) and so keeping the browser up-to-date would cover the vast majority of probable security issues.

The additional security layers that Vanadium provides are useful if you have an elevated threat model, but if you do not have an elevated threat model, then the additional functionality doesn't seem to make a noticeable difference yet greatly increases your privacy surface attack level relative to alternatives that cna use uBO et al.

NoahRaketic Yeah, 0-days are found in Chromium all the time, so Vanadium's hardening becomes invaluable as defense-in-depth protections when these vulnerabilities can and do appear.

Obviously when we go down the "well actually what if someone exploits a zero day on you specifically" path, Vanadium wins. I do worry you are conflating what is possible w/ what is probable though. Curious how many zero days were used against you prior to installing GrapheneOS for example.

I am all for depth-in-defense approach, but I think that actually proves my point. If I am using a GrapheneOS, I already have a hardened phone, the latest security updates, every app is sandboxed and cannot talk to other apps w/o my permission, my software is up-to-date software, and I am not visiting dodgy sites either. These things minimize my security attack surface from the start and so Vanadium appears to have diminishing security benefits in the grand scheme of things, but it does create a larger attack surface from a privacy perspective.

Johnnyloans

naibed

Use what you find comfortable. If you're staying awake at night, chromium. If not, get a hot-pink themed browser.

Novalissoide How on earth do you know this probability?

I wrote this elsewhere:

Zero days are extremely valuable and have a lifespan. Yes, viruses can spread indiscriminately to everything it sees; however, the virus will be studied and patched with haste--the software will be secure from it. Likely a waste of the exploit. Conversely, very few people in the word have the knowledge and resources to target 1 person or organization. We aren't the target.

Some people on privacy forums say you are going to get hacked any second now and encrypted hard drives are extremely easy to break the encryption on.

About all exploits used today are used to change the world. Not to steal the nudes of old Johnny Loans Esquire.

Novalissoide

NoahRaketic Yes, and then the cursed cause of convincing users about security that really works. Since it works, things stays mostly normal, almost boring.

DohnJoe

TrustExecutor

I think the lists Vanadium has are for ads (?)
Maybe someone that know better can enlight us

vont

I'm no expert, you could try disabling Javascript all together and white list what sites to leave Javascript enabled and or click on the left of the address bar to enable a one time permission to a website you badly need to view.

I don't know if the javascript stays enabled if you don't clear your cookies. I'm almost always in incognito mode so all my stuff gets deleted.

I have found it isn't terrible to have javascript disabled. It's been actually quite peaceful. Granted, there are some websites that will not load at all. If it's just generic info I'm looking for I just move on to another website that has aimilar info but will load.

The biggest problems with no javascript is generally website menus don't work and if you really want more info and want to navigate the site, you can do the one time javascript enable.

Some say it makes you easier to track or finger print becuase less than 2% of internet users actually disable it. I don't care about that myself. My personal opinion is there's more benefits in having disabled. Though I could be wrong with my analysis and willing to learn more.

naibed

vont This is what I do to varying degrees w/ uBO actually. Seems like yet another reason to use IronFox lol