What does the idea of a secure browser mean? The world is now more complex than it was in 2010 when we last looked at the contenders. People are more oriented to mobile devices running under very different conditions while a range of security features such as URL filtering, download protection and do not track have transformed mainstream desktop browsers such as Chrome, IE and Firefox. In a sense all browsers could now plausibly claim to be ‘secure’ browsers.
If that’s the case, what has happened to what were once considered secure browsers? One answer is the specialised products are now more focused on the issue of user privacy, of handing back control to the user and opting out of data collection systems of the sort that underpin firms such as Google.
It is perfectly possible to tweak Chrome, Firefox or IE, fine tuning them for security and privacy if that’s important. Each now has a privacy mode – which might or might not convince the skeptic of course. But the philosophy behind the true secure browser is to eschew the notion of platforms and plug-ins, stripping back every non-essential feature to create a more minimalist experience.
The following eight (OK, plus one plug-in) achieve this is in different ways. This list is not intended to be exhaustive, merely an indication of what’s on offer from ones that caught our eye. Privacy usually requires compromises so they won’t be for everyone.
Our top picks are:
– Epic Privacy Browser
– Comodo Dragon
– Brave
– Tor
Read on for the full list.
Epic privacy browser
Based on Chromium, Epic is the perfect example of a browser that strips out every conceivable feature to maximize privacy. It’s rather like using a minimalist Google Chrome with the Google. Cookies and trackers are eliminated after each session, all searches are proxied through the firm’s own servers (which means there is no way to connect an IP address to a search), and it attempts to prioritize SSL connections wherever possible., useful for open Wi-Fi connections. It does not collect data about its users and comes with excellent built-in ad blocking.
For a fully-encrypted connection, it includes a one-button proxying feature that does slow down browsing but will appeal to some users (it can’t necessarily be used as a regional bypass proxy because Epic’s servers are based in the US). Despite eschewing plug-ins a handful are available to make life a bit easier, for example password manager LastPass.
Downsides? Epic’s one-click proxy does slightly slow browsing down, although for high-spec machines this shouldn’t be an issue.
Comodo Dragon/Ice Dragon
Comodo offers two browsers, one based on Chromium (Dragon) and the other on Firefox (Ice Dragon). Which one you choose would depend on your current investment in either Chrome or Firefox because each aims to maintain compatibility with thing like plug-ins, stored passwords, and favourites if desired.
Features? Probably the first one is the ability to choose whether to use Comodo’s SecureDNS servers for either Dragon or all applications (or not at all), which potentially offers privacy and security compared to a user wanting to bypass their ISP’s infrastructure. This incorporates a domain filtering system designed to limit exposure to problem domains of the sort used by malware
Probably the most intriguing feature is the browser’s ‘virtualised mode that isolates it from the host system. This is a free feature but requires the user to install Comodo Internet Security (CIS), a free version of the company’s anti-virus software. Not everyone will want to do that but the added security of this approach is worth considering.
Downsides? Comodo is set up as a parallel world to Chrome or Firefox minus some of the tracking and with some extra added layers of security. Impressive as this sounds it’s almost the polar opposite of Epic’s minimalism – worth experimenting with perhaps.
Brave
Announced by Brendan Eich, co-founder of the Mozilla Project, Brave is an open source browser that offers a respectable Chrome and Safari alternative, even in its early stages.
Brave offers great speeds and advanced ad-tracking controls, ideal for the privacy conscious who are also after a lightweight browser.
Available for Windows, Linux and OS X users, Brave includes HTTPS Everywhere integration, blocks cookie capture and has an active developer community which is always improving the browser.
Downsides? It’s a pretty new browser that’s in beta testing so don’t expect a fully polished product.
Tor
The Tor browser has become the watchword for the anti-surveillance because it is built on an entire infrastructure of ‘hidden’ relay servers. Built atop a modified Firefox, it can be installed on a Windows, Mac or Linux PC but also on a USB stick if that’s preferable.
The important thing to remember about Tor is that it is really an advanced privacy browser rather than a secure one in that it includes no anti-malware technology and blocks plug-ins by design. It is designed to anonymise a user within certain constraints such as the requirement to use only HTTPS connections (enforced by HTTPS Everywhere – see next entry). The Tor Project offers a list of do and don’t for using it securely, including being very careful about downloading and opening documents which require external applications. Tor is a privacy browser not a secure environment.
Downsides? Using Tor will be slower than with other browsers and it can be demanding to use to its full privacy potential. Some people think that anyone who uses Tor is trying to hide something. Of course they are right. If privacy is that important, let them think what they want.
Dooble
Dooble is a lean Chromium-based multi-platform (Windows, Linux, OS X) browser that won’t be for everyone despite its privacy features. In its default state it disables insecure interfaces such as Flash and Javascript which will make it difficult to use with a lot of sites but might be worth it for its stripped-down approach. The browser assumes the user wants to travel incognito from the off, while HTTPS can be enforced and third-party session cookies in iFrames blocked. The handling of cookies is unusually granular.
An innovative feature is that all user content (bookmarks, browsing preferences and history) can be encrypted using various ciphers and a passphrase. Another interesting feature is to set privacy, for example private browsing, for each tab using the right-click option.
Reviewers haven’t taken to Dooble because it lacks refinement in places but we found it fast and in some of its ideas clever.
Downsides? As stated.
Maxthon Cloud Browser
Maxthon is not so much a secure browser as a totally new type of HTML5-compatible browser that wants to act as a straight replacement. With origins in China, and designed around synchronisation between PC and mobile and builds in features often enabled in other browsers using plug-ins.
Although not a security browser per se, it embeds claimed protection from AdBlock Plus including the (for some) contentious ‘Acceptable Ads’ technology, AES256 encrypted synchronisation of files to its cloud services, and says it limits employee access at its end to customer data. That probably gives most people the collywobbles but it’s worth pointing out that exactly the same issues exist for any cloud service, including Google.
Downsides? Despite the interesting aspect of cloud integration, we couldn’t see how Maxthon was inherently more secure than running a branded browser with the security settings turned up. In places poorly explained and documented, it’s also unclear whether it has features such as download protection that would come as standard elsewhere.
HTTPS Everywhere
A browser plug-in rather than a browser as such, HTTPS Everywhere is an EFF/Tor project that enforces SSL security wherever that’s possible in Chrome, Firefox and Opera. Its promise is to make what would otherwise be a complex and uncertain process much simpler because it is easy to start out using HTTPS on a website and be sent back to non-HTTPS pages without realising it.
Downsides? It’s another plug-in of course but it’s worth it. A boon for café surfers everywhere.
Cocoon browsing
When we first looked at Cocoon in 2014 we were put off by the fact that it didn’t seem to have been much recommended since its first appearance around 2011-2012. Last year, the firm seems to have re-launched itself as an ad-supported free product and a “military-grade” product offering a range of alluring security features –anonymous browsing, anti-Facebook tracking, better Wi-Fi security on open hotspots, and an encrypted end-to-end connection.
Based on a plug-in design (Firefox, Chrome, Safari and IE), Cocoon is really a proxy VPN-like service in which the user logs into its server using a created account, and logs out after conducting any browsing. In theory, this makes it ideal when using unsecured PCs away from home.
We have yet to properly test the browser’s security for this review (that is imminent) but the paid version does advertise some interesting additional features such as ‘mailslots’, basically disposable email addresses that hide the real address (webmail services also offer this through aliases although the underlying service such as Gmail or Yahoo is always apparent). Deleting the temporary email address effectively unsubscribes you from anything signed up for.
Avira Scout
The philosophy behind Scout from German anti-virus firm Avira is to bundle a range of third-party security plug-ins inside a dedicated Chromium-based browser with a few additional tricks up its own sleeve.
Integrated security on offer includes Avira Safe Browsing (blocks known phishing websites), Avira Safe Search, Secure Wi-Fi, which enforces HTTPS (based on https Everywhere) when connecting to sites across insecure Wi-Fi, and anti-tracking (the excellent Privacy Badger plug-in).
Scout does appear to be ‘hardened’ with a few tweaks, however and additional ones are also possible in future. A script is included to check extensions against an allowed list. The extensions mentioned above are also implemented with the browser itself and cannot be removed, a protection of sorts. Near-term releases will add Avira’s AV scanning, including at some point the firm’s cloud-scanning facility.
Leave a Reply