We might want to set network.IDN_show_punycode to true by default to fix very hard to notice Phishing Scam - Firefox / Tor Browser URL not showing real Domain Name - Homograph attack (Punycode). Waiting to see if any arguments come up against that in near future.
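Added example, not part of the original post and not Whonix or Tor Browser code: a small checker that converts a URL's hostname to the xn-- form the address bar shows when network.IDN_show_punycode is true, and reports which labels contain non-ASCII letters and from which scripts. The function names and the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def ascii_form(host):
    """Hostname as xn-- labels (what is displayed with network.IDN_show_punycode = true)."""
    return host.encode("idna").decode("ascii")


def unicode_form(ascii_host):
    """Hostname with xn-- labels decoded back to Unicode (the default display form)."""
    return ascii_host.encode("ascii").decode("idna")


def label_scripts(label):
    """Scripts of the letters in a label, taken from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect(url):
    """Return (punycode hostname, findings) where findings lists every non-ASCII label."""
    host = (urlsplit(url).hostname or "").lower()
    ascii_host = ascii_form(host)
    findings = []
    for label in unicode_form(ascii_host).split("."):
        if label.isascii():
            continue
        scripts = sorted(label_scripts(label))
        # Mixed-script labels combine lookalikes from several alphabets;
        # single-script labels are written entirely in one non-Latin script.
        kind = "mixed-script" if len(scripts) > 1 else "single-script"
        findings.append((label, kind, scripts))
    return ascii_host, findings


if __name__ == "__main__":
    # Constructed samples; \u escapes make the non-Latin letters visible in source.
    samples = [
        "https://www.whonix.org/wiki/",           # plain ASCII hostname
        "https://\u0430pple.com/login",           # Cyrillic 'a' followed by Latin "pple"
        "https://\u0441\u043e\u0441\u043e.example/",  # all Cyrillic, reads like "coco"
    ]
    for url in samples:
        ascii_host, findings = inspect(url)
        print(ascii_host, findings or "no non-ASCII labels")
```

The hostname printed first is the string a user would compare against the expected domain once the pref is enabled; an xn-- prefix on a name that was expected to be plain ASCII is the signal.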
That’s kinda leading into modifying Tor.
It’d probably be best to wait until the Tor Project enables it.
Applies to Tor Browser. Offtopic here.
Does not apply to SecBrowser. There we have full flexibility to optimize for clearnet, security, non-Whonix.
For history purposes, it’s archived.
- https://web.archive.org/web/20191116075907/https://www.whonix.org/wiki/Tor_Browser_without_Tor
- https://web.archive.org/web/20191116075929/https://www.whonix.org/w/index.php?title=Tor_Browser_without_Tor&action=history
- https://web.archive.org/web/20191116080115/https://www.whonix.org/w/index.php?title=Tor_Browser_without_Tor&oldid=30298
Redirecting SecBrowser™ has been deprecated! to SecBrowser™ has been deprecated! since that page pops up in google results, is outdated and could be confusing. Wiki history is still there in case you like to archive something extra.
Yay! SecBrowser ™ has been deprecated! was recently updated by anonymous (have my theories who that was, though :)). Motivated me to add some updates on top. All recent changes:
Without any customization, SecBrowser ™ default configuration offers better security than Firefox, Google Chrome or Microsoft Edge.
This isn’t true. Chrome has far better security than Firefox due to having a much stronger sandbox [1], strict site isolation [2], hardened memory allocator [3], control flow integrity [4] etc. SecBrowser can’t add any of this.
Just look at what experts like Daniel Micay [5] or thegrugq [6] say. Also see this (although dated) study http://files.accuvant.com/web/files/AccuvantBrowserSecCompar_FINAL.pdf
In no way am I recommending chrome though (since it’s spyware), but we should at least stay factual.
[1]: Chromium Docs - Sandbox
[2]: Site Isolation
[3]: PartitionAlloc Design
[4]: Control Flow Integrity
[5]: Usage guide | GrapheneOS
[6]: https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908
Your sources are outdated. Modern Firefox has significantly improved its security.
No they are not. Firefox doesn’t have site isolation yet as that’s to come in project fission (Project Fission - MozillaWiki).
Firefox does not have a hardened memory allocator as it uses a fork of jemalloc, a performance-oriented malloc, not security unlike chrome’s PartitionAlloc (mozjemalloc.cpp - mozsearch).
Firefox does not support CFI and there’s no progress at all on that.
Daniel Micay and thegrugq also regularly say those things.
They aren’t outdated.
Unless you know more than mozilla, security experts and even the firefox source code…
It has. Still not close to chrome though.
Without any customization, SecBrowser ™ default configuration offers better security than Firefox, Google Chrome or Microsoft Edge.
SecBrowser is a side project. I won’t have time to stay up to date on these comparisons. Therefore removed text “Google Chrome or Microsoft Edge”.
This tor-talk thread mentions SecBrowser, but makes a fair point - for clearnet browsing, wouldn’t using the ghacks user.js file with standard Firefox provide better, finer-grained security?
https://lists.torproject.org/pipermail/tor-talk/2020-July/045615.html
It is updated often with many, many changes to about:config - probably a lot better than just Tor Browser without Tor (which is really just Firefox private browsing mode without Tor?)
See:
- GitHub - arkenfox/user.js: Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
- Home · arkenfox/user.js Wiki · GitHub
PS I think the main documentation page is all looking pretty good now except for outstanding tidy up to do here:
- Non-Qubes-Whonix Only section
- The specific Tunnel chaining config pages (various permutations)
- Random pages in the Appendix section
Probably a few months work here and there at part-time, $0/hr rates
IMO not really, because most of the enhancements are patched into the TBB codebase and not merely some toggled prefs. I know there is the uplifting project, but ultimately not everything will be included in FF and the latest stuff will not be right away.
ghacks is interesting to document for those who can’t use SecBrowser for some reason.
add with bold text deprecated on first post.