Privacy Tools and Why They Matter
Tools and recommendations change over time: services change hands, get acquired, get audited (or stop publishing audits). Check the date above and don’t treat this as gospel six months from now.
This page covers the privacy tools we recommend, what each one actually protects against, and more importantly what it doesn’t.
What is a “privacy tool,” really?
A privacy tool reduces the amount of information you leak to a specific observer: your ISP, the website you’re visiting, an advertiser (I see you, Google, RIP “don’t be evil”), or a government. No single tool protects against all of these at once, and using the wrong tool for your actual threat model can give you a false sense of security while doing nothing useful.
Before picking a tool, it helps to ask: who am I trying to keep this information from?
Browsers
What does your browser leak?
Every request your browser makes can include your IP address, a TLS Server Name Indication (SNI) field revealing the domain you’re connecting to, cookies, and a fingerprint built from your screen size, fonts, installed extensions, and timezone. Even with HTTPS everywhere, the domain you’re connecting to is often still visible to your network (through SNI and the destination IP), and the sites you visit are visible to the browser vendor if it phones home with telemetry.
Recommendations
Firefox with arkenfox-user.js
Firefox is the only major browser that isn’t built on Chromium. Out of the box its defaults are mediocre, but applying the arkenfox user.js configuration disables telemetry, hardens cookie handling, and reduces fingerprinting surface significantly. Expect some site breakage; that’s the tradeoff of wanting privacy. Gosh, how much I love the internet.
LibreWolf
The same hardening as above, pre-applied, with telemetry code removed at build time rather than disabled via config. Good if you don’t want to maintain a user.js yourself.
Mullvad Browser
Built jointly by Mullvad and the Tor Project. It integrates with the Mullvad ecosystem and applies multiple layers of fingerprinting protection.
Why not Chromium-based browsers?
Brave, Edge, Opera, and Vivaldi all share Chromium’s rendering and extension engine, which is controlled by Google’s release cadence and architectural decisions. Built-in privacy features in these browsers are configuration on top of an engine whose primary business model is advertising. Brave additionally ships cryptocurrency integrations that have, on multiple occasions, been enabled without clear user consent.

DNS
What does DNS leak, and to whom?
Every domain lookup you make is sent in plaintext to whatever resolver your device is configured to use; by default that is your ISP’s resolver, handed out via DHCP. Because the query is unencrypted, any network operator between you and that resolver can log it, and in some jurisdictions ISPs are required to filter or redirect specific lookups using this visibility.
Encrypted DNS: DoT vs DoH
DNS over TLS (DoT) runs on a dedicated port (853) and wraps DNS queries in TLS. Because it uses a single recognizable port, it’s trivial for a restrictive network to block outright.
DNS over HTTPS (DoH) wraps queries inside standard HTTPS traffic on port 443, the same port as ordinary web browsing. This makes it harder to block without also blocking the web, which is why most modern clients (Firefox, Android, and recent versions of major operating systems) default to DoH when encrypted DNS is enabled.
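To make the difference concrete, here is an added example (not code from the page) that builds one DNS query in wire format and shows how DoT and DoH each carry those same bytes, then parses a constructed response; the Quad9 endpoint URL in the live helper is an assumption, and everything else runs offline.

```python
import base64
import struct
import urllib.request

def build_query(name, qtype=1, txid=0):
    """DNS query (RFC 1035): RD set, one question; txid 0 as RFC 8484 suggests for GET."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_dot(query):
    """DoT (RFC 7858): 2-byte length prefix, then the query, inside TLS on port 853."""
    return struct.pack("!H", len(query)) + query

def doh_get_url(query, endpoint):
    """DoH GET form (RFC 8484): base64url query with '=' padding removed, in ?dns=."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).decode().rstrip("=")

def _skip_name(buf, pos):
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while buf[pos] & 0xC0 != 0xC0 and buf[pos] != 0:
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)   # pointer is 2 bytes, root label 1

def parse_a_records(resp):
    """IPv4 addresses from the answer section of a wire-format response."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    pos = _skip_name(resp, 12) + 4     # past the question name, QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_doh(name, endpoint="https://dns.quad9.net/dns-query"):
    """Live DoH POST lookup (needs network; the endpoint URL is an assumption)."""
    hdr = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    with urllib.request.urlopen(urllib.request.Request(endpoint, build_query(name), hdr), timeout=5) as r:
        return parse_a_records(r.read())

# Constructed sample response: example.com A -> 93.184.216.34 (sample value), answer name compressed.
SAMPLE_RESPONSE = (build_query("example.com")[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
                   + build_query("example.com")[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

The DoT framing is just the TCP DNS format on its own port, which is why it is so easy to block; the DoH URL is ordinary HTTPS and only the path and a query parameter give it away.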
Recommendations
Self-hosted: Unbound or AdGuard Home
Running your own resolver means your DNS logs, if you keep any, are yours. AdGuard Home additionally blocks ad and tracker domains network-wide before they’re even resolved.
Third-party encrypted DNS (Mullvad’s, Quad9)
Useful if your ISP’s resolver does intrusive redirects or basic filtering and self-hosting isn’t an option. This does not make you anonymous; it just moves your query log from your ISP to a different provider. UNLESS THE PROVIDER DOESN’T LOG ANYTHING AT ALL!!
What encrypted DNS does not do
This is the part most guides leave out. Even with encrypted DNS:
- The SNI field in your TLS handshake still discloses the domain you’re connecting to, unless the server and client both support Encrypted Client Hello (ECH). Some governments have responded by blocking ECH or QUIC outright.
- OCSP certificate checks can leak the certificate serial number of the site you’re visiting in plaintext, which can be matched against public certificate transparency logs.
- The destination IP address itself can identify the site if it’s not behind a shared host like Cloudflare or GitHub Pages.
If your goal is to get around basic ISP-level redirects, encrypted DNS to a third party is fine. If your goal is anonymity or evading active censorship, encrypted DNS alone won’t get you there; that’s what Tor and VPNs are for, and you should be using their DNS resolution, not your own.
Should you bother with DNSSEC?
DNSSEC authenticates DNS responses with a chain of digital signatures from the root down to the domain’s nameserver, so a response can’t be forged or tampered with in transit. It provides no privacy benefit (the queries themselves are still visible to anyone who can see them), but it does protect against DNS spoofing and cache poisoning. Worth enabling if your resolver supports it, but it solves a different problem than encrypted DNS does.
VPN and Tor
What problem does each one solve?
A VPN moves your trust from your ISP to the VPN provider. Your ISP can no longer see your traffic, but the VPN provider technically can. This is useful against a nosy or hostile ISP, but it is not anonymity: there is still one entity, just a different one, that can see what you’re doing.
Tor routes your traffic through three independent relays, so no single party sees both who you are and what you’re accessing. This is closer to an actual answer to “anonymity,” at the cost of speed.
Recommendations
Mullvad VPN
Accepts cash payment, doesn’t require an account email, and has undergone independent audits of its no-logging claims. The things to evaluate in any VPN are jurisdiction, audited logging policy, and payment anonymity.
Tor Browser
Use this when your threat model includes “I don’t want anyone, including my VPN provider, to be able to link my identity to this activity.” Slower by design; that latency is the cost of the three-hop routing.
AirVPN
Use this if you’re into torrenting or P2P. It supports crypto payment and doesn’t require a REAL email (give them one if you want, otherwise use a throwaway; it’s not the kind of service that’s “GIVE ME YOUR EMAIL” while holding a gun to your head). The main draw is DDNS plus port forwarding, which most privacy-focused VPNs block outright. It also supports extra connection types like OpenVPN over SSH or SSL, useful if you’re on a network that blocks regular VPN traffic, or in a country such as Russia or China.
Messaging
What’s the actual threat here?
Two separate things get conflated under “encrypted messaging”: content (what you said) and metadata (who you talked to, when, how often). End-to-end encryption protects content. Very few services protect metadata, and metadata is often more revealing.
Recommendations
Signal (alternatively Molly, a hardened fork)
Strong content encryption via the Signal Protocol, plus active work on metadata protection (sealed sender, private contact discovery). Centralized, which is a tradeoff worth being aware of, but its track record on both the protocol and the organization’s transparency is solid.
Matrix
Federated and self-hostable, with optional end-to-end encryption per room. More setup overhead than Signal, but no single party controls the network.
SimpleX
No phone number or persistent identifier required, with traffic routed through relays you can choose or self-host. The newest of the three, and it shows in client polish, but the architecture is the most metadata-resistant.
None of this is a substitute for thinking about your actual threat model first. A journalist evading state surveillance and someone who just doesn’t want Google building an ad profile of them need very different tools, and using the journalist’s toolkit for the second case (or vice versa) often just adds friction without adding protection.
Have a correction, an addition, or disagree with a recommendation here? Send a writeup to contribute@foss-daily.org.