Secure Browsing and Fingerprinting Protection

The web browser is often the primary entry point for state surveillance. Internet Service Providers (ISPs) like TCI and Irancell, along with government-controlled infrastructure, utilize sophisticated tracking methods to monitor activity, censor content, and identify users.

Merely using a VPN is no longer sufficient to guarantee anonymity. Advertisers and state actors use Browser Fingerprinting to identify you even when your IP address is hidden. This guide details how to choose the right browser, configure it for the hostile Iranian internet environment, and protect yourself against fingerprinting.

Understanding the Threat: What is Fingerprinting?

Browser Fingerprinting is a technique used to collect information about your device settings to create a unique profile (or "fingerprint") of you.

Unlike cookies, which can be deleted, a fingerprint relies on your system configuration, including:

• Screen resolution and window size.
• Installed fonts and emojis.
• Operating system version and language settings.
• Hardware details (battery status, audio hardware).
• Browser version and extensions.

The Danger: If your browser fingerprint is unique, you can be tracked across the internet even if you switch VPN servers or clear your cookies. In a surveillance state, correlating a unique fingerprint with a real-world identity can lead to de-anonymization.

---

Recommended Desktop Browsers

To mitigate these threats, we recommend browsers that prioritize anti-fingerprinting (making you look like everyone else) over customization.

1. Mullvad Browser (Top Recommendation for Privacy)

Developed by the Tor Project in collaboration with Mullvad VPN, this browser is essentially the Tor Browser but designed to be used with a VPN instead of the Tor Network.

• Why it works: It enforces a uniform fingerprint. By default, your "fingerprint" looks identical to every other Mullvad Browser user. This provides a "crowd" to hide within.
• Best for: Activists and journalists who already use a trustworthy VPN and need maximum protection against tracking without the slowness of the Tor network.
• Key Features:
  • Blocks third-party trackers and cookies by default.
  • Comes with uBlock Origin pre-installed.
  • Clears cookies and history automatically on exit.
  • Warning: Do not install extra extensions, as this makes your fingerprint unique again.

2. Brave Browser

Brave is built on Chromium (same engine as Google Chrome) but strips out Google's tracking code and adds privacy shields.

• Why it works: It is user-friendly and compatible with almost all websites. It includes a built-in "Shields" feature that blocks ads and trackers aggressively.
• Best for: Daily usage, accessing heavy websites that might break on Firefox, and users migrating from Chrome.
• Configuration for Iran:
  • Go to Settings > Shields.
  • Set Trackers & ads blocking to Aggressive.
  • Enable Block Fingerprinting (Strict/Aggressive may break some sites, Standard is usually sufficient for daily use).
  • Tor Mode Warning: Brave has a "Tor Window." While useful for bypassing simple censorship, it does not offer the same anonymity level as the actual Tor Browser. Use the official Tor Browser for high-risk anonymity.

3. Firefox (Hardened)

Firefox is the only major browser not based on Google's Chromium engine, making it vital for internet health. However, standard Firefox is not private enough out of the box.

• Why it works: It is highly customizable. With specific settings (or using a "hardening" profile like Arkenfox), it offers immense privacy.
• Recommended Settings:
  • Enhanced Tracking Protection: Set to Strict.
  • HTTPS-Only Mode: Enable in all windows.
  • Telemetry: Go to Settings > Privacy & Security and uncheck all "Firefox Data Collection and Use" boxes.
  • Search: Change default search engine to DuckDuckGo or Brave Search.

---

Recommended Mobile Browsers (Android & iOS)

Mobile devices are harder to secure due to operating system restrictions.

Android

1. Mullvad Browser / Tor Browser: Use the official Tor Browser for Android for high-risk anonymity. There is no official "Mullvad Browser" app for Android yet; however, Mullvad VPN paired with a hardened browser is a good alternative.
2. Cromite: An open-source fork of Chromium (based on the now-defunct Bromite) with built-in ad blocking and privacy patches. Available via F-Droid.
3. Brave Browser: Excellent out-of-the-box protection. Enable "Block Fingerprinting" in Shields settings.
4. Firefox Android: Good support for extensions. We recommend installing uBlock Origin immediately.

iOS (iPhone/iPad)

On iOS, all browsers are forced to use Apple's WebKit engine. This means Firefox and Chrome on an iPhone are technically "skins" over Safari.

1. Safari: Surprisingly robust if configured correctly.
   • Go to Settings > Safari.
   • Enable Prevent Cross-Site Tracking.
   • Enable Hide IP Address.
2. Brave on iOS: Adds a layer of content blocking over the WebKit engine.
3. Onion Browser: The recommended way to access Tor on iOS (though less secure than Tor on Android/Desktop due to Apple's restrictions).

---

Essential Browser Extensions

The Golden Rule: Install as few extensions as possible. Every extension you install changes your browser fingerprint, making you more unique. Extensions also require high-level permissions to read your data.

1. uBlock Origin (Mandatory)

This is not just an ad-blocker; it is a "wide-spectrum content blocker." It is the single most effective tool for removing trackers and malicious scripts.

• Available for: Firefox, Chrome, Edge, Brave (though Brave has built-in shields).
• Why for Iran: It blocks tracking scripts used by both foreign ad-tech and domestic surveillance tools. It also saves bandwidth (expensive in Iran) by blocking heavy ads.
• Warning: Ensure you install uBlock Origin (by Raymond Hill), not "uBlock" or "uBlock Plus."

2. Avoid Redundant Extensions

• Do not use: AdBlock Plus, Ghostery, or Privacy Badger alongside uBlock Origin. They perform similar functions but are often less efficient or have business models based on "acceptable ads." uBlock Origin replaces all of them.

---

Critical Configurations for Iranian Users

1. Enable HTTPS-Only Mode

The Iranian regime uses Deep Packet Inspection (DPI) to sniff traffic. Unencrypted HTTP traffic allows them to see exactly what pages you are reading and inject malware.

• Action: In Firefox, Brave, and Chrome settings, enable "HTTPS-Only Mode" or "Always use secure connections." This forces the browser to alert you if a site does not support encryption.

2. Encrypted DNS (DoH / DoT)

Iranian ISPs (like MCI and Irancell) use DNS hijacking to redirect users to censorship pages or fake websites.

• Action: Enable DNS over HTTPS (DoH) in your browser settings.
• Providers: Use Cloudflare, Quad9, or Mullvad.
• Note: The regime actively tries to block known DoH providers. If standard providers fail, you may need to rely on your VPN/V2Ray client to handle DNS routing rather than the browser.

3. Avoid Domestic Certificates

Never install "root certificates" provided by Iranian websites, banks, or government portals.

• The Risk: Installing a government root certificate allows the issuer to perform a "Man-in-the-Middle" (MitM) attack, decrypting your HTTPS traffic (including passwords and messages) without your browser showing a warning.

4. Language and Time Zone Spoofing

Your system language (Persian/Farsi) and time zone (Tehran) are strong fingerprinting indicators.

• Mitigation: If using Mullvad Browser or Tor Browser, the browser automatically spoofs this to appear as English/UTC. On standard browsers, consider setting your browser's preferred language to English (US) to blend in with the global majority.

---

Summary Checklist

1. Desktop: Use Mullvad Browser (with a VPN) or Tor Browser (for anonymity).
2. Mobile: Use Brave or Firefox with uBlock Origin.
3. Extensions: Only install uBlock Origin. Remove everything else unless strictly necessary.
4. Settings: Enable HTTPS-Only Mode immediately.
5. Behavior: Never install domestic root certificates. Log out of accounts (Google, Meta) when browsing sensitive topics to prevent cross-site tracking.

By following these steps, you significantly increase the cost and difficulty for state actors attempting to track your digital footprint.