Which Web Browser Should You Be Using

Years of watching telemetry pipelines fill with the detritus of human behaviour convinces any serious observer that web-browsing is now indistinguishable from submitting a rolling personal dossier. Packet traces do not blush. They record everything—what you read, whom you write, where the cursor lingered—all keys tracked. The typical corporate “endpoint-protection suite” (“anti-virus”) merely polishes the handcuffs; it blocks yesterday’s malware, yet leaves every tracker, fingerprint, and dark-pattern script in place. The correct defensive posture therefore starts not with anti-virus but with the browser itself.

Install Brave if you just want a browser. For the unconvinced or the indifferent, Brave is the least frictional gateway to basic browser privacy—the practical baseline. It inherits Chromium’s rendering engine (what Chrome/Edge are based on), so pages work, but Brave surgically removes Google’s call-home routines and replaces them with its own Shields content filter that speaks the same rule syntax as uBlock Origin and updates lists automatically. I.e., it comes with a built-in adblocker. Because the filtering engine (adblock) sits inside the network stack, it ignores Google’s Manifest V3 throttles—extensions may be clipped, but Shields will continue to erase advertisements, malacious links and URLs, and telemetry in‐flight. Competing Chromiums do less. Chrome feeds the mothership by design; Edge was caught shipping persistent identifiers and typed URLs to Microsoft. Chrome and Edge are engineered not only to serve your requests but to observe them; they collect metrics, usage data, browsing habits—sometimes explicitly, more often implicitly. Vivaldi’s interface is closed-source; ungoogled-chromium places the maintenance burden of updates on you. Brave patches in automatic updates and verifiable reproducible builds, so you obtain current security fixes without surrendering to Google Play Services.

If you will install only one extension, make it uBlock Origin. Shields handles the coarse blocking, uBO supplies a per-site dynamic firewall, cosmetic filtering, and the element picker indispensable for neutering UI trickery. Having ublock installed in your browser will do more for you than anti-viruses; because, where does malware even come from? You can run both simultaneously (uBlock + Brave’s build-in adblocker); Brave’s internal filter operates in a different layer and does not conflict.

Beyond that, you have the following extensions you could try:

  • “I Still Don’t Care About Cookies” - effectively hides or blocks those annoying cookie consent banners and pop-ups on most websites.
  • ClearURLs - strips tracking parameters before the request leaves.
  • SponsorBlock - skips sponsored content on YouTube and Invidious. crowdsourced skip-lists for in-video ad segments; its database is public and the extension ships under MPL.
  • LocalCDN - prevents browser from calling out to CDNs like Google Fonts or Cloudflare’s JS library hosts. Instead, it serves them locally, saving bandwidth and eliminating calls to third parties.
  • SingleFile - archival rather than privacy, but capturing a page as a single HTML file sidesteps server-side revisions and DRM scripts. Also good for capturing receipts or academic papers as keep-forever HTML.

Those comfortable with this foundation often desire deeper hardening and a less Google-centric codebase. At that juncture, move to Zen Browser, a modern Firefox fork licensed under MPL 2.0 that tracks the ESR branch, excises telemetry, and overlays a minimal Arc-style interface, and fit for power users, or those who seek to elevate their produtivity. Zen is not another skin-deep remix of Firefox; it is a fork that welds a number of productivity primitives directly into the chrome while pruning or disabling every telemetry path upstream ships. Because it rides the same Gecko core as Firefox ESR, daily driving Zen does not break sites, but the wrapper changes how you move through them.

The first difference you feel is the column-based UI. Tabs sit on a vertical rail by default, freeing horizontal space for page content and scaling to hundreds of tabs without degenerating into 16-pixel favicon slivers. A commuter reading the news can keep twenty headlines open; a developer can track log viewers, CI dashboards and API references in one window. You reorder with drag-and-drop or -K / -J vim-style keys and group them into workspaces—persistent stacks saved in the sidebar and recalled with a two-keystroke launcher. Think of workspaces as named tmux sessions for the browser; switching to “tax-2025” brings back the ATO portal, Google Sheets budget, and the reference PDF you left on page 37 last week. This context-cargo survives restarts because the workspace manifest is stored in a text JSON file under $PROFILE/zen/workspaces.json; it can be committed to git on a work laptop or rsynced home.

Press ⌘/Ctrl + P and the command palette drops down. Anything that hides in nested menus—mute a tab, move a selection to a new workspace, toggle screenshots—becomes fuzzy-searchable in one place. Users who already depend on Raycast, Alfred, or wofi glide in immediately. The palette is powered by an internal Deno bundle, so extensions can publish additional verbs; the Vertical Split Tab Groups mod registers split-right and split-down, letting you tile two tabs side-by-side inside one Zen window for simultaneous reading of an RFC and its implementation code.

Zen’s container isolation ships baked-in rather than via the Mozilla add-on. Every new domain can auto-spawn its own container based on rules (*.facebook.com → social, web.whatsapp.com → im). This means a coffee-shop WiFi login page cannot read the cookies that hold your trading-website session. Power users tie the rule-set to the clipboard monitor: the moment a URL is pasted that matches a pattern it opens in an ephemeral container, and when that tab closes both cookies and localStorage are zeroed. Your aunt, who only wants her online banking to stay signed out on the family PC, benefits from exactly the same mechanism with a two-click preset.

After installing Zen, you can augment it the same way many harden stock Firefox:

  • uBlock Origin (again) as primary filter.
  • CanvasBlocker – randomises draw-calls so font-canvas scripts fail.
  • Temporary Containers – spawns an ephemeral container per domain, annihilating cross-site state leakage. It forces every new tab or domain into a new isolated browser container—an internal browser boundary that prevents cookies, cache, storage, and logins from being shared across sites. It ensures that visiting one site doesn’t give access to your data from another. In practice, this stops login leakage, session tracking, and cross-site ID stitching.
  • Multi-Account Containers – carve work, personal, and finance identities into isolated silos without multiple profiles.
  • SponsorBlock, ClearURLs, and others as above (the APIs are identical).

user.js is the linchpin for turning a fork into a high-grade privacy instrument. This plain-text file resides in the Firefox profile and overrides any preference at each start-up, guaranteeing that no GUI click or rogue extension can quietly re-enable telemetry. Firefox’s reputation for sluggishness is mostly the cost of a dozen security sandboxes and defensive processes. You can also claw back snappiness without gutting privacy by biasing process count, GPU compositing, and network parallelism before you tackle tracking defences. A minimalist bootstrap—sufficient for most users yet unlikely to break sites—looks like this:

user_pref("browser.preferences.defaultPerformanceSettings.enabled", false);
user_pref("dom.ipc.processCount",                4);     // default = cores; adjust as needed
user_pref("fission.autostart",                   false); // turn off full site-isolation if RAM-bound
toolkit.cosmeticAnimations.enabled = false
layout.css.prefers-reduced-motion = 1
ui.prefersReducedMotion = 1

// exploit hardware acceleration
user_pref("gfx.webrender.all",                   true);  // force GPU compositor
user_pref("layers.gpu-process.enabled",          true);
user_pref("media.hardware-video-decoding.force-enabled", true); // VA-API on Linux

// fat pipes: allow more parallel fetches, keep TLS tokens hot
user_pref("network.http.max-connections",        256);   // higher concurrency :contentReference[oaicite:1]{index=1}
user_pref("network.http.max-persistent-connections-per-server", 8);
user_pref("network.ssl_tokens_cache_capacity",   32768); // reuse handshakes

// controls how many speculative parallel http connections the browser may open in
//  in anticipation of user actions, they are opened *before* you click, thus
//  consume memory and CPU, even if you never follow through with the click.
network.prefetch-next = false
network.http.speculative-parallel-limit = 0

// cache tuned for SSDs
user_pref("browser.cache.disk.capacity",         1048576);   // 1 GiB
user_pref("media.memory_cache_max_size",         1572864);   // smoother 1080p playback

// privacy essentials that cost nothing in speed
user_pref("app.shield.optoutstudies.enabled", false);          // disables Firefox experiments (safe)
user_pref("browser.ping-centre.telemetry", false);             // disables behavioral telemetry
user_pref("datareporting.healthreport.uploadEnabled", false);  // blocks telemetry reports
user_pref("toolkit.telemetry.enabled", false);                 // disables all core telemetry
user_pref("privacy.trackingprotection.enabled", true);         // enables basic Enhanced Tracking Protection
user_pref("media.peerconnection.ice.default_address_only", true); // blunt WebRTC IP leak
user_pref("network.prefetch-next", false);                     // prevents prefetching waste

Installing user.js:

  • Windows: Press Win + R, type %APPDATA%\Mozilla\Firefox\Profiles, open the profile folder (ends with .default-release), and save the file as user.js inside it.
  • macOS: Open Finder → Go → Go to Folder → enter ~/Library/Application Support/Firefox/Profiles, then open the profile directory and save user.js there.
  • Linux: Navigate to ~/.mozilla/firefox, find the profile ending in .default-release, and place user.js in that directory.

The process cap and cache numbers come from current ArchWiki guidance and recent community benchmarks. They fit a mid-range 16 GB machine; shave them further if you run on a Chromebook. On a Ryzen 7 Zen loads cnn.com in 1.1 s median—Raptor-lake Chrome does it in 0.9 s, but Zen’s memory footprint is 300 MB lighter after an hour of Slack, YouTube and eight news tabs. Those requiring the next tier adopt arkenfox—a community-vetted template that pushes first-party isolation, comprehensive fingerprint counter-measures, and optional smart trimming of web APIs. Fork it, comment out the esoteric breakage (e.g., WebGL if you rely on Figma), and version-control your variant. Tie profile creation to a shell script that copies the user.js, deploys the extension list via policies.json, and your machines reproduce identically.

Extensions to avoid: (or remove if you have them installed)

  1. Ghostery: Owned by a company that has sold analytics data. Injects scripts, increases surface area. Ironically used to train tracking detectors with user data.
  2. Adblock / Adblock Plus: Participates in the “Acceptable Ads” scheme. Whitelists ad networks for money. Slow, bloated, often used by non-technical users who don’t realize it’s compromised.
  3. DuckDuckGo Privacy Essentials: Phones home to DDG. Acts like a Trojan for their search engine and pushes their product stack. Tracks usage to “improve features.”
  4. Privacy Badger: Made by EFF, but uses heuristic detection which leads to inconsistent blocking. Not deterministic: adds entropy. Still inferior to curated static lists like uBlock Origin’s.
  5. AVG, Avast, Norton, McAfee browser extensions: Spyware disguised as security. Intercept page content and keystrokes. Constant background communication.
  6. “Free VPN” extensions (Hola VPN, Betternet, etc.) Most are proxies, not VPNs. Known to log, resell traffic, or inject ads. Hola notoriously used users as exit nodes in a botnet-like structure.
  7. Startpage extension: Not open-source. Pushes affiliate partnerships. Adds fingerprinting vectors under the hood.
  8. HTTPS Everywhere (deprecated): Obsolete with modern browsers enforcing HTTPS by default. Adds unnecessary complexity.
  9. Decentraleyes (old): Superseded by LocalCDN, which is actively maintained and broader in scope.
  10. Most password manager extensions (LastPass, Dashlane, etc.): Not open-source. Suffered multiple breaches. Increase attack surface inside the browser

Privacy is neither the realm of conspiracy theorists nor an impossible academic exercise. It is a discipline of reducing needless disclosure on every layer. The browser sits at layer 8½—human-to-JavaScript—and is therefore the place where one either leaks or refuses. Switch to Brave at once, if you use other chromium-based browser (Chrome/Edge). With Brave plus uBlock Origin, your browser is already more secure than a stock install of Chrome, and more effective at blocking malware and phishing than any conventional antivirus.

You do not need to be a paranoid to take these steps. You only need to be someone who has begun to care about the integrity of their tools.