[SOLVED] Mullvad Browser

business_kid · 05-26-2023, 02:35 PM

Yet Another 'Secure' Browser (Yawn). I downloaded it on a whim, but find it usable only by root. Everything is set 0700 and owned root:root. The ~/Desktop file is overcomplicated and underperforming

Code:

[Desktop Entry]
Type=Application
Name=Mullvad Browser Setup
GenericName=Web Browser
Comment=Mullvad Browser  is +1 for privacy and −1 for mass surveillance
Categories=Network;WebBrowser;Security;
Exec=sh -c '"$(dirname "$*")"/Browser/start-mullvad-browser  --detach || ([ ! -x "$(dirname "$*")"/Browser/start-mullvad-browser ] && "$(dirname "$*")"/start-mullvad-browser --detach)' dummy %k
X-MullvadBrowser-ExecShell=./Browser/start-mullvad-browser --detach
Icon=web-browser
StartupWMClass=Mullvad Browser

Now I'm not running this thing as root. I've already chowned the ~/Desktop file to my luser. I have a distinct feeling there's some OTT weirdo behind this, another DJB in the making? Let's hope not!

How do I make behave sanely in the most elegant & secure way? It would be a pity to drop it's underwear actually trying to make it work.

Code:

bash-5.1$ sudo ls -lhF  /opt/mullvad-browser
total 8.0K
drwx------ 11 root root 4.0K Jan  1  2000 Browser/
-rwx------  1 root root 1.8K Jan  1  2000 start-mullvad-browser.desktop*

leclerc78 · 05-26-2023, 04:55 PM

I got it installed with the following instruction from somewhere

--There is not much documentation on how to install Mullvad browser. Basically, you copy the "tarball" compressed file (.xz) ~/.local/share directory and then uncompress the files. The uncompressed files go into a ~/.local/share/mullvad-browser directory.

Next, cd to the ./local/share/mullvad-browser directory and run "./start-mullvad-browser.desktop --register-app" to make the Mullvad browser appear in your desktop menu.

business_kid · 05-27-2023, 07:05 AM

That might be a better way of doing things. But with the 0700 permissions I couldn't cd to it, or run the app. I couldn't even 'ls' it.

I have /opt reserved for these 'program-in-a-directory' apps. I ran a find for desktop files and just copied them over. /The instructions you read clearly won't work with the app as it stands. It's just the insane permissions. So I'm going to take it the perms are a brain fart, restore some sanity, and mark this solved. Thanks for the reply.

business_kid · 05-28-2023, 05:16 AM

/A lot of farting about later.

I finally got it running by running /opt/mullvad-browser/Browser/mullvadbrowser under sudo as a luser. It craps out when you try to start it as root, pointing out that XDG_Runtime is user owned. This post proves mullvad can log into LQ. That also is a script and bellyaches, but nothing out of the ordinary. The default setup is decidedly spartan. It looks like Chromium. I haven't seen chrome except the Android app in years.

I have a feeling I'm driving a coach and four through all it's security features but I really don't care. It seems they are hawking Tor and their own vpn. I already have a vpn. I'm underwhelmed, but marking this solved.

boughtonp · 05-28-2023, 08:06 AM

For those wondering what all this is about...

Mullvad Browser = Tor Browser - Tor Network = Firefox + tweaks, intended (but not required) to be used with a VPN.

FAQ at https://mullvad.net/en/help/tag/mullvad-browser
Specifics tweaks at https://mullvad.net/en/browser/hard-facts

Release announcement at: https://mullvad.net/en/blog/2023/4/3/mullvad-vpn-and-the-tor-project-team-up-to-release-the-mullvad-browser

Being so new, it has obviously not yet made it to distro repos yet, and the download page only offers an XZ archive.

manchot · 05-28-2023, 08:17 AM

My concern is that people will use the Mullvad browser in a non-secure way and think that it is secure. Too much hype, not enough substance.

business_kid · 05-28-2023, 01:22 PM

Well, after my test drive, I intend to delete it. It's a PITA. Tor browser goes onto Tor and finds me the few things I want that hide there. This thing just makes a pain of itself with root:root ownership. I have the vpn, so I don't need a fancy browser unless somebody's hacking in. I never finished setting up the desktop file anyhow. Yes, it is firefox disguised to look like chrome.

boughtonp · 05-28-2023, 02:51 PM

Maybe you'd be interested in the magical command chown?

Also, default behaviour for tar is to set owner to current user and apply the current user's umask, so... *shrug*

business_kid · 05-29-2023, 04:19 AM

Yes, yes, but it's the same problem. I could have set directories to 0755 and files to 0644. I could have owned them. But am I undoing their superior security? I really don't know why everything came to me 0700 & root:root.

After looking at it, I formed the impression they could be trying to monetize Tor as a commercial vpn. My only use for Tor now is for sites like sci-hub where somebody is playing whack-a-mole with them, and they have a copy on the dark web just in case.

boughtonp · 05-29-2023, 10:37 AM

???

They are not trying to monetize Tor, and I don't see how that conclusion was reached.

Mullvad have been providing a VPN for over a decade, and appear to financially support the projects they use. (They have made at least three donations to WireGuard described as "generous".)

What's new is that they now provide a pre-configured Firefox for increased security.

Tor is mostly irrelevant to all this, except that it's the Tor developers providing their expertise in browser security, (presumably in exchange for money from Mullvad).