Three privacy-focused browsers compared

SRware Iron, Comodo Dragon, and Dooble use the Chromium browser engine but promise to protect your privacy better than Google Chrome.

Dennis O'Reilly Former CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.
Dennis O'Reilly
6 min read

Comodo Dragon PrivDog privacy checker
Identify the trackers and other privacy threats on the current page via Comodo Dragon's built-in PrivDog tool. Screenshot by Dennis O'Reilly/CNET

Which is the safest browser?
In terms of privacy, the answer may be Internet Explorer. According to NSS Labs' 2013 Browser Security Comparative Analysis: Privacy (PDF), Internet Explorer tops Firefox and Chrome by blocking most third-party cookies by default and offering a built-in tracking protection list.

In terms of security, the answer may be Firefox. When Mark Stockley of the Sophos Naked Security blog polled readers last September about which browser they considered the most secure, Firefox was the big winner, gleaning more than 50 percent of the votes, followed by Chrome with just under 27 percent and IE with 8 percent.

I haven't yet found a browser that by default blocks JavaScript and all third-party cookies. (Safari does the latter but not the former.) Out of the box, Firefox and Google Chrome run JavaScript and accept third-party cookies, and while IE blocks most third-party cookies, it runs JavaScript by default.

I tried out three browsers that are based on the same open-source Chromium engine as Google Chrome and that claim to offer enhanced security. SRware Iron distinguishes itself from Chrome by not sharing with Google any of the information you enter.

Comodo Dragon likewise claims not to communicate with Google. As you might expect from a security software vendor such as Comodo, the program offers other enhanced security and privacy features. (The company also provides the Comodo IceDragon browser based on Firefox's Mozilla engine.)

Dooble bears the least resemblance to Google Chrome: where SRWare Iron and Comodo Dragon use the same settings interface as Chrome, Dooble's settings use a distinct tabbed interface.

Unfortunately, one thing all three of the browsers have in common with Google Chrome is that by default they run JavaScript and accept third-party cookies.

Allowing JavaScript site-by-site is only a mild aggravation
There's no denying that taking a white-list approach to JavaScript is a bit of a pain. Considering the risk posed by rogue JavaScript, it's a pain I'll live with gladly. You might be surprised how many sites function just fine with JavaScript disabled.

In a post from October 2012, I explained how to disable Java in IE, Firefox, Chrome, and Safari. Last May's "How to improve security in Firefox, Chrome, and IE" described how to allow JavaScript on a site-by-site basis and how to block third-party cookies.

(If your PC is like my Windows 8.1 test system, it doesn't have Java installed, which means there's no need to disable Java in the browsers.)

To disable JavaScript and block third-party cookies in Chrome, click the settings icon in the top-right corner of the browser window and choose Settings. Scroll to and select "Show advanced settings," then click the "Content settings" button under Privacy.

Google Chrome JavaScript-blocked icon
Chrome shows an icon with a red X in the address bar to indicate JavaScript is blocked on the current page. Screenshot by Dennis O'Reilly/CNET

Google Chrome allow-JavaScript dialog
Add the current site to your JavaScript white list in Chrome by choosing the "Always allow" option. Screenshot by Dennis O'Reilly/CNET

Under Cookies, choose "Block third-party cookies and site data," and under JavaScript, select "Do not allow any site to run JavaScript." Then click Done.

When you visit a site that uses JavaScript, an icon appears on the far right side of the address bar that shows a red X to indicate that JavaScript is blocked.

To allow JavaScript to run on the current page and add the page to your JavaScript white list, click the icon and choose the "Always allow" option. You can also open your list of allowed sites to add or delete entries.

Another way to access your JavaScript white list is by opening the browser's advanced settings as described above, clicking the "Content settings" button, and choosing the "Manage exceptions" button under JavaScript.

Google Chrome JavaScript white list
Manage your JavaScript white list in Chrome via the "Content settings" option. Screenshot by Dennis O'Reilly/CNET

SRWare Iron: Simple and speedy, yes, but safer?
In addition to not sharing any information with Google, SRWare Iron claims three other advantages over Chrome: a built-in ad blocker, an easy-to-customize User Agent, and 12 preview thumbnails rather than Chrome's eight.

Is that sufficient reason to download and install the program? Iron's vendor says the program is fast and simple, which are two of Google Chrome's claims to fame. Other privacy and security benefits of the program aren't obvious. And as I mentioned, Iron's default settings allow third-party cookies and JavaScript, which are two of the greatest risks to people's privacy and security.

Iron gives you the option of signing into your Google account to access your bookmarks and other data. The program's phishing and malware protection is disabled by default, and when you click the "more information" link to find out about Iron's use of Web services, you open the Google Chrome help site.

Apart from not sharing your information with Google, it's difficult to find any benefit to using SRWare Iron over Chrome, particularly in terms of privacy and security.

Security firm's browser offers built-in protections
Comodo Dragon's most apparent differences from Chrome are the browser's built-in Web Inspector and PrivDog features, both of which are represented by icons on the right side of the address bar. Web Inspector performs an online scan of the current page for malware and malicious activity.

Comodo Dragon Web Inspector scan results
Comodo Dragon has the Web Inspector built in for one-click malware scans of the current page. Screenshot by Dennis O'Reilly/CNET

PrivDog identifies blocked and unblocked privacy threats on the current page in various categories: ad networks, trackers, third-party widgets, statistics, and third-party cookies. A typical PrivDog threat report appears at the top of this post.

When you install Comodo Dragon, you're offered 10GB of free online storage by signing up for the company's cloud-storage service. However, when I attempted to sign into my Comodo account from inside Dragon, I was directed to the Google sign-in page instead.

Comodo Dragon's enhanced security features include phishing and malware protection enabled by default, Comodo Secure DNS malware domain filtering on by default, and a "Clear at exit" button under the browser's privacy settings that lets you clear your browsing and download history, delete cookies and other site and plug-in data, empty the cache, clear passwords, and otherwise cover your tracks.

I'd feel better about Comodo Dragon if the browser hadn't added its own honkin' huge ads at the top of pages it opens. It's easy enough to disable the ads, and you can't blame a company for trying to make a buck, but those full-window ads are still a major distraction.

Dooble isn't ready for prime time
The Dooble open-source browser is described by its developers as "mischievous," "fair trade and organic," and "made with lots of love." I only wish the browser was more reliable.

Several of the pages I visited in Dooble didn't open correctly, including our own CNET How-To page.

Dooble browser page-rendering error
The open-source Dooble browser was unable to correctly render several pages, including CNET's How-To page. Screenshot by Dennis O'Reilly/CNET

Dooble eschews the Google Chrome approach to settings in favor of a more traditional tabbed page of options. The settings for cookies and JavaScript are found on the Security tab. The browser claims to use HTTPS by default, but when I tested the program, the HTTPS option was unchecked.

In addition to blocking third-party cookies, you can allow only those cookies already accepted, or manually edit your list of cookie-blocking exceptions. By default, Dooble allows JavaScripts to run that open alerts, that hide the menu bar, or that open a new window. Unchecked JavaScript options are for geometry-change requests, hiding the status bar and the location bar, and cross-site scripting auditing.

Dooble browser JavaScript settings
The Dooble browser's JavaScript options let you allow or block specific types of scripts, allow or block all scripts, or add sites to your exceptions list. Screenshot by Dennis O'Reilly/CNET

Dooble lets you disable all JavaScripts and add sites to your exceptions list, but I wasn't able to find an easy way to add sites to the exceptions when you encounter them the way you can when you disable JavaScript in Chrome.

There's a garage-band feeling to Dooble that shows its developers have a lot of heart, but functionality-wise, the browser leaves much to be desired.