Skip to main content
Self-Hosting & Privacy

Browser Privacy: Chrome vs Firefox vs Brave, Configured

Chrome, Firefox, and Brave all leak something by default. This guide scores them on fingerprinting resistance, third-party cookies, telemetry, and DNS-over-HTTPS, then gives the exact settings to fix each one — plus why Chrome lost the full uBlock Origin for good.

milanbuha00July 13, 202610 min read
ShareXin

You open a shopping site once, and for the next two weeks its ads chase you across every other tab you open. That is not a coincidence and it is not "targeted advertising working well" — it is your browser handing out a fingerprint and a cookie jar by default, on every one of the three most popular browsers, unless you go in and turn the leaks off yourself. The good news: every fix below is a real setting or a real extension, not "just be careful online."

TL;DR

  • Firefox ships the most configurable privacy stack: set Enhanced Tracking Protection to Strict, and DNS-over-HTTPS to Max Protection, for the strongest out-of-the-box fingerprinting resistance of the three.
  • Brave has the best privacy defaults with zero configuration — Shields blocks trackers and randomizes your fingerprint ("farbling") from the first launch, and telemetry is off by default.
  • Chrome still allows third-party cookies by default in most regions and sends the most telemetry home to Google; Privacy Sandbox is not a substitute for turning settings off yourself.
  • The full version of uBlock Origin no longer works on Chrome — Manifest V3 killed it. Firefox and Brave still run it.
  • DNS-over-HTTPS is the one leak all three miss out of the box for at least some users; it takes under two minutes to turn on in each browser.
3 of 3major browsers ship with third-party cookies, fingerprinting surface, or default telemetry still active — none is "private" until you configure it

What each browser leaks the moment you install it

Every browser exposes a fingerprint: screen resolution, installed fonts, GPU details, timezone, canvas rendering quirks — enough data points that, combined, identify a specific device without a single cookie (Mozilla's fingerprinting overview). On top of that, each browser makes its own call on third-party cookies, how much usage data it phones home, and whether encrypted DNS is on by default. None of the three gets all of it right without you touching a setting.

Chrome is the least private by default. As of 2026 Google did not complete its planned phase-out of third-party cookies — it pivoted to a user-choice model, so cookies stay on for most people until they explicitly turn them off in Chrome's privacy settings (Privacy Sandbox next steps). Chrome also generates an installation identifier and features like "Make searches and browsing better" send typed URLs to Google's prediction service unless disabled.

Firefox collects "technical and interaction data" — performance timings, feature usage, device specs — by default, but not browsing history, search terms, or passwords, and every toggle for it lives in one settings page.

Brave is the outlier: telemetry is opt-in rather than opt-out, Chromium's own usage-reporting hooks to Google are stripped out, and Shields' tracker and fingerprint protection is on from the first launch with no configuration required.

Chrome vs Firefox vs Brave: the privacy scorecard

Privacy dimensionChromeFirefoxBrave
Default fingerprinting resistanceLow — no built-in resistanceHigh — Known Fingerprinters blocked in Strict modeHighest — "farbling" randomizes fingerprint by default
Third-party cookies (out of box)Allowed by default in most regionsBlocked by default (Enhanced Tracking Protection)Blocked by default (Shields)
Telemetry sent by defaultOn, limited opt-outOn (non-browsing technical/interaction data), full opt-out availableOff by default (opt-in P3A analytics only)
DNS-over-HTTPS supportYes, off by defaultYes, off by default (Max Protection is the strongest mode)Yes, off by default
Built-in tracker/ad blockingNone (relies on extensions)Tracking protection only, no ad blockingFull ad + tracker blocking built in
Sync encryptionGoogle-managed keys unless you set a custom passphraseEnd-to-end encrypted by defaultEnd-to-end encrypted via sync-chain code, no account required

Read that table as a starting point, not a verdict — Chrome's weak defaults are fixable in about ten minutes, and Firefox's strongest fingerprinting mode (resistFingerprinting in about:config) is deliberately hidden because it can break sites.

Firefox: turning Strict mode and DoH into real protection

Firefox's default install is already decent; the gap between default and hardened is a handful of clicks.

Enhanced Tracking Protection to Strict

Open Settings → Privacy & Security → Enhanced Tracking Protection and select Strict. This blocks known and suspected fingerprinting scripts, cryptominers, and cross-site trackers, on top of the third-party cookie blocking Firefox already does by default (Mozilla's ETP documentation). Some sites will misbehave under Strict — Firefox shows a shield icon in the address bar so you can whitelist a specific site in one click rather than turning protection off everywhere.

DNS over HTTPS to Max Protection

In the same Privacy & Security page, scroll to DNS over HTTPS and set the level to Max Protection with a resolver you trust (Cloudflare or NextDNS are the built-in presets). Max Protection refuses to fall back to your ISP's plaintext DNS even if the encrypted lookup fails — the weaker "Increased Protection" mode will silently fall back, which defeats the point.

Tip

If a captive portal (hotel Wi-Fi, airport login pages) stops working after enabling Max Protection DoH, that is expected — plaintext DNS is how captive portals detect you. Temporarily switch to "Off" only for that network, then turn Max Protection back on once you are connected.

Turn off technical and interaction data

In Settings → Privacy & Security, scroll to Firefox Data Collection and Use and uncheck the telemetry boxes. This does not touch browsing history or bookmarks — only the usage-pattern data Mozilla collects by default.

Brave: what Shields already does, and what is worth adding

Brave's advantage is that most of this work is done before you click anything. Shields randomizes your fingerprint per site per session using a technique Brave calls "farbling" — instead of blocking canvas or WebGL APIs outright (which itself is detectable and can break sites), it perturbs the values slightly so every session looks like a different device (Brave's fingerprinting protections wiki). In 2026 Brave simplified this to a single Standard mode after retiring the separate "Strict" fingerprinting level, because Standard was already found to be the most aggressive fingerprinting defense of any mainstream browser without breaking as many sites.

What is still worth checking manually:

  • Shields per-site level — click the lion icon in the address bar and confirm "Trackers & ads blocked" and "Aggressive" cookie blocking are active; a small number of sites ship with Shields defaulted down.
  • DNS over HTTPS — go to brave://settings/security, find "Use secure DNS," and switch it from "With your current service provider" to a named resolver. Brave supports DoH but does not force a strict resolver by default, the same gap Chrome has.
  • Brave Sync — if you sync across devices, Brave Sync is end-to-end encrypted through a sync-chain code phrase and, unlike Chrome, requires no account at all.

Note

Brave's Standard fingerprinting mode already outperforms Firefox's default (non-Strict) mode and Chrome's out of the box — but it is still not a substitute for Tor Browser if your threat model requires anonymity rather than tracking resistance. Shields reduces tracking; it does not hide your IP address.

Chrome: the limits of Privacy Sandbox, and what you can still fix

Privacy Sandbox is Google's replacement framework for third-party cookies, and by 2026 Google had retired most of its original APIs, keeping only a handful — CHIPS, FedCM, and Private State Tokens — while abandoning the broader cookie-deprecation plan and shifting to a user-choice model instead (Google's Privacy Sandbox update). In practice that means third-party cookies are still alive in Chrome for most people, and the burden of turning them off sits on you.

Steps that actually move the needle in Chrome:

  1. Block third-party cookieschrome://settings/cookies, select "Block third-party cookies."
  2. Turn on Secure DNSchrome://settings/security, enable "Use secure DNS," and pick a named provider rather than "with your current service provider."
  3. Disable the URL prediction servicechrome://settings/privacy, turn off "Preload pages" and "Make searches and browsing better," both of which send data you type to Google before you hit enter.
  4. Disable ad-privacy featureschrome://settings/adPrivacy, turn off Ad topics, Site-suggested ads, and Ad measurement; these are the surviving Privacy Sandbox features and default to on.

Warning

The full version of uBlock Origin no longer runs on Chrome. Google's Manifest V3 replaced the webRequest API with the far more limited declarativeNetRequest API, capping filter-list rule counts and removing the dynamic, real-time blocking uBlock Origin relied on. The developer has confirmed there is no Manifest V3 build of the full extension and no working reinstatement path in 2026. Chrome users are left with uBlock Origin Lite, a reduced-capability rebuild, while the full extension keeps working on Firefox and Brave, both of which still support Manifest V2-style blocking (uBlock Origin project page). If ad and tracker blocking matters more to you than any single Chrome feature, this alone is a reason to default to Firefox or Brave.

DNS-over-HTTPS: the one leak all three miss by default

Every DNS lookup your browser makes — every domain you visit — is plaintext by default, visible to your ISP and anyone on the network path, unless you turn on DNS-over-HTTPS. All three browsers support it; none of them turns it on for you out of the box (Cloudflare's DoH configuration guide). The settings paths:

  • Chrome: chrome://settings/security → "Use secure DNS" → pick a provider.
  • Firefox: Settings → Privacy & Security → "DNS over HTTPS" → Max Protection.
  • Brave: brave://settings/security → "Use secure DNS" → pick a provider.

Pick the same resolver across browsers for consistency — Cloudflare (1.1.1.1) and NextDNS are built into all three as presets, so you are not typing a custom endpoint anywhere.

In my Proxmox homelab: how I actually run these three

In my homelab, browser configuration is one of the few things I still do by hand per machine rather than templating into a VM image — settings pages shift between releases often enough that I re-check them a few times a year instead of trusting a script. On my daily-driver desktop I configured Firefox with Enhanced Tracking Protection set to Strict and DoH set to Max Protection against Cloudflare's resolver; on a laptop I hand to family who won't touch a settings page, I installed Brave specifically because Shields protects them with zero configuration. I keep one Chrome profile only for the handful of sites — mostly banking portals — that misbehave under Firefox's Strict mode, with third-party cookies manually blocked there too. My write-up comparing Proxmox against VMware and Hyper-V covers the host underneath, if you're setting up a homelab of your own.

I did not measure exact fingerprint entropy scores across these installs — that needs dedicated tooling I have not run — so I won't claim a number I didn't collect. What I can say from running all three daily is that the settings above changed observable behavior: fewer cross-site ad retargeting hits in Firefox after Strict mode, and fewer cookie-consent banners in Brave since Shields blocks tracking scripts before the consent banner even loads.

Extensions worth adding, and the Manifest V3 catch

Settings handle fingerprinting and cookies; extensions still add real value on top, particularly for ad and tracker blocking that goes beyond what any browser does by default.

  • uBlock Origin — the strongest filter-list blocker available, full version on Firefox and Brave, Lite only on Chrome (see the warning above).
  • Privacy Badger (EFF) — a behavioral tracker blocker that learns which third parties track you, as a second layer alongside uBlock Origin.
  • A dedicated password manager — browser-saved passwords sync tied to your browser account; a standalone vault keeps credentials out of that chain. See the Bitwarden vs 1Password vs KeePassXC vs Dashlane comparison for options.

Two extensions plus the settings above cover most tracking surface across all three browsers.

Which browser should you actually trust

If you want the strongest privacy with no ongoing effort, Brave is the easiest recommendation — Shields and farbling do most of the work before you touch a setting. If you want maximum configurability and are willing to spend ten minutes in settings, Firefox with Strict mode and Max Protection DoH is the most transparent choice, and it is the one most privacy researchers audit closely because it is open source with a long track record. Chrome is workable if you already depend on its ecosystem, but only after you manually block third-party cookies, disable the ad-privacy features, and accept that the full version of uBlock Origin is gone for good. None of the three is "done" out of the box — that is the actual finding here, not a marketing claim from any of them.

If Windows telemetry is also on your list, the same instinct — decide what phones home and turn it off — applies at the OS level; see the Windows 11 debloat and telemetry removal guide for the equivalent walkthrough outside the browser.

Frequently asked questions

Which browser is the most private by default, no configuration?

Brave. Shields blocks trackers and ads and randomizes your fingerprint from first launch, and telemetry is off by default — Firefox and Chrome both need settings changes to reach a similar level.

Does Firefox's Strict mode break websites?

Occasionally. Strict Enhanced Tracking Protection blocks known and suspected fingerprinting and cross-site tracking scripts, which can break a small number of sites that depend on third-party scripts to function; Firefox lets you whitelist a specific site in one click from the address-bar shield icon rather than disabling protection everywhere.

Is Chrome's Privacy Sandbox a real replacement for blocking third-party cookies?

No. As of 2026 Google retired most of the original Privacy Sandbox APIs and did not complete the third-party cookie phase-out, shifting instead to a user-choice model — cookies stay on by default for most users until you block them yourself in Chrome's cookie settings.

Can I still use the full uBlock Origin on Chrome?

No. Manifest V3 removed the API the full extension depended on, and the developer has confirmed no full-featured Manifest V3 build exists. Chrome users get uBlock Origin Lite, a reduced-capability version; the full extension still runs on Firefox and Brave.

Do I need DNS-over-HTTPS if I already use a VPN?

If your VPN handles DNS resolution itself, enabling browser-level DoH on top is usually redundant and occasionally causes conflicts; check your VPN client's DNS-leak documentation. Without a VPN, browser DoH is the simplest way to stop your ISP from seeing every domain you visit in plaintext.

Related stories

More from Self-Hosting & Privacy

Stay in the loop

Get the latest articles delivered to your inbox. No spam, unsubscribe anytime.

Read next

Germany's Rundfunkbeitrag (GEZ): 2026 Fee Explained

Germany's Rundfunkbeitrag is a flat €18.36/month fee per household, TV or not, unchanged since 2021. This explainer covers who pays, how billing starts automatically via Meldeamt data, and who qualifies for Befreiung (full exemption) or Ermäßigung (one-third reduction).

Continue Reading