I would like to invite all of you Linux users to check out the latest release of Konform Browser.
Konform Browser is a free/libre and open-source (FLOSS) fork of Firefox with the primary goals of security, privacy, and user freedom. Hoping to be an example of how these three goals don’t have to be at odds but support each other and work in harmony. Would love to hear your feedback on if it’s in the right direction and what can be improved.
Been posting on and off the lemmies about the project during 2026 and previously on this community. Below are major highlights since 140.8.0-103 update from two weeks back:
- Bundling and enforcing use of bundled fonts. Konform Browser now carries the same font-loading patches and bundled fonts as Tor Browser and Mullvad Browser. While this does increase download- and installation sizes, it has two clear benefits: - Significantly improved resistance against font fingerprinting used by tracking scripts. Konform Browser should now be more robust against this attack by having shared global font fingerprint. - All languages and scripts should render as expected regardless of what fonts you have installed on system.
- Also bundled is now Multi-Account Containers Lite addon. It’s a debloated1 fork of Firefox Multi-Account Containers so you can utilize Container Tabs and set per-container proxies without installing addon for it.
- While “AI chatbot” feature was already disabled and hidden by default, it was previously still possible to trigger activation of proprietary networked centralized cloudbots by setting pref
browser.ml.chat.enabled=true. These have now been fully removed and replaced by a single provider utilizing locally running llamafile instance. - Ported a bunch of security fixes and improvement on fingerprinting protection from FF Rapid Release and Tor Browser which didn’t make it into upstream FF ESR.
For details and references see linked release notes. For even more details I hope the commit log is digestible.
Packages available for most Linux distributions.
Konform Browser is also on Mastodon where followers make me happy: https://techhub.social/@konform
1: Similarly as rest of Konform Browser: Removal and disabling of telemetry, analytics, ads, touting, nags (“call-to-actions”), and integrations with centralized proprietary service (Mozilla VPN in this case).
Hello.
First of all, thank you for bringing this important project to life. I always dreamed of a sane midpoint between Mullvad and Librewolf browsers that would combine best practices from both approaches.
Librewolf isn’t based on ESR, and Mullvad has no support for cookies allowlist which kills a plenora of use cases by itself.
And as if it were not enough to ask you also implemented offline mode which I always lacked when sandboxing separate browser instance specifically for LAN-only application to access it’s web-gui. Not forcing users into any extensions and automatic network request does also feel very sane for me.
And the improvement over Librewolf that I enjoy most is font spoofing support.
I have a question. I’ve read that you position Konform closer to GNU IceCat than to LibreWolf, which makes me worry: does Konform provide at least the same level of fingerprinting resistance as Librewolf does, if I 1) revert “Allow non-default theme” and 2) re-enable “Enforce OCSP hard-fail” in settings? I would guess ‘yes’ since it’s a fork of it. Right? Or there is more to it under-the-hood? Use case is try to avoid [advanced] deanonymization technics (yes, I’m aware about Tor and I do use it).
I’ll be very grateful to receive your answer.
And my first bug report:
Konforn, unlike Librewolf, fails Cloudflare verification with error code 600010 consistently across different websites login pages. It occurs in clean profile, all settings stock, with no extensions installed. I tried to select even “Just make it work” settings preset on first startup onboarding screen. It does not resolve the issue. In my tests Librewolf and Konforn are on the same device/network/IP address. Yet Librewolf passes the test even with uBlock Origin and other extensions active. Easy way to reproduce would be to go to NexusMods login page and click “Verify you are human” box.
Thank you for kind feedback! I’m glad you dig and that it fills a spot! Internal network management is very much one of a few use-case categories that’s been motivating this.
I have a question. I’ve read that you position Konform closer to GNU IceCat than to LibreWolf, which makes me worry: does Konform provide at least the same level of fingerprinting resistance as Librewolf does, , if I 1) revert “Allow non-default theme” and 2) re-enable “Enforce OCSP hard-fail” in settings?
I don’t understand the IceCat reference. Anyway, I would argue that Konform Browser has stronger privacy defaults (including less leaks for fingerprinting) and the focus is a natural part of the projects privacy goal. Reverting “allow non-default theme” makes sense but I’m wondering about your motivations for OCSP? I don’t think it should do either for or against vs sites, and if anything making the situation worse vs service provider(s).
See:
- https://youtu.be/Htms5rNy7B8?list=PLeeS-3Ml-rpovBDh6do693We_CP3KTnHU&t=2359
- https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/
I believe what you probably want instead is CRLite? Will be enabled and receive updates for presets other than
Purely Private.And my first bug report:
Hm, that’s unfortunate. But it’s also not clear to me if this is a bug in Konform Browser or not. Only Cloudflare would really know. Possibilities:
- False flag or misclassification from Cloudflare1 (ie the bug is @ Cloudflare)
- Legitimate block at Cloudflare. For example, previously they might have been able to categorize with decent certainty in a “LW users on Linux on Tor” bucket but you are fuzzier and get treated like “sus” as you’re not distinguishable enough from skillfully deployed spambot anymore. Should be resolvable on case-by-case-basis by site operator, still. This is unfortunate situation and not really something we can address without more specific information2
- If you get consistently blocked with Konform but not with Tor Browser / FF ESR over Tor, that’s an indication Konform might be distinguishable and treated differently and if so, that could be a bug in Konform Browser. If you can pinpoint what makes the difference, that would be very useful to know. “Cloudflare is blocking me at this site” is unfortunately not really actionable but if a behavioral difference can be identified, it’s possible that it can resolved by change in Konform.
In case it’s not as straightforward, and a workaround would involve something like selective UA-spoofing3, I don’t think that’s something we would work on or implement. If the site has a selective allowlist of UAs, that’s either “working as intended” or a bug on their end, not something I think of as a bug in Konform. Resistance against censorship is of course not undesired - but privacy and security are still the higher priorities.
Still, Konform Browser does bundle WebCompat system addon just like FF. So the third path for fix, if only site-specific workaround can be identified, and the issue can be reproduced in FF ESR (maybe by applying KB userprefs), I think it could be to addressable by reporting and adding such workaround.
Does Cloudflare reliably distinguish between users of LW/FF RR, and KB/TB/FF ESR, etc as part of this turnstile page and does that contribute to the difference outcome you see? If so, how exactly is it done and how exactly does it contribute? Is it explicit or emergent? We don’t know. Assuming answers to first two are yes and yes, the difference could even be explained simply by difference in user numbers. Best we can really do is striking a balance between closing the gap and closing leaks of entropy.
If nothing else, it might just work itself out over time due to unrelated changes on either side. If not before, I expect the ESR bump in a few months could “magically” sort these kinds of things out.
1: Cloudflare only provides support to their customers; not mere mortals like you and I. Resolution path: User (eg you) reaches out to site (ie NexusMods) who can then either 1) change their CF configuration or 2) contact Cloudflare who may or may not fix the issue.
2: DM me if you actually want to dig into this!
3: Konform is as vague and static as possible while conforming to FF ESR/TB format
All my reply were a bit mess. My apologies for confusion.
I was referencing your words from another post here. I read it too fastly and memorized this part out-of-context. Nothing bad intended, sorry for the bad phrasing.
“In this sense (and a few others), Konform Browser is closer to IceCat/GNUZilla than it is to Librewolf.”
Now that I re-read whole message together I think I understand what you meant (timely security updates), and it’s a good thing. I just misintrepreted this part on first read.
Thank you for linking that CRLite article. It helped me understand better. I’m not a developer but just a regular user. I wasn’t sure what exactly OCSP is, except for it’s ties to certificates. My impression were based purely on “This increases security …” comment in browser’s settings. The only reason I listed it nearby brower theme override is because those are two things that differ in this regard from Librewolf according to Konform’ readme.
My Tor mention were purely disclaimer in case someone else would feel the urge to comment on that I shouldn’t seek “advanced deanonymization technics” protection from anything other then Tor Browser. I meant that I aware about it’s existence and actively use it whenever I need it. It didn’t imply that I used Konform over Tor during Cloudflare verification fails - no, I used it over just a regular VPN instead, same one VPN that passess those checks in both Librewolf and Mullvad, from the same machine, simultaneously.
My whole blury “I have a question” paragraph should have been written as “Am I right to assume that Konform provides at least same protections as Librewolf does?”. Now I know that answer is “Yes, and much more”, and I’m happy with it.
Please allow me some more time to re-read part of your reply considering Cloudflare so that I can understand it better and give a more appropriate answer. Thanks again for your patience & work.
@ken Checking out your browser right now, looks good so far, testing the browser on my Trixie box at work . I’m a regular user but understand some basic security stuff.
I had to manually correct the entry in sources.list since the data it is pulling is wrongly formatted, I corrected it to work properly as forgejo.sources, just in case someone is lookig it up:
Types: deb
URIs: https://codeberg.org/api/packages/konform-browser/debian
Suites: trixie
Components: konform
Architectures: amd64
Signed-By: /etc/apt/keyrings/forgejo-konform-browser.ascGlad you figured it out and hope it keeps working without hitches from now on! I’m curious what error you got (feel free to DM) as I do installation in trixie with copy-pasting repo from the package registry instructions as part of testing process and I didn’t catch any issue with that. The format in the instruction is an older one than the one you list (yours is correct and preferred in any case) but works on my trixie installs so far.
I am aware of issue with RPM repo instructions not working, though. Should be fixed in next Forgejo update. These should work.
Does it support account syncing? I’m using vanilla Firefox+user.js now with a self-hosted sync server.
It does! While existing userprefs should work for enabling the feature and setting your own syncserver endpoints as expected, Konform Browser also has basic UI for convenient configuration of custom sync URLs under
about:preferences -> Konform Browser. Please report if any issue with that <3
Sounds neat!
The icon looks like a slightly balding hipster dude…
Think of the tail as a beard and the negative space (white part) as his face and the top purple part as his hair.
Awesome project though!
