Contact me for feedback or questions! I reply to everyone.

Lifting the veil - how to test browsers for spyware.

- Introduction -
- Installing mitmproxy -
- Hooking up a browser -
- What if a browser doesn't support proxy settings? -
- Enabling SSL decryption -
- Using mitmproxy -
- How to see first run requests in Chrome -
- How to see first run requests in Firefox -
- Mitmproxy vs Wireshark -


Privacy support is one of the chief criteria upon which users pick (or should, anyway) a web browser. Often, a person's opinion of a browser's privacy is manufactured by assumptions, marketing talk, or its privacy policy (which can be hard to read and understand, omit information or outright lie). Wouldn't it be great if we had a way to prove whether a browser actually cares about your privacy, or just bullshits its way through? Fortunately, there is a powerful tool to see exactly what a browser does behind your back, and I'm going to present it to you right now. Let's lift the veils! UPDATE January 2022: this method does not necessarily find all the requests. If a developer is malicious, they could code their browser to bypass proxy settings. And it just so happens that one such malicious developer has done so (archive) - of course, it's the evil Mozilla:

Starting with Firefox 91.1, Firefox now includes changes to fall back to direct connections when Firefox makes an important request (such as those for updates) via a proxy configuration that fails. Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users.

So, if a browser developer thinks a request is really important, they can make it bypass user decisions - though I think this is the only proven example of it. Mitmproxy will surely find the other 99+% of requests, but I had to mention this exception. Note: you can bypass this issue by using the proxychains method with Firefox, instead of its own settings. Carry on...

Installing mitmproxy

First of all, install mitmproxy. You can do it easily by typing this command on the terminal: pip3 install mitmproxy (you will have to install python3 first - should be available in most Linux repositories). What is mitmproxy? Simply, it is a local proxy server to which you can point your browser, which will allow you to see the connections it makes (it has many more features, but in this article, that's our only focus).

Hooking up a browser

Run mitmproxy by typing the terminal command mitmproxy -p 3128. The 3128 is the port on which the proxy will run on. Now go to your browser's proxy settings, and put in for the IP, and 3128 for the port (make sure to fill both the HTTP and HTTPS fields). Ignore everything about SOCKS proxies, since mitmproxy is a HTTP(s) proxy. Chrome based browsers have it slightly harder, since they don't support GUI proxy settings. You have to run them from the command line like this: name of browser --proxy-server="". Replace "name of browser" with the executable name, for example iridium-browser --proxy-server="".

What if a browser doesn't support proxy settings?

You will need to run it through proxychains with this config file put into /etc/proxychains.conf. Then, type proxychains4 name-of-browser into terminal. If it worked, the proxychains output should be something like this (this is for the suckless Surf browser):

proxychains4 surf
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib64/
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Dynamic chain ... ... ... OK
[proxychains] Dynamic chain ... ... ... OK
[proxychains] Dynamic chain ... ... ... OK
[proxychains] Dynamic chain ... ... ... OK
[proxychains] Dynamic chain ... ... ... OK
[proxychains] Dynamic chain ... ... ... OK
[proxychains] Dynamic chain ... ... ... OK

And of course, you should see all the requests in the mitmproxy terminal window. Note: This method also works for Firefox-based browsers, but will error out in Chrome based ones.

Enabling SSL decryption

Now, if your browser is of the spyware kind, you should already see some requests in your terminal window - but wait, setting up mitmproxy isn't over yet. By default, it only shows pure HTTP requests, since browsers won't allow it to decrypt SSL. Fortunately it has an easy way to add a root certificate to your browser, which will allow just that (the "mitm" part in mitmproxy refers to that). Switch to your browser window and type in the address bar. First, download the mitmproxy-ca-cert.pem file. For Firefox and derivatives, go to Settings, type "cert" in the search bar, scroll down, click View Certificates, import the file and trust it to identify websites. For Chrome and derivatives, enter Settings, search for "cert" at the top, click Manage certificates, import that file (Authorities tab), click the three dots near it and trust it to idenfity websites. No idea about phones or Windows, I guess use the instructions provided by Some browsers (such as the aforementioned Surf) automatically trust all certificates, so you don't need to do anything to get mitmproxy to decrypt SSL in them. If you succeeded, you should be able to go to any HTTPS website and see the request in mitmproxy (which will start with GET https://). Okay, we've got SSL decryption enabled - what now?

Using mitmproxy

Just wait! Yes that's it. The whole point is to wait and see what requests the browser makes without your input. You can scroll through requests with the arrow keys and inspect them in detail by pressing Enter. This will show ALL the data that the browser is sending, as well as receiving. Of course, understanding it takes a lot of experience, but at least you now have the opportunity to Lift The Veil, if you want to! You might be surprised to see that common web browsers make hundreds of requests without your knowledge, even ones that are generally considered "respectful of your privacy". For example, Waterfox scores at exactly 109 unsolicited requests (UPDATE: this is now wrong, but you get the point), just by turning it on! And it's advertised as privacy-based - but thanks to mitmproxy, you can lift the veil, and expose the claim for the lie it is. Isn't that empowering? No more relying on popular opinion, deceptive advertising, or shitty privacy policies (which should be called spy policies). Now it's all there for you to check.

Of course, you won't see all the spyware by just waiting. Some of it can hide in places such as the new tab pages or require visiting a website (Opera's collection of browsing history for example). Also, many requests are only made the first time you run a browser, where it's not going through mitmproxy yet, which will prevent you from seeing them. How to bypass this?

How to see first run requests in Chrome

Close your browser. Now go to the browser's config directory (for example /home/hackerman/.config/vivaldi/) and remove the First Run file. That should do it. Press the Z key in mitmproxy to delete all previous requests, so that it is easier to see only the new ones. Run the browser again.

How to see first run requests in Firefox

A little tougher. You also have to go to the browsers config directory, which will not be .config but .mozilla (for FF and IceCat), .waterfox (for Waterfox), .librewolf (for LibreWolf) or .moonchild productions (for Pale Moon). Now CLOSE YOUR BROWSER (if you have it open), find the file prefs.js, and in it, the line user_pref("network.proxy.http", "");. Now copy everything starting from that until user_pref("network.proxy.type", 1);. Delete everything else in the file and save. Your prefs.js should look like this (now probably not everything has to be necessarily deleted, but let's be safe...). Also remove all other files except prefs.js and cert8.db (contains mitmproxy certificate info) - this will leave your Firefox-based browser with ONLY the proxy settings changed from the default clean install.

Mitmproxy vs Wireshark

For the purposes of spyware investigation in browsers, mitmproxy is the best tool available. It is a lot simpler to use and needs much less resources. More importantly, Wireshark cannot split traffic by application. By default, it shows you all the traffic from your chosen network interface (e.g wlan0 or eth0). So you see all the DNS requests, NTP requests, etc. Even if you filter by HTTP, that would still show you all the HTTP traffic, instead of just the application you want. To inspect a single application in Wireshark, you'd have to install a separate operating system and ensure it's not sending any other requests. Even then, the format would still be different. However, it can inspect protocols other than HTTP, where mitmproxy is useless.

Back to the front page