GrapheneOSJun 3
WebRTC is a peer-to-peer communications protocol for web sites and therefore causes numerous privacy issues through making direct connections between participants. By default our Vanadium browser disables the peer-to-peer aspect by only using server-based (proxied) connections.
Show threadGrapheneOSJun 3

Vanadium provides a user-facing setting at Privacy and security > WebRTC IP handling policy.

From least to most strict:

Default
Default public and private interfaces
Default public interface only
Disable non-proxied UDP

For Vanadium, "Disabled non-proxied UDP" is the default.

Show threadGrapheneOSJun 3
The tracking technique described at https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/ is prevented by Vanadium's default "Disabled non-proxied UDP" value. It's also prevented by "Default public interface only", which does permit peer-to-peer connections but won't try to use the loopback interface for it.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.

Ars Technica
Show threadGrapheneOSJun 3
We have a list of most of the features provided by Vanadium at https://grapheneos.org/features#vanadium. There are dozens of additional privacy and security features planned along with data import/export and improved support for system backups. It takes time to implement these things properly.
GrapheneOS features overview

Overview of GrapheneOS features differentiating it from the Android Open Source Project (AOSP).

GrapheneOS
Show threadGrapheneOSJun 3
Vanadium doesn't have billions or even millions of users which limits our ability to prevent fingerprinting. We plan to address this by launching it for use outside GrapheneOS including publishing it through the Play Store. We want to implement more of the planned features first.
Show threadFelixJun 3

@GrapheneOS

There are two things i regularly run into when trying to use vanadium:

1. No adblocking/contentblocking (for usability-reasons, not privacy)
2. Missing support for "external" password managers via the autofill service

From what i have read, 1 is a future feature (that i probably can also work around with an adblocking vpn app), and two *should* work. But i am not getting the prompts. Do i need to configure anything special for that?

Show threadGrapheneOSJun 3

@newhinton

> 1. No adblocking/contentblocking (for usability-reasons, not privacy)

That's incorrect. Vanadium has content filtering via EasyList + EasyPrivacy with a per-site toggle. It also uses EasyList Germany when German is enabled as a browser language and we plan to extend that to more language lists. This approach is being used to avoid fingerprinting.

> 2. Missing support for "external" password managers via the autofill service

That's incorrect. It fully supports password managers.

Show threadJensJun 3

@GrapheneOS @newhinton
Can fully confirm both.

1) Stuff gets filtered but not so much as some would like which is a compromise for fingerprinting not to stand out too much

2) see attached, PWM are working with autofill. KP as autofill service configured and working.

Show threadFelixJun 3

@JeGr @GrapheneOS Thanks, see my other comment. I have overlooked the 'ads' section in the settings which enables/disables adblocking. I wonder if it deserves a more prominent link to it...

Have you had issues with multi-stage logins?

Show threadJensJun 3
@newhinton @GrapheneOS
Multi Stage as in? Multiple pages and steps? User, then PW, etc instead of all on one page? Then yes that is sometimes a bit hit or miss and dependent on the form naming etc.
But most times the PW field is fine.
Show threadFelix

@JeGr @GrapheneOS Yes exactly, multiple pages.

On firefox it works (mostly) as expected, but in vanadium i never got the initial prompt for the username, which put me under the impression it wasn't supported. (And, i remembered that chromium/chrome didn't support autofill at all, but that is probably outdated regardless)

Jun 3 at 5:25pmWeb