Review: Is the Iridium browser safe?
The Iridium browser makes several claims to protect user privacy.
Its most notable claim is that it doesn't "phone home." Additionally, Iridium is relatively "de-googled."
However, how does this privacy browser stack up on other fronts in addition to its claims?
ATH aims to find out.
This is the Iridium browser at a glance...
- Good privacy-friendly defaults
- Disables a lot of Google dependencies/services
- Security/Privacy improvements over standard Chromium, especially concerning WebRTC
What is Iridium?
The Iridium browser's background isn't very clear.
It's based on Chromium and one of its main focuses seems to be eliminating "phoning home" issues and reducing dependence on Google services/components within the browser itself.
Nowadays, it's mostly maintained by a company called NETitwork GmbH, which appears to be some sort of IT vendor/support company.
Iridium is available on Windows, macOS, and Linux.
Supported Linux distros include: Debian, openSUSE, Fedora, and Red Hat/CentOS.
NOTE: The Debian version is severely outdated. Additionally, Iridium doesn't appear to be very stable on Debian-based systems.
Iridium is not available for mobile platforms such as Android and iOS. It isn't very ARM-friendly either.
OS versions:
- Windows 7
- Fedora 32+, Redhat 7+
- macOS X Yosemite 10.10+
Launch and set up
Installing Iridium on my Windows machine was easy and quick.
Once installation finished, my Iridium install made a background DNS request to cache.iridiumbrowser.de.
According to Iridium's FAQ, this domain (cache.iridiumbrowser.de) is where the browser caches the information sent to Google's API for Safebrowsing. This happens because Google's Safebrowsing component is enabled in Iridium by default.
Funny side note - if you attempt to visit this domain via a browser, you get the following web page:
First launch wasn't anything fancy, looks and feels just like standard Chromium:
A blank page welcomes you on first launch and on every new tab thereafter, until/unless you decide to change it.
We'll dive into the privacy and security features of Iridium here. We'll also cover any unique features it has.
Removed many Google Components/Services
Iridium is based on Chromium, which is an open-source browser engine that is maintained primarily by Google.
However, the developers behind the Iridium browser have taken great care to remove many Google-dependent components and services that are otherwise enabled in regular Chromium, or some other Chromium forks.
The removal of Google-dependent services and components is crucial because it lessens both the likelihood and the frequency of phoning home to Google servers and APIs, which can compromise your privacy - especially since Google isn't exactly known to be privacy-friendly.
Limited background connections
Iridium claims to maintain privacy by severely limiting the browser's ability to "phone home." By extension, Iridium doesn't claim to collect and/or store telemetry data from usage of the browser.
Iridium features a few security tweaks. These tweaks mostly modify how WebRTC is handled within the browser.
Iridium uses Chromium as its engine. As noted earlier, while Chromium is open source, it was originally developed by and is currently maintained by Google.
Chromium is currently the most common browser engine in use.
Iridium is not updated frequently. It does not keep up with the security patches regularly released for Chromium.
This raises serious security concerns, since Iridium's lack of updates leaves users open to vulnerabilities that can be exploited by malicious actors.
As mentioned earlier: despite Iridium being based on Chromium, the developers have done a pretty good job "de-googling" the browser itself.
In other words, Iridium took care to remove many of the Google components/services built into Chromium.
Some of the services/components disabled include:
- Automatic checking for updates
- Google hot word detection (typically for devices with microphones; "OK! Google")
- Google cloud printing
- Google profile-import
- Google Cloud Messaging status checks
- Google's translation service
(Source: Iridium Wiki.)
Many of these components/services would otherwise consistently phone home to Google's servers and APIs, potentially compromising your privacy by revealing data such as your general browsing history.
The only Google service/component that seems to be "intact" within Iridium is Google's Safebrowsing service, which was touched on earlier in this review.
While this may raise a red flag for some privacy-conscious users (rightfully so), it's important to note that this "feature" can be easily disabled from within Iridium's settings:
- Enter chrome://settings in Iridium's address bar
- Under Privacy and Security, click on Security
- Under Safe Browsing select No Protection (not recommended)
Iridium features quite a few tweaks that focus on both security and privacy. Some of these tweaks are independent of the impressive "de-googling" that Iridium has.
Many of the security tweaks found in Iridium govern how WebRTC is handled. This is important since WebRTC can't be outright disabled in Chromium - only modified - and WebRTC can leak things like your true IP address, even when behind the likes of a VPN.
Some of the more notable privacy tweaks found in Iridium include:
- Disable DNS prediction as a default (note: otherwise, when enabled, your browser may initiate connections that you may not necessarily want it to)
- Autofill related functions disabled by default
- Cookies, temporary, and site data automatically wiped when browser window is closed
- Passwords not stored in browser by default
- Points IPv6 DNS requests to root servers instead of Google's servers
- Use Qwant as the default search engine provider (note: Qwant is a well-known private search engine - if interested, view more private search recommendations)
In addition to these tweaks, the overall defaults for this browser are fairly privacy friendly out-of-the-box.
Limited Telemetry/Phoning Home
One of Iridium's claims is that it doesn't phone home.
In my usage, I found this claim to be credible. I didn't notice any other background connections from Iridium outside of the periodic connection to cache.iridiumbrowser.de as referenced earlier in this review.
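One way to check a "doesn't phone home" claim like this is to audit resolver logs from an otherwise idle test machine. The following is an added example, not part of the original review: the dnsmasq-style log lines, the client IPs and update.example.net are constructed, and it assumes the browser is the only active application and uses the system resolver.

```python
import re
from collections import Counter

# Constructed dnsmasq-style query log; 192.168.1.50 is the idle test machine.
SAMPLE_LOG = """\
Jun 10 12:00:01 dnsmasq[412]: query[A] cache.iridiumbrowser.de from 192.168.1.50
Jun 10 12:00:01 dnsmasq[412]: forwarded cache.iridiumbrowser.de to 9.9.9.9
Jun 10 12:05:13 dnsmasq[412]: query[AAAA] cache.iridiumbrowser.de from 192.168.1.50
Jun 10 12:07:40 dnsmasq[412]: query[A] telemetry.example.com from 192.168.1.51
Jun 10 12:30:02 dnsmasq[412]: query[A] cache.iridiumbrowser.de from 192.168.1.50
Jun 10 12:31:19 dnsmasq[412]: query[A] update.example.net from 192.168.1.50
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)\s*$")


def audit_queries(log_text, client_ip, expected_domains):
    """Split one client's DNS queries into expected and unexpected names.

    expected_domains lists the domains the vendor documents (here the
    Safebrowsing cache host). A name counts as expected only if it equals a
    listed domain or is a subdomain of it, so look-alike names such as
    cache.iridiumbrowser.de.example.net are not waved through.
    """
    expected, unexpected = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("client") != client_ip:
            continue  # skip forwards/replies and other machines
        name = m.group("name").lower().rstrip(".")
        known = any(name == d or name.endswith("." + d) for d in expected_domains)
        (expected if known else unexpected)[name] += 1
    return expected, unexpected


if __name__ == "__main__":
    ok, odd = audit_queries(SAMPLE_LOG, "192.168.1.50", ["cache.iridiumbrowser.de"])
    print("documented:", dict(ok))
    print("needs explaining:", dict(odd))
```

Queries sent over DNS-over-HTTPS never reach the local resolver, so an empty "needs explaining" list is only meaningful if the browser's secure DNS setting is off during the test.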
Simply put... The lack of updates for Iridium makes it a big security issue.
To keep things clear, Iridium's lack of updates does not come from its removal of "automatic updates." The lack of updates stems from the developers simply not updating and implementing the newer versions of Chromium's source code.
This is critical seeing as many browser exploits are geared towards Chromium - it's the most popular browser engine used today and therefore is the primary focus of many malicious actors.
The regular security updates to Chromium fix known security issues. When these updates are not applied, your browser remains open to these security issues that would otherwise be preemptively solved by implementing the most recent update(s).
The potential severity of some security issues completely outweighs any privacy/security benefits that Iridium supplies to the user over a non-privacy-friendly browser such as Google Chrome or Microsoft Edge.
The lack of updates to Iridium is evidenced on the Iridium browser's website:
And on Iridium's GitHub:
For reference, at the time of this review the latest Chromium update is 91.0.4472.101.
As shown on the official Iridium browser website, the most up-to-date version of Iridium is based on Chromium ver 88.0.4324.182 and apparently only available for openSUSE.
However, as you can see, for other operating systems such as Windows or Fedora, the latest version of Chromium used is ver 85.0.4183.83! Plainly speaking, that's about 7 or 8 months worth of missed updates.
Even if the developers update Iridium to the most recent Chromium version after the publication of this review, a question still remains - will they be able to complete timely updates in the future? That's the crux of the issue here.
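The version gap described above can be checked mechanically for any Chromium fork. The following is an added example, not part of the original review: it uses the three version numbers quoted above, while the User-Agent string, the inventory labels and the 91.0.4472.10 entry are constructed.

```python
import re

# Finds a four-part Chromium version in a User-Agent, in "Chromium x.y.z.w"
# text, or as a bare version string.
VERSION_RE = re.compile(r"(?:Chrome/|Chromium[ /]|^)(\d+)\.(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(text):
    """Return (milestone, minor, build, patch) as ints, or None if absent."""
    m = VERSION_RE.search(text.strip())
    return tuple(map(int, m.groups())) if m else None


def audit(inventory, latest_text):
    """Map each label to (status, milestones_behind) against the reference."""
    latest = parse_version(latest_text)
    if latest is None:
        raise ValueError("reference version is not parsable")
    report = {}
    for label, text in inventory.items():
        v = parse_version(text)
        if v is None:
            report[label] = ("unknown", None)  # cannot vouch for this build
        elif v >= latest:
            report[label] = ("current", 0)
        elif v[0] == latest[0]:
            report[label] = ("patch-behind", 0)  # same milestone, older build
        else:
            report[label] = ("milestones-behind", latest[0] - v[0])
    return report


# Versions quoted in the review, plus constructed entries for the edge cases.
INVENTORY = {
    "iridium-windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36",
    "iridium-opensuse": "88.0.4324.182",
    "same-milestone": "Chromium 91.0.4472.10",  # constructed
    "unreadable": "n/a",                        # constructed
}
LATEST = "91.0.4472.101"

if __name__ == "__main__":
    for label, (status, lag) in audit(INVENTORY, LATEST).items():
        print(f"{label:18} {status:18} {lag}")
```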
Spotty Extension Support
Iridium has very "meh" extension support. This can be a problem when trying to install any kind of trusted extension - especially trusted privacy extensions.
While Iridium has many good privacy/security tweaks, the lack of extension support really harms its flexibility/hardening capabilities outside of all the settings within the browser itself.
Fortunately, I found that you can install some extensions like LocalCDN manually.
I was able to accomplish this by following our write-up on installing extensions manually on Ungoogled Chromium - but it works for many Chromium based browsers such as Iridium. Method 2 gives the best chances for success.
However, you should be aware that Iridium just doesn't play well with extensions all around - functionality of installed extensions may suffer while using this browser.
Final thoughts
Iridium's biggest pitfall is that it doesn't even remotely keep up with recent Chromium updates. This makes it a huge security liability - any privacy benefits gained from using this browser go out the window due to the substantial lack of updates.
Because of this, it's extremely hard for me to recommend this browser for anyone.
Fortunately, there are other Chromium browsers that regularly keep up with the updates (especially the security patches) pushed by the Google-led Chromium Project.
For users that want an experience very similar to what Iridium offers, but that features even more de-googling, more/added privacy and security tweaks, and keeps up with Chromium updates, there is the Ungoogled Chromium Project.
For users looking for a more user-friendly and better privacy out-of-the-box solution (albeit with some important caveats), there is the Brave browser.
For power users looking for a browser that offers a lot of practical functionality but is still fairly privacy-friendly, there is the Vivaldi browser.
These are just a few examples; you can easily find other privacy-friendly Chromium browsers over at the avoidthehack! Privacy Browser Comparison Tool.
This concludes avoidthehack's Iridium browser review. As always, stay safe out there!