1 Month with the Midori Web Browser
Updated March 5, 2014.
This site is no longer being maintained so anything below could still be accurate, or very outdated.
I have no personal affinity for a specific internet browser. I indulge in all the major choices and I am annoyed by their shortcomings all the same. It makes bookmark management a nuisance but is variety not a spice of life? In the spirit of trying new things, I installed Midori on a machine running Ubuntu 13.10 with the goal of displacing as much of my web browsing to there as possible for the next 4 weeks.
Before committing to the apt-get, I knew almost nothing about Midori and my expectations were generally tepid. But to my surprise, though I spent a month with the browser, Midori only needed 2 days to knock me into shock and awe. Around every new corner was something impressive and unexpected. Sure, there were hiccups along the way but my overall browsing experience was quite glorious.
Midori is a FOSS project supported by not much more than a few handfuls of people and a relatively small user base. Born from the Linux world, it shares the "...XFCE philosophy of making the most out of available resources” and you can have Midori on any Linux distro you’d like, and Windows 7 & 8.
Midori is a WebkitGTK+*** core with a GTK+ interface which behaves like a chimera of Chromium, Firefox and Safari. You should feel right at home with toolbar and menubar customizations, familiar right-click menu entries, Speed Dial, easy bookmark management and various settings for tab behavior, including pinning and a vertical tab column. Midori gives you an element inspector so you can see everything on a page from HTML to locally storage items; you can create multiple browser profiles and desktop launcher shortcuts for specific websites.
Midori was started in 2003 but as we end 2013, it’s a throwback to the days when browsers were not suites of services which amount to mini operating systems all their own. Midori is a web browser and you won’t find vast add-on stores, inseparable OS integration, advanced debugging features or perfect mobile device solutions.
To put it another way, Firefox is a thick and hearty 10.2 million lines of code (at the time of this writing) while Chromium, in all its complexity, is 7.1 million. Midori is a scant 56,882 lines of mainly C and then Vala, including extensions. Its use is slightly more confined but dramatically more focused and there’s no denying Midori does a lot with very little. Here are some of the more prominent cliffnotes.
What Midori Has
- Launch speed on par with Chromium.
- Browsing speed competitive with the current top browsers.
- HTML5 media codecs through GStreamer.
- Process isolation for Adobe Flash and other Netscape plugins (with nspluginwrapper).
- Support for HTTPS connections using TLS 1.2 and forward secrecy with 256 bit DHE_RSA.
- Support for HTTP Strict Transport Security.
- Spell checker.
- Cross-site scripting protection.
- An ad blocking extension which uses any list for Adblock Plus & friends.
- Private browsing mode.
- Integration for mobile device connectivity via a GTK+ 3 API.
- RSS feed handler.
- DNS prefetching.
- Userscripts extension (think Greasemonkey).
- Option to restrict HTTP header referrers.
- Control+Shift+Delete for private data management (clear cookies, cache, history, etc.).
- Optional user-defined user agent string.
- Custom keyboard shortcuts.
- Priority for TLS using AES-128 with SHA1 over AES-256 and SHA2 (not a good thing).
What Midori Does Not Have
- Finer process isolation like Chromium based browsers.
- Refined CPU use.
- TLS cipher suites using elliptical curve cryptography, AES-GCM or SHA3.
- No phone-home properties or metrics reporting (a good thing).
- Unique identifiers (a good thing).
- Click-to-play plugins.
- Universal cookie blocking for all sites.
- TLS certificate warnings.
- A way to disable RC4 cipher suites.
- DRM support for HTML5 (can be both a good and...let's say, not so good thing).
- Do Not Track request (really doesn't matter).
- Addons or extensions beyond what’s already provided, plus some userscripts.
Midori in Numbers
The Debian 7 and Ubuntu 13.10 repositories currently serve a stale Midori 0.4.3 so I went straight to Midori’s official stable repository for version 0.5.6. I suggest you do the same because there are many bug fixes and feature additions like WebGL support and extension improvements, plus with the official PPA, you’ll always have the most updated version of the browser. Midori weighs in at just under 42 MB of used disk space and 5 packages for browser and dependencies.
I ran Midori through some benchmarks against Chromium 31 and Firefox 26, all the current stable releases in the repositories. I ran each test once and just listed the final result without error variance or much concern for making a watertight dataset (we all know benchmarks are indicators, not absolute truths, right?).
The tests were a roundup of Webkit Sunspider, Mozilla Kraken, Futuremark Peacekeeper, Righware Browsermark, Impact HTML5 and WebVizBench. Then I compared the memory and CPU use of the three browsers with Top and Gnome System Monitor. The hardware was a laptop with an Intel i5-2467M CPU, 8 GB of RAM, a 5400 RPM HDD and only Intel graphics; this on a 1.5 Mbps internet connection.
Midori ships with Flash disabled by default so I enabled it to be on even ground with Chromium and Firefox. Otherwise, all three browsers were using 100% default settings and there were no external restraints like AppArmor, GRSecurity or an mms.config file.
Going by the graphs above, Midori’s performance is more evenly matched with Firefox than Chromium but our underdog impressively holds its own against two of the most advanced browsers available. Next up are the resources tests. Similar to how Tom’s Hardware does in their Web Browser Grand Prix, I opened up one tab in each browser and took a memory reading (that 1 tab was midori-browser.org). Then I opened 25 more tabs (one at at time), one for each of Alexa’s top 25 ranked news sites.
Here I hit a snag, Adobe Flash (version 188.8.131.522) proved once again to be among the woes of browsing existence, and to the extent that Firefox would not even load cnn.com without completely locking up. Even in Chromium, Flash crashed like crazy, leaving me with partially loaded pages and zombie processes so I finally disabled it. The results below for memory and CPU are with the solace of zero Flash interference but again, the benchmarks shown above are with Flash enabled.
Midori’s memory use landed about one-third of the way between Chromium and Firefox which is nothing to be ashamed of. Midori also loaded all tabs on the first try whereas Firefox and Chromium both had 2 tabs (Forbes and Times of India, respectively and then ABC News for both) which just spun the throbber animation waiting for scripts from Doubleclick and Facebook. Stopping the page load and refreshing the tab eventually gave me the full site.
Concerning CPU use though, Midori did not satisfy. When pushed past 10-12 open tabs, Top reported Midori hogging between 108 and 123 percent CPU availability. In contrast, Firefox fluctuated between 10 and 34 percent and Chromium sipped daintily from the Intel fountain, taking only 2-9 percent. Remarkably, this high CPU use did not affect Midori’s stability or responsiveness and CPU reduced to sane numbers when the amount of open tabs dipped under that dozen or so cutoff number.
Midori in Real Life
Day to day use of Midori feels pretty much the same as with Chromium and Firefox. Since Midori runs from all one process, I was initially concerned that one tab would, for whatever reason, eventually crash and wipe out the entire browsing session but this didn’t happen. Midori showed its stability, even with Flash. Startup times I did not measure but I found Midori slightly but noticeably faster than Firefox and ‘felt nearly even’ with Chromium.
I did encounter the high CPU use a few times in normal browsing but it’s more dependent on the site content of your many open pages, not strictly the amount of tabs. There were sessions where I had 15+ tabs and CPU was in the area of 18-20 percent and playing Flash or HTML5 video resulted in about the same.
I did not encounter any page rendering issues with Midori. Every time I thought I may have found one, I loaded the same page in Chromium only to find it was a CSS problem with the website, not a wrongdoing of the browser. Midori reliably showed me pages as accurately as I expected to see them in Chromium (Webkit is closer to Chromium’s Blink than Firefox’s Gecko). I also had several people try out their social network pages in Midori. Though it was only a brief rummaging around as opposed to testing every feature available, the Facebook, Twitter, vKontakte and Spotify users I granted privilege to enter my trial all reported their profiles behaved normally.
Managing bookmarks in Midori is rather similar to the other browsers with the exception of being able to create folders for bookmarks; you only get one long list of sites. I thought Midori could use a "Copy" context menu entry when you right-click on a bookmark to copy the URL to the clipboard. Midori can import bookmark lists as .html or .xbel files and exports as .xbel. Both Chromium and Firefox have a Restore Previous Session menu selection which opens multiple tabs at once so you don’t need to pick through the history after a browser crash, logout or reboot. Midori can do this but only as a new tab option which must be pre-set in the program preferences, it’s not something you can select from a menu whenever you want it. On the subject of browser history, Midori’s history searching was great, accurately finding what I wanted from many hundreds of stored pages, something Chromium needs much improvement with.
I was happy to see that Midori let me specify the search engine’s URL exactly as Chromium does without needing to tinker in XML files like with Firefox. You can add any number of search engines and have them available with a keyword or key-letter you choose. Another pleasantry is that Midori has a right-click option to duplicate a tab, something I wish Firefox has.
The Private Midori
Midori’s settings and preferences sound an undertone of classical user choice and privacy, and all with fresh out of the box settings. By default, Midori does not accept 3rd party cookies, DuckDuckGo is the search provider and referrers are stripped down to only the top-level-domain, though of course these things can be changed if you want. Then there’s HSTS, always enabled and you can add sites to a file in ~/.midori/hsts for your user or /etc/xdg/midori/hsts for everyone.
If you stumble onto a website which wants your geolocation info (via GeoClue), you will be asked to allow or deny that site your whereabouts. You'll also be asked if sites can save local databases. Midori is capable of secure connections by TLS 1.2 and forward secrecy so you should have no issues using Midori for login services. Midori uses Webkit’s XSS auditor for cross-site scripting protection and the browser isn’t capable of sending or receiving pings.
Midori does not prefetch page data but it does support DNS prefetching. It’s disabled by default but can be enabled in ~/.config/midori/config. Here’s the result of running Tobias Klein’s Checksec script against Midori’s binary:
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/bin/midori
Further with the retro feel, Midori does not indefinitely store cookies and browsing history. Just as with Firefox and Internet Explorer in times past, Midori lets you specify a duration after which browsing history and cookies will not live beyond. Choices range from 1 hour to 1 year and various points between.
Peering into the aether with Wireshark showed me that Midori does not phone home to anywhere when left unattended. Rather than OCSP checklists, Midori uses the system’s ca-certificates package for SSL certificate validation. Midori’s bundled extensions are updated with the browser itself while Flash, Java and so on still receive their updates through your distro’s repositories.
Midori unfortunately has no way to universally block cookies on all websites. Version 0.5.6 with its two cookie management extensions give you superb cookie control but why stop there? Yes, disallowing all cookies breaks some sites. Add an exception, problem solved. Friends don’t let friends accept cookies from any and every website on the internet.
Midori does not have a Do Not Track request option either but Evidon, the creators of the Ghostery extension for Chrome and Firefox, run monthly reports estimating the effectiveness of various tracker blocking methods. Do Not Track alone consistently appears at the lower end of the scale for tracking protection (which should come as no surprise considering how DNT is entirely optional for advertisers). Using Midori’s Advertisement Blocker extension will far surpass a DNT cookie so if you care about blocking ad tracking, that’s the way to go.
Plugins & Extensions
So what of these extensions I’ve been mentioning? Midori has no add-ons or web stores like the big browsers do. Instead, you get 21 extensions baked in to the program which add some very appreciated benefits. The Advertisement Blocker will work with any Adblock Plus-format blocklist. It’s basic but functional and blocks ads from loading in the page rather than merely omitting them from view.
Further blurring the lines between plugins and extensions, under the Extensions tab is where you also find your Flash, Java and media player plugins for Divx, Quicktime and such things. Anything under the Extensions tab can be independently enabled or disabled but unfortunately there’s no click-to-play feature and no way to whitelist or blacklist plugins by site.
As for the remaining extensions, there’s a form filler, RSS reader, a few download managers, custom keyboard shortcuts, mouse gestures and other things which cater to variety and personal preference. Then there’s an extension for user scripts and CSS styles which give you even more customization. See http://userscripts.org.
What I Didn’t Like
Not all was sunshine and kittens during my Month o’ Midori. Several things did impede upon my happiness and you can check out Midori’s open bugs on Launchpad. Fortunately I found nothing to be an outright showstopper and most of the weird phenomena I encountered were either trivial or not noticeable in casual browsing.
Midori in Windows
I went for the installer over the portable version but my Midori experience on Windows 7 was nothing like in Ubuntu. Midori’s font rendering was not as smooth, not easy to read compared to Chrome. To the right are screenshots of Chrome and Midori in Windows 7 and then Midori in Ubuntu, all on the same computer, all with default font settings.
Launching Midori in Windows for the first time oddly tries to open a tab with a DuckDuckGo search for itself. DDG is the default but it’s weird that this triggers a search query, and this tab locked the browser up. After enough failed attempts, I closed Midori through the Task Manager, restarted and did a Control+W to stop the tab from loading. Midori in Windows also took noticeably longer to load pages than Chrome.
Midori generally stalled often too, but do keep in mind that I only spent about an hour total with Midori in Windows. It runs at a medium integrity level so consider locking Midori down further with EMET.
Higher Resource Usage
Back in Ubuntu, Midori’s CPU use continued to occasionally be rough around the edges compared to Chromium and Firefox. Sometimes with a light tab load (3-10) and even while minimized, Midori was constantly using about 4-6 percent CPU. In contrast, Chromium and Firefox reliably used 0-0.7 when minimized to the background. Other times, with a light tab load of different sites, Midori properly released CPU cycles and went to sleep. The recurring theme seemed to be that Midori’s CPU use is very sensitive to page content.
The Ad Blocker
The Advertisement Blocker extension is no substitute for Chrome or Firefox ad blockers. In Midori, you can add or remove entire blocklists but that is all; you can not add site exceptions of any kind. This resulted in difficulty managing images in WordPress and of course you can’t enable ads on sites you want to support through advertising revenue. The blocklists also never updated. They're downloaded when you switch the extension on but they're never refreshed beyond that point.
But regardless of with or without that Annoyance list, Startpage.com consistently behaved in a way that showed Midori’s on before request method of blocking didn’t always work properly. If I searched for something using Startpage, using only the default supplied Easylist and EasyPrivacy, the results page showed the paid recommended results at the top for about a second before quickly removing them. This was regardless whether I had Startpage in Midori as a search engine or if I searched from startpage.com. Also, sometimes Youtube would play advertisements in Flash videos for a few seconds before cutting them off and jumping to the the main video.
TLS Certificate Handling
One thing I really didn't like is how Midori handles untrusted TLS certificates. Basically, it does not. There's no warning page like with the other major browsers, Midori just lets you right in and the only thing different is a very small 16 pixel icon in the left side of the address bar. Clicking on the icon will say the certificate is self-signed, outdated or non-verifiable, but it's too easy to not notice the icon change. Also Midori tells you nothing more about the certificate itself, no hashing, no CA info, only that the connection is verified and encrypted.
Managing Multiple Browser Profiles
First, you can’t name them so you’re stuck with multiple users on the computer identifying their Midori profile through a random string like 2390afr9iu3409matai9034qko3irf. You could probably set desktop shortcuts for Midori to launch into a specific profile, then name that shortcut for each user.
Second, Midori’s file hierarchy gets weird if you start introducing multiple profiles. The primary profile is located in ~/.config/midori but additional profiles spawn in ~/.local/share/midori/profiles, including all the extensions, preferences and everything else; it’s a near clone of the main profile’s filesystem in ~/.config. This made profiling Midori with AppArmor for multiple browser profiles a pain in the ass and I imagine it would add unnecessary complexity to the code base as well. I think it would be better to continue with the Chromium/Firefox influence here and keep all profiles in one location with their own subdirectories.
General Issues and Breakage
Unless you use the nspluginwrapper, private browsing sessions are the only thing for which Midori starts a separate running process (it’s a separate .desktop file). Problem was, those processes never fully died after the private window was closed. PS reported they were “defunct” and they only disappeared when the non-private browser window was also closed. This didn't seem to affect the main window’s stability and you can launch up another private session with no problems (which, when closed, will add another zombie process), but it’s an issue nonetheless.
The data download speed in the Transfers window always showed as “0 bytes/s” during downloads. Midori’s spell-checking is enabled by default but it didn’t work for me. When I right-clicked on a misspelled word, there was no list of correct spelling suggestions. I had to change the spelling myself (I know, first world problems). Control+Alt+S is supposed to be the key combination to open the search engine manager. Instead, this caused Midori’s window to roll up to only the title bar. The only way I could access the search manager was through the Tools menu.
There were some broken icons no matter which icon set I was using (Humanity, Faenza, Gnome), one for the HTTP connection image (the leftmost icon in the address bar), one for the NoJS shortcut in the Statusbar Features extension and a few more in the Preferences window. Oh, and Midori crashed twice while trying to publish this article. Methinks Midori doesn’t like WordPress, but then...neither do I.
Level Up Your Midori-Fu
For you, dear readers, I made an AppArmor profile for Midori using version 0.5.6. It’s delicately restrictive while still letting the browser do what it must, but it’s just to get the ball rolling. You’ll need to fine-tune this for your preferences and setup (including earlier Midori releases) but 95% of the work is already done for you. See the README here for more on that.
Midori uses OpenSearch URLs for search engine entries and adding your own is exceedingly easy. More on that here. Midori’s cache size defaults to 100 MB but can be changed in the Preferences. If you want to put that cache in RAM to speed up access to it, the best way to do so is to mount the cache location in fstab. Why fstab over the export XDG_CACHE_HOME method? Because the XDG option moves your entire user account’s cache to tmpfs and not everything in ~/.cache is meant to be flushed on shutdown. Midori’s web content cache is located at ~/.cache/midori/web and the local storage databases are kept int ~/.local/share/webkit/databases. For further info on fstab mount option magic, see tSc’s very own fstab guide.
Midori holds hidden nectar in the config files located at ~/.config/midori/ so don’t forget to browse through there. Some extra things you can do include enabling DNS prefetching, disabling the weird window flicker when you open a new tab in the background and changing the position and amount of speed dial tiles.
Midori, Je t’aime Bien Encore!
Thirty days later, I found few things with which to truly fault Midori with my needs. Yes, using the browser in Windows 7 wasn’t enjoyable, it felt a bit like transplanting the head of a penguin onto the body of a walrus. Superficial tastes aside, it doesn’t actually look bad and to remind, I spent vastly less time on Midori in Win 7 than Ubuntu. Yet even from that small taste, I still found performance and stability were lacking.
But Midori’s roots are in Linux. It's there where the browser is most mature and that’s where my focus is and has been from the beginning. Thus in Ubuntu, I found Midori’s biggest issues boiled down to irregular CPU use, some random though rare segfaults and one thing which needs to be addressed is fully updating the TLS cipher suites. The few other quirks like the spell checker should be relatively easy fixes and the rest of my issues come more from personal preference and nitpicking than forum for the good of many.
So my verdict? Despite its shortcomings, Midori is still an excellent application. If your browsing and extension needs are on the simpler side, then Midori could be a comfortable primary browser. Otherwise it’s a very capable supplement to one of the bigger names. Thus if you’re on Linux, do not hesitate to try Midori’s latest release. It’s all-around pleasing to use and wonderfully exemplifies how you don’t need enormous amounts of resources and revenue to create exceptional software.