this post was submitted on 14 Oct 2024
291 points (94.2% liked)

Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.


I am currently doing a deep dive into whether or not Chromium is more secure than Firefox, and I will make a very long and comprehensive Lemmy post outlining my findings with specific sources. I expected this to take a few days, maybe a week, but after finding out many of the claims for both sides give no real sources, I expect this to take a month or longer. I will be reaching out to multiple first-party sources (Mozilla, GrapheneOS, etc.) to get their detailed statements on the matter. I want to provide something that actually covers the full picture of the issue with up to date sources, to hopefully put this to rest for anyone who doesn't want to do the research.

I'm making this post in case anyone wants to provide any extra resources they have about the issue. Do not fight about this issue in the comments, save that until after I am able to release my work. I'm tired of the constant back and forth about this with little to no direct sources. This means that my other project, Open Source Everything, will be put on pause. The FAQ section of that very project is what sparked this, because I realized the issue was far more complex than I outlined in there. (Don't trust the information in the FAQ just yet: it is still in the works.)

As always, don't just give blind support to this just because I am making promises, but if you feel your support is needed then by all means go for it.

If any of you want me to turn this post into an update log, let me know and I will.

[–] [email protected] 104 points 2 days ago (2 children)

Secure from what exactly? You need to have a threat model here. For most personal use cases I'd argue that protection from adtech tracking is more important than e.g. sandboxing. Most people run into adtech continuously, but few people browse shady exploit-ridden sites.

In that case, Firefox is the clear winner. It supports manifest v2 for better adblocking, and it is the only mobile browser with extension support, allowing you to use adblocking on mobile as well.

[–] [email protected] 17 points 2 days ago* (last edited 2 days ago) (1 children)

Secure from what exactly? You need to have a threat model here.

Which is funny, because developers use "secure" like this all the time as a way of scaring users into compliance for any changes they implement. If they voiced aloud what the actual threat was, they'd have to admit that often it's the user's freedom they're afraid of. The user may do something stupid, therefore their ability to do it is dangerous for everyone.

They'd remove the front door on your home and call it more secure, all because some people don't lock it.

[–] [email protected] 8 points 2 days ago

They wouldn't remove your front door, they would install their own lock on it and charge you for the privilege of using it.

[–] [email protected] 1 points 2 days ago

See Update 1 for answers and clarification.

[–] [email protected] 7 points 2 days ago

Don't waste time on pandering to proof of ability when actions speak louder than words. The release of your research is personally something I'm looking forward to regardless of your history or experience. I will interpret your research and evaluation with my own bias and sceptical stance. I'd rather question you afterwards if your article left questions unanswered or unclear.

Jumping the gun now and questioning you before we start just wastes both our time.

Good luck with your research!

[–] [email protected] 29 points 2 days ago

Beyond technicalities, there are social and political issues. Is it secure for the long term of humankind to use a browser which is one of the tentacles of one of the biggest companies in the world, which monopolizes the internet and relies on selling private people's data?

[–] [email protected] 66 points 3 days ago (4 children)

Ultimately, in terms of security, you're likely to find that both are similarly good.

What makes Firefox desirable over Chrome is that it's not being developed by a massive corporation that gets the majority of its profits from selling user data and delivering targeted adverts.

The other thing that may act as a deciding factor is the "macOS doesn't have viruses" effect: because Firefox has such a small userbase in comparison to Chromium, it's far more profitable to find exploits in Chromium.

[–] [email protected] 16 points 2 days ago (3 children)

Chrome executes arbitrary code from google.com (this wasn't something widely known until recently and appears to affect all the Chromium downstream browsers). This sort of back door and the design approach that made Google do this means you can never really trust Chrome. The same issue with Firefox would be a bug; in Chrome it's a feature.

[–] [email protected] 12 points 2 days ago

Chrome executes arbitrary code from google.com (this wasn't something widely known until recently and appears to affect all the Chromium downstream browsers).

I hadn't heard about that. Can you link me to some info about it?

[–] [email protected] 19 points 3 days ago (1 children)

What makes Firefox desirable over Chrome is that it's not being developed by a massive corporation that gets the majority of its profits from selling user data and delivering targeted adverts.

This is a separate issue of being able to trust developers, which is not being covered here. Projects like ungoogled-chromium exist, after all. I will be inspecting the software as a whole, and not any future interference that may happen.

[–] [email protected] 24 points 2 days ago (4 children)

It isn't just about ungoogling things though. Having a monoculture in the browser space means that if Google makes a push to favor ads, say by removing certain extension support from their browser engine that everyone uses, then the entire internet suffers. It is effectively a monopoly.

Mozilla tries really hard sometimes to be unappealing, but there is value in not just letting Google have full control over the internet.

[–] [email protected] 3 points 3 days ago (1 children)

It would be no surprise if Chromium is more secure but Firefox is more private.

[–] [email protected] 5 points 2 days ago

Leaking privacy isn't secure.

[–] [email protected] 29 points 2 days ago (2 children)

first off, I have serious doubts that any one dude - or even a group of those for that matter - can ascertain the security of such a complex system; a browser is essentially an operating system, with all the layers and complexities that entails.

even if you're somewhat successful in such an endeavor, I don't really care if it potentially is. chromium comes from those shitmakers and I'm not willingly using anything they had their nasty fingers in. they threw one shovel of shit too many on the heap and they are now forever on my ignore list. if that means that I don't get to access certain domains, sites, and/or apps - so be it, I'll make do without.

[–] [email protected] 1 points 2 days ago

See Update 1 for answers and clarification.

[–] [email protected] 34 points 3 days ago* (last edited 2 days ago) (1 children)

When you start studying a topic like this, you need to define some terms clearly. For example, if hackers grab your passwords, is that a breach in privacy, security or both? If Google is stalking you and knows your every move, desire and plan, what does that violate?

Once you have clear definitions for these things, it would be more helpful to see how different browsers compare on this scale.

[–] [email protected] 14 points 3 days ago (1 children)

I agree, and this is no easy task. For now, I am hoping I can gather information and let some of the pieces fall together before I can begin making hard decisions.

[–] [email protected] 6 points 2 days ago* (last edited 2 days ago)

You are probably already aware of this, but it is worth noting that categorisation needn't have hard boundaries, e.g. Lack of Privacy may not translate to lack of Security for everyone, but for example, a whistleblower, that can literally mean getting Boing'd

[–] [email protected] 9 points 2 days ago (1 children)

OOTB Firefox is a security and privacy concern.

But it allows for nearly unlimited tweaking, modding, blob removal, etc., which many serious threat-model browsers are based on, e.g. Tor.

If the Tor browser is less secure than chromium, there are potentially devastating consequences for some very at risk people.

Will you be analyzing forks such as tor and mull?

[–] [email protected] 4 points 2 days ago

Will you be analyzing forks such as tor and mull?

Yes.

[–] [email protected] 16 points 2 days ago (1 children)

Are you a single person or a group of people? Do you have any credentials that you'd like to share that might give some context to your research?

Where is the quote in your bio from?

[–] [email protected] 1 points 2 days ago (1 children)

See Update 1 for answers and clarification.

[–] [email protected] 2 points 2 days ago* (last edited 2 days ago)

Thank you. That answers my question. I figured you wanted to remain anonymous, but I liked your answer and I'll be interested in what you find.

I was trying to word my initial post in a way to prevent you from becoming defensive, perhaps I failed. Though, I do feel quoting yourself is a bit... gauche, no? Especially since you are remaining anonymous.

[–] [email protected] 8 points 2 days ago

"You can't download more ram if you don't see the ad"

[–] [email protected] 14 points 3 days ago (1 children)

AFAIK, the main difference is that Firefox's process isolation on Linux specifically is incomplete. They're working on fixing that.

[–] [email protected] 14 points 3 days ago (1 children)

This is allegedly also true for Firefox on Android, which I will be investigating in this topic.

[–] [email protected] 1 points 2 days ago

Yup, makes sense, since Android is also Linux

[–] [email protected] 7 points 2 days ago

I'd enjoy an update log personally.

[–] [email protected] 12 points 3 days ago (1 children)
  1. Do you have your current list of sources? You mentioned you want more, but where are you looking to start? For example are you looking at the CVE database? Are you looking at competitions like Pwn2Own? Or detailed project group like Google Project Zero?
  2. Is it fair to compare Chromium, which is not an end user product, to Firefox which is? Do you plan to look at or compare forks of the software? As an example both Google Chrome and Mozilla Firefox enable "Google Safe Browsing" by default, however the fork "ungoogled-chromium" does not include "Google Safe Browsing" (and they provide their reasoning).
[–] [email protected] 8 points 3 days ago* (last edited 3 days ago) (1 children)

Fantastic questions! Thank you for asking.

Do you have your current list of sources?

The answer to this is a bit complicated: I had a list of sources, but many of them were not primary sources, and so I am currently in the process of recollecting sources and better categorizing them. I'm currently collecting as many different types of sources as I can, and I will find out what is actually useful later.

You mentioned you want more, but where are you looking to start? For example are you looking at the CVE database?

CVE databases will be some of the primary sources I will use in the article, and I may even try to get in touch with the individuals who documented some of the CVEs. I can't make any promises about that, though.

Are you looking at competitions like Pwn2Own? Or detailed project group like Google Project Zero?

I am not familiar with these yet, so I will look into them.

Is it fair to compare Chromium, which is not an end user product, to Firefox which is? Do you plan to look at or compare forks of the software?

For the sake of clarity in this post I used "Chromium" and "Firefox" to simplify what I am doing for users who aren't as aware of the fine details. I will be comparing a wide variety of projects, such as Chromium, Vanadium, Brave, ungoogled-chromium, whatever hardened Chromium Secureblue uses, etc. to a variety of Gecko-based projects such as Firefox, the Tor Browser, Mullvad Browser, and other varieties I may be unfamiliar with. These will be compared on their various platforms, such as Windows, macOS, various Linux distros (where available), iOS, Android, and special cases such as Qubes, Tails, and Firejail. Essentially, I want to compare what the most and least secure varieties of each browser pose, and make observations from there.

As an example both Google Chrome and Mozilla Firefox enable “Google Safe Browsing” by default, however the fork “ungoogled-chromium” does not include “Google Safe Browsing” (and they provide their reasoning).

As far as I currently know (and please note I am still in the early research stages), Google Safe Browsing is a feature that primarily affects privacy and is more of a failsafe. For one, it warns you about malicious websites. This is a failsafe for users who are not aware of which websites are malicious. This isn't directly a security protection, but rather a security "suggestion" for non-advanced users. It also sends data to Google to report websites, which mainly affects privacy. I'm pulling most of this from my head, and so I may be off base with this. Either way, it will not be the main focus of this, as it doesn't matter if Google Safe Browsing is safe or not if it can simply be disabled. I plan to mainly focus on sandboxing issues with Firefox and any related topics that sprout up from that.

[–] [email protected] 2 points 2 days ago

Re Google Safe Browsing

I would argue it's a security feature with potential privacy concerns, however I would agree it is more of a failsafe or suggestion.

However it being disabled by default or not included at compile time versus enabled by default may also be relevant when it comes to security. As a hypothetical a high severity bug with Google Safe Browsing could arguably make a browser less secure. However even as a failsafe/suggestion, the small security benefit may make the overall browser more secure, e.g. filtering known bad websites that attack known vulnerabilities.

I'm also just using Safe Browsing as an example here, it may or may not be worth focusing on since a browser is basically an operating system.

You mentioned sandboxing, which I think is perhaps a more reasonable scope.
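The two comments above treat Safe Browsing as a privacy cost bundled with a security benefit. The code below is an added illustration, not from anyone in this thread, of the mechanism behind that trade-off: the Safe Browsing Update API keeps only short hash prefixes on the device, and a prefix is sent to the list provider only when a local match occurs, so the provider never sees a full URL, only a 4-byte prefix that could correspond to many URLs. The canonicalization rules are a simplification of Google's (IP-literal hosts and percent-encoding are ignored), and the blocklist entries are constructed placeholders, not real Safe Browsing data.

```python
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit

PREFIX_BYTES = 4  # the Update API ships 4-byte hash prefixes to clients


def url_expressions(url: str) -> list[str]:
    """Host-suffix x path-prefix expressions for a URL (simplified Safe Browsing rules).

    Hosts: the full hostname plus up to four suffixes built from its last five
    labels, never the bare TLD.  Paths: the path with query, the path alone, and
    directory prefixes from "/" downwards (at most four).  IP-literal hosts and
    percent-encoding rules from the real spec are ignored here.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"

    hosts = [host]
    tail = host.split(".")[-5:]
    for i in range(0, len(tail) - 1):
        cand = ".".join(tail[i:])
        if cand not in hosts:
            hosts.append(cand)

    paths = []
    if parts.query:
        paths.append(f"{path}?{parts.query}")
    paths.append(path)
    dir_prefixes, prefix = [], "/"
    for seg in path.split("/")[1:-1]:
        dir_prefixes.append(prefix)
        prefix += seg + "/"
    dir_prefixes.append(prefix)
    for p in dir_prefixes[:4]:
        if p not in paths:
            paths.append(p)

    return [h + p for h in hosts for p in paths]


def full_hash(expression: str) -> bytes:
    return hashlib.sha256(expression.encode()).digest()


class Client:
    """What the browser holds locally: hash prefixes only, never URLs."""

    def __init__(self, prefixes: set[bytes]):
        self.prefixes = prefixes

    def local_hits(self, url: str) -> set[bytes]:
        return {full_hash(e)[:PREFIX_BYTES] for e in url_expressions(url)} & self.prefixes


class Server:
    """The list provider: holds full hashes and answers prefix queries."""

    def __init__(self, blocked_expressions: list[str]):
        self.full_hashes = {full_hash(e) for e in blocked_expressions}
        self.seen_queries: list[bytes] = []  # everything the provider learns about the client

    def prefixes(self) -> set[bytes]:
        return {h[:PREFIX_BYTES] for h in self.full_hashes}

    def lookup(self, prefix: bytes) -> set[bytes]:
        self.seen_queries.append(prefix)
        return {h for h in self.full_hashes if h.startswith(prefix)}


def check_url(url: str, client: Client, server: Server) -> tuple[str, list[bytes]]:
    """Return the verdict and the prefixes that left the device (empty = no request)."""
    hits = client.local_hits(url)
    if not hits:
        return "clean", []  # no local match, so nothing is sent anywhere
    expr_hashes = {full_hash(e) for e in url_expressions(url)}
    for prefix in sorted(hits):
        if expr_hashes & server.lookup(prefix):
            return "blocked", sorted(hits)
    return "clean", sorted(hits)  # prefix collision: queried, but not actually listed


if __name__ == "__main__":
    # constructed sample blocklist, not real Safe Browsing data
    server = Server(["malware.example/bad/", "phish.example/login.html"])
    client = Client(server.prefixes())
    for u in ["http://malware.example/bad/page.html?x=1", "https://shop.example/cart"]:
        verdict, sent = check_url(u, client, server)
        print(u, verdict, [p.hex() for p in sent])
    print("provider saw:", [p.hex() for p in server.seen_queries])
```

Running it shows the clean URL generating no request at all, while the listed URL causes only its matching 4-byte prefixes to be queried; `server.seen_queries` is the complete record of what the provider learns, which is the concrete basis for calling the feature a privacy cost rather than full URL reporting.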

[–] [email protected] 2 points 2 days ago

Anyone got a source on GrapheneOS recommending Brave?

[–] [email protected] 7 points 2 days ago

I don't use Chromium on Linux, because the times I tried it, I saw that it is not easy to close (its service stays in the background with an icon in the tray) and I saw that it consumes CPU as if it were doing some activity, cryptocurrency mining or similar. I suppose it would be easy to check, but I prefer not to waste time on it and I use Firefox. I'm lately trying Librewolf.

[–] [email protected] 6 points 2 days ago

I personally don't trust Google and Chrome enough to use it and I don't like the Manifest V3 stuff, but I am interested to stay in the loop. Please post updates!

[–] [email protected] 5 points 2 days ago

This may be a useful starting point. A few years old now but well researched and referenced.

[–] JackbyDev 3 points 2 days ago

A practical approach would be looking at CVEs for both, but more CVEs doesn't necessarily mean something was more insecure before.
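The comment above makes a point worth seeing in numbers: a raw CVE count is a poor proxy for how exposed users actually were. The script below is an added example, not from anyone in this thread, with a constructed dataset for two hypothetical products ("browser-a" and "browser-b"; the CVE ids are placeholders, not real CVE numbers). It summarizes each product by count, severity band (CVSS v3 qualitative ranges), known-exploited entries, unfixed entries and median time to fix, and shows that the product with more CVEs comes out worse on count but better on every exposure-related measure.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Iterable


@dataclass(frozen=True)
class CveRecord:
    cve_id: str         # placeholder ids, not real CVE numbers
    product: str
    published: date
    fixed: date | None  # None = no fixed release yet
    cvss: float         # CVSS v3.x base score
    exploited: bool     # listed in a known-exploited-vulnerabilities catalogue


def severity(score: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def summarize(records: Iterable[CveRecord]) -> dict:
    """Metrics that say more about exposure than the bare count does."""
    recs = list(records)
    fix_days = [(r.fixed - r.published).days for r in recs if r.fixed]
    return {
        "count": len(recs),
        "high_or_critical": sum(severity(r.cvss) in ("high", "critical") for r in recs),
        "exploited": sum(r.exploited for r in recs),
        "unfixed": sum(r.fixed is None for r in recs),
        "median_cvss": median(r.cvss for r in recs) if recs else None,
        "median_days_to_fix": median(fix_days) if fix_days else None,
    }


def by_product(records: Iterable[CveRecord]) -> dict[str, dict]:
    groups: dict[str, list[CveRecord]] = {}
    for r in records:
        groups.setdefault(r.product, []).append(r)
    return {p: summarize(v) for p, v in groups.items()}


def worse_by(summaries: dict[str, dict], metric: str) -> str:
    """Product that looks worst on a single metric (higher = worse)."""
    return max(summaries, key=lambda p: summaries[p][metric] or 0)


# Constructed sample data: many quickly-fixed medium bugs for browser-a,
# a few severe, slowly-fixed and exploited bugs for browser-b.
SAMPLE = [
    CveRecord("CVE-0000-0001", "browser-a", date(2024, 1, 10), date(2024, 1, 14), 5.3, False),
    CveRecord("CVE-0000-0002", "browser-a", date(2024, 2, 2), date(2024, 2, 5), 6.5, False),
    CveRecord("CVE-0000-0003", "browser-a", date(2024, 2, 20), date(2024, 2, 27), 4.3, False),
    CveRecord("CVE-0000-0004", "browser-a", date(2024, 3, 15), date(2024, 3, 19), 7.5, False),
    CveRecord("CVE-0000-0005", "browser-a", date(2024, 4, 1), date(2024, 4, 3), 5.4, False),
    CveRecord("CVE-0000-0006", "browser-a", date(2024, 5, 12), date(2024, 5, 20), 8.8, True),
    CveRecord("CVE-0000-0101", "browser-b", date(2024, 1, 20), date(2024, 3, 1), 9.8, True),
    CveRecord("CVE-0000-0102", "browser-b", date(2024, 3, 5), date(2024, 3, 30), 8.1, True),
    CveRecord("CVE-0000-0103", "browser-b", date(2024, 4, 10), None, 7.8, False),
]


if __name__ == "__main__":
    summaries = by_product(SAMPLE)
    for product, s in summaries.items():
        print(product, s)
    for metric in ("count", "exploited", "median_cvss", "median_days_to_fix"):
        print(f"worse by {metric}: {worse_by(summaries, metric)}")
```

On this dataset browser-a "loses" on count (6 vs 3) yet browser-b is worse on exploited entries, median severity, unfixed bugs and time to fix. The same pattern appears in real data whenever a project has a large bug bounty or fuzzing program: more reported, quickly patched CVEs reflect how much scrutiny the code gets, not how exposed its users were.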

[–] [email protected] 5 points 2 days ago (1 children)

Commenting and bookmarking for future updates. Thanks for your work!

[–] [email protected] 2 points 2 days ago
[–] [email protected] 4 points 3 days ago (1 children)

I feel like no matter what you publish people care more about how they feel than the actual facts.

[–] [email protected] 13 points 3 days ago

I feel like

I don't know if this was intentional or not, but I found it humorous.

In my drafts of the article I have made sure to include sections specifically pointing out that this is not a be-all-end-all, and it doesn't tell you what to do or what you can and can't use. In the end, people are free to use whatever they want. I am simply here to document and clarify some perceived issues.

[–] [email protected] 1 points 2 days ago (1 children)

Excellent!

I was grepping Chromium's code looking for anything like Firefox's webcompat plugin a few days ago. Lmk if you need any support finding evidence in source code.

[–] [email protected] 1 points 2 days ago

Lmk if you need any support finding evidence in source code.

Thank you! I may ask for your help eventually
