privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal
3.12k stars 386 forks

🆕 Software Suggestion | ungoogled-chromium #1973

Closed net-zero-day closed 4 years ago

net-zero-day commented 4 years ago

Basic Information

Name: ungoogled-chromium
Category: browser
URL: https://github.com/Eloston/ungoogled-chromium

Description

ungoogled-chromium is Google Chromium, sans dependency on Google web services. ungoogled-chromium retains the default Chromium experience as closely as possible.

Why I am making the suggestion

Privacy-friendly alternative to Google Chrome

My connection with the software

I have no connection to the software

chxseh commented 4 years ago

I personally don't agree. Any chromium browser won't be as secure as FF. If we're trying to show the best of the best we should only show the best options.

beerisgood commented 4 years ago

> Any chromium browser won't be as secure as FF

That's just wrong. Chromium-based browsers are the most secure ones. https://madaidans-insecurities.github.io/firefox-chromium.html

chxseh commented 4 years ago

I stand corrected. Edited my original comment.

misaka00251 commented 4 years ago

The big issue is, they don't have many developers so the binary releases always lag behind.

Icecat also has the same issue, but it's off-topic here :<

atomGit commented 4 years ago

> That's just wrong. Chromium-based browsers are the most secure ones.

i'm no Mozilla fanboy, but i just looked at the article Firefox and Chromium Security and much of it seems to be based on old information going back to 2015 and there are contradictions in the links the author provides at the bottom

regarding Firefox sandboxing, this is way over my head, but here's the current(?) status for whatever that's worth

the article links to 3 posts by the same guy - Thomas H. Ptacek - i don't know who he is and he may well be a security super sleuth, however there seems to be contradictions in what he says, all on the same day...

Nov-2015 ...

> If you are in any way at risk, you should be using Chrome, no matter how much Firefox has improved.

Nov-2015...

> Even among security people, the conversation about why Chrome is materially more secure than Firefox is complicated.
>
> We would all benefit from a detailed breakdown of the differences between Chrome and Firefox, like Google commissioned for Edge and Chrome.
>
> It's even more socially complicated because Firefox is catching up, and employs security engineers everyone respects.

another page the article links to is W^X JIT-code enabled in Firefox

this issue is from 2015 and is marked as resolved on bugzilla

another page is > Use your fingerprint to lock/unlock devices. Fingerprints have a different an... | Hacker News

here, user 'dguido', whoever that is, just makes a few unsourced claims and when asked for references, doesn't respond

nitrohorse commented 4 years ago

> here, user 'dguido', whoever that is, just makes a few unsourced claims and when asked for references, doesn't respond

Just for reference, that's Dan Guido, CEO of Trail of Bits and behind Algo VPN.

ph00lt0 commented 4 years ago

Maybe add as worth to mention, but this browser does nothing to protect your privacy like many others do. The fact that it does not spy on you itself does not qualify it directly being good. It still allows websites to track you everywhere.

atomGit commented 4 years ago

> this browser does nothing to protect your privacy

are you referring to Firefox or Chromium?

CristianAUnisa commented 4 years ago

I rarely write there but, as a lurker, I'd like to say that the Firefox - Chromium discussion I'm reading there and many other times on /r/ptio has become a mess and it's even tiring to search and find a trustable source about it. I often read about how Firefox is bad but how's it possible that Firefox is still recommended on the ptio website? What's even more confusing is the Tor Browser situation: it's based on Firefox ESR and, again, I read opposite opinions on it. The link provided by @atomGit cites this article: https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908 But how can someone be not confused when even Snowden recommended it? So, for a normal person with an "unimportant" security profile, what's the right choice? What's the balance between security and privacy?

ph00lt0 commented 4 years ago

> > this browser does nothing to protect your privacy
>
> are you referring to Firefox or Chromium?

Chromium. Firefox has all sorts of methods in place to prevent fingerprinting and block trackers by default. They are not perfect but generally a way better start than what chromium has to offer.

ph00lt0 commented 4 years ago

> I rarely write there but, as a lurker, I'd like to say that the Firefox - Chromium discussion I'm reading there and many other times on /r/ptio has become a mess and it's even tiring to search and find a trustable source about it. I often read about how Firefox is bad but how's it possible that Firefox is still recommended on the ptio website? What's even more confusing is the Tor Browser situation: it's based on Firefox ESR and, again, I read opposite opinions on it. The link provided by @atomGit cites this article: https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908 But how can someone be not confused when even Snowden recommended it? So, for a normal person with an "unimportant" security profile, what's the right choice? What's the balance between security and privacy?

Nothing wrong with Firefox. PTIO provides an article on the website with some slight modifications to your user profile to 'harden' your privacy settings and fully disable telemetry from Mozilla. Not sure what is so confusing about that?

CristianAUnisa commented 4 years ago

> > I rarely write there but, as a lurker, I'd like to say that the Firefox - Chromium discussion I'm reading there and many other times on /r/ptio has become a mess and it's even tiring to search and find a trustable source about it. I often read about how Firefox is bad but how's it possible that Firefox is still recommended on the ptio website? What's even more confusing is the Tor Browser situation: it's based on Firefox ESR and, again, I read opposite opinions on it. The link provided by @atomGit cites this article: https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908 But how can someone be not confused when even Snowden recommended it? So, for a normal person with an "unimportant" security profile, what's the right choice? What's the balance between security and privacy?
>
> Nothing wrong with Firefox. PTIO provides an article on the website with some slight modifications to your user profile to 'harden' your privacy settings and fully disable telemetry from Mozilla. Not sure what is so confusing about that?

I find it confusing to read many opposite opinions by security and privacy experts. The link posted up there (https://madaidans-insecurities.github.io/firefox-chromium.html) has some valid sources and by searching "firefox" on /r/ptio you can find many discussions based on Firefox security issues suggesting not to use it but I think they confuse people even more; Firefox is the suggested browser on ptio website, Tor Browser is based on it and Snowden endorses it. I hope I was able to convey my doubts.

ph00lt0 commented 4 years ago

@Asbesbopispa I see your point here. Although I think that these points are valid, I also believe they are very unlikely to impact your security. There will always be cons and pros for certain software. Tor browser is very secure because it disables JavaScript (by NoScript extension) and blocks third party content. I believe with the right settings a Firefox based environment is very safe to use. Chrome has of course its Google Safe Browsing that blocks malicious requests however this might have a big impact on your privacy. Afaik in ungoogled-chromium this is also removed. This basically means nothing is in place to protect you on that part either. Then yes, chromium might by the core is more secure but in day to day life the difference will probably not have impact. Given that PTIO focuses on privacy the choice would be easy but I think either way you can be confident using Firefox. I would certainly suggest to install something like uMatrix, that could prevent a lot of harm and if you are really feared, install NoScript.

CristianAUnisa commented 4 years ago

@ph00lt0 thank you for your answer. I'm already using uMatrix and I really appreciate it. I'm using Firefox on my PC and Bromite on my phone; I'd like to use ungoogled-chromium as a second choice (because Mozilla sometimes fucks up) but it takes too much time to build on my computer and I need it to work :/ I'd like to see it as "Worth mentioning" too though, because it could be a good alternative to Firefox; the lack of auto-updates and the lack of a simple procedure to install extensions are important enough for not placing it in a card like FF and Tor.

atomGit commented 4 years ago

@ph00lt0 said...

> Firefox has all sorts of methods in place to prevent fingerprinting and block trackers by default.

well, yeah, but one needs to enable (at the very least) FPI (privacy.firstparty.isolate) and RFP (privacy.resistFingerprinting) to maximize protection - neither are enabled by default as of v78

and then said ...

> Tor browser is very secure because it disables JavaScript (by NoScript extension) and blocks third party content. I believe with the right settings a Firefox based environment is very safe to use.

i tend to agree, though again, i'm not an expert - also, Firefox was running the Tor uplift project which brought some of the privacy/security benefits of the Tor browser to Firefox - i believe that activity has died down somewhat, but it's my understanding that it isn't entirely dead

i also completely agree with the suggestion of using uBlock Origin and/or uMatrix - i use the former only for static filtering (filter lists) and the latter for dynamic filtering (JS, frames, XHR, etc.) - if anyone wants to read about my personal advice and settings, you can find that here

as for Ungoogled Chromium being listed on PTIO, i personally have serious reservations being that Chromium is a Google project - open-source, yes, but it's still under Google's roof and there's no way i want anything to do with that massively unethical bunch of data-slurping clowns, not that Moz hasn't pulled their share of stupid shit over the years, but at least they're not Google and, AFAIK, not in bed with the NSA
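
A way to check the two preferences named in the comment above against a profile, as an added example that is not part of the thread or of any participant's post. It assumes the `user_pref("name", value);` line format of a Firefox profile's `prefs.js` and `user.js`; the function names and the sample file contents are constructed for illustration.

```python
import re

# The two prefs named in the comment above. Per that comment neither is
# enabled by default (as of Firefox 78), so an absent entry counts as off.
WANTED = {
    "privacy.firstparty.isolate": True,
    "privacy.resistFingerprinting": True,
}

# One user_pref("name", value); statement per line (assumed file format).
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;'
)


def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # comment lines ("// ...") never match
        if not m:
            continue
        raw = m.group("value")
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw.strip('"')
        prefs[m.group("name")] = value
    return prefs


def audit(prefs_js, user_js=""):
    """Report each wanted pref; user.js is applied on top of prefs.js."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    report = {}
    for name, wanted in WANTED.items():
        actual = effective.get(name, False)  # absent -> default (off)
        report[name] = "ok" if actual == wanted else "not enabled"
    return report


# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("privacy.resistFingerprinting", true);
"""
SAMPLE_USER_JS = 'user_pref("privacy.firstparty.isolate", false);\n'

if __name__ == "__main__":
    for name, state in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{name}: {state}")
```
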

AnaemicStar commented 4 years ago

I don't think ungoogled-chromium would be suited to the average user having looked at their README page.

CristianAUnisa commented 4 years ago

> as for Ungoogled Chromium being listed on PTIO, i personally have serious reservations being that Chromium is a Google project - open-source, yes, but it's still under Google's roof and there's no way i want anything to do with that massively unethical bunch of data-slurping clowns, not that Moz hasn't pulled their share of stupid shit over the years, but at least they're not Google and, AFAIK, not in bed with the NSA

@atomGit I get what you're saying but there's already Bromite there. While I wouldn't use Chrome (obviously) and not even Chromium, Ungoogled Chromium seems like to deserve at least a spot in a "Worth mentioning" section, not its own card because it's not for the average user as @AnaemicStar wrote. Otherwise, we should still find an alternative to Firefox that could be used by the average user too as a backup option. Mozilla sometimes does some weird stuff, like forgetting about the expiring certificate which caused all the extensions to be disabled.

dngray commented 4 years ago

Closing: poor distribution mechanism: https://github.com/Eloston/ungoogled-chromium/tree/master#downloads

https://ungoogled-software.github.io/ungoogled-chromium-binaries/

At the time of writing the Windows version is 81.0.4044.138-1.1 whilst other versions are 83.0.4103.116-1, 83.0.4103.97-1.1, 83.0.4103.97-1.1 and 80.0.3987.132-1. This is also not available in any official related channels (official distributions).

madaidan commented 4 years ago

@atomGit

> i'm no Mozilla fanboy, but i just looked at the article Firefox and Chromium Security and much of it seems to be based on old information going back to 2015

It's not old. The information is still perfectly valid. The only reason some of it dates back that far is because Mozilla is so slow in fixing these issues which further strengthens my point. All of the issues still exist regardless of a timestamp.

> and there are contradictions in the links the author provides at the bottom

There aren't and besides, the links at the bottom aren't that important. They're merely additional.

> regarding Firefox sandboxing, this is way over my head, but here's the current(?) status for whatever that's worth

It doesn't contradict what I've said. Again, it strengthens my point.

> the article links to 3 posts by the same guy - Thomas H. Ptacek

There are only 2 posts.

> i don't know who he is and he may well be a security super sleuth,

https://sockpuppet.org/me/

> however there seems to be contradictions in what he says, all on the same day...

There are no contradictions in those posts at all.

> another page the article links to is W^X JIT-code enabled in Firefox
>
> this issue is from 2015 and is marked as resolved on bugzilla

You aren't making sense. I think you've read something else. I linked specifically the comment from PaXTeam explaining why "W^X" JIT is DOA.

gary-host-laptop commented 3 years ago

Just in case I recently noticed that ungoogled Chromium is available through Flathub now, while this is a step forwards to having to install binaries manually I don't think there's an autoupdater for other platforms.

bingoxo commented 3 years ago

> Just in case I recently noticed that ungoogled Chromium is available through Flathub now, while this is a step forwards to having to install binaries manually I don't think there's an autoupdater for other platforms.

https://chromium.woolyss.com/#updaters

stnert commented 3 years ago

Since you are against Ungoogled, why do you point out Bromite for Android? It makes no sense, since it is Chromium-based.