Ouch: Firefox security

Firefox and Chromium | Madaidan's Insecurities

12bytes: Note that Firefox sandboxing was strengthened in version 99.

Firefox is sometimes recommended as a supposedly more secure browser because of its parent company's privacy practices. This article explains why this notion is not true and enumerates a number of security weaknesses in Firefox's security model when compared to Chromium. In particular, it covers the less granular process model, weaker sandboxing and lack of modern exploit mitigations. It is important to decouple privacy from security — this article does not attempt to compare the privacy practices of each browser but rather their resistance to exploitation.

12bytes: I don't think there's much of an argument regarding privacy. Google loses, plain and simple, and it is my understanding that no amount of Google Chrome (or Chromium) tweaking can circumvent some of the risks in the privacy department. The security problems are worrying however, especially for us Linux users, though it must be considered that the exploits mentioned seem to depend on having JavaScript enabled globally which is perhaps the biggest no-no both privacy and security wise, regardless of what browser one chooses. It is also unknown how browser configuration may play into the exploits mentioned in the article. For example, does enabling network partitioning/dFPI mitigate any of this?

I tend to doubt the situation with browser development concerning security, regardless of the brand, will get any better. I think the problem here is the web itself and the pace at which it is developing, or devolving, depending on your POV. Things were so much simpler in the days of HTML and CSS, however Big Tech, being the collection of ethic-less woke idiots it is at the upper levels, has bloated the web with often unneeded and unwanted technologies and JavaScript and 3rd party fonts and dependencies on Content Delivery Networks and libraries and frameworks and the problem keeps getting bigger and bigger. Many of us see the problem of turning the web into a collection of trendy so-called "apps", but corporations simply don't care and the web developers that work for them seem to be largely poorly educated cookie cut-outs with a degree and a lust for shiny things.

Certainly there needs to be more real competition in the browser market beyond configuration files and forks but the problem, because of what the web has become, is that a web browser has to deal with whatever garbage is thrown at it and this requires a massively complex beast with 10's of millions of lines of code, much of it potentially exploitable. I don't think such an undertaking is doable with a small team, hence why i do not recommend Waterfox, Pale Moon, etc. As such i think it's entirely possible that all future browsers will be delivered by large corporations which, like Mozilla, don't seem to give much of a crap about privacy at the corporate level. While the story is perhaps significantly different at the developer level, for now, i think we can all see a potential train wreck at the end of the tunnel.

As for me, i'm willing to roll the dice and stick with Firefox (and the 'arkenfox' user.js and my custom tweaks) for the time being, regardless of my disdain for the woke clowns which have infected Mozilla.

6 thoughts on “Ouch: Firefox security”

  1. I agree that current browsers are bloated and expensive to make to the point that there can only be corporate competition. On the other hand, they do provide actual value and are no longer limited to mostly static content that is HTML and CSS, but are full fledged platforms to build cross platform apps on. Games are being compiled to JS and are running in the browser. There’s even a unique feature that’s not available via other tech – applications are available by typing in a URL, they don’t need installing and can launch quicker due to being able to conditionally lazy load more code as needed.

    If these big bloated browsers are to be replaced, there needs to be a good alternative for cross platform apps. Probably including a cross platform decentralized app store, something like flatpak.

    1. > … they do provide actual value and are no longer limited to mostly static content that is HTML and CSS, but are full fledged platforms …

      the problem is all the security and privacy issues that come with that

        1. there are other stripped down browsers which are probably more secure, but also less functional – for example there are very minimal browsers that run in a terminal – but there is nothing that i know of which is both usable as a daily driver and more secure

          Firefox with the ‘arkenfox’ user.js is the best solution that i personally know of

          there is also LibreWolf which is a Firefox fork based on the latest version and which is more privacy-centric out of the box, but the project is run by a small team and though security is mentioned as one of their focuses, i highly doubt they address any of the deeper mechanics of Firefox such as those mentioned in the article

          it looks to me like they just apply a bunch of patches to Firefox release to remove some components and change some prefs, plus use a modified (and perhaps somewhat relaxed) version of the ‘arkenfox’ js

          again, due to the complexity of the web, i think any new browser is going to have to be developed by a very large and capable team with a lot of resources and that kind of implies a corporation

          1. Librewolf looks interesting. It isn’t a viable option for most people to keep updating manual config options like you do.

            > again, due to the complexity of the web, i think any new browser is going to have to be developed by a very large and capable team with a lot of resources and that kind of implies a corporation

            Unless someone builds an alternative browser that wouldn’t use HTML/CSS/JS. There’s one already https://gemini.circumlunar.space . I think it’s too lightweight to the point that it wouldn’t be useful for most cases, but it’s a good example to present the idea.
