undefined | Better HN

0 pointsnikcub10y ago0 comments

Chromium for security - for privacy it isn't great because aside from the WebRTC issue[0] it also doesn't respect proxy settings. You need to run it in a VM in an isolating proxy setup to avoid the privacy issues.

For privacy the Tor browser - but even then only in a VM because of the prevalence of exploits. Regular Firefox will just get you fingerprinted in any case.

> unstable Chrome/Chromium releases

The build site I linked to lets you switch between trunk/stable

[0] if you know what you're doing you can change the WebRTC route settings with this extension https://chrome.google.com/webstore/detail/webrtc-leak-preven...

0 comments

3 comments · 1 top-level

wallace_f10y ago· 2 in thread

For my own edification, can you elaborate on where/how Chromium beats Firefox on security.

nikcubOP10y ago

The main difference is architectural. Chrome is sandboxed while Firefox isn't. There is an effort to re-architect Firefox now:

https://wiki.mozilla.org/Security/Sandbox

The second difference and a large advantage Google has is the security team they've put together to find and fix bugs. Google between project zero and engineering are probably the best team in the world. Firefox don't really have an equivalent.

Then there is the legacy code that Firefox is built on and the problems that had lead to. In Chrome a successful exploit requires the combination of 5-6 diff bugs/exploits to bypass all the controls and sandboxes, while in FF many straight forward bugs become exploits.

This is most reflected in two places: First the pwn2own contest where FF does poorly[0] and second in the price of 0day between Firefox and Chrome. The Chrome exploit price has never been less than $100k and at the moment $1M+ is being turned down, while OTOH Firefox started at $5-10k and at the moment is $25-30k and are common (common in a browser exploit sense).

The idea situation would be a Chromium fork that is built with the Firefox UI / extensions / settings / profiles etc. built on top of it. I've wanted to build this project for a long time and have a privacy/security specific browser but have never had the chance to do it. I hope at some point somebody does - it's really complicated today to recommend both a secure and private browser.

[0] http://www.extremetech.com/computing/178587-firefox-is-still...

wallace_f10y ago

Thanks

j / k navigate · click thread line to collapse