I used to be optimistic about Brave, but I no longer consider it to be a good project. It has had some serious issues with security and the intent behind it is starting to seem nefarious. Monetizing other people's content was always sketchy and their DRM is going far beyond EME.
Conversation
Replying to
Firefox has serious security issues, and I don't recommend using it. The sandbox is far weaker than Chromium and it doesn't provide site isolation which is a necessity in 2019. On Android, Firefox doesn't provide a browser sandbox at all, which is just completely unacceptable.
1
1
8
Replying to
Brave is a better choice than Firefox. I'm not saying that Brave is a bad choice as a browser in technical terms but that the project has the wrong motivation behind it. It's at odds with privacy and it's now clear they value the attention nonsense more than they do privacy.
1
1
4
Replying to
I largely feel the same way about Mozilla's approach with Firefox. Apple seems far more interested than Mozilla in delivering actual privacy rather than the appearance of it, although Apple recently started using it as part of their branding / marketing which is what taints this.
2
1
3
Replying to
I don't really have a browser recommendation right now. I liked that Brave took the solid Chromium base and seemed to be on the path towards turning it into a privacy-focused browser but it's clear to me now focus is elsewhere and privacy isn't going to win when they conflict.
1
5
Replying to
Is there a reason why Tor Browser uses Firefox as base is it because Firefox was better in old days? And whats your opinion on hardened Firefox? Does enabling first-party isolation (is this sandbox?) matter? Thanks in advance.
2
2
First party isolation is a privacy sandbox, not a security one.
Site isolation is an experimental feature in Nightly: ghacks.net/2019/06/24/fir
I think Tor prefers us because it's easier to strip out features that are at odds with their goals and upstream patches.
2
Note that Tor also nails down a pile of JavaScript things that are typical exploit vectors. For Tor users de-anonymization is a large security risk, and it's not something a security sandbox necessarily protects against.
Their threat model is different from regular users.
1
Replying to
It's part of what's needed to make it work well though. Firefox has a decent baseline implementation of a content sandbox on Windows but it's not a proper implementation elsewhere like on Linux and it's missing on Android (the context where I had recommended Brave in the past).
Site isolation is needed for mitigating issues like the remaining Spectre problems too, not just preventing an attacker from getting all of the data after a code execution exploit. Trying to manually handle every possible case in the JS VM and native code is very unrealistic.
2
There's llvm.org/docs/Speculati for native code but it's quite expensive and not being used in practice, especially for a project like Firefox. Even that's not totally complete but it's the only realistic way to approach it in a complete way. It doesn't cover the JS VM though.
Replying to
What's your concern about the Linux sandbox? My main one is the X socket problem (maybe less so on Wayland), so I'm curious in case it's something else.
Current Firefox for Android can't get isolatedProcess, though Fenix will.
1
1
Replying to
It's just not as finished and the way it's integrated into the platform stack doesn't lend itself as well to sandboxing. The lack of support for a GPU process, etc. On Android, other than using isolatedProcess and a comparable seccomp-bpf layer, I care about attack surface too.
2
Show replies