I largely feel the same way about Mozilla's approach with Firefox. Apple seems far more interested than Mozilla in delivering actual privacy rather than the appearance of it, although Apple recently started using it as part of their branding / marketing which is what taints this.
I don't really have a browser recommendation right now. I liked that Brave took the solid Chromium base and seemed to be on the path towards turning it into a privacy-focused browser but it's clear to me now focus is elsewhere and privacy isn't going to win when they conflict.
Is there a reason why Tor Browser uses Firefox as its base? Is it because Firefox was better in the old days? And what's your opinion on hardened Firefox? Does enabling first-party isolation (is this a sandbox?) matter? Thanks in advance.
First party isolation is a privacy sandbox, not a security one.
Site isolation is an experimental feature in Nightly: ghacks.net/2019/06/24/fir
I think Tor prefers us because it's easier to strip out features that are at odds with their goals and upstream patches.
Note that Tor also nails down a pile of JavaScript things that are typical exploit vectors. For Tor users de-anonymization is a large security risk, and it's not something a security sandbox necessarily protects against.
Their threat model is different from regular users.
It's part of what's needed to make it work well though. Firefox has a decent baseline implementation of a content sandbox on Windows but it's not a proper implementation elsewhere like on Linux and it's missing on Android (the context where I had recommended Brave in the past).
What's your concern about the Linux sandbox? My main one is the X socket problem (maybe less so on Wayland), so I'm curious in case it's something else.
Current Firefox for Android can't get isolatedProcess, though Fenix will.
It's just not as finished and the way it's integrated into the platform stack doesn't lend itself as well to sandboxing. The lack of support for a GPU process, etc. On Android, other than using isolatedProcess and a comparable seccomp-bpf layer, I care about attack surface too.
Ideally, browsers would be simpler and far more compatible so that it wasn't even really a thing to write code specifically for Firefox or Chromium. Firefox would then be able to realistically offer an implementation of the standard WebView API compatible with existing apps.
I don't think it would be hard to implement the standard API in terms of the app layer but it wouldn't be compatible with many apps written with the assumption that they are targeting Chromium. There are so many both subtle and substantial differences between browser engines.
So, realistically, there has to be a Chromium-based WebView implementation used by many applications. It's part of the standard attack surface. Using any other browser engine for the web browser means having 2 browser engines being heavily used. I can't really see this changing.
I can see Firefox eventually catching up in the security areas where it's lagging behind, but there's so much usage of Chromium elsewhere. On Android, a major positive is that this is generally via the automatically updated WebView with a stable app API.