Replying to
Is there a reason why Tor Browser uses Firefox as its base? Is it because Firefox was better in the old days? And what's your opinion on hardened Firefox? Does enabling first-party isolation (is this a sandbox?) matter? Thanks in advance.
Replying to and
First-party isolation is a privacy sandbox, not a security one. Site isolation is an experimental feature in Nightly: ghacks.net/2019/06/24/fir I think Tor prefers us because it's easier to strip out features that are at odds with their goals and upstream patches.
Replying to and
Note that Tor also nails down a pile of JavaScript things that are typical exploit vectors. For Tor users de-anonymization is a large security risk, and it's not something a security sandbox necessarily protects against. Their threat model is different from regular users.
Replying to
It's part of what's needed to make it work well though. Firefox has a decent baseline implementation of a content sandbox on Windows but it's not a proper implementation elsewhere like on Linux and it's missing on Android (the context where I had recommended Brave in the past).
Replying to
What's your concern about the Linux sandbox? My main one is the X socket problem (maybe less so on Wayland), so I'm curious in case it's something else. Current Firefox for Android can't get isolatedProcess, though Fenix will.
Replying to
It's just not as finished and the way it's integrated into the platform stack doesn't lend itself as well to sandboxing. The lack of support for a GPU process, etc. On Android, other than using isolatedProcess and a comparable seccomp-bpf layer, I care about attack surface too.
Replying to and
Ideally, browsers would be simpler and far more compatible so that it wasn't even really a thing to write code specifically for Firefox or Chromium. Firefox would then be able to realistically offer an implementation of the standard WebView API compatible with existing apps.
Replying to and
I don't think it would be hard to implement the standard API in terms of the app layer but it wouldn't be compatible with many apps written with the assumption that they are targeting Chromium. There are so many both subtle and substantial differences between browser engines.
Replying to and
So, realistically, there has to be a Chromium-based WebView implementation used by many applications. It's part of the standard attack surface. Using any other browser engine for the web browser means having 2 browser engines being heavily used. I can't really see this changing.
Replying to and
I can see Firefox eventually catching up in the security areas where it's lagging behind, but there's so much usage of Chromium elsewhere. On Android, a major positive is that this is generally via the automatically updated WebView with a stable app API.
Replying to and
I wouldn't actually want that in the near future, but it would be nice to have options open in the future. For now, I definitely think a Chromium base is a much better choice, but I wouldn't have contributed so heavily to Rust if I didn't think that was a long-term game changer.
Replying to and
I can't consider shipping 2 browser engines though. It's just not at all sensible based on the security goals of my work. So, even if I thought some far future version of Firefox or another browser engine (seems unlikely) was a better option, it would be worse to expose both.