• henfredemars@lemdro.id
    link
    fedilink
    English
    arrow-up
    23
    ·
    edit-2
    1 year ago

    Great, now implement modern exploit mitigations and sandboxing like Chrome uses. Firefox is objectively less resistant to exploitation. Some Firefox security has improved since the article was written, such as some sandboxing on Windows, but it’s definitely not as mature.

    I’m not writing that Firefox is insecure. Security is very important to Firefox! However, Chrome has had more work done in the realm of browser hardening.

    • Ace T'Ken@lemmy.ca
      link
      fedilink
      English
      arrow-up
      16
      ·
      1 year ago

      That is fair, but Chrome is undeniably more open to corporate exploitation. See things like the dramatically reduced utility of ad blockers on Chromium browsers.

      I guess it depends on who you see as the greater threat at present.

    • SALT@lemmy.my.idOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I think it’s already on par with Chromium, most attack won’t work with sandboxing that introduced to firefox, and mostly now each site/iframe have it’s own process, so it’s on par with chrome, imho

      • henfredemars@lemdro.id
        link
        fedilink
        English
        arrow-up
        9
        ·
        edit-2
        1 year ago

        As a security researcher, running each site in its own process isn’t enough. Chrome has a much stronger multiprocessing model on most platforms. For example, Chrome on Android sandboxes between processes whereas Firefox simply relies on the built-in Android sandbox, which provides limited protection between these processes. It’s much easier to break out of the sandbox in Firefox because it’s easier to move laterally, for one. Those processes have to communicate with each other at some point.

        But, don’t believe me just because I claim any sort of credential on the Internet. It’s such a difference in security that GrapheneOS strongly discourages using Firefox for its weak implementation in addition to the link I provided above. From the link:

        Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole.

        I love Firefox. I use it anyway. It’s not insecure. But it’s absolutely not as secure because it lacks modern exploit mitigations. Running process per site is an improvement but it’s still less secure than the architecture used in Chrome.

        EDIT: Sound less entitled.

        • SALT@lemmy.my.idOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          I can’t speak for Android, it’s long way to go for sure, but on desktop, it’s great. And for Fedora PhoneUI / Phosh seems already working because it’s linux ootb.

          in short android not included I suppose. They have custom multiple process sandbox, but last time I enable it, it broke everything in nightly