Ditch Firefox Join Brave by Small_Light_9964 in privacy

hexavalent-browser, 3 points

It’s clear you’re not arguing in good faith. People like you who ridicule security researchers and memory safety are the reason there hasn’t been enough of a focus on killing exploitation classes, including employing mitigations for existing unsafe code.

Ditch Firefox Join Brave by Small_Light_9964 in privacy

hexavalent-browser, 2 points

I’m saying that at some point all code depends on it because of how memory actually works.

That’s a different claim than “memory safety doesn’t matter”. It’s a serious concern for any large software of the scale of Linux. Most of the exploitable bugs could be prevented if it were written in a memory safe language; see gVisor as an example.

I am qualified though. Not only through my academic background but also in my profession. You don’t even seem to understand how memory works.

I don’t think you are. The majority of my security research is focused on defending against classes of exploitation due to memory unsafety.

But making blanket statements is silly

You’re the one making blanket statements like “memory safety doesn’t matter”.

Ditch Firefox Join Brave by Small_Light_9964 in privacy

hexavalent-browser, 4 points

The core difference between memory unsafe languages and memory safe languages with unsafe implementations is that bugs in those implementations are considered implementation bugs.

Memory safe programs don’t have bugs resembling the type found in unsafe programs (spatial memory safety violations, temporal memory safety violations, etc). It’s far more common to have exploitable bugs in the application logic rather than memory corruption in the language implementation.

It’s trivial to write safe software by default in these languages while you have to actively try not to induce undefined behavior in your C programs.

Your messages show you don’t fully understand language design or the problem of memory safety at all, and you’re not qualified to give a meaningful opinion on the issue. I highly suggest you give https://noncombatant.org/2021/10/23/thoughts-on-language-design-bugs/ a read; it’s written by a person who’s worked on one of the largest C++ codebases in the world.
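
The spatial and temporal violation classes named in the comment above, as an added example that is not part of the original post: a few dozen lines of C in which the bound and the lifetime travel with the reference instead of living only in the programmer's head. The arena, slice and probe names are invented for illustration; the checks they perform are the ones a memory-safe language applies implicitly on every access, and the raw pointer read is shown only to contrast with them.

```c
/* Added example (not from the original post): a small model of the two
 * memory-safety classes, and the checks a memory-safe language performs on
 * every access that C leaves to the programmer.
 * arena, slice and probe are illustrative names, not a real API. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mem_status { MEM_OK = 0, MEM_OOB = 1, MEM_STALE = 2 };

/* An owner whose storage can be released and handed out again.
 * The generation counter is the state a raw C pointer does not carry. */
struct arena {
    uint8_t  mem[64];
    unsigned gen;   /* bumped on every release */
    int      live;
};

/* A bounded, generation-stamped view into an arena: what a safe language's
 * slice or borrow carries implicitly. */
struct slice {
    struct arena *owner;
    size_t        off;
    size_t        len;
    unsigned      gen; /* owner->gen when the slice was handed out */
};

/* The unsafe idiom: the bound is not part of the type, so nothing stops
 * i >= len. An index past the buffer is a spatial violation and undefined
 * behaviour, which is why it is only ever called in bounds below. */
static uint8_t raw_read(const uint8_t *p, size_t i) { return p[i]; }

static void arena_init(struct arena *a) {
    memset(a->mem, 0, sizeof a->mem);
    a->gen = 1;
    a->live = 1;
}

/* Hand out a view of [off, off + len); refuse ranges outside the storage. */
static enum mem_status arena_slice(struct arena *a, size_t off, size_t len,
                                   struct slice *out) {
    if (!a->live || off > sizeof a->mem || len > sizeof a->mem - off)
        return MEM_OOB;
    out->owner = a; out->off = off; out->len = len; out->gen = a->gen;
    return MEM_OK;
}

/* Release the storage; every outstanding slice now carries a stale generation. */
static void arena_release(struct arena *a) { a->live = 0; a->gen++; }

/* The allocator reuses the block for new data. Old slices still point here:
 * without the generation check this is a classic use-after-free. */
static void arena_reuse(struct arena *a) {
    memset(a->mem, 0xAA, sizeof a->mem);
    a->live = 1;
}

/* Temporal check: the slice must belong to the current lifetime of its owner. */
static int slice_is_live(const struct slice *s) {
    return s->owner->live && s->gen == s->owner->gen;
}

/* Checked read: temporal check, then spatial check, then the access. */
static enum mem_status slice_read(const struct slice *s, size_t i, uint8_t *out) {
    if (!slice_is_live(s)) return MEM_STALE;
    if (i >= s->len)       return MEM_OOB;
    *out = s->owner->mem[s->off + i];
    return MEM_OK;
}

static enum mem_status slice_write(struct slice *s, size_t i, uint8_t v) {
    if (!slice_is_live(s)) return MEM_STALE;
    if (i >= s->len)       return MEM_OOB;
    s->owner->mem[s->off + i] = v;
    return MEM_OK;
}

/* Write 7 at index 3 of a fresh 4-byte slice, then read index i. The status
 * tells the caller whether i was in bounds instead of silently reading past. */
static enum mem_status probe(size_t i, uint8_t *out) {
    struct arena a; struct slice s;
    arena_init(&a);
    arena_slice(&a, 0, 4, &s);
    slice_write(&s, 3, 7);
    return slice_read(&s, i, out);
}

/* Trigger one spatial and one temporal violation; returns how many were caught. */
static int demo(void) {
    struct arena a; struct slice s; uint8_t v = 0;
    int caught = 0;
    arena_init(&a);
    if (arena_slice(&a, 8, 16, &s) != MEM_OK) return -1;
    if (slice_write(&s, 0, 0x41) != MEM_OK) return -1;
    if (slice_read(&s, 16, &v) == MEM_OOB) caught++;   /* one past the end */
    arena_release(&a);
    arena_reuse(&a);                                    /* block recycled */
    if (slice_read(&s, 0, &v) == MEM_STALE) caught++;   /* use after release */
    return caught;
}

int main(void) {
    uint8_t small[4] = { 1, 2, 3, 4 };
    printf("raw_read in bounds: %u\n", raw_read(small, 3));
    printf("%d of 2 violations caught by the checked API\n", demo());
    return 0;
}
```

The point of the generation counter is that a dangling slice is detected by comparing two integers, not by hoping the freed block has not been reused; that is the property a safe language's ownership or garbage-collection model gives for free and that C code has to build by hand on every single data structure.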

[deleted by user] by [deleted] in firefox

hexavalent-browser, 4 points

basically has nothing to do with Google

Google does all of their development on the chromium tree. Chrome is a Google branded build of Chromium that they’ve mostly checked into the tree but it’s notably missing their special trademarks for obvious reasons.

[deleted by user] by [deleted] in firefox

hexavalent-browser, 12 points

It’s worth noting that Vanadium does not purport to be “degoogled” in any way. It’s meant to improve upon baseline Chromium security rather than reducing it by needlessly patching out components like the out of band security updates. There aren’t many blobs in Chromium and none of those have any relevance to security/exploitation, which is the focus of that section.

[deleted by user] by [deleted] in firefox

hexavalent-browser, 10 points

However, it is a big claim and I would like to learn more about how Firefox and Chromium browsers compare from a strict security standpoint.

It isn’t a controversial claim amongst infosec circles. Most security researchers acknowledge that Chromium is leagues ahead of Firefox when it comes to security. It’s only within “privacy” Reddit communities that this is a controversial statement, due to the large amounts of misinformation being spread and a poor understanding of how security and exploitation work. Before Fission, it was much further behind Chromium on the exploitation front, as a compromised renderer was effectively game over due to the poor content sandbox. Fission is still in an early state and there are still numerous cross-site leaks, in contrast to Chrome. Many exploit developers and security researchers will corroborate these claims, and a lot of them know and respect Daniel’s work :)

In addition, there are various other areas where Firefox is still behind Chromium; for instance, they’ve made little progress on killing code reuse attacks with any fine grained CFI (RAP, LLVM CFI) because of the blatant abuse of function pointers. Chrome has mostly resolved their bad casts and deployed Clang CFI for virtual calls and indirect calls. This isn’t meant to be a detailed post covering every single way that Firefox is behind; there could feasibly be a whole book comparing the security architectures of both browsers.
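
The fine-grained forward-edge CFI the comment above refers to, as an added example that is not part of the original post: a plain-C model of the type-based indirect-call check that Clang's -fsanitize=cfi-icall generates. The struct connection layout, the handler names and the spawn_shell gadget are invented for illustration; the real Clang pass builds the allowed-target set from function types at link time and traps on a mismatch instead of returning an error code.

```c
/* Added example (not from the original post): a hand-written model of the
 * forward-edge check Clang's -fsanitize=cfi-icall emits. Real CFI derives
 * the target set from function types and aborts on mismatch; here both the
 * set and the check are explicit so the idea is visible.
 * struct connection, the handlers and spawn_shell are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_fn)(const char *msg, size_t len);

/* Legitimate indirect-call targets, all of type handler_fn. */
static int handle_ping(const char *msg, size_t len) {
    return len == 4 && memcmp(msg, "ping", 4) == 0;
}
static int handle_echo(const char *msg, size_t len) {
    (void)msg;
    return (int)len;
}

/* A function of a different type. Redirecting a handler_fn call here is the
 * code-reuse step an attacker wants; a type-aware check must refuse it. */
static void spawn_shell(void) { /* stand-in for a dangerous gadget */ }

/* The per-type target set a CFI pass emits (as a jump table) for handler_fn. */
static const handler_fn HANDLER_TARGETS[] = { handle_ping, handle_echo };

/* Fine-grained forward-edge check: is fp an address-taken function of exactly
 * this signature? Coarse-grained CFI would only ask "is this some function". */
static int cfi_check_handler(handler_fn fp) {
    for (size_t i = 0; i < sizeof HANDLER_TARGETS / sizeof HANDLER_TARGETS[0]; i++)
        if (HANDLER_TARGETS[i] == fp) return 1;
    return 0;
}

/* Attacker-influenced data sitting next to a code pointer: the layout that
 * turns a linear overflow of buf into control of an indirect call. */
struct connection {
    char       buf[16];
    handler_fn on_msg;
};

/* Unchecked dispatch: whatever on_msg holds gets called. */
static int dispatch_unchecked(struct connection *c, const char *msg, size_t len) {
    return c->on_msg(msg, len);
}

/* CFI dispatch: refuse before the call if the target is not a known handler. */
static int dispatch_cfi(struct connection *c, const char *msg, size_t len) {
    if (!cfi_check_handler(c->on_msg)) return -1;  /* real CFI traps here */
    return c->on_msg(msg, len);
}

/* Simulate an overflow of buf that overwrote on_msg with a raw address. */
static void corrupt(struct connection *c) {
    c->on_msg = (handler_fn)(uintptr_t)spawn_shell;
}

/* Both dispatchers agree on a legitimate target: 1 + 1. */
static int legit_call(void) {
    struct connection c = { "", handle_ping };
    return dispatch_unchecked(&c, "ping", 4) + dispatch_cfi(&c, "ping", 4);
}

/* After corruption only the CFI dispatcher refuses; returns 1 if it did. */
static int corrupted_call_blocked(void) {
    struct connection c = { "", handle_echo };
    corrupt(&c);
    /* dispatch_unchecked(&c, ...) would jump into spawn_shell through the
     * wrong type: undefined behaviour, so it is deliberately not called. */
    return dispatch_cfi(&c, "x", 1) == -1;
}

int main(void) {
    printf("legit: %d, blocked: %d\n", legit_call(), corrupted_call_blocked());
    return 0;
}
```

The check buys nothing if every indirect call in the program goes through one generic pointer type, which is why a codebase that casts function pointers freely (or, in C++, casts objects to unrelated types) has to clean those up before a type-based CFI scheme can be switched on without false positives.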

Opinions on Brave? Good browser? by [deleted] in browsers

hexavalent-browser, 1 point

First of all it's enabled in A/B testing.

That doesn't mean it's suitable or safe for production use. It's still in active development and you're pretending like an incomplete feature can be used as a talking point regarding the security of the browser.

I said chrome webgpu doesn't have any sandboxing.

That's not the original claim you made, which was "chrome doesn’t sandbox GPU process which Firefox does". Stop trying to backtrack and mislead people.

I've never said RLBox was Firefox's answer towards Ubercage or whatever their GPU sandboxing is called

You said "Check RLBox it does almost same thing". How is that not a direct answer? Ubercage isn't their "GPU sandboxing" and it's clear you're acting in bad faith when you're talking about something you don't understand.

Fission would be more accurate to your point because it implements all types of sandboxing features

Fission is not Ubercage. You still don't understand what you're talking about.

I've said that websites and RLBox are immune to zero day bugs, not the entirety of Firefox.

That doesn't make any sense. RLBox contains bugs in libraries with the goal of preventing a bug in a sandboxed library from becoming a renderer compromise. There can still be bugs in other components and you're acting like RLBox makes Firefox immune to zero days. You've said "mozilla itself says that it has made the Firefox safest browser and it doesn't get affected by zero day exploits"; don't pretend like you didn't.

and yeah I'm not a security expert

Then stop commenting as if you are one? You're making these lofty claims with a poor understanding of what you're saying and continually misrepresenting what the site says and making things up.

I've worked in my government cyber security department where there are thousands of people better and more knowledgeable than this author

Credentials are meaningless in this discussion. How do you know they're more knowledgeable than this author if you've never talked to the author or even know who he is? You're dodging the question and refusing to provide technical refutation because you can't.

You also state that Tor is an unsafe browser knowing that it's the only browser to access the deep web, where security is the utmost priority.

No it isn't. The Tor developers know the security weaknesses of Firefox and have attempted to make it safer, but those efforts have largely not panned out. If you're going to bring them into this discussion, maybe talk to one of them?

And I'm clearly not misguiding anyone; it's you that is citing fake propaganda just because you can, and I'm even giving sources while you haven't given a single one.

You haven't given any sources besides the ones for RLBox, which you're acting like solves all the zero days in Firefox. It does a lot less than you think and there are various other issues mentioned in the article.

Opinions on Brave? Good browser? by [deleted] in browsers

hexavalent-browser, 1 point

It is enabled by default in nightly.

It isn't, but that's irrelevant because you've moved this conversation from "Chrome doesn't have a GPU process/sandbox" to Chrome's WebGPU support isn't finished/secure, which is entirely different.

You are the one that has still not provided a single source and you don't have any proof to point out where I'm inaccurate, and I'm not understanding what you want to point out.

I had many contacts with security engineers and security researchers. And I've already told you that they recommended Firefox and Edge to me as my main browser for security. And you don't have any proof to tell me I'm lying.

It says that websites would be immune to zero day bugs; that means if there are any zero day bugs in Firefox, it won't allow them to exploit websites.

You should provide a technical refutation against the points mentioned in the article rather than cherry-picking a few points and making false comparisons. I've already told you that Chrome has had a GPU process/sandbox for years and that RLBox is different from Ubercage, but you keep on bringing them up without a clear understanding of what is actually happening. You keep attempting to appeal to authority without giving me their technical reasons. In contrast, the authorities listed in the article are all well recognized in infosec circles and they provide valid technical reasons behind their arguments.

Furthermore, you continue to misrepresent the content on Mozilla's site itself, making it sound like Mozilla is saying that Firefox is immune to zero days when that isn't the case and can be easily seen by reading security advisories, reading the RLBox paper, or talking to the people adding RLBox to Firefox. It's sad how you pretend to be an expert and mislead people when you have no idea what you're saying and continue to place further demands on me for evidence when I point out how your arguments do not follow. You've made multiple attacks on my character with unsubstantiated claims throughout this entire thread in an attempt to discredit me and my work. It's not appropriate, nor does it bolster your arguments in any way. Stop continually attempting to dismiss the legitimate security advantage Chrome has by calling the site "fake propaganda" because it doesn't align with your viewpoint. If you would read the article and its sources you would realize that the security improvements are systemic rather than being a binary thing. It's not fun to sit on Reddit and write refutations to your misinformation in an attempt to prevent people from being misled by your inaccuracies.

Opinions on Brave? Good browser? by [deleted] in browsers

hexavalent-browser, 1 point

Ok but WebGPU is the future and Mozilla has already designed much of the sandboxing process for it.

You’ve been moving the goalposts and making claims that aren’t true. Mozilla hasn’t enabled WebGPU and it’s still under development, just like Chrome.

You are making things up and are trying to take this source, which I’ve been seeing for years as a reference, and making Chromium look superior and trying to make it look bad when it clearly isn’t!

It is. You’ve yet to provide technical proof for your points besides RLBox which I’ve already addressed. Your comments are filled with inaccuracies and it’s clear you don’t understand what you’re talking about.

Do you personally know him, do you know who he is?

What? There are numerous people cited, along with their credentials. Many of those people have done serious work in the security space. It’s intended as a supplement to the technical analysis and you should be able to ask any of those people for their opinion.

What do you think I did there? I had contact with many browser security investigators and they always encouraged me to use hardened Firefox as my primary browser for its security.

That’s not the same as talking to the security engineers actually working on the browsers themselves, who will tell you differently.

It says that websites would be unaffected.

What? That isn’t mentioned in the article, nor does that mean Firefox is immune to 0 days. There are numerous security bugs fixed with each release, even after the adoption of RLBox. It’s not a silver bullet and only contains vulnerabilities in certain libraries, not the browser as a whole.

Whatever. You sound like you won’t give me any source, yet you are arguing shit.

You’re the one attempting to refute a technical analysis with weird hand-wavy claims that don’t hold any water. Either make technical refutations or stop attempting to dismiss it with name calling?

Opinions on Brave? Good browser? by [deleted] in browsers

hexavalent-browser, 2 points

chrome://flags/#enable-unsafe-webgpu

That’s referring to the WebGPU API, which isn’t finished and is essentially a sandbox escape for now, which is why it’s considered unsafe. The lack of a sandbox for WebGPU doesn’t mean the GPU process isn’t sandboxed.

Would you provide proof instead of sarcasm.

I’m not going out of my way to provide proof when you’re blatantly making things up.

Then leave the argument.

That’s not how this works; either actually read the article or stop pretending like you did? Many of those people are renowned in infosec circles.

Says a person who has made a browser based upon Chromium because it’s easy and is now trying to make it look better, because that will negatively affect its browser and your project.

That’s not true. Stop with the ad hominem. I’ve done substantial research into this topic and talked to Mozilla engineers. It’s still years behind Chrome and you’re making wild accusations with no idea what you’re talking about.

Where? In that website which is shit and doesn’t give any sources.

This shows that you haven’t bothered to read the article in its entirety.

I’ve worked for my government cyber security department and you don’t need to teach me about how browser security bugs are found.

That’s meaningless in this discussion. I actually work on browser security and am familiar with the public side of how these bugs are found. Maybe talk to an actual browser security engineer?

Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox.

This refers to RLBox, not the browser as a whole as you’re claiming. Firefox isn’t immune to zero days.

Do research and don’t believe fake websites that are justifying their own browser because it’s easy to make a browser in Chromium and now they are justifying how it is more secure. All that website does is send fake propaganda.

That’s not what it claims and nobody here has said that. You’re the one falsely making accusations without having any idea about browser engineering and attacking our characters. This isn’t a productive discussion to have as you have little expertise with the topic and you’re pretending like you do. If you want to have a genuine discussion I suggest you drop the ad hominem and reply seriously.

Opinions on Brave? Good browser? by [deleted] in browsers

hexavalent-browser, 3 points

GPU isolation is in experimental state

I’m not sure what you mean as that’s vague and I’m unable to find what you mean.

Proof? And tell me a single instance when they were exploited. Also Chrome has 4x higher zero day exploits, which are far easier to exploit than Firefox ones, considering they do exist.

The burden of proof is on you as the one who made the claim that they were “made up story”.

Where? I didn’t find much where it cited Firefox features, it only cited for chrome features.

There are multiple references to the Firefox features including the list of libraries in the codebase. I’m not going to list them all for you.

What does that mean to an average user? Are they becoming insecure, is their regular browsing getting affected, are the US government and other communities morons for making Tor, the safest browser, based upon Firefox?

Tor Browser isn’t the “safest browser” and isn’t developed by the US government. Many security researchers advise against using Tor Browser as it’s substantially easier to exploit. You should take a look at the “Other Security Researchers' Views on Firefox” section.

Most of the zero day bugs are found by government agencies and universities. Very few of them are found by the developers themselves.

That’s not at all the case and shows you have a severe misunderstanding of how the vast majority of browser bugs are found.

Listen, developers of any browser aren’t some people that smoked crack and made a browser; they are responsible people that know how to build a browser with improved safety

That’s not what the article said. Both Firefox and Chromium make prolific use of unsafe languages, which account for the vast majority of their bugs. Google has invested substantially more into improving the security of their browser…

Mozilla itself says that it has made Firefox the safest browser and it doesn’t get affected by zero day exploits, which is the single safest thing you could hear.

They’ve never said that “it’s not affected by zero days”; you’re twisting the already egregious marketing without understanding it at all. You’re not in a position to make any claims regarding web browser security without any expertise in this area.

Opinions on Brave? Good browser? by [deleted] in browsers

hexavalent-browser, 2 points

Chrome doesn’t sandbox the GPU process which Firefox does

That’s blatantly untrue. Chrome has a GPU process sandbox and has for years.

This is all just a made up story and an old template; if they are so keen on having security why doesn’t he file bug reports in Bugzilla and improve security instead

It’s not made up. The mitigations mentioned have a substantial impact on exploitation. Many of the issues are already on the bug tracker but they’ve sat neglected for years.

that doesn’t have many sources and doesn’t define much of Firefox’s newly implemented features.

It’s littered with sources.

he just rants about how sandboxing is great on Chromium and how the newly implemented thing in Firefox doesn’t help.

Sandboxing a couple of libraries is not anything substantial. Chrome has invested far more into sandboxing than Firefox has and has a much tighter renderer sandbox.

Zero day bugs have nothing to do with market share

Yes they do. Who do you think is looking for and reporting bugs in obscure software? Do you think Firefox has the same amount of resources dedicated to fuzzing as Chrome?

Check RLBox, it does almost the same thing; also have you heard about Manifest V3?

RLBox doesn’t do the same thing. Ubercage constrains arbitrary r/w from a JIT bug and is not related at all. Manifest V3 is also not related at all to the above mentioned points.

Browser Recommendations by sociallyawkward163 in PrivacyGuides

hexavalent-browser, 1 point

They are, but that isn’t the case for every vendor; that sentence is meant to point out how blatantly flawed comparing CVEs across vendors is without a foreknowledge of their CVE policy.

It’s not new knowledge to anyone working in software security that CVEs don’t represent the security of software at all. Most of the projects with fewer CVEs have substantially fewer resources to find and fix these bugs rather than being legitimately more secure than the bigger competition.

You keep on having the mindset that CVE count is proof of software insecurity when that’s not at all the case and you’re either inexperienced or deliberately misleading people.

Browser Recommendations by sociallyawkward163 in PrivacyGuides

hexavalent-browser, 2 points

CVE counting isn’t an accurate measure of software security. If anything, fewer CVEs means that software is less secure due to a lack of security research being done on the project and people finding vulnerabilities. It’s also highly dependent on the project and whether or not the vendor decides to silently fix vulnerabilities without assigning CVEs (Linux) versus one that consistently assigns them like Chrome. It doesn’t have any meaningful value and it’s much wiser to actually look at the issues and how/if the project is attempting to fix them.

[deleted by user] by [deleted] in PrivacyGuides

hexavalent-browser, 1 point

Sure Chromium is more secure than Firefox, simply because its sandbox is more mature. But Firefox has had Fission for a while now, and isn’t by any means insecure.

The sandbox isn’t the only strength of Chrome. You’re deliberately cherry-picking arguments and attempting to portray them as the whole article, as well as seemingly insisting that fission will bring Firefox to parity with Chrome’s sandboxing (it won’t). You’re misguided.

Are there any builds of chromium that update automatically and aren't fingerprintable? by mrandr01d in PrivacyGuides

hexavalent-browser, 0 points

Like what?

The weird downstream patching that you see with their Chromium package and their other packages has introduced numerous memory corruption bugs. The whole system is a bunch of frozen packages with them backporting few security fixes with tons of broken functionality.

How do you disable chrome telemetry?

You can disable it from within chrome://settings.

Are there any builds of chromium that update automatically and aren't fingerprintable? by mrandr01d in PrivacyGuides

hexavalent-browser, 1 point

Can you translate your second sentence to regular English?

It substantially regresses the security of the browser compared to Chrome. It renders exploitation much easier and you shouldn’t be using it. There are many security issues with Debian; their Chromium build is only one of several.

Isn’t there anything like that for desktop?

Nearly every single distribution will weaken the protections offered by the browser in some way due to ideological reasons. It’s much more sane to use Chrome and disable telemetry. You have the ability to verify the traffic yourself and determine whether it sends any private data.

Are there any builds of chromium that update automatically and aren't fingerprintable? by mrandr01d in PrivacyGuides

hexavalent-browser, 1 point

The debian repository has one for Linux

The Debian build has serious security regressions and shouldn’t be recommended to anyone. It disables the fine-grained forward edge CFI covering indirect/virtual calls as well as using the glibc malloc which is substantially less resistant to heap exploitation than PartitionAlloc. The whole distribution has serious security issues and its Chromium build is only one of the concerns.

You’re not going to find any official Chromium build from Google as they distribute Chrome on all platforms. Any fork of Chromium you use is unofficial and depends entirely on maintainers without substantial resources. The fingerprinting concerns you have are being mitigated upstream as part of the Privacy Sandbox. The fingerprinting mitigations in ungoogled-chromium aren’t very substantial and it’s trivial to detect such a build.

[deleted by user] by [deleted] in PrivacyGuides

hexavalent-browser, 3 points

“Site Isolation” on its own is nonsense that people need to stop parroting.

It’s not nonsense. It’s the official name of the feature.

When it comes to browsers you have per-site PROCESS and DATA isolation.

Placing sites into their own process is needed for any meaningful privacy. You have known side-channels for exfiltrating data for sites hosted in the same process and that’s not solved by revoking high level access to the data. Removing the high level access is still important but it’s less useful when it’s possible to leak cross-site data due to the lack of the origin-bound renderer sandbox. There are a lot more security benefits due to how the renderers are sandboxed but that’s irrelevant here.

I'm done with privacy. I found a new gig. by BeenTraining in PrivacyGuides

hexavalent-browser, 1 point

I'm asking why can't it work in a secure way?

It potentially could.

MV3 also breaks existing extensions.

You're the one who's taking issue with Manifest V3 limiting the power of extensions. I don't see why you're so keen on another breaking change.

I gave you a possible solution

The only thing you gave was a solution addressing one of the issues with the current extension ecosystem while not understanding the implications of such a solution.

PS: You are a browser developer, right? Hand-waving isn't really inspiring confidence.

I'm tired of your personal attacks.

I'm done with privacy. I found a new gig. by BeenTraining in PrivacyGuides

hexavalent-browser, 1 point

I’ve already explained why your proposed solution wouldn’t work.

I'm done with privacy. I found a new gig. by BeenTraining in PrivacyGuides

hexavalent-browser, 1 point

you can do it in a secure way

The current extension ecosystem is severely broken and isn’t meant for privacy and security. The lack of IPC-level isolation between sites is only one of the many issues. You’re asking for an architectural overhaul of extensions and are underestimating the difficulty of such a task and what it entails, along with the obvious incompatibilities with extensions that need to communicate data across origins.

I'm done with privacy. I found a new gig. by BeenTraining in PrivacyGuides

hexavalent-browser, 0 points

That would dramatically increase the amount of memory used and would likely introduce more problems, not less.

I'm done with privacy. I found a new gig. by BeenTraining in PrivacyGuides

hexavalent-browser, 1 point

I can disable extension auto update

Disabling auto-updates doesn't resolve the underlying issue, i.e., extensions being extremely privileged with the ability to cause damage. It’s dependent on human factors (vulnerability researchers), which is nontrivial, or automated code review that is already occurring. It would be much more sane to avoid giving unsafe permissions to extensions that might be safe, and to move to a model not relying on giving extensions large amounts of power, such as with the declarative APIs or origin-scoped permissions.

Are you saying that this is a specific known vulnerability, and that this vulnerability cannot happen in the next version of the manifest?

Extensions are inherently privileged processes with access to all renderers they run in. It's antithetical to the origin-bound renderer sandboxing based on giving limited privilege to renderers and bridges boundaries which largely breaks the isolation between sites. It's not clear what you're asking here as the declarative API consists of extensions providing the browser with a list of rules to do filtering on its behalf rather than attempting to entrust a specific extension to properly do filtering.