So we know Firefox is insecure, but how insecure? How does it compare to Vivaldi, Ungoogled Chromium, WebKitGTK (not Blink but still), and QtWebEngine security-wise?
We’re always comparing these browsers (and this goes for other things like mobile operating systems and app stores) to the most secure option available but not to every feasible option available. A lot of us are content with Firefox. To me a browser’s security doesn’t have to be perfect. It just has to be good enough.
I read that hardening guide again after a long time, and a question came to mind. I’ve been using NextDNS in Brave forever and YogaDNS because of VPN. So, as your text states, only domains are exposed when you use the browser’s DNS.
I remembered that by using the operating system’s DNS (Yoga), all paths are also exposed. Is this a threat or an opportunity? I use Brave’s own adblock + NextDNS, so is it just a matter of whether I trust Brave, NextDNS, and YogaDNS, which I already trust? Thanks.
“DNS/Network is arguably the most secure but the least effective (since it can only filter by domain, and not paths, e.g. all of google.com and not just google.com/tracking) of any method. With most content blocking you have to add trust in multiple entities and add extra attack surface. With DNS filtering, you are placing your trust in something you already have to trust (DNS resolution). I would still suggest the usage of some DNS filtering in your browser, even if you have another content-blocking solution. It also has no performance impact and can resist some forms of censorship and tracking by encrypting not only DNS traffic but also the Client Hello (via ECH). Non-DNS network filtering has the same effectiveness with the added benefit of IP blocking, depending on the implementation. It should be noted that CNAME tracking can be fully mitigated through DNS filtering.”
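An added illustration of the quoted passage (not code from the guide or from any participant; every hostname, record and function name below is a constructed assumption): a filtering resolver is handed only the hostname, so two paths on the same domain get the same verdict, but because it follows the CNAME chain it still catches a tracker hidden behind a first-party subdomain.

```python
from urllib.parse import urlsplit

# Constructed zone data: name -> ("CNAME", target) or ("A", address)
RECORDS = {
    "shop.example": ("A", "192.0.2.10"),
    "metrics.shop.example": ("CNAME", "edge.tracker.example"),
    "edge.tracker.example": ("CNAME", "lb.tracker.example"),
    "lb.tracker.example": ("A", "192.0.2.99"),
}
BLOCKLIST = {"tracker.example"}  # constructed domain blocklist


def cname_chain(name, records, max_depth=8):
    """Return every name visited while following CNAMEs from `name`."""
    chain, seen = [], set()
    name = name.rstrip(".").lower()
    # Stop on a loop or after max_depth hops so bad zone data cannot hang us.
    while name not in seen and len(chain) < max_depth:
        chain.append(name)
        seen.add(name)
        rtype, value = records.get(name, (None, None))
        if rtype != "CNAME":
            break
        name = value.rstrip(".").lower()
    return chain


def is_listed(name, blocklist):
    """True if `name` equals a listed domain or is a subdomain of one."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def dns_blocks(url, blocklist=BLOCKLIST, records=RECORDS):
    """Verdict a filtering resolver can reach: it is given only the hostname."""
    host = urlsplit(url).hostname or ""  # path and query never reach the resolver
    return any(is_listed(n, blocklist) for n in cname_chain(host, records))


if __name__ == "__main__":
    for url in ("https://shop.example/",
                "https://shop.example/tracking",
                "https://metrics.shop.example/collect.js"):
        print(url, "->", "blocked" if dns_blocks(url) else "allowed")
```
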
This is on you for not configuring Brave correctly. Several of the connections (e.g. Brave rewards) aren’t even active on a fresh install, i.e. you deliberately switched them on yourself.
Looking at my own Brave desktop connections from the last 24h I see just 7 domains and most of them are updater related, safebrowsing, account sync.
@RoyalOughtness I am wondering if installing Trivalent outside of SecureBlue and losing SELinux confinement is still overall a better option than the other PG browser recommendations? Since users are not getting SELinux confinement outside of SecureBlue anyway, wouldn’t Trivalent still be the best option?