If we take any two similar pieces of software, like Ubuntu / Fedora or Chrome / Firefox, usually one is considered more technically secure than the other. I read in the blog Madaidan Insecurities that Chrome is a lot more secure than Firefox technically. If hacking is done through exploiting vulnerabilities, what does it matter if one is more technically secure than the other if both are kept up to date?
My logic led me to think that this would matter in the sense that zero-days for Firefox would be easier to find since it is less secure than Chrome, but the reality is that Chrome has a lot more zero-days than Firefox. Maybe this is due to the market share of both, I am not sure.
So in the end, how do I benefit if I use something that is technically more secure vs something that is less secure but kept up to date?
This is an interesting chain of thought and one that I think about fairly often. I think, as Jonah has often pointed out in the past, there's not any real evidence that Firefox users have been exploited en masse to the point where we think Firefox is a dangerous piece of software to use. Even though the number of Firefox users has dropped to the ~150 million it is now (more people than the populations of whole countries, by the way), not to mention the hundreds of millions of people that have used Firefox historically, there have not been any serious incidents that have caused tons more people to go "whoa, this isn't a thing we should be using at all". So to me this seems like more of a case of theoretical security; yes, Chrome is technically more secure for a few different reasons, but at the end of the day, a user is more likely (by orders of magnitude, probably) to be subject to malware due to them clicking on a dangerous link, regardless of whether they're using Chrome or Firefox.
To add to this, if you're specifically being targeted by someone, they're just going to use zero-days anyway, so other factors are going to be more important than whether you go with Firefox or Chrome specifically (e.g. what OS you're running, how exploitable that is, and so on).
Security is ultimately about increasing cost: either time or money.
Offerings that are more robust with many layers are more resilient and do cost more.
Yes, Chromium has many security issues, but it also has active forks by dozens of companies, many with their own security teams (e.g. Microsoft), so it is inevitable that issues are much more likely to be found. This is a good thing.
Whereas Firefox's biggest consumer is likely the Tor Project, and they're only a handful of people.
So Firefox has both fewer (robust) security features and far fewer people actually probing at it.
Is an up-to-date instance of Firefox likely safe for the majority of people? Yes, and it has clear other benefits such as proper filtering via uBlock Origin and can be tuned for modest fingerprinting resistance.
Does this mean the situation shouldn't be improved? No, it would be nice to see a stripped-down version of Brave without any of the services/crypto/LLM/etc. features.
As for other projects like distros, the security aspect shifts away from security features and more towards the curation and update frequency of the packages that they provide/maintain.
While you could bodge, say, SELinux onto Ubuntu if you really wanted, you'd still be stuck with many packages that are pinned and only receiving backports for far longer than you would on e.g. Fedora or Arch.