ESR Firefox VS Classic Firefox

Hello,

The ESR version of Firefox is installed by default on Linux (Debian).

From a security point of view, which version is better to use: the ESR version of Firefox or the classic version of the browser?

Similarly, I’d like to know whether it’s better to avoid the Flatpak version of Firefox (and all browsers in general).

Thanks,

For Flatpak, see this thread instead: “Don’t link to Brave’s Flatpak” (Desktop Browsers)

I don’t see why they use the ESR version, but I guess it’s slightly better to use the normal version because you will get new privacy and security features. The ESR still gets all security patches.

Firefox Rapid Release seems to be more secure than Firefox Extended Support Release (ESR), at least when it comes to receiving updates.

Quoting the (2014) archived proposal for creating Firefox ESR:

Over time the ESR will be less secure than the regular release of Firefox, as new functionality will not be added at the same pace as Firefox, and only high-risk/impact security patches will be backported. It is important that organizations deploying this software understand and accept this.

This is affirmed in up-to-date Firefox support documentation:

Maintenance of each ESR through point releases is limited to high-risk/high-impact security vulnerabilities, and in rare cases may also include off-schedule releases that address live security vulnerabilities.

It’s worth noting that the Tor Browser and Mullvad Browser are based on Firefox ESR, which might mean that it’s “good enough”. More realistically, it’s because they don’t have the resources to keep up with the pace of Firefox Rapid Release and accept they might not have all security patches.

1 Like

Also worth noting they backport some non-ESR patches, e.g. https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43451

4 Likes

Also worth noting that some security and privacy patches originate from Tor Project, and make their way from Tor/Mullvad Browser to regular Firefox releases before making their way to Firefox ESR.

3 Likes

I use different browsers for different purposes.

Does Firefox ESR seem suitable for connecting only to personal accounts?

Mullvad Browser would be preferable, but if you want something where you can stay logged in, I don’t see why you shouldn’t use Firefox Rapid Release. You can utilize Firefox Multi-Account Containers and/or Firefox profiles to isolate one “purpose” from another. If you’re still uninterested in using Firefox Rapid Release or Mullvad Browser, then yes, Firefox ESR should be fine (security-wise) for using trusted websites.