This is literally a more hardened version of Firefox that also implemented things that are normally present in Vanadium, like the toggle for JavaScript JIT.
And as seen above, it also has Fission (per-site isolation) on.
As a Firefox alternative I endorse this alongside Chromium-based browsers like Vanadium and Brave.
I cannot preface this enough: if the threat model is high enough that it needs perfect security, then yes, go for Chromium-based only.
Edit: the creators of IronFox have put in the limitations, and it is advised to read them, especially for specific threat models. I agree with them, and for many lighter threat models, IronFox is really good.
This isn’t a perfect one, and if you need perfect security, go use Chromium-based, but this is destined to be a decent alternative to the likes of Chromium.
Stop repeating this nonsense. Read the whole discussion about it. It has no site isolation! Also this is only one of the many problems with FF security on Android.
You love to make assumptions without researching, don’t you?
Well, if you wanna keep doubting, do it, but you will only be more wrong, I bet (to be clear, there are valid points, but this is not one).
I preface again: if your threat model calls for ultimate security, then I agree here that Chromium-based browsers are better for this situation, and avoid using IronFox.
I think that @sha123 is trying to point out that even though Fission has been enabled, it is currently not comparable to Chromium’s site isolation, and that there is a reason it’s still disabled by Firefox by default on Android.
You have proven exactly nothing, only that he enabled a very early version of Fission.
This is not proper site isolation in its current state!
And if you just read the whole discussion around it you would have realized that:
No, not only not comparable, there is no proper site isolation in its current state. Pls change the title of the above thread because people just stop at reading the title without the discussion and draw wrong conclusions.
Hi @celenity, love the project!
Do you know if the Matrix room is still up? I just found out about the project and wanted to join the room to keep myself up to date with the development.
All @Anonymous57 did was ask what the current consensus is on IronFox, in a thread dedicated to… IronFox???
Did you forget how to mute/unsubscribe to threads? Is there a reason you’re this aggressive against our project? I don’t know why you can’t just stick to objective, constructive criticism.
PG recommended Mull until its discontinuation. If you don’t think PG should recommend any Firefox-based browser, that’s fine, but I think that’s another matter entirely that isn’t directly related to IronFox.
There’s nothing wrong with people discussing IronFox and whether it should be recommended based on PG’s past precedent. If you have a problem with that, Discourse has a guide for new users here, you should take a look at it and learn how to disable notifications for topics that you don’t want to see people talk about.
Correct. We tested builds with it a while back, and found they were unfortunately too unstable for the time being. We’d obviously love to support it in the future though.
I have nothing against your project. I am against recommending any FF-based browser on Android, including IronFox. It is not your fault that Mozilla has treated Android security like it did. You do what you can to make the best out of it. Nevertheless, security shortcomings are significant (again, not your fault) and should be clearly mentioned and discussed before a recommendation can even be considered. You might also want to change your documentation because it makes it seem like site isolation is actually properly enforced, which it is not.
I 100% agree. To confirm, I’m not saying that the security shortcomings shouldn’t be talked about; they definitely should be.
So my issue wasn’t really with you pointing that out, it was more so just that you responded the way you did to someone who was just asking about the current consensus.
That’s probably fair. I don’t think it does nothing like you previously stated, but I do acknowledge it’s not comparable to Chromium’s, so I can edit that to make it clearer.
IronFox (and Phoenix) must not be recommended at all.
They’re wrongly applying an egregious amount of per-site overrides, fundamentally breaking the given crowd aspect of either FPP or RFP on their own.
This results in users of IronFox having uniquely evident fingerprints.
Additionally, the criteria for these exceptions are completely arbitrary and undefined.
It also breaks the given understanding of how fp resistance should work.
They’re basically pulling a Kicksecure: taking something insecure (Debian) and putting 1 trillion million changes on top to make it “secure” to fool users.
For the curious (I was), here’s the devs’ reasoning for what AstraKitten pointed out:
IMO, this seems like a reasonable approach for the threat model they’re aiming to protect against, i.e. naive fingerprinters, per their own Limitations and FAQ pages.
While this does result in not maintaining the same fingerprint as Firefox users with RFP enabled, the overrides seem relatively minor and make it so you’re NOT stuck needing to choose between RFP+breakage or no protection at all.
This was a good reminder for me to actually review a project’s github/lab/codeberg tho, I wasn’t aware of this.