Revise statements on Gecko browsers (Android) to make security shortcomings clear

I think there is some good discussion going on here, I hope that it can stay constructive and not turn adversarial as these topics sometimes can. I think there have been some valid points brought up from all sides. If this was a simple black & white case, we wouldn’t be discussing it here now and it wouldn’t come up so often. Like most things (maybe more than most things) there are many shades of grey here, nuance and context are important. The more we all acknowledge that, the greater the likelihood that this conversation stays constructive.

Broadly, what @jonah wrote here resonates with me:

Focusing too much on details like this which cause unnecessary anxiety and inconvenience for people is distracting us from the real problems and bigger threats. This is not a Privacy Guides-specific problem, but a major problem with the cybersecurity sector as a whole.

I’d say it isn’t just cybersecurity, it is a problem in tech more generally or even STEM more generally. I know it is something I am often guilty of (most of us are at times). It is a problem somewhat akin to missing the forest for the trees, in this case it is like fixating on the technical superiority/inferiority of one or two specific trees to the point of losing sight of the forest. Those specific trees absolutely deserve attention, but not to the point that every discussion of the forest.

You make it sound like there is only the choice between Chrome, Edge and Firefox.

I don’t believe that is the point @Jonah intended to make. It is not framing Firefox as the only alternative to Chrome/Edge, so much as acknowledging where the majority of Privacy Guides’ target audience starts out, advocating meeting people where they are and providing advice that is most useful/helpful in that context. To some degree, PrivacyGuides, GOS, and Madaidan’s (somewhat dated) blog are speaking to very different audiences, with different focuses/priorities, and different levels of technical knowledge.

The point that I think was being made, is that overfocusing on technical minutiae–while interesting and valid in the right context–can be a disservice to the broader PG audience, as it distracts from the much more impactful and approachable ‘low hanging fruit’ that will have a larger impact on privacy and security overall. And equally importantly or more importantly can lead to feelings of being overwhelmed, indecisiveness, and be de-motivating, to less technical users.

With all that said, I want to be clear that I’m not trying to be dismissive of some of the quite specific points being made about differences in sandboxing/security. I think they are very deserving of discussion and I think this forum is a great place to discuss them. And I do hope that Firefox/Gecko continues to close the gap, particularly on mobile.

7 Likes

Official recommendation of PG is yes at the moment, but is getting discussed here. I would be very cautious with using something which security aspects and some security researchers speak against. There are Chromium browsers, like Brave or Vanadium, which provide good privacy and security, so why significantly sacrifice on the latter by using a Gecko-based browser?

There will always be someone who does not like something and would weigh this higher than recommendations or technical aspect. Some people will use PaleMoon, others won’t update their system out of fear of backdoors, others will root their Android system and grant access to shady apps. Should we give a recommendation to everyone who does not like something? I think we should give recommendations based on technical facts, not based on ideological reasons or popularity.

2 Likes

This is an unfair comparison and doesn’t help this conversation.

The concern related to Chromium-based browsers and their monopoly isn’t purely an ideological one. We have seen what happens when a single company has a monopoly on web browsing. Do we really want to repeat that history? Google’s role in developing new web standards is already too dominant, and it can have significant negative consequences that are very much technical in nature. A good example is the consequences that Manifest v3 will bring, such as content blockers being significantly less powerful, and it will be much easier for Google to break their functionality on sites they want as the filter lists will only get updated when the extension updates.

10 Likes

True.
In this case the decision was made to add Mull to the page, why open it again?
I’m fine with Mull being added, for reasons already mentioned. I’m not using it anymore for reasons also already mentioned (I’m on GrapheneOS).
If someone gets exploited because of refusing to use a Chromium Browser, whose problem is that? Not yours and not mine.
I mean guys, what’s the goal of this thread? If it gets changed again, someone else will show up… And again and again…
Or like in this thread, someone asking me to remove a tracking parameter out of a link I posted. I didn’t even know it was there. But in reality, you are responsible for protecting yourself, not someone else. In this case a mod did the job for him…
My threat model does not include enumerating badness:
https://madaidans-insecurities.github.io/browser-tracking.html
For me I am sharing information.
To make it short(er)
While on this journey everyone is responsible for the decisions he makes. He is responsible for protecting himself by defining his threat model, working it out and following it.
If it doesn’t work he is responsible for that as well.
In this sense, don’t make other people’s problems yours and definitely don’t let other people make their problems yours.
Good day for all y’all :space_invader:

4 Likes

Forking it and modifying it to a browser vendor’s liking would be easier than maintaining a complete browser engine like Mozilla does. Even Microsoft gave up competing with Chromium.

Weakening ad blockers was not the goal of Google. They could easily ban ad blockers from Chromium through other means if they wanted to. MV2 extensions were massively overprivileged and I don’t want to know how many users got malware through extensions or through previously good extensions which got sold to bad actors.

Have you read my previous comments? I explained why.

Of course it’s not my problem if someone doesn’t use a Chromium browser, but that’s not what this discussion is about. This thread is about security aspects of the recommendation of Mull on PG, and possible changes/deletion.

1 Like

@jonah has written an excellent comment about this on the Techlore forum which refutes this point. Don’t you think it is naive to believe everything that Google, the world’s biggest advertising company, is saying about their intentions regarding Manifest v3, which just happens to heavily restrict what content blockers can do?

10 Likes

Well, be careful of MV3, slowly they will revive the “security-concerned” features one-by-one while still restricting blockers easily

You can no longer load and execute remotely hosted files according to Chrome Web Store policy.

vs

Manifest Version 3 (MV3) restricts the ability for extensions to use remotely-hosted code since it is a major security risk (stores cannot review or audit code that isn’t in the extension package). This is directly at odds with user script managers, which fundamentally require the execution of arbitrary code (the user scripts themselves). This created a feature gap between MV2 and MV3.

Objective

Allow extensions to inject user scripts programmatically into web content given a target context.

:wink:

1 Like

I really don’t care about the whole MV3 thing, because extensions never have been a good way to deal with missing browser features anyway. They have many downsides, including security, and features should be built-into the browser like on Brave.

Can we just stick to the security of FF and Chromium on Android in this thread? Extensions on Chromium are not available on Android anyway, so further talking about MV3 does not help. Unfortunately there have barely been any good security arguments in this discussion so far.

I’m not the one who started it. You guys were discussing about it and I’m not allowed to reply?

So what do you propose to change it to?
What I was getting at:
In reality it’s not just Chromium, it’s only Google Chrome, Microsoft Edge, Vanadium and Brave on mobile with Chromium Base.
Exclude Vivaldi (Reason can be found in this Forum), Opera, DuckDuckGo, probably Cromite etc.
It’s also so, if you make it too technical people won’t understand and their minds will snap shut.
So I believe, in addition to everyone being responsible for themselves, to keep it as simple as possible.
For privacy guides.
As far as I have come to understand this page it’s a guide for the “general population that is interested in privacy”, which I am a part of, so what can we offer them?
The reality also is, the general population doesn’t give a s.it about privacy. Since “they” already have all my data anyway.
A few privacy aware people will end up here sooner or later and even less will pursue it further than this, or get lost in FUD
For example, not few open source apps are insecure but people feel safe using them, because it’s not a Google app.
Example would be Silence SMS app.
So, while this post might not seem to be on topic, for me it is:
So before privacy aware Mobile Users go and install Firefox, Fennec or even worse Tor just give them Mull.
“Warn” them before you do it, suggest them how to set it up and wish them well.
And get on with it.
Edit:
If I were on standard Android I’d have it installed, next to Brave. But since I’m not I’m trusting the Devs of the OS I use (keep it simple)

1 Like

Sure you can reply :people_hugging:
But bear in mind the topic.
Also I think the post was not only about you.

1 Like

See:

Only exception might be Tor Browser (preferably with security slider to safest and a warning about the security shortcomings), because there is no alternative if you want to stick to the Tor Browser crowd.

Regarding browser recommendations, I am happy to just recommend Brave (and Vanadium for GrapheneOS). Cromite and Mulch come to mind as possible fallback browser candidates, but this should be discussed separately.

Cromite won’t be added until its maintainer allows us to. Mulch could possibly, but that discussion hasn’t really been picked up by anyone yet.

6 Likes

I’d like to just remind that Cromite is the only fully FOSS Chromium browser and that Fennec F-Droid and my Mull are the only fully FOSS Firefox browsers on Android.

If you only recommend e.g. Brave, then you are only recommending non-FOSS options.

Additionally with regards to security, only Vanadium and Mulch enable CFI and MTE. Brave and others do not.

edit: removed brave 64-bit thing

7 Likes

Is there an open Brave issue about that already or should we ask them?

1 Like

@jonah
edit:
Actually, I just re-tested and I can’t repro anymore.
So maybe already fixed.

1 Like

Before opening this thread, I was using Firefox fully, both on my desktop (Ubuntu) and on GOS, and had been for years. I was really unaware of this problem, but after reading the various links shared, I quickly replaced Firefox with Brave on mobile. I learned a lot, thanks for the links.

For someone who wants to invest even a little in privacy and security, there are sacrifices to be made in terms of convenience, options and possibilities, and sometimes you even have to pay the price.

By switching from Android to GOS I’ll gain in security and privacy but lose in options and personalization.
By switching from Microsoft to Linux, I’ll have to search for information and learn a little how to use the terminal.
By switching from Gmail/Outlook to Proton Mail/Tuta I’ll have to pay for more options.
If I switch from GDrive/OneDrive to Proton Drive, I’ll have to pay for more space (15 GB free with Google and MS, and 5 GB for Proton).

These are just a few examples among many, but it’s like alchemy, you can’t have everything, and there are sacrifices to be made, which anyone interested in this must understand.
If Gecko represents a real problem in terms of security and privacy on Android, then I think it would be wiser to remove Mull from the recommendations.

I don’t like Chromium either because Google, and for me FF is the only alternative to its monopoly, and if for my security and privacy it makes more sense to install a browser on Chromium rather than Gecko on mobile then I’ll do it.
On Linux I’ve stayed with FF, so I’ve made the sacrifice of losing convenience by no longer having my favorites, history, link sharing etc. with my mobile.

Translated with DeepL.com (free version)

1 Like

Hi all,
I reworked the first post for more clarity. Since reworking the original post is a bit critical, I hope it is okay for the moderators, since I tried to leave the general statement intact. Otherwise feel free to contact me.

Android Gecko browsers shouldn’t be recommended. Most people will never be targeted, but everyone visits countless sites every day, and any of those sites might have a zero-day vulnerability deployed on it either by the site owners or malicious actors that compromised that site. Browser security is one of the most important things for regular people. Telling people to only visit the sites that they know is nonsense, and even then, even those known sites can’t be trusted because they could be compromised by an external attacker or by their owners.

1 Like

This. And many websites load content from many different third-party sources, which all could potentially be malicious (e.g. malvertising).