Revise statements on Gecko browsers (Android) to make security shortcomings clear

Awesome

And this is one of the reasons why the browser should have a great content blocker. Gecko-based browsers on Android are the only ones where you can install uBlock Origin and enable its medium mode, which blocks all potential third-party trackers, iframes, and scrips by default, adding a significant amount of security to the browser.

Tbf, users who use Gecko-browsers at least have an option to get better protection with uBO’s default-deny (3rd-party scripts and frames) mode against websites’ compromises recently [1] [2] [3].

Even when I want to, there’s no options for me to do that on chromium browsers (or I haven’t found it yet?). And that’s the most common attack in case of websites’ compromises. On the contrary, I still can’t find which attacks did affect just Gecko browsers and not Chromium with websites’ compromises that exploit exactly this concern (aka, it’s boiled down to jonah’s comment above).

1: Sign1 Malware: Analysis, Campaign History & Indicators of Compromise
2: Web3 Crypto Malware: Angel Drainer - Overview, Variants & Stats
3: oltacidergisi.com - popup · uBlockOrigin/uAssets · Discussion #23094 · GitHub

@moonwriting and @eqrlzo8t
I had used uBO’s medium and hard mode in the past. On many websites, some functionality breaks. And your only option is to try-fail-repeat whitelist the third-parties until you find out what’s needed for an acceptable experience. How do you know which of these are malicious and which not? You don’t. Which brings us back to having a strong security of the browser itself, independent of user behavior. Aside from that, extensions increase attack surface and weaken some security aspects.

I’m using hard mode on desktop and medium mode on mobile, with blocking all javascript at first (not the blocking js but the forcing websites to honor their noscript tag first), and I feel quite comfortable with that. Many sites work totally fine with their noscript tag (for example news sites). Contrary to what I think at first, there’s not that many 3rd-party sites that need to noop globally and mostly are familiar sites: google, captcha, cloudflare, CDNs…). Over time, there’s less and less time I need to noop more and I can effectively ignore all of other craps, including potential new malware domains.

That being said, I have neutral opinion about this. It’s fine for me if gecko browsers are removed or kept. What I mean is users are having options to protect against that threat. If someone is using what PG recommends (after removing gecko browsers) and wants to use default-deny and asks about that, I don’t know what answers I should give them. That’s a legitimate and an enhanced protection need, no one can deny that. Chromium and DNS’s blocking are exactly falling into badness enumeration because of that nature.

Sure extensions have a risk of increasing attack surfaces and weaken security aspects. But ironically, before we can dig and dive to find any real examples of those attacks against uBO, the threats of malicious 3rd-party injected into the websites that are blocked by uBO become more and more relevant.

I don’t understand what you mean. Since codebases are vastly different, the same exploit almost always works only in one of the two browser families, but not the other.

I mean all of the threats we are discussing here are on high level theory, it would be better for everyone to understand how the attacks towards Gecko work in real example, real websites or real exploits.

Picking out one or two exploits does not help in evaluating browser security as a whole. You can only evaluate that based on a technical analysis of the browser’s security model and mechanisms.

Yeah sure. I haven’t denied any security evaluations here. As I said, I feel fine for any way of dealing with this. It’s just the reality of the threats are different to anyone, and it’s just pointless if they are using a supposedly good security browser but could not protect themselves when real incidents appeared. Security field always needs to examine any of “one or two exploits” to study further more. If everyone just ignores those “one and two” and studies something on heaven, it would be useless on earth (and actually “one or two exploits” already affected thousands of websites, and thousands of scams/phishing 3rd-party frames are born everyday too, and the chromium’s protections against these are just minimal, sorry).

If you don’t understand high-level concepts of browser security, you will have a very hard time understanding exploit chains in modern browsers. It’s a lot harder to understand the latter und you will mainly learn about some edge cases, memory or logic issues an attacker abused and chained together. It really does not help that much in evaluating browser security and will just make things more overwhelming than they already are.

I’m against this proposal and find its harmful for a website that educates people how important privacy is. There’s a lot of talk about how insecure Firefox on Android is, yet not a single PoC that shows that those “insecurities” having any impact. You know, PoC||GTFO as they say.

Dropping Firefox from recommendation is going to extremum. Yes, you get more security features but less privacy due to using a browser from a world’s largest adware corporation.
(at the same time using Tor Browser in the most hostile environment possible (literally darknet) is fine). Firefox is the only browser that at least tries to respect user’s privacy and choice. This is the only browser with fully featured uBlock (or working at all soon). This is the only browser where you can reduce your fingerprint beyond every other browser (ever heard of ankerfox for chromium?).

Just to show you how bizzare this proposal is, imaging replacing all the Linux recommendations as a desktop OS with ChromeOS just because it’s more secure (there was no xz backdoor on ChromeOS, there’s a better security architecture and process isolation, literally no way to run untrusted binaries except for VM).

Yes, I get you, there’s no per-site isolation, but that’s not enough reason to brand it as “very lacking security”. This is just a single layer of defence, the lack of which haven’t had real world impact. Not to mention Mozilla is still working on Fission which should put security-sensitive people to rest.

I understand that. Everything was being discussed in general, and I did not have any opposes to that, then someone was starting to slip real threats of compromised websites situations to users, and the discussion was switched to that and seemed like starting to endorse chromium due to that. I was simply giving how those real threats work, and gecko has an option to protect that. Others was talking about websites load content from many different third-party sources, and suddenly I am not allowed to give how users can protect against third-party frames with gecko, not chromium? Suddenly it becomes too specific because of that, not privileged enough for other security experts to bat an eye on, and I become non-knowledgeable of high-level concepts person?

Well, this is definitely not the only way to do this. Usually, it is quite straightforward to figure out which domains you need to noop to get the site to work, and if you’re in doubt, you can always look up that domain with your favorite search engine to see if it is malicious.

Also, if you’re not visiting sketchy sites, it probably would be rare to encounter malware-infected sites regularly. Regardless, in these situations, uBlock Origin’s medium mode would protect you by default, while with something like Vanadium or Brave, I have to hope that the different block lists have included these domains.

I definitely see the merit in this argument, and the case against Firefox’s security on Android has been a major interest of mine for a long time. There doesn’t seem to be any denying that Chromium-based browsers are vastly superior in terms of security; and it seems pretty important, as browsers are our main gateways to the Internet at large.

The question that rolls around in my head a lot is: what happens when we turn enough people away from Firefox on Android that it doesn’t become feasible for the company to maintain a mobile version of the browser? What will happen when we allow Chromium to become the only way to browse the Internet, a piece of software that’s in the hands of one of the world’s greatest threats to personal digital privacy? Chromium is already a monopoly, but as long as alternatives exist, users at least have the option to jump ship and use something that does provide privacy, albeit at the sacrifice of world-class security.

I guess the question boils down to whether we’re willing to take the risk of inferior security versus giving up just about the only other real option we have to browsing the Internet on our mobile devices. Which threat do you feel is greater in the long-term? MV3 is one of the main arguments that I see in favour of not giving in to Google’s monopoly, and many people say it won’t be as bad as it’s been made out to be, but what will happen when Google decides to really clamp down on our browsing habits in the future and we have no option at all but to adhere to new standards? Would companies like Brave be able to undo major, fundamental anti-privacy changes made to Chromium if Google were to implement them? How much of our digital privacy is Google allowing us to make tweaks to browsers like Brave and Vanadium rather than totally closing us off completely because it’s affecting their ad model? A lot of the time I feel that we rely too much on Google providing us with certain freedoms and technologies, but that reliance could turn into a disaster should they ever decide to change things up, like if their profit margins dip too low. Alternatives like Firefox exist so this doesn’t have to be a reality for those that don’t want to completely rely on major corporations.

Obviously this is more of a “what if” scenario, and one that’s more focused on a potential future rather that what the reality of the situation is right now, and right now the argument against Firefox and it’s lack of important security features is sound - at the same time, a future where Google has control of all of our online traffic seems a lot scarier overall than the potential threats we face when we use Firefox to browse the net. We also know that companies like Google are excellent at implementing slow but gradual changes over periods of time that ultimately end up chipping away at our privacy and digital freedom, and one day they’ll have complete and utter control of the way that we use the Internet, and if no real alternatives exist, what do we do?

The only reason Firefox is still around is due to the number of people that are still using it, but we know that the usage numbers have dropped significantly over the last few years, and will likely continue to do so. Is it within our best interests to make recommendations that facilitate safer browsing right now but those same recommendations may hurt or outright destroy our digital privacy in the future because we pushed users away from the alternatives? It seems like it’s almost the antithesis of what a project like Privacy Guides is attempting to achieve, especially if we are looking to safeguard our privacy both now and in the future - and it already feels like we’re on the losing side here.

I feel that Firefox should remain a recommended option, but with the appropriate caveats attached, and allow users to at least have the choice of using a browser that isn’t developed by a single, monolithic company. Google already controls so much, and I already give them plenty of my data by using many of the services that they offer, but Firefox remains one of the few ways that I’m able to access the online world in a somewhat sovereign way, and it would be pretty dystopian if that got taken away. This is obviously a philosophical argument against a technical one, but I do feel that it has real implications for the way that we use the Internet, especially in coming years. Personally, I’m willing to make the sacrifice of some security if it means keeping Firefox’s numbers up and giving them an incentive to continue providing an alternative browsing option on mobile.

You don’t get less privacy with some Chromium browsers like Brave.

I provided lot’s of information. You don’t seem to understand how browser security evaluation works.

Sounds like you are a true browser security expert /s

Firefox by-default has plenty of telemetry, sends search queries to Google and other invasive nonsense.

If you read the sources I linked you would understand that while it is a major concern, it’s not the only one.

Of course it had real-world impact.

Android is by far the most used OS in the world, yet Mozilla never put enough effort into Firefox to compete with Chromium. Thus, I don’t think a few more or less users will change that.

That’s true - but would Firefox receive the same amount of money if they had a fraction of the user base they have now?

Being all snarky rarely helps, especially when it goes agains forum guidelines. I understand you may not interested in a healthy discussion, but let me leave some notes on your response.

And yet I have a unique fingerprint on Brave.

Um, nothing except for possible attack vectors and opinions of some over conscious security folks? You also make a lot of assumptions about someone you see for the first time.

Somehow that should invalidate my point?

I’m not aware of instances where Mozilla records everything you do in a private browsing mode.

I did, -ftrivial-auto-var-init or native allocators is nowhere near a major issue, leaving aside the ridiculous “not enough Rust” claim which applies to Chromium itself.

Um, “trust me, bro”? Also, before posting sandbox escapes in Firefox which are most definitely happened in the past, consider that every code is suspectable to bugs, including Chrome, like the famous WebP vulnerability, this one or this one (from the same Pwn2Own contest you mentioned when talking about sandbox escape in Firefox but conveniently omited that Chrome had it’s own).

This discussion about Firefox and its security reminds me of the long discussions in my country’s judiciary, as well as in the Linux world in general.

I’m an ordinary user who found the site by chance.

I want to ask a few questions and get simple answers that anyone can understand:

1. Which browser engine is more secure by default, disregarding bugs that can appear at any time: a) Firefox or b) Chromium?

2. What are the dangers of the lack of “per-site process isolation”? What kind of malicious attacks can be abused by this lack of a feature?

Question 2 refers to a time, a few years ago, when it was relatively easy for one site to hijack another, or another’s data, and I suffered from this on a famous news blog\site in my country.

In my country this is no longer news with the advance of security in browsers, especially Google Chrome, because most users use it. As Firefox has never had a sizable user base here, no one paid any attention to whether or not it was possible to exploit it, considering that it was a flaw in the site but also something allowed by the browser.

Anyway, about ideologies and facts:

1. install Firefox and Brave and compare which of the two offers better security and privacy protections by default, whether on Desktop or Mobile.

2. An average user clicks on ads on facebook, instagram and other social networks or instant messengers, does a search on celebrities or the topic of the moment and clicks on random sites, does academic research and looks for other sites, looks for a job or new ways of working and also finds other sites, and so on.

2.1 Question: In this situation, which browser protects my security and privacy the most, Brave or Firefox by default?

2.2 Even without ad blockers, which of the browser engines would protect me more when surfing the internet?

Please, when answering my questions, consider that not all people concerned about privacy have the time or knowledge or even the ability to distinguish between which privacy sites are good or not, but they may have the ability to see indications that one site is better than another, and may thus blindly follow their lead.

Is talking about threat modeling important? Yes.

In practice, in the real world, this modeling is done by security and privacy enthusiasts.

If I share this site with my grandparents, family and friends, they want to know the recommendations for what they can replace, and why.

I can see that the forum serves enthusiasts, but who does the recommendations site and knowledge base serve? What kind of people?

Enthusiasts? Ordinary people?

My 70 year old grandfather, my 80 year old neighbor, my 15 year old cousin, these people log onto the site and are able to make a decision based on the recommendations, without having to make a colossal effort and go down Alice in Wonderland’s rabbit hole?

As someone who found this site by chance during a simple privacy search, I personally would recommend keeping everything as simple as possible, for everyone, and using simple thinking.

Is that safe? Is it exploitable by default or through a bug? If I install it and don’t touch anything, will I be fine?

Starting from that and then moving on to the next.

I’ll change my browser settings, for example. But my cousin, my grandfather and other people won’t.

“But, hey, it only takes 5 minutes to change all those settings”

Hey, really? It’s a pain in the ass to do that, even if it only takes a little time.

“Privacy is a conscious practice, if you’re not willing to give of yourself, that’s your problem”

Yes, it’s a conscious practice and changing apps is already a huge achievement, changing app defaults already changes usage patterns and requires learning, even just by switching from Google Chrome to Brave on Android, for example.

Some people don’t even know that there is such a thing as an “extension store” in Google Chrome, let alone Firefox, to install uBlock Origin, for example.

Besides, if you have to make such an effort to be private, what’s the point of creating private apps by default?

Brave and ProtonMail are excellent examples of “get it and use it” that I can recommend to anyone.
TutaMail would be another, if it didn’t block search for emails older than X days.

Mullvad Browser limits the search for websites in English. Can you imagine what a problem it would be for a Chinese, Arabic or other user with characters other than Latin to use this browser?

I’d also like to remind you of something:
STANDARDS ARE IMPORTANT.

Everyone knows Google Chrome because of Google’s advertising power, but another reason is that it comes as standard on practically every Western Android phone.

Now, speaking from my day-to-day experience, I’m able to teach about privacy just by replacing Google Chrome with Brave and thereby capturing the person’s attention, because in a few steps they’ve gotten rid of a very annoying nuisance, the ads, and with that they’ve gotten less mental and visual fatigue.

I demonstrated in practice the existence of “another world”.

You can do the same by installing uBlock Origin in Google Chrome or Firefox, of course.

But on these two it won’t have as big an impact as installing Brave for one simple reason:
The importance of the IMPACT that STANDARD features have on people.

Finally, I’ll ask one last question:
Does Firefox by default offer the security features I need to enter unknown sites with the best security available in today’s internet browsers?

Yes or no?

Translated with DeepL.com (free version)

Watch out for the rabbit hole and remember the site’s target audience, or the change you want to bring about in the world through this site.

To wrap it in general, some here just want to discuss about the security within the browser/OS and their processes of sandboxing, isolation or memory safety, etc… and nothing else.

In that case, just gently remind any topics of “real cases/API/tools” as not appropriate here. Don’t catch any comments that slowly slipped into those topics (but bias towards chromium), and started to endorse that comment and chromium because of those “real cases”, while pretending to ignore the most common attacks that represent those topics. Apparently other people will refute immediately due to the nature of which threats are more likely to occur towards real users.

If you just want high-level discussions, stick to it fairly, don’t play 2-sides.