Revise statements on Gecko browsers (Android) to make security shortcomings clear

Thx Jonah for reworking it. It’s definitely better than before. Although I would prefer Mull to be deleted as a recommendation. Unfortunately the text box still just talks about site isolation, only in the footnote it mentions isolatedProcess but does not explain what this means. The major problems are missing sandboxing, which is even more important than site isolation, being behind on exploit mitigations and lack of site isolation. Providing links to the GrapheneOS website and Madaidan’s blog would be helpful for further explanation.

Btw. the much more common technical terms are site isolation and state partitioning, not per-site process isolation and per-site data isolation. I have not seen the latter aside from a few privacy communities. I would recommend sticking to the industry standard terms to avoid confusion.

2 Likes

Bruh, some here act like they didn’t take the smallest chance to slip the “real cases” here then outright didn’t allow others to talk about it

To wrap it in general, some here just want to discuss the security within the browser/OS and their processes of sandboxing, isolation or memory safety, etc… and nothing else.

In that case, just gently remind any topics of “real cases/API/tools” as not appropriate here. Don’t catch any comments that slowly slipped into those topics (but bias towards chromium), and started to endorse that comment and chromium because of those “real cases”, while pretending to ignore the most common attacks that represent those topics. Apparently other people will refute immediately due to the nature of which threats are more likely to occur towards real users.

If you just want high-level discussions, stick to it fairly, don’t play 2-sides.

I don’t understand what you’re saying in either of your posts @eqrlzo8t

6 Likes

I mean, I would prefer it if Firefox had processes-per-origin without the isolatedProcess flag, than if they had their current setup but with the isolatedProcess flag.


I changed the terms for now, but I’m mixed on it. I think the reason people say “per-site process isolation” is to distinguish it from something like Electrolysis which creates isolated processes but not on a per-origin basis.

I have 0 interest in a common technical term if it is not clear to non-technical users, but maybe “site isolation” in this case is fine as we link to the Fission page as well.

6 Likes

Taken out of the Reddit Post:
Firefox and the Tor browser don’t implement a sandbox on Android and use one process. Even with their attempt at a sandbox on other OSes, sites aren’t ever cleanly separated into different processes. They only aim at protecting the OS from the browser, like the app sandbox. They provide far weaker privacy since everything can be so easily leaked via side channels. Chromium’s site isolation is one of the rare privacy features which is actually meaningful and accomplishes more than theater. It can be enabled for Android and will be the default soon at least on GrapheneOS.
https://www.reddit.com/r/GrapheneOS/comments/bg03np/browsers
What it says in Process Internals of my browser (actually every chrome://process-internals)


In this case I would just suggest, to make it simple:
Site per Process, cleanly separates Sites into separate processes to avoid letting other sites steal data via side channels. It also makes exploitation far harder.
The “problem” is, on Vanadium and Mulch every site is isolated. Not sure about Chromite. In Brave you can check for yourself, it’s logged in sites and I think cross origins but not sure on the latter.
It’s in “” because formulating will be someone else’s problem :sweat_smile:

1 Like

Yeah, the reason I like “per-site process isolation” is that it is a self-descriptive term. If you just hear something like “site isolation” you’d be forgiven for thinking that means the same thing as state partitioning, because state partitioning, well, isolates sites’ storage from one another :confused:

As far as I can see, this isn’t even true, which anyone can see for themselves at about:processes. The only person saying this is the GOS developer, but madaidan’s blog is more correct in this regard.

4 Likes

So I’ve read this entire thread but I’m definitely no cyber security expert nor do I have a great deal of knowledge with all the technical things that go into web browsers and their security so forgive me if this is a dumb question. From what I gathered it sounds like the problem with Mull or Firefox in general on Android is that if you visit a malicious website it can then collect your data and info (username, passwords, credit card numbers, etc…) from another website if you enter in that information. My question is: is Mull safe to use if I just browse sites but never input any info into it and it’s set to clear everything on exit? I liked using Mull for daily browsing (not a big fan of Brave) and Vanadium for logging into sites but this whole Mull being recommended and unrecommended has become confusing so I’ve just been sticking to Vanadium for now.

Depends on what the malicious website is doing. The difficulty of getting your browser exploited is significantly lower on FF browsers compared to Chromium.

If you don’t put sensitive data inside your browser and don’t deem what you do inside the browser sensitive, that’s definitely a plus. Clear on exit also, but only protects data from future exploitation.

Be aware that your OS is also less protected, not just browser data, because the untrusted_app sandbox was not designed for running code from 100s or 1.000s of untrusted parties a day. The isolatedProcess sandbox was designed with that scenario in mind and is much stricter.

GOS dev wrote this on Reddit 5 years ago. That statement is not up-to-date anymore. Multiple processes need to be properly confined to be a meaningful security measure.

Just to put into perspective how far Firefox is behind in terms of sandboxing and site isolation:

  • Isolated process sandbox was introduced in Android 4.3 in 2013. Firefox has not implemented it until today, 11 years later.
  • Site isolation has been enabled in Chromium (Android) since Chromium 77 in 2019. Firefox has not implemented it until today, 5 years later.

3 Likes
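
The post above distinguishes services that run in the app's regular `untrusted_app` sandbox from services that opt in to the `isolatedProcess` sandbox, and notes that extra processes only help when they are confined. As an added example (not part of the thread and not any browser's real manifest), this script audits a decoded `AndroidManifest.xml` and classifies each declared service; the package name, service names and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: decoded manifest of a hypothetical browser app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <application>
    <service android:name=".RendererService0"
             android:process=":sandboxed_process0"
             android:isolatedProcess="true"
             android:exported="false"/>
    <service android:name=".GpuService"
             android:process=":privileged_process0"
             android:exported="false"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def audit_services(manifest_xml):
    """Return {service name: sandbox class} for every <service> element."""
    root = ET.fromstring(manifest_xml.strip())
    result = {}
    for svc in root.iterfind("./application/service"):
        name = svc.get(f"{{{ANDROID_NS}}}name", "<unnamed>")
        # android:isolatedProcess defaults to false when the attribute is absent.
        isolated = svc.get(f"{{{ANDROID_NS}}}isolatedProcess", "false") == "true"
        process = svc.get(f"{{{ANDROID_NS}}}process")
        if isolated:
            result[name] = "isolated"
        elif process:
            # Its own process, but still confined only by the app sandbox.
            result[name] = "separate process, app sandbox"
        else:
            result[name] = "main process, app sandbox"
    return result


def has_isolated_service(manifest_xml):
    """True if at least one service declares android:isolatedProcess="true"."""
    return "isolated" in audit_services(manifest_xml).values()


if __name__ == "__main__":
    for name, kind in audit_services(SAMPLE_MANIFEST).items():
        print(f"{name:20} {kind}")
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a check like this can read it.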

I have not found a decent adblocker in mobile chromium browsers. FF with uBlock is just too good.

1 Like

Brave uses uBo under the hood and has fingerprint resistance. I just tested Kiwi Browser (chromium) on Android with uBo and it has a unique fingerprint due to WebGL and HTML5. A content blocker only solves trackers, not your fingerprintability.

I had used Firefox+uBO on desktop for many years, have used Brave afterwards (desktop and mobile) and Brave’s adblocker blocks ads about as well as uBO. Just if you want to do dynamic filtering, like medium mode, uBO still has more features. What Brave’s ad blocker does better is dealing with cookie banners.

Brave does not use uBO under the hood, but supports uBO syntax. The really nice part about Brave’s ad blocker is that it uses the networking stack directly and is written in Rust, which circumvents the security shortcomings of the mv2 extension system.

There is no way for you to know based on visiting a test site. People should really stop using these fingerprinting websites. But yeah, since it is a really seldom-used browser with barely any mitigations it’s not great in terms of fingerprinting and you could even end up being unique depending on your configuration.

2 Likes

I’ve pushed that PR to main, I don’t think it is missing anything that I can see.

1 Like

Why should I stop using these fingerprintability websites?

completed in Revise notes on Mull/GeckoView Android (#2542) · privacyguides/privacyguides.org@1ce9941 · GitHub