There's no questioning that Chrome's sandbox implementation is ahead of Firefox: they've been shipping it for several years, whereas Firefox only got its first one out in Firefox 50 (for content! They had a Flash sandbox and DRM/media decoder sandbox for longer), with the more strict ones being in the Nightly/Dev Edition branches. It's possible the real Firefox is not vulnerable to this exploit because of that, but we'll have to see.
None of this would have helped Tor/TBB, because it's based on an older Firefox branch, with no sandbox at all. This means most vulnerabilities are exploitable and lead to a total compromise. There's relatively few of those and they get fixed very quickly, but if you use Tor you are likely specifically targeted so any hole is very serious.
Parent sounds so bad because he seems to grade security by seeing how many CVE's the developer publishes, ignores the fact that browser exploits are often done by exploiting attack surface outside the browser (because all browsers are - relatively speaking to other software - secure), and conflating Chrome vs Chromium.
This particular bug is bad (it's a 0day - a security exploit found by bad guys before Mozilla or security researchers found it) but a lot of the buzz here is because such problems are rather rare these days, and because it's targeting Tor.
> Parent sounds so bad because he seems to grade security by seeing how many CVE's the developer publishes, ignores the fact that browser exploits are often done by exploiting attack surface outside the browser (because all browsers are - relatively speaking to other software - secure), and conflating Chrome vs Chromium.
By counting CVEs alone, Chrome would be the least secure since it has more CVEs than any other browser thanks to Google's bug bounty and fuzzing, most of them harmless.
What I counted were real-world browser exploits which is an excellent measure of security.
> such problems are rather rare these days
In Chrome, yes. They happen rather often with Firefox.
> conflating Chrome vs Chromium
Their security features are identical. It's the same code.
In Chrome, yes. They happen rather often with Firefox.
Shrug, I disagree. The fuss made here illustrates it: 0-days are rare enough that "rather often" is a serious mischaracterisation.
Their security features are identical. It's the same code.
You said: "And it being open source means that I can use without worrying about backdoors or data leakage." Which has nothing to do with security. Inspecting Chromium tells you nothing about what Chrome does, and using Chromium means you miss features that Chrome has (H264, Netflix, ...)
> The fuss made here illustrates it: 0-days are rare enough that "rather often" is a serious mischaracterisation.
A RCE in a browser is literally the worst possible case and Firefox had multiple of them, most trivially exploitable with JavaScript. This simply doesn't happen with Chrome.
> Chromium means you miss features that Chrome has (H264, Netflix, ...)
Google made an effort to open-source everything, including their PDFium PDF reader.
The only remaining bits are the Pepper flash player and the Encrypted Media Extensions. Both are closed source in Firefox as well. You can use them with Chromium just fine and both are sandboxed. They cannot be distributed with Chromium for licensing reasons, but nothing prevents you from downloading the Chrome package and extracting those two files. Many Linux distros have scripts which automate this.
I specifically pointed out H264 support (and you ignored it) because it's an annoyance when using Chromium. And yes, that's due to licensing reasons as well.
None of this would have helped Tor/TBB, because it's based on an older Firefox branch, with no sandbox at all. This means most vulnerabilities are exploitable and lead to a total compromise. There's relatively few of those and they get fixed very quickly, but if you use Tor you are likely specifically targeted so any hole is very serious.
Parent sounds so bad because he seems to grade security by seeing how many CVE's the developer publishes, ignores the fact that browser exploits are often done by exploiting attack surface outside the browser (because all browsers are - relatively speaking to other software - secure), and conflating Chrome vs Chromium.
This particular bug is bad (it's a 0day - a security exploit found by bad guys before Mozilla or security researchers found it) but a lot of the buzz here is because such problems are rather rare these days, and because it's targeting Tor.