Ask HN: Is Firefox better than Chrome when it comes to user security?
76 points by websap 7 months ago | 97 comments
Is it actually meaningfully safer for a user to use Firefox over Chrome?

It feels like Chrome being made by Google can employ more folks, respond to 0-days, with integrations for Google accounts, it provides a decent password management experience, passkeys, etc.

I understand folks have concerns with Google as a company, but ignoring that would the average user be safer using Chrome?




I will make a controversial comment:

My experience is that security is a function of simplicity and individuals having a complete understanding of the code and implications of changes.

Implications:

- A smaller team will generally lead to more secure software than a larger team.

- Many security layers are counterproductive.

In studies, bugs per KLOC are relatively consistent. A 100-line program can be fully auditable. One with a JIT in a virtual machine in a sandbox looks, on paper, more secure. In practice:

- There are many more places to introduce bugs.

- Beyond some level of complexity, it's impossible to understand the security model holistically.

- Bugs often cut across layers

- Layers are often used as an excuse ("We'll leave this, since that other layer will catch it").

Layers can be okay if they're well-understood, analyzed, and well-documented (e.g. postfix). However, the vast majority of the time, they're not. People pointing to bigger workforce or sandboxes in Chrome aren't selling me. It only takes one idiot.... And for sandboxes? I've never seen a clean block diagram of the Chrome security model.

To be clear: I'm not arguing which browser is more secure -- simply that the arguments in this thread don't sell me.


> My experience is that security is a function of simplicity

I don't think this is controversial at all. For example: I keep using uMatrix to block (by default) or allow scripts, frames and XHR because it's orders of magnitude simpler to use than the way the same developer added that functionality to uBlock Origin. I still use uBO to block ads and hide unwanted elements from the DOM. It's the difference between writing [pick your favorite high level language] and machine code. If all I had was uBO I would let those scripts run.


not sure why you say it's a "controversial comment"...

What you say is well documented and you made a reasonable comment!

The bigger the software, the more likely it is to be exploited...


> Many security layers are counterproductive

Where is this part documented? I've read that security is best done as a layered approach


I was about to ask for the same thing. All best practices within the security domain point towards multiple layers of security, simply to have some fallback if one mechanism is compromised.


> Where is this part documented?

i don't have any example over this part. Maybe the OP has...

Still, a layered approach is great "on paper" (and probably the best actual solution we have atm), but it is only great in practice if it's well coded and the op is right that in lots of cases there are numerous flaws.

yes, you have failsafes on the layer below, but then again... it's just another "challenge" to find the flaw...

If we have a simple and effective code (à la unix: do one thing, do it well), that has the possibility of becoming more effective than "flawed layers".

yeah... we can have multiple - simple - layers... but again... that will also raise the possibility of unforeseen flaws...

all in all: it's always a double-edged sword...

you're right and the op is right XP

(unless the layered approach is actually really really well coded!!! That's the ideal... but not many can do it!!! - i surely can't ahahah)


This is actually completely contrary to documented best practices. Best practices involve a lot of layers and processes. Defense-in-depth is best practice.

My experience is that only helps if each layer is carefully designed and analyzed at a level impractical for most real-world systems.

In most cases, unless you're designing Unix from the ground up, the better approach is KISS.


Let's not talk about privacy (because there is no point in talking about it: Firefox is eons more private than Chrome - or any of its based browsers - can ever be)

About security: Chrome has a bigger workforce, yes. but let's think about this a bit...

First, let's not forget that chrome is also a bigger target.

let's imagine this: Consider that 90% of the users worldwide use chromium-based browsers, and you are a hacker who wants to steal people's data or access their computers.

Would you bother targeting 10% of the users? Or would you just go after those 90%???

now add another detail into that thinking:

people who use Firefox are mostly techies, people who know about computers, gnu/linux users, developers, more security-conscious users, people who actually know and care about the tech that goes below, people that know what's happening in the IT world, and people that simply don't go with the flock without studying its path first... now... would you really bother targeting those when you have 90% of people - where probably 85% don't know anything about computers or just don't give a #$%& about it???

Would you go easy bait, or would you try to outsmart those who might be at the same level you are???

(sure, there are always exceptions!!!)

but then again... maybe that's just me...


This is exactly it. I used Linux on PowerPC for the same reason: Literally nobody was targeting it, especially compared to Windows on x86. Even now, why would anyone waste their time targeting desktop Linux on x86. Basically unheard of, because it's pointless (Except in targeted attacks.)


Thing is, targeting Linux on x86 will target high value users. Either servers, developers, sysadmins and the like. Yes you will hit less people, but the value of each hit is magnitude higher. It’s the same reason apps first target iOS rather than android: apple users have an easier wallet.


I covered that in my post. Those users are targeted specifically. There have been news stories about it recently. People don't develop general malware for x86 Linux that also happens to catch those users though. That was the point. If someone with resources is targeting you, you don't stand a chance regardless of what you do.


> Linux on x86 will target high value users.

I'm not sure i agree with all you said.

Servers: mostly are not on x86. Also they are a lot more difficult to exploit due to the security nature of linux (yes, they go down very often and nothing is unhackable)

developers, sysadmins: tend to have the hardest configs and thus making it a lot more difficult to hack.

So, afaik, most of the hacks in these areas are more due to human flaws than the systems per se.

Now, i do agree that for a group of hackers with profound knowledge and that is trying to hit really big, servers are more attractive. devs and sysadms alone/personally not that much! ... unless ... they are targeting the servers managed by those devs and sysadms and in this case, targeting the devs and sysadms personally make more sense - which tend to be one of the best/easiest ways to hack the servers - again, exploiting human flaw instead of system flaw.

naturally, this is my personal view! I may be wrong here!


What architecture do you think servers use? Some graphs I found with a quick google ( https://www.itcandor.com/server-q219/ ) suggest >85% market share of x86, what else would they use? ARM is still not very widely used in servers, I think.


> Servers: mostly are not on x86.

Let's agree that we disagree. I'll just say that I work for a cloud provider and non-x86 servers are anecdotal :) but their media presence is not, as it's the new hot thing and that's free advertising.

> developers, sysadmins: tend to have the hardest configs and thus making it a lot more difficult to hack.

yet those people have a cognitive bias of "i'm too smart to fall". and those people will have some practices that are so detrimental to security it's laughable. how many developers will shut down their laptop every day after work? compare this to the common practice of "just go to sleep" which will prevent browser updates, system updates, kernel updates, you name it. take a firefox that is months old with an unpatched ubuntu and you get the ideal ground for a browser escape combined with an lpe. and even without lpe you'll grab many many credentials.

imho those still are harder to trick, but not because the config is hardened, but because there is a config at all. for example a phishing that imitates a floating browser window with a fake login page would not work on me. not because i'm smart, not because my config is hardened or whatnot, but because good luck to the scam for finding the specific window decorations I have on my linux system. oh, and the fact that I use a tiling wm and thus floating windows don't exist. it's a side effect of nerds being nerds.

> So, afaik, most of the hacks on this areas are more due to human flaws than the systems per se.

This is not incompatible. "normies" will get tricked into downloading invoice.pdf.exe, but that's windows only. The payout for invoice.pdf.sh or whatever may be very high, but you need your rat or stealer or whatever to know linux.

> unless ... they are targeting the servers managed by those devs and sysadms

That was the precise reason I talked about devs and sysadmins. Infrastructure credentials, aws keys, you name it.

And as a dev/sysadmin, you don't need targeted attacks to get pwned. A malicious package on npm/gems/cargo is all it takes. It's a spray and pray strategy, but if you catch even a handful of people this way it might be the jackpot.


Most servers use Linux so that’s probably a more valuable target than Windows.


What hardware are you on?


I find this to be a bit of a weak argument. What you say makes sense, but if for some reason a glaring security hole is noticed, people are going to take advantage of it.


naturally! There are always exceptions and there will always be people that will bother targeting those 10%.

Even more: if they could create something that targets both platforms that will be even better...

The question will always be of Work Vs Gain. Will your work result in gain. Does it justify targeting those 10%? (if it's an "easy thing to do" then we'll all get targeted)


> Firefox is eons more private than Chrome - or any of its based browsers - can ever be

Some progress is made though...

Brave: https://brave.com

Thorium: https://github.com/Alex313031/thorium


Yes,

Especially Brave (within the Chromium-spectrum only) is probably one of the best choices (if we ignore some details, of course...)

Still, i actually have more faith in servo: https://servo.org


> i actually have more faith in servo: https://servo.org

Together with RedoxOS, COSMIC EPIC, and coreutils in Rust -- the future holds such great potential :)


RedoxOS, yes... I like that!!! :)

But i still prefer Genode/Sculpt + seL4 (https://genode.org)

they are doing amazing work there!!! If only they had a nice GUI (say... LXQt, for example)


Significantly more than just a nice GUI would be needed for general use, but it's certainly a fascinating proof of concept.


Going off the top comment’s simplicity is security paradigm, it’s hard to pitch Brave as a secure browser given its non-core complexity. (This would be as true if it were running a protein-folding simulation in the background as it is with its crypto bits.)


yeah... that's the "details" i talk about we have to ignore.

They take privacy and security seriously but then they have all these "extras" (ads, cryptocoins, rewards and a bunch of other things i don't like...)

All in all, i would say it's probably the best within the Chromium-based browsers, but i still don't use it!


10% of a couple of billions users is still a massive absolute amount of users.


> Firefox is eons more private than Chrome

*cough* safe browsing *cough*. /s

Enabled by default.


My understanding of safe browsing is that a local database is maintained and lookups happen against that. Eg: no information about the sites you're visiting is leaked.

Is this not the case / am I misunderstanding something?

Ref: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-...


Your understanding is not (entirely) up to date. At some point they switched to downloading only a list of (partial) hashes. If a URL matches a partial hash then the browser asks Google for a list of URLs for that hash. This can let Google get some information about what websites you visit. And those requests as well as the updates of the initial hash lists still ping Google with all the tracking possibilities that entails.
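
What a partial-hash lookup like the one described in the comment above exposes, as an added example that is not part of the thread and not Google's or Mozilla's code. It is a simplified model: the 4-byte SHA-256 prefix length, the server answering with full hashes, the `ListServer` class, and every URL and hash below are assumptions or constructed sample data.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 hash kept locally (assumption of this sketch)


def sha256(expr: str) -> bytes:
    return hashlib.sha256(expr.encode("utf-8")).digest()


def expressions(url: str) -> list[str]:
    """Host-suffix/path-prefix combinations checked for one URL.
    Simplified: no canonicalization and no cap on the number of combinations."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    path = parts.path or "/"
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    segs = [s for s in path.split("/") if s]
    for i in range(len(segs)):  # "/", "/a/", "/a/b/", ...
        paths.append("/" + "".join(s + "/" for s in segs[:i]))
    seen, out = set(), []
    for h in hosts:
        for p in paths:
            if h + p not in seen:
                seen.add(h + p)
                out.append(h + p)
    return out


class ListServer:
    """Hypothetical stand-in for the list provider; records what it is asked."""

    def __init__(self, full_hashes):
        self.full = set(full_hashes)
        self.log = []  # every prefix a client has revealed to the server

    def prefixes(self):
        return {h[:PREFIX_LEN] for h in self.full}

    def find_full_hashes(self, prefix: bytes):
        self.log.append(prefix)
        return {h for h in self.full if h.startswith(prefix)}


def check(url: str, local_prefixes, server: ListServer):
    """Return (unsafe, prefixes_sent). Nothing leaves the machine unless a
    locally stored prefix matches one of the URL's expressions."""
    hashes = [sha256(e) for e in expressions(url)]
    sent = sorted({h[:PREFIX_LEN] for h in hashes} & local_prefixes)
    confirmed = set()
    for p in sent:
        confirmed |= server.find_full_hashes(p)
    return any(h in confirmed for h in hashes), sent


def demo():
    # Constructed blocklist: one real entry, plus one fabricated full hash that
    # shares its first 4 bytes with a benign site to force a prefix collision.
    colliding = sha256("news.example/")[:PREFIX_LEN] + b"\x00" * 28
    server = ListServer([sha256("malware.example/payload/"), colliding])
    local = server.prefixes()  # what the browser downloads ahead of time
    return {
        "blocked": check("https://cdn.malware.example/payload/run.js?x=1", local, server),
        "collision": check("https://news.example/today", local, server),
        "clean": check("https://docs.example.org/guide", local, server),
        "server_log": list(server.log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `collision` case is the privacy-relevant one: the page is not on the list, yet the visit still produces a request carrying a prefix derived from it, while the `clean` case produces no request at all.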


> Let's not talk about privacy (because there is no point in talking about it: Firefox is eons more private than Chrome - or any of its based browsers - can ever be)

Firefox with its default settings is both less private and less secure than Brave. On iOS, Firefox has refused for years to implement an adblocker.

It’s best to say nothing if you don’t know what you’re talking about.


Brave with its default settings is both less private and less secure than LibreWolf.

> On iOS, Firefox has refused for years to implement an adblocker.

Blame Apple.


Mozilla deserves some of the blame for misleading users into thinking that Firefox is available on iOS when all they really provide is a Safari reskin.


The average user doesn't care about the underlying browser engine. Why should Mozilla add that to their advertising when no other browser maker on iOS is?


Err.. most other browsers on iOS do have an adblocker built in. It’s solely Mozilla dumping their users out in the cold.

These days ads are an attack vector. I’d never let my parents browse the web without a blocker.


The two most popular browsers on iOS do not support ad blocking, unless there's something I'm not aware of. I've never seen an ad blocker in iOS Safari or Chrome. Firefox on iOS has tracking protection which can block some ads if you believe the description of the setting.


Not real adblocking. If you care about your parents, get them a better device.


Not really. That's all Apple. Mozilla wants to try and provide the UI and experience and are doing so as best they can to satisfy their users requesting it.


> Blame Apple.

Blame Mozilla. Most iOS browsers have built-in adblocking.


No. Exit the RDF please. Apple and only Apple prevent you having choice over what browser engine to install.


Yes. Like, you are laughably wrong. I can literally see the Brave “shield” icon staring right back at me right there in the bottom right of the screen.


I guess you must be in the EU and on iOS 17.4 or later. I forgot that Apple were forced to allow other browser engines to be installed in the EU recently.

But aside from that recent exception, no one ever had anything except Safari on iOS, even if they thought otherwise.


Nope. Been adblocking on iOS in Brave since iOS.. 14? Maybe 13 or 15.

You should really do your research.


You've been hiding ads, sure.

You haven't been blocking them, because iOS with Safari didn't allow that.

Hiding, and blocking, are not the same thing. The former is far less secure than the latter.

As for blocking ads on iOS with Brave, well, it really doesn't work that well[0]. Why? Because iOS doesn't let you block ads, unless you are in the EU and on 17.4 or later.

You should exit the RDF and really do at least a bare minimum of research.

[0] https://community.brave.com/t/is-brave-even-blocking-ads-on-...


I.. what?

You really should read links you post.

Brave even has an option where you can choose to do:

- “aggressive” blocking (will refuse to connect to ad domains)

- “standard” blocking (will connect but block, to prevent breakage)

I will stop responding now because I’ve corrected you multiple times and you refuse to listen.


Jesus christ lol.

You're being fooled by marketing.

Just because Brave calls it blocking, doesn't mean it is blocking.

Again, just do some god-damn research. Really, the bare minimum. It isn't news to anyone educated on this stuff that Apple has never* allowed proper ad blocking until recently in the EU.

But, believe whatever you want. I get being too scared to leave that ever so comfy RDF you found yourself in.

Well, I tried.


yeap... i really don't know what i'm talking about, how would I...

I also don't like to go with the flock...

and... who cares about the defaults? You have the options you should care to configure things for yourself. if you don't know how you should search and instruct yourself to do it.

About iOS... Have you even considered that Apple has forced their rendering engine ( https://gprivate.com/6btxx ) and that alone makes it impossible to have an adblocker - yeah... apple is THAT great!!! (in fact, their products are the best of the best. You should keep using them...)

but then again... i don't know what i'm talking about, do I!!!

(also... you should learn how to be polite to others!!!)


You are misleading people into making insecure choices. Go check Brave on iOS right now and tell me that it doesn’t have adblocking.

Given that, telling you to be quiet is about as polite as it gets.


In terms of time to patch 0-day, Firefox is very quick to fix them (usually hours committed, days to publish). Chrome is quick too, so it's not a competitive advantage.

Most cyber-criminals, however, will target Chrome because it's way more used.

In terms of control, the password manager of Firefox doesn't need you to have an account. That is very important because, you want to use a password manager on the web and to be able to actually trust it. Google can close your account without previous notice.


Privacy aside, Google controlling so many parts of your life if you're all-in on the ecosystem is insane, and they can nuke it all at a whim with no recourse possible.

I was using Google Workspace for my family, then realised that if Google decided to nuke my account I would lose so much, and migrated away from Google's services to individual ones instead. Fastmail for mail, Tresorit/Dropbox for cloud storage, iCloud (with backup) for photos, etc.

Sure, you're still at risk if a company nukes an account but you'd not lose your whole online life.


Chrome sends every address that you enter into your address bar to google. I noticed this when I decided to look through my google history and it contained all my duck duck go searches. That was enough to put me off of it.


Isn't this the entire point of google history when you're logged in to a google account using chrome?


You might want to disable web history in google account settings. It's not a worrisome thing though, you're using an account, so syncing those is obvious.


crazy, i had no idea. why people still use chrome at this point?


The reason I was using duck duck go in those days was because I didn't want google knowing everything I searched for. It's caught up now, but it was a bit worse search in those days.


It depends on what you mean by safety.

Chrome is much more secure against browser exploits than Firefox. It is perhaps the most advanced piece of security software in the world.

Firefox is a lot more private than Chrome, given that Chrome is chock full of Google surveillance.

Ungoogled Chromium is the best of both worlds, but only if you manually build and update on a near-daily basis.

Note that most people’s advice on this topic is a non-expert, non-informed opinion. Browser choice is a pretty tribalistic, identity-tied thing. It’s like asking people “which is more secure, android or ios?”. (The answer is iOS by a mile, but most “security” types won’t give that answer because they don’t like it. Same goes with Chrome/Firefox.)


I use Firefox so I don't really have a meaningful experience with Chrome. What I can tell you is that any time I open the matrix of uMatrix (it's one click on the toolbar) I often see a zillion of sites and potential script and XHR requests. Only a few are really needed to display the content of page or even to make some complex UI work. In almost no case blocking the scripts for telemetry, error reporting, etc break the page.

So I wonder how much unnecessary information people using Chrome leak to those sites and the third parties that receive, log and possibly sell those data.


That's an important factor. Chrome now restricts "ad blockers", but those protect from more than ads.


I think chrome has better security model, sandboxing...

But Firefox seems to have much better security when it comes to reviewing extensions. Some popular extensions go through approval and source code review on every release.

Chrome Play store does not seem to have that. Google incentive even goes against something like UBlock. If extension gets sold, or developer account compromised, we may get widely distributed malware!


Firefox has extensive sandboxing. See https://wiki.mozilla.org/Security/Sandbox for some info, although I'm not sure that page is up to date


then why can firefox do containers so well (which is why i use it) and chrome can't sandbox this?


Unrelated things.

Each page runs in separate memory space. Chrome had this from the beginning for more than a decade, Firefox added very recently https://portswigger.net/daily-swig/firefox-debuts-improved-p...


>I think chrome has better security model, sandboxing...

It is also worth mentioning that Firefox is built with Rust, and Chrome mostly C/C++.


Isn't Firefox still mostly C++ as well?


Yes. And Chrome has made efforts to support Rust.


Looking at the pwn2own recent competition results, both Chrome and Firefox have been exploited. Overall it looks like they are more or less on the same level security-wise.

Firefox security has improved significantly in the last decade, it was pretty terrible back then. "Electrolysis" and "Quantum" certainly helped.


Chrome is more secure in aspects like the Sandbox. Check f.e. https://madaidans-insecurities.github.io/firefox-chromium.ht...


People should be using an external sandbox for their browser anyway.


Practically, the number of people infected with 0-day drive bys vs the number of computers compromised by exploiting the user is insignificant. A browser that helps me concentrate is _MUCH_ safer.


There is no difference for 99.999% of people.

You are so unlikely to get exploited by a browser vulnerability (if you update) that it's not worth writing about. The people powerful/rich enough have or can acquire an exploit for both.

The choice of browsers is more about what features you want and whether you want a browser engine monopoly or not. Firefox has a few features I like not present in chromium and it's also not part of the monopoly so I use it.


For average user both are secure enough and privacy is more important concern.

I don't think 0-day will be wasted on targeting random nobody.

To be more secure, only way is to reduce surface area. Someone like journalist should disable JS/cookies, all plugins and extensions and preferably browse through a locked down VM. Don't know if there is any minimal browser that has actively removed features.


Larger teams actually mean slower changes, and more likelihood that the code is not great.

Integrations for Google accounts can be seen as a privacy violation. Google doesn’t need to know what other services I am using.

Google’s password manager still has my passwords saved after disabling the feature AND manually “deleting” each one individually. Do not trust them with your passwords.


I think it comes down to your threat model.

For the vast majority of people (ie, 99%) there's no difference between the major browsers and the overall security they provide.

For that 1% the difference may be noticeable but pale in comparison to other things like solid opsec, etc. For instance, it doesn't matter what browser you use if you are using SMS 2FA and get hit with a sim-swap because you're bragging on Twitter about how your Coinbase account is sitting at $2MM.

On the other hand, if you're an international arms dealer your browser choice probably matters a lot more. Though, the three letter agencies already have your poster on their wall and you were pwned a year prior anyway. Even worse, if you're outside the US the drones have already been deployed.

The US isn't beyond blowing up hackers, look at Junaid Hussain[1].

[1]: https://en.wikipedia.org/wiki/Junaid_Hussain


I would probably say it's impossible to tell so both are equal in that security regard.

I would say other things like tracking for example pose a higher security risk and for that reason makes Firefox the safer choice. But you have other browsers that build on their engines like Librewolf and similar that are even safer.


I don't know if it makes sense to ignore "Google as a company" for this question. You can employ as many people as you want but it won't make a difference if you don't incentivise responsible and secure engineering.

Also, doesn't Firefox also have a decent password management function?


Firefox is much more private, but Chrome is more secure, although I don’t know to what extent and whether there is a difference in practice.

The main consideration is chance of zero days. Anyone knows?


This is only an indirect measure, but:

1. CVE Chrome vulnerabilities: 3415 (https://www.cvedetails.com/product/15031/Google-Chrome.html)

2. CVE Firefox vulnerabilities: 2622 (https://www.cvedetails.com/product/3264/Mozilla-Firefox.html)


Another non-technical consideration is market-share. Firefox's share is low so exploiting a zero day on Chrome is much more profitable than on Firefox.


True, but I suppose this is at least partially compensated by the cost of such a 0-day. For sure, a 0-day on Chrome is a lot more expensive than one on Firefox


Last month, there was a significant buzz among those involved with Google Search (which includes almost the entire modern internet and all its developers). "Erfan Azimi," the owner of an SEO firm, suddenly began sharing leaked documents revealing how Google's ranking system works. It's more complicated than just the search itself; it involves various APIs around it. Nonetheless, these APIs reveal a lot. The leak happened when a Google developer wrote a program to convert API calls into his preferred programming language but accidentally published everything (if you're interested, I've included a link to the commit with all these descriptions [1]).

Multiple confirmations from reputable sources, including former and current Googlers, have verified the authenticity of this leak. It's not a hoax or a joke but a genuine breach of information that has piqued the interest of all SEO researchers. Here's a reliable summary of the findings:

– Google has allowlists of manually optimized sites, at least for certain topics, such as the 2020 elections or COVID-19.

– Domain names and subdomains are significant factors (despite Google's previous claims).

– There's a sandbox for new sites, which Google has always denied.

– Google directly uses data from EWOK (a system where paid users rate the quality of search results).

– User behavior on sites is actively used for ranking.

– Click data is collected not only from Google Analytics but also directly from the Chrome browser.

– Sites are categorized based on click volume, affecting their quality ranking and PageRank contribution.

– Google considers the overall brand size, including mentions across the internet, not just links.

– Content and links are secondary to clicks and site navigation behavior.

– SEO is almost irrelevant for most small companies and sites without a brand, user base, and reputation.

This is a monumental event in the world of Google Search, marking the most significant leak in the past 10-15 years. It suggests a potential discrepancy between Google's public statements and its actual search practices [3]. The strategy has shifted towards clickbait and bot farms, challenging the long-standing belief that 'content is king.' Unsurprisingly, Google has chosen to remain silent [4]. I recommend reading this article on iPullRank [5] for a more comprehensive understanding.

If you want to stop giving all your data to Google, consider using a non-chrome browser like Firefox.

[1] https://github.com/googleapis/elixir-google-api/commit/078b4...

[2] https://sparktoro.com/blog/an-anonymous-source-shared-thousa...

[3] https://www.seroundtable.com/google-chrome-search-usage-1561...

[4] https://www.theverge.com/2024/5/28/24166177/google-search-ra...

[5] https://ipullrank.com/google-algo-leak


i am not a security expert but i got a counterpoint for the "workforce" argument for why chrome might have better security - firefox is better the same way macs or linux desktops are "more secure" than windows.

imo having a much smaller market share disincentivizes exploiters from searching for ways to attack browsers like firefox. this is the same argument used for the aforementioned os. it is very optimistic to assume that either side is able to fix all vulnerabilities, as both have been shown to have 0-days recently.

on the other hand, just like in linux, you need to trust the developers publishing extensions as i don't find moderation quite as competent as google's (even though theirs is also very lackluster overall).


Worth checking out.

The Mullvad browser is a privacy focused version of Firefox (based on the TOR browser with the TOR part removed). It runs fine without the Mullvad VPN.

https://mullvad.net/en/browser


I think so, but maybe not much better. I use noscript so I think that helps a lot.

But, I tend to think on OpenBSD both chrome and Firefox are more secure than other systems because those are patched with pledge and unveil. So most of the system does not exist for them.


Not many people are capable of evaluating that. The bar is very, very high.


You are ignoring the elephant in the room, so to speak. Apple has a large share of mobile browser usage with Safari (a Webkit browser). Add to this also that any browser used on iOS is webkit.

That aside, what you are asking is really just you giving your personal preference of a browser and if we agree.


A lot of people are talking about privacy versus security as two different things. Surely knowing more about someone makes the likelihood of guessing a password, or targeting phishing attacks more likely. A lot of security is down to social engineering tricks, no?


if it is safer, it's more like a photo finish than 2x or 10x or 100x safer


Why would you pick Google? They support genocide in China.


Both browsers are very large, very old software. Both companies are big enough to support fast response to exploits. There’s really nothing technical you can point out that makes one more secure. Firefox scores better on privacy which tips the scales towards Firefox.


For Chrome, you have to deal with Google.

For Firefox, you have to worry about the next "pocket", or the next "Mr. Robot"...

Manifest v3 is looming as well.

Six of one, half a dozen of the other. /shrug


It’s not really equal though is it? One’s the biggest advertising company the world has ever seen that hoovers up personal data like there’s no tomorrow, and the other is a one-time stupid mistake that they rolled back and apologised for.


One’s the biggest advertising company the world has ever seen that hoovers up personal data like there’s no tomorrow. The other one is almost completely funded by said advertising company and has shown multiple times that they will put their profits over the users' wishes including but not limited to adding ads directly to the browser.

¯\_(ツ)_/¯


It's not profit. Mozilla puts 100% of its income back into the organization. There is no profit at Mozilla, only reinvestment.


The ones that do make these decisions profit from it. That the leadership keeps increasing their income to eat up Mozilla's profits instead of building up an endowment to eventually gain independence of Google is another issue and definitely not something to be proud of.


"Mr. Robot", yes. Firefox still has pocket and a password manager.


If you're willing to include Chrome forks then I'd say Brave is, despite the issues surrounding their love for crypto, more secure than Chrome, and it has much better anti-fingerprinting if you care about that.


Why would you say it's more secure?


My take, it’s obvious that Brave is more private than Chrome - with Google being the biggest advertising company in the world;

And since “private” and “secure” are correlated…



