I am currently doing a deep dive into whether or not Chromium is more secure than Firefox, and I will make a very long and comprehensive Lemmy post outlining my findings with specific sources. I expected this to take a few days, maybe a week, but after finding out many of the claims for both sides give no real sources, I expect this to take a month or longer. I will be reaching out to multiple first-party sources (Mozilla, GrapheneOS, etc.) to get their detailed statements on the matter. I want to provide something that actually covers the full picture of the issue with up to date sources, to hopefully put this to rest for anyone who doesn’t want to do the research.

I’m making this post in case anyone wants to provide any extra resources they have about the issue. Do not fight about this issue in the comments, save that until after I am able to release my work. I’m tired of the constant back and forth about this with little to no direct sources. This means that my other project, Open Source Everything, will be put on pause. The FAQ section of that very project is what sparked this, because I realized the issue was far more complex than I outlined in there. (Don’t trust the information in the FAQ just yet: it is still in the works.)

As always, don’t just give blind support to this just because I am making promises, but if you feel your support is needed then by all means go for it.

If any of you want me to turn this post into an update log, let me know and I will.

DISCLAIMER: These update logs are NOT meant to be taken as a source. I am generalizing a lot of things here for simplicity and brevity, so do not try to pick it apart. Anything I say here is likely a summary of something that will be talked about in fine detail in the article, and so it may contain mistakes.

Update 1

I need to stop posting before bed, since I end up not being able to respond to drama quickly and it grows out of proportion. Anyways, I want to answer a few questions that keep popping up (maybe I’m obsessed with writing FAQs, I don’t know) and then talk about my research process.

Google Chrome is NOT the same as Chromium

This is something I already have a draft to write about in my article, because a lot of people mess up the distinction. Google Chrome is Google’s proprietary “en-Googled” browser. That browser obviously has numerous privacy issues. What I am referring to in the article is what Google Chrome was built off of: Chromium. Chromium is open source (or source available, or something like that. Please stop trying to remind me of the difference, “open source” gets the point across). Many browsers such as Brave were built on top of Chromium. Many users in the privacy community use Chromium-based browsers. Chromium is mainly maintained by Google, but I will not be focusing on that since I am taking a look at the actual software and not any future problems that may arise.

I’m summarizing things here, but I will go in depth in a section of my article about this, since a lot of people are still stuck on the mindset that Google is always evil. It is true that Google is bad with privacy, but they are good when it comes to security. They have to be, given that Chromium-based browsers and Android are the most used in their respective fields. Any privacy issues can be nullified with some projects like ungoogled-chromium or GrapheneOS which remove any privacy invasive Google components. Anything Google tries to sneak in doesn’t get past those projects, like a safety net, because they take very close inspection of the code.

Security vs. Privacy

Security and privacy are two distinct topics with some overlap. As I mentioned above, any privacy issues can be dealt with by using some variants of the software. Because of this, my article will focus primarily on how secure these browsers are. I do understand that security and privacy can go hand in hand: Without security there is little privacy, and without privacy there is little security. However, that is all out of the scope of what I am researching here. The reason a lot of projects such as GrapheneOS recommend against Firefox browsers (especially on Android) is because they claim Firefox has weak site isolation. That is the main point of research for my article. If I can prove that those claims are true, I can demonstrate why it is such an issue. If I can prove that those claims are false, I can try to see if Firefox is more private than Chromium, and is therefor a better option. There will be other related ideas that will crop up that will be covered in the article, that I will research about. The broad hypothesis is “Chromium is more secure than Firefox” and it is my job to find out why people say that and investigate it.

Also, many users talked about ad blocking and the recent removal of Manifest V2, which killed a lot of Chromium ad blockers. This is not the focus of the article, but let me remind you that using a browser such as Brave lets you block ads entirely. Brave is the only other browser recommended by the GrapheneOS project for its security, besides Vanadium. Yes, Brave has some bloat that can infringe on privacy, but those can be disabled. Don’t forget that Brave is open source, so you are free to make a fork of it and remove whatever you’d like. The point is this: Both Chromium and Firefox both still have ad blocking, so this is a non-issue.

Who am I?

@[email protected]

https://lemmy.ml/post/21367269/14283651

first off, I have serious doubts that any one dude - or even a group of those for that matter - can ascertain the security of such a complex system; a browser is essentially an operating system, with all the layers and complexities that entails.

even if you’re somewhat successful in such an endeavor, I don’t really care if it potentially is. chromium comes from those shitmakers and I’m not willingly using anything they had their nasty fingers in. they threw one shovel of shit too many on the heap and they are now forever on my ignore list. if that means that I don’t get to access certain domains, sites, and/or apps - so be it, I’ll make do without.

@[email protected]

https://lemmy.ml/post/21367269/14283932

Are you a single person or a group of people? Do you have any credentials that you’d like to share that might give some context to your research?

Where is the quote in your bio from?

I could leave some cryptic retrospective answer here, and I would love to, but as fun as that would be it may cause more harm than good. I am an independent, singular person. If I were in your shoes, I too would doubt that any one person could research the intricacies of the matter. However, I don’t need to look over every piece of code to make a conclusion. The main focus of the article, as I said, is site isolation. This is what most people reference when they talk about Chromium being “more secure” than Firefox. I already addressed the other argument about Chromium being “evil,” as there are other projects that aim to remove some of the damage that has been done. Readers of my article will need to let down their precedent of Chromium being as bad as Google, and realize that Google is bad for privacy but good for security.

If by “credentials” you mean actual identification, no. Even if I told you exactly who I was, you still would have no idea who I am. However, I can give you some of my background: I am advanced in the privacy field, proof of this can be seen with my other project. I used to work as a penetration tester for a low ranking government branch, focusing on network and website security. I am fluent in Python and C++, so I can understand a lot of the code that has been written. I hope that gives you context into who I am and what I do. I guess I could also mention I like to keep high standards, I’m a bit of a perfectionist. I want the article to be nothing short of extremely thorough and comprehensive.

The quote in my bio “Unjust laws only burden the just, as the lawless will not heed them.” is my own (hence why I put “- 8232” there). I have other quotes, but that one is my favorite.

How is the research going?

I didn’t quite know where to start, but eventually I settled for this: I have three notes. One is for questions I have (e.g. “What is site isolation?”) that I put answers under as I find them. This means I will never be trying to fill in the gaps without sources in the article. I’ll have a well informed knowledge of everything. The next note is for all the sources about the issue, categorized into “Primary,” “Secondary,” and “Unverified” (when there is no source listed for the claim). The last notebook is people. This one contains people and groups who know about the issue that I may get statements or help from for the article. That is all I have right now, because I needed some sleep. I plan to add a “To-Do” note, some various drafts, and a list of documents about the issue. I’ll keep this updated.

  • CarbonScored [any]@hexbear.net
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    2 months ago

    Let me save you a lot of time and effort:

    • No, it isn’t.

    Your findings will either be an incredibly lengthy wording of that, or they will simply be wrong. It’s not a complex question.

    • Kacarott@aussie.zone
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Ah yes, dismissing research before it even exists, based on personal belief. What a healthy attitude.

  • echolalia@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Are you a single person or a group of people? Do you have any credentials that you’d like to share that might give some context to your research?

    Where is the quote in your bio from?

      • echolalia@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        2 months ago

        Thank you. That answers my question. I figured you wanted to remain anonymous, but I liked your answer and I’ll be interested in what you find.

        I was trying to word my initial post in a way to prevent you from becoming defensive, perhaps I failed. Though, I do feel quoting yourself is a bit… gauche, no? Especially since you are remaining anonymous.

  • DaTingGoBrrr@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    I personally don’t trust Google and Chrome enough to use it and I don’t like the Manifest V3 stuff, but I am interested to stay in the loop. Please post updates!

  • dingdongitsabear@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    first off, I have serious doubts that any one dude - or even a group of those for that matter - can ascertain the security of such a complex system; a browser is essentially an operating system, with all the layers and complexities that entails.

    even if you’re somewhat successful in such an endeavor, I don’t really care if it potentially is. chromium comes from those shitmakers and I’m not willingly using anything they had their nasty fingers in. they threw one shovel of shit too many on the heap and they are now forever on my ignore list. if that means that I don’t get to access certain domains, sites, and/or apps - so be it, I’ll make do without.

  • masterofn001@lemmy.ca
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    OOTB Firefox is a security and privacy concern.

    But it allows for nearly unlimited tweaking, modding, blob removal, etc. Which many serious threat model browsers are based on. Eg Tor.

    If the Tor browser is less secure than chromium, there are potentially devastating consequences for some very at risk people.

    Will you be analyzing forks such as tor and mull?

  • Maestro@fedia.io
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Secure from what exactly? You need to have a threat model here. For most personal use cases I’d argue that protection from adtech tracking is more important than e.g. sandboxing. Most people run into adtech continuously, but few people browse shady exploit-ridden sites.

    In that case, Firefox us the clear winner. It supports manifest v2 for better adblocking, and it is the only mobile browser with extension support allowing you to use adblocking on mobile as well.

    • doctortran@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      2 months ago

      Secure from what exactly? You need to have a threat model here.

      Which is funny, because developers use “secure” like this all the time as a way of scaring users into compliance for any changes they implement. If they voiced aloud what the actual threat was, they’d have to admit that often its the user’s freedom they’re afraid of. The user may do something stupid, therefore their ability to do it is dangerous for everyone.

      They’d remove the front door on your home and call it more secure, all because some people don’t lock it.

      • reksas@sopuli.xyz
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        they wouldnt remove your frontdoor, they would install their own lock to it and charge you for privilege of using it

  • mvirts@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Excellent!

    I was grepping chromium’s code looking for anything like Firefox 's webcompat plugin a few days ago. Lmk if you need any support finding evidence in source code.

  • Godort@lemm.ee
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Ultimately, in terms of security, you’re likely to find that both are similarly good.

    What makes Firefox desirable over Chrome is that it’s not beng developed by massive corporation that gets the majority of its profits selling user data and delivering targeted adverts.

    The other thing that may act as a deciding factor is the “MacOS doesn’t have viruses” effect. Wherein that because firefox has such a small userbase in comparison to chromium, it’s far more profitable to find exploits in chromium.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      What makes Firefox desirable over Chrome is that it’s not beng developed by massive corporation that gets the majority of its profits selling user data and delivering targeted adverts.

      This is a separate issue of being able to trust developers, which is not being covered here. Projects like ungoogled-chromium exist, after all. I will be inspecting the software as a whole, and not any future interference that may happen.

      • CarbonScored [any]@hexbear.net
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        2 months ago

        So you’re taking the best aspects of any fork you can find? Trust in the developers is an essential part of the question.

        If a piece of software passes every audit in the whole world, but is developed and maintained by the NSA, you’d be stupid to leave your data with it.

      • bisby@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        It isn’t just about ungoogling things though. Having a monoculture in the browser space means that if Google makes a push to favor ads, say by removing certain extension support from their browser engine that everyone uses, then the entire internet suffers. It is effectively a monopoly.

        Mozilla tries really hard sometimes to be unappealing, but there is value in not just letting Google have full control over the internet.

        • brrt@sh.itjust.works
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          So you are saying this should make Firefox exempt from scrutiny when it comes to how its security compares to that of Chromium?

              • BluescreenOfDeath@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                2 months ago

                I don’t think anyone is advocating for turning a blind eye to Mozilla. I think the argument being made is that a monoculture for browsers is a concern that can outweigh some blunders Mozilla makes.

                I’m old enough to remember what a shit show ActiveX was for web security.

    • ForgotAboutDre@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Chrome excites arbitrary code from google.com (this wasn’t something widely known until recently and appears to effect all the chromium downstream browsers). This sort of back door and the design approach that made google do this means you can never really trust Chrome. The same issue with Firefox would be a bug, in chrome it’s a feature.

        • ForgotAboutDre@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          No it doesn’t, or at least it didn’t for years if that has changed recently.

          No one that knew about this was talking about it or doing anything about it.

          The reality of the situation is only three organisations are capable of producing fully fledged browsers. Google, Apple and Firefox. Every variant, spin and de-whatever is nothing compared to developing a browser. All the chrome derivatives had this in them, arbitrarily execution of code from google. Code that wasn’t included in the binary when you downloaded or updated it. The sort of thing a virus would do. The sort of tool you would use to compromise the security of a system.

          If you want a de-googled chrome the only option is safari, it’s chrome before google got its hands on it. If you want properly open and accessible browsers you need to use something else entirely like Firefox.

          De-googled chrome is a myth.

      • floofloof@lemmy.ca
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Chrome excites arbitrary code from google.com (this wasn’t something widely known until recently and appears to effect all the chromium downstream browsers).

        I hadn’t heard about that. Can you link me to some info about it?

    • 0x0@programming.dev
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      it’s not beng developed by massive corporation that gets the majority of its profits selling user data and delivering targeted adverts.

      No but it’s largely funded by one, now has “ad technology” and i wouldn’t be surprised if it gets bought by Google sooner or later.

      A fork in the horizon…

  • DragonTail@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Why don’t you look at the Brave browser. It is more secure and flat does not support any kind if advertising. Yeah, youtube music with no interruptions, ad block warnings, or paid subscription to sell you pirated music.

  • preasket@lemy.lol
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    AFAIK, the main difference is that Firefox’s process isolation on Linux specifically is incomplete. They’re working on fixing that.

  • Kairos@lemmy.today
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Doesn’t chromium get security updates like every week? Firefox just got one but it was a while before that.

    • ecirmada@beehaw.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Yeah, but what does that mean? Is that what secure looks like? Is chrome targeted more; does Firefox have less vulnerabilities?

      I’d be interested in the definition of secure just as much as the outcome