I am currently doing a deep dive into whether or not Chromium is more secure than Firefox, and I will make a very long and comprehensive Lemmy post outlining my findings with specific sources. I expected this to take a few days, maybe a week, but after finding out many of the claims for both sides give no real sources, I expect this to take a month or longer. I will be reaching out to multiple first-party sources (Mozilla, GrapheneOS, etc.) to get their detailed statements on the matter. I want to provide something that actually covers the full picture of the issue with up to date sources, to hopefully put this to rest for anyone who doesn’t want to do the research.

I’m making this post in case anyone wants to provide any extra resources they have about the issue. Do not fight about this issue in the comments, save that until after I am able to release my work. I’m tired of the constant back and forth about this with little to no direct sources. This means that my other project, Open Source Everything, will be put on pause. The FAQ section of that very project is what sparked this, because I realized the issue was far more complex than I outlined in there. (Don’t trust the information in the FAQ just yet: it is still in the works.)

As always, don’t just give blind support to this just because I am making promises, but if you feel your support is needed then by all means go for it.

If any of you want me to turn this post into an update log, let me know and I will.

  • MimicJar@lemmy.world · 3 months ago
    1. Do you have your current list of sources? You mentioned you want more, but where are you looking to start? For example, are you looking at the CVE database? Are you looking at competitions like Pwn2Own? Or detailed project groups like Google Project Zero?
    2. Is it fair to compare Chromium, which is not an end user product, to Firefox which is? Do you plan to look at or compare forks of the software? As an example both Google Chrome and Mozilla Firefox enable “Google Safe Browsing” by default, however the fork “ungoogled-chromium” does not include “Google Safe Browsing” (and they provide their reasoning).
    • The 8232 Project@lemmy.ml (OP) · 3 months ago (edited)

      Fantastic questions! Thank you for asking.

      Do you have your current list of sources?

      The answer to this is a bit complicated: I had a list of sources, but many of them were not primary sources, and so I am currently in the process of recollecting sources and better categorizing them. I’m currently collecting as many different types of sources as I can, and I will find out what is actually useful later.

      You mentioned you want more, but where are you looking to start? For example are you looking at the CVE database?

      CVE databases will be some of the primary sources I will use in the article, and I may even try to get in touch with the individuals who documented some of the CVEs. I can’t make any promises about that, though.

      Are you looking at competitions like Pwn2Own? Or detailed project group like Google Project Zero?

      I am not familiar with these yet, so I will look into them.

      Is it fair to compare Chromium, which is not an end user product, to Firefox which is? Do you plan to look at or compare forks of the software?

      For the sake of clarity in this post I used “Chromium” and “Firefox” to simplify what I am doing for users who aren’t as aware of the fine details. I will be comparing a wide variety of projects, such as Chromium, Vanadium, Brave, ungoogled-chromium, whatever hardened Chromium Secureblue uses, etc. to a variety of Gecko-based projects such as Firefox, the Tor Browser, Mullvad Browser, and other varieties I may be unfamiliar with. These will be compared on their various platforms, such as Windows, macOS, various Linux distros (where available), iOS, Android, and special cases such as Qubes, Tails, and Firejail. Essentially, I want to compare what the most and least secure varieties of each browser pose, and make observations from there.

      As an example both Google Chrome and Mozilla Firefox enable “Google Safe Browsing” by default, however the fork “ungoogled-chromium” does not include “Google Safe Browsing” (and they provide their reasoning).

      As far as I currently know (and please note I am still in the early research stages), Google Safe Browsing is a feature that primarily affects privacy and is more of a failsafe. For one, it warns you about malicious websites. This is a failsafe for users who are not aware of which websites are malicious. This isn’t directly a security protection, but rather a security “suggestion” for non-advanced users. It also sends data to Google to report websites, which mainly affects privacy. I’m pulling most of this from my head, and so I may be off base with this. Either way, it will not be the main focus of this, as it doesn’t matter if Google Safe Browsing is safe or not if it can simply be disabled. I plan to mainly focus on sandboxing issues with Firefox and any related topics that sprout up from that.

      • MimicJar@lemmy.world · 3 months ago

        Re Google Safe Browsing

        I would argue it’s a security feature with potential privacy concerns, however I would agree it is more of a failsafe or suggestion.

        However, whether it is disabled by default or not included at compile time, versus enabled by default, may also be relevant when it comes to security. As a hypothetical, a high-severity bug in Google Safe Browsing could arguably make a browser less secure. However, even as a failsafe/suggestion, the small security benefit may make the overall browser more secure, e.g. filtering known bad websites that attack known vulnerabilities.

        I’m also just using Safe Browsing as an example here; it may or may not be worth focusing on, since a browser is basically an operating system.

        You mentioned sandboxing, which I think is perhaps a more reasonable scope.