My main browser is Librewolf but I keep a chromium browser just in case. Previously used brave but their flatpak is shit. Ungoogled chromium seems ok but it looks like they don’t change much from upstream chromium. Any good chromium browsers which harden their browsers like librewolf does for more privacy?

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    54
    arrow-down
    2
    ·
    11 months ago

    I would stick to librewolf. Supporting Chromium is not good for freedom.

    Anyway, ungoogled chromium is probably the best answer. There also is Cromite which supports android and windows

    • dakd2@lemmy.world
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      11 months ago

      looks like Cromite bad beacuse it has AdBlock plus instead of uBlock origin and uses google as a default search engine and includes the chrome web store

          • sir_reginald@lemmy.world
            link
            fedilink
            arrow-up
            13
            ·
            11 months ago

            no, do not mistake yourself. they are not proprietary blobs. the whole browser is proprietary. they release a tarball with the chromium code + some changes. but the whole UI which are the main changes are proprietary (after all, like any Chromium browser, it’s mostly a re-skinned Chromium, they don’t make any changes to the engine).

            It’s a proprietary browser. They just release a bunch of code for marketing purposes. Don’t believe me? Try compiling it, and tell me if what you get is Vivaldi minus some blobs.

              • duplexsystem@lemmy.blahaj.zone
                link
                fedilink
                arrow-up
                8
                arrow-down
                1
                ·
                11 months ago

                “Note that, of the three layers above, only the UI layer is closed-source. Roughly 92% of the browser’s code is open source coming from Chromium, 3% is open source coming from us, which leaves only 5% for our UI closed-source code.”

                Straight from the horses mouth. So 92% of it is the same as every other chromium browser. 3% is their oss code and 5% is closed source. That 5% more than actual open source browsers.

                Which means the final product is closed source.

  • wincing_nucleus073@lemm.ee
    link
    fedilink
    arrow-up
    9
    ·
    edit-2
    11 months ago

    Cromite is the closest thing i can think of to Librewolf. Tons of hardening. but i dont think he ships a Linux version. just android and windows.

  • helpImTrappedOnline@lemmy.world
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    edit-2
    11 months ago

    I’ve been using Thorium recently with no issues. Before I was using Vivaldi.

    Edit, Firefox is my main browser. Thorium is used as an alt for the 2 websites that don’t work in Firefox.

    Edit 2; seems the developer of Thorium has made some err questionable choices. Not with the browser itself, but a mild furry nsfw easter egg, and a link to some site talking about their beliefs against a common medical procedure performed on baby boys. I have not seen either for myself as they have both been removed as the browser gained a sudden spike in popularity.

  • iloverocks@feddit.de
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    11 months ago

    I’m currently using thorium as an appimage and it is god enough. But to be honest if you want privacy use Firefox or a fork of it.

      • iloverocks@feddit.de
        link
        fedilink
        arrow-up
        1
        ·
        11 months ago

        The point of useing it is that privacy invasive sites like twitch or skribbl.io would still work. Twitch technicality works fine on stock Firefox unless you don’t save your history, how dare you.

        Yea I don’t know a better one yet

        • Pantherina@feddit.de
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          11 months ago

          They will work on ungoogled chromium too though, I guess.

          In theory there is even the ability to store a chrome:flags override and use it like a user.js. So you could use upstream chromium and not rely on outdated stuff.

          • iloverocks@feddit.de
            link
            fedilink
            arrow-up
            1
            ·
            11 months ago

            I will try it out after work. Do you know a way to provent automatic openings instead of librewolf? I’m currently using Hyprland and was using the appimage so it doesn’t have any conflicts.

            • Pantherina@feddit.de
              link
              fedilink
              arrow-up
              1
              ·
              11 months ago

              Automatic openings? Like default Webbrowser? Also dont use Appimages, just dont.

              Depending on the Distro I recommend using Firefox or Brave, add their signed repo and call it a day.

              • iloverocks@feddit.de
                link
                fedilink
                arrow-up
                1
                ·
                11 months ago

                Exactly default browser. Yes I tryed native and flatpak packages but it would constantly open all other browser instead of librewolf. Even if I defined a other one in the mineapps file

                • Pantherina@feddit.de
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  11 months ago

                  No default browser works normally but no idea how to set that in Hyprland.

                  I highly advise against Appimages. Flatpak is only useful if you dont trust the app which is a valid opinion, but poorly then the browser cant sandbox websites on its own. So native packages are the best option for security it you trust the browser.

                  Perfect would be to have the browser isolated and also using its sandbox to isolate websites from each other. I dont know if this works though, on Android it does (not with Firefox poorly as they didnt implement it)

  • spez@sh.itjust.worksOP
    link
    fedilink
    English
    arrow-up
    5
    ·
    11 months ago

    Thanks to everyone for replying! I have decided to stick with brave for now since after an update to the flatpak the thing’s font is back to readable again.

  • hottari@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    11 months ago

    I use hardened Chrome with a lot of flags/features disabled and some privacy extensions. It’s good enough for me.

    • Pantherina@feddit.de
      link
      fedilink
      arrow-up
      2
      arrow-down
      2
      ·
      11 months ago

      Chrome or Chromium? Because that “hardening” is only the switches they allow you to use, so if its full of proprietary tracking software it is not hardened at all

      • hottari@lemmy.ml
        link
        fedilink
        arrow-up
        3
        arrow-down
        5
        ·
        11 months ago

        Chrome. I know that might be hard to believe but the switches work. You can absolutely stop Google from prefetching their usual services. Plus I don’t login with a Google account on the browser, that makes a huge difference.

          • hottari@lemmy.ml
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            11 months ago

            There really isn’t much difference. I used Ungoogled-chromium before now. I use Chrome for selfish reasons. The flatpak for it(dev version) is auto updated with no human input required so I get fixes and security patches earlier and I kinda like that release.

              • hottari@lemmy.ml
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                11 months ago

                Chromium Browsers are more secure if you use the native package.

                This conclusion is relative for everyone as we all have different security needs. Plus there’s no easier, better supported way to sandbox Chrome on Linux other than using Flatpak’s permission model.

                It’s also ironic for you to be speaking about security when you are installing/updating your browser using random curl bash scripts.

                • Pantherina@feddit.de
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  11 months ago

                  You havent looked at the repo. And we are talking about different sandboxes here.

                  The browsers sandbox websites, this is broken if the entire browser is sandboxed as you need to remove that capability to do so.

                  My bash script pulls in the official brave repo and gpg key, fix the access permissions and that is it. Brave has no documentation on how to use their repo without dnf so this is needed.

                  The repo has gpg verification enabled and the system will update the browser.

                  Please dont spread misinformation if you havent even looked at the “random bash script” that does not handle the updatingô

  • RmDebArc_5@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    2
    ·
    11 months ago

    Thorium is good for privacy and speed but not security, Vivaldi isn’t that private, ungoogled chromium removes everything google. Brave also has packages available for manual installation if you want to give it another try

    • Pantherina@feddit.de
      link
      fedilink
      arrow-up
      2
      arrow-down
      4
      ·
      11 months ago

      How is Thorium privacy optimized?

      Its version is outdated and it has no focus on Privacy. Also important to see if privacy from Google or from the actual sites you visit i.e. fingerprint prevention.

      Brave is better here

      • RmDebArc_5@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        The repo shows all the patches. It uses some patches from ungoogled chromium for privacy. It isn’t my recommendation here, I just mentioned it because Brave didn’t work for OP

        • Pantherina@feddit.de
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          11 months ago

          OP mentioned that the Flatpak is shit, and Browser Flatpaks are not as secure too. Thanks for the Link!

  • Zerush@lemmy.ml
    link
    fedilink
    arrow-up
    5
    arrow-down
    4
    ·
    edit-2
    11 months ago

    I use Vivaldi, I don’t know a better Chromium for privacy nor because other features (made in the EU by a employee-owned cooperative, no extern investors, gutted Chromium base (no phones to Google), no tracking, no logging, inbuild ad- and trackerblocker with customizables filterlists, encrypted sync, feed reader, mail client, calendar, reader list, reader view, splitscreen, full customizable UI, command chains, etc…). Apart with your account an own blogging platform, mail service, included an Mastodon account in the Vivaldis own instance, which you can use with your account. https://vivaldi.com

    • sir_reginald@lemmy.world
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      edit-2
      11 months ago

      Vivaldi is not private. A good browser? It surely is. But it’s not private.

      It’s also proprietary software, which is unacceptable. And yeah, don’t repeat to me their marketing techniques. Yes, they release some partial source code. In practice, that’s the same as releasing nothing. Just a marketing trick.

      • Zerush@lemmy.ml
        link
        fedilink
        arrow-up
        1
        arrow-down
        3
        ·
        11 months ago

        Yes and no, 5% of the script, corresponding to its unique UI is proprietary, but 100% auditable and even moddeable by the user (in the Forum they show you even how to do it, at own risk, logical). And its better so this way, making it OpenSource too, Chrome and Edge are the first in forking it, which will be the end of Vivaldi and any other Chromium. Anyway, with more than 100 browsers curretntly in the market, OpenSource or not isn’t the most important poiny, more important the ethics and transparency respect the user of the company. Respect privacy it is irrelevant, it depends only of the manufactor of the product, not if it OpenSource or not, all spying APIs of Google, Facebook, MS & cia are all OpenSource and included in a lot of the FOSS in the market (also in Firefox, eg the “save” browsing API is from Google, not really needed if you use an adblocker (uBO), which contains a similar function, this API send your browsing data to Google who host the list of phising sites but also logs your activity, If you can, desactivate it, in Vivaldi you can do it in the privacy settings)

        • Pantherina@feddit.de
          link
          fedilink
          arrow-up
          2
          arrow-down
          2
          ·
          edit-2
          11 months ago

          Opensource is a very important point. If its only the UI that is a different thing though.

          Save browsing in Firefox is anonymized and afaik even proxied. In FF you can also deactivate it but shouldnt. No personal data is sent and it is not identifiable. But you may really not need it.

          • Zerush@lemmy.ml
            link
            fedilink
            arrow-up
            3
            arrow-down
            2
            ·
            11 months ago

            FOSS nowadays isn’t the same anymore since BigBrothers entered this world, first Google and Microsoft, the latter even acquiring GitHub, FOSS is no longer the same as it was a few years ago. Many companies no longer focus on communities, developing their products tangentially to the user more in their own interests. In the world of browsers, there are already more than 100 on the market, forks of Gecko, Blink and Webkit, some exotic ones aside, like Otter, which is also fighting for its life to avoid passing to the more than 70 browsers that were abandoned and discontinued in this Browser war that exists, where everyone fights to survive against the great Mainstreams Chrome, EDGE, or the Chinese Opera.

            I have been using Vivaldi for more than 7 years and I have seen Google’s tricks to eliminate it, even leading to the point that the Vivaldi team removed the Vivaldi UA, disguising it as Chrome, against their own interests, so that the user not getting blocked by Google services and related pages with the argument “browser not compatible” which was absurd. Since then there has been a continuous war against Google’s attempts to control this browser, which has until now always resulted in Google coming to hit the teeth on a rock, (IdleAPI, FLoC, and other crap)

            Meanwhile Mozilla made a contract with Google, for using Google as main search, apart from sending Data of the accounts to Alphabet, googletagmanager and googleanalytics to survive. That is the value of FOSS today, not the user or the community, nor the ethics or transparency of the company.

            FOSS is important, yes, for devs who want to launch another fork more, but not so much for the normal user, for this it counts excellent support, an active community, a real interaction with the devs and the team, honesty and ethics of the company. But yes Vivaldis 5% of the script of its unique UI is proprietary, to avoid that Google, EDGE or Opera can fork it, same with Brave, it also isn’t fullOpenSource for similar reasons (see its TOS about copyrights) Other engines are easier to go OpenSource, because Chrome or EDGE can’t fork it for the own browsers. It’s not the same problem.

            Not all what is proprietary soft is crap nor all FOSS is the panacea, it’s by way not so simple, with ugly surprises when you walk with fixed ideas

  • Atemu@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    7
    ·
    11 months ago

    Why bother with such micro optimisations when the purpose is to be used extremely infrequently for compatibility reasons?

  • Pantherina@feddit.de
    link
    fedilink
    arrow-up
    2
    arrow-down
    5
    ·
    edit-2
    11 months ago

    Ironically for Browser you shouldnt use Flatpaks if you trust the browser and you care about security.

    https://madaidans-insecurities.github.io/firefox-chromium.html

    What Distro are you on? I use Firefox and Brave, both as RPM now. I actually switched for convenience (keepassxc extension works, plasma extension works etc) but they are actually more secure.

    Native Chromium is poorly way more secure than Firefox. When using the Browsers through Flatpak you need to remove the sandbox, so process isolation and memory stuff is gone, and replace the specific sandbox with bubblewrap.

    Bubblewrap is good, but doesnt support isolated Tabs.

    There are CSS exploits, but to my understanding just using Noscript in “block all by default” mode is best for security AND privacy.

    I would like to like Brave, as it is more secure, but it sucks a lot. Very bloated, tab management worse, missing extensions, damn Chromium webstore and the addon not working so no updates. It is not bad, and I want to write a hardening config soon, to remove and disable all that bloat permanently.

    I would not recommend Librewolf if you are advanced. For one it is a Flatpak, ironically (didnt know this a few weeks ago too) less secure. Also it lacks behind in updates a bit, not much, but this may become a problem.

    https://github.com/trytomakeyouprivate/Arkenfox-softening

    I am working on this tool, should work, that keeps your Arkenfox config up to date and sets a few switches to soften it. So you add that to Firefox and dont need Librewolf anymore.

    On Fedora all you need is libavcodec-freworld from rpmfusion to get everything working. But ublue.it images work best out of the box.

    Edit

    Why are you downvoting this? Doesnt it fit your opinion? I also dont like Chromium, but its more secure. I also didnt know that Flatpak browsers are less secure, but thats a fact.

      • Pantherina@feddit.de
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        11 months ago

        I mean sandboxes are just pretty complex. Chromium relies on user namespaces for process isolation. Flatpak browsers are isolated but have no internal isolation of processes (one tab could attack another tab). At the same time the Flatpak sandbox itself relies on user namespaces, while the flatpakked browser cannot use the namespaces internally.

        Then there is the hardened kernel which disables user namespaces for security reasons, on the other hand people say running the Sandbox as suid means if there is a vulnerability processes get root access.

        Flatpak browsers put less trust in the code, but more in the maintainer that has to keep them as updated as possible.

        Its complex as fuck

    • Antiochus@lemmy.one
      link
      fedilink
      arrow-up
      1
      ·
      11 months ago

      Can you say more or provide a source on why you shouldn’t use a browser as a Flatpak? Is it just because the sandboxing is potentially weaker?

      • Pantherina@feddit.de
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        11 months ago

        The Chromium sandbox needs to be removed and something like Zypak needs to be used.

        This means that the internal Browser sandbox is weaker and tab isolation. I could not find the source for that yet.

        https://flatkill.org

        Even though pretty old and probably outdated, some points are for sure true. Some apps like Onionshare are horribly outdated, and unless every app has at least one packager responsible for it, best official and paid, its a total mess.

        Chromium on Flatpak stable for the first time - GNOME blog post

        Firefox Snap vs. Flatpak

        Flatpak Browser Sandbox Challenges

        These where not the sources I refer to, and it is pretty complex. Secureblue disables user namespaces and uses bubblewrap-suid for security, but after madaidans statement that would mean a hole in bubblewrap allows the app root privileges.

        • Antiochus@lemmy.one
          link
          fedilink
          arrow-up
          1
          ·
          11 months ago

          Thanks for the additional reading and information. Maybe it’s just me, but I feel like I hear about a security vulnerability in “processor microcode” or packages or other software basically every day. As a relatively non-technical user, it’s always very difficult to tell how much these things actually matter for normal users. Flatpaks are incredibly convenient because they “just work” and are easily compatible with immutable distributions. For better or worse, I suspect many people are not going to be dissuaded from using them by hypothetical/abstract security risks.

          • Pantherina@feddit.de
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            11 months ago

            Flatpaks are more and less secure. Their Sandbox improves 99% of apps security as other sandboxes are hard to setup and thus nearly nonexistent.

            Browsers have their own, so just dont use Flatpaks there.

            I am not sure about microcode, but processes running as root are maybe more critical, but it sounds like any process could have exploits if microcode is a problem. Also, RiscV or even ARM will be waaay better here, as their instruction set is not dozens of years old and extremely bloated.

            As we get our apps from secure repos, with projects keeping track of every Git commit etc, we just had no malware really.

            The only problem is that Flatpaks, like appimages, “just work” and dont have to evolve like the rest of the OS will. Their main goal is to work everywhere, and Devs always choose convenience over security.

            For example Portals are not implemented in most old big projects like Libreoffice, Gimp, Inkscape etc. Scribus is even X11 only. But developers will not remove the filesystem=host permission and replace it with “just all the media locations”. This will still be a problem, but at least apps could not read Kernel logs etc anymore.

            Also as they “just work” its easy to abandon them and dont update. The “outdated Runtime” Warning is a veeery good indicator of a project using old and probably insecure libraries. But afaik there is no automatic CVE patching in flatpak-builder which is a huge problem.