TheGodfather

I am referring to their positions in these threads, especially the comments of Gian-Carlo Pascutto (Mozilla):

That's not really what it says there. Some of their statements about both Chromium and Firefox are also incorrect. They're clearing aiming to promote Firefox and aren't doing so honestly.

On the Flatpak version, it is different. Flatpak itself uses namespaces, chroots and secomp-bpf-filter for its own lax sandbox, which encompasses the app as a whole. It uses a secomp-bpf-filter for generic container types on Linux which blocks namespace and chroot creation inside of a flatpak app, because these syscalls would otherwise lead to easy escapes of flatpak's own generic sandbox. But since these syscalls are blocked, FF also can only use secomp-bpf-filters for its own processes and not chroots and namespaces anymore to confine its processes as it does on the non-flatpak version. So the namespaces and chroots around each process got replaced by a more generic flatpak sandbox encompassing the whole app. This leads to a less tailored and thus weaker sandboxing architecture, which neither protects sites, nor stored browser data, nor the system as a whole better than the native version.

Firefox doesn't have complete site isolation in any form, whether or not Flatpak is involved. It's also a weaker sandbox. Flatpak weakens it further. You're mixing up several different things.

      GrapheneOS Firefox doesn't have complete site isolation in any form, whether or not Flatpak is involved. It's also a weaker sandbox. Flatpak weakens it further. You're mixing up several different things.

      Ok. I think this means Chromium is more secure generally?

      I'm quite unsure what to use on Debian now.

      • Chromium, this browser isn' t perfect and has enough flaws also
      • Firefox, weaker sandbox , the rest can be configured more privacy respecting

      Can we please have a Vandium for Debian Stable?

          mmmm It seems like a complicated way to try and accomplish something that isn't very clear.

          Vanadium does the job just fine for normal browsing, forums, news and shopping, I can't see what kind of extra protection you get by using multiple browsers. The browser is strongly sandboxed and Vanadium gets all the security and privacy enhancements offered by GOS by default.

          If you're using Tor for more privacy, I'd recommend at least the desktop version, even if it's far from perfect. The mobile version has the same major weaknesses as Firefox when it comes to security and privacy.

          Compartmentalization with different VMs or physical machines is useful for certain tasks, but using several browsers on the same system for different types of browsing is what I'd call a headache.

              Xtreix I thought I mentioned it helped me stay organised, its far from complicated.

                  mmmm Well, it's still an impractical way of doing it from my point of view and I'm not sure what it adds, but if it's good for you, I guess it's OK.

                  • mmmm replied to this.

                      Xtreix I wasn't asking your permission, but thanks for the validation.

                      Its easier if I tap 'news' on my home screen and get a browser which has all the news articles I was reading open in tabs, and all my favourite sites saved, but nothing else. Its like a dedicated news app but without all the data collection and with the versatility of a full browser.

                      Its better to tap on 'shopping' on my home screen - and find all the places I like right there, without a load of tabs of random stuff getting in the way.

                      In Vanadium I can open any link and do any browsing I want and I just delete all data everyday, and its fine because I dont have to worry about losing anything I was actually meaning to keep, or logging out when I didn't want to.
                      Etc etc.

                      And tor, I know the limitations. But I simply browse to what I want to find out or research and then close it down. I dont use it too much on my phone though, I have a Qubes machine for browsing tor properly.

                      Anyway, each to their own.

                        GrapheneOS Firefox doesn't have complete site isolation in any form, whether or not Flatpak is involved. It's also a weaker sandbox. Flatpak weakens it further. You're mixing up several different things.

                        Would you mind elaborating on this further please?

                        I thought that there was indeed site isolation on the desktop version of Firefox (or Mullvad Browser, which is what I use), and that this only applied to the mobile version? I know that there's a fixed number of site processes and that two sites can potentially share the same sandbox, is this what you're referring to with "weaker sandbox"?

                        How does Flatpak weaken security further? Do you mean the lack of nested user namespaces in the bubblewrap sandbox? If so, does this have a major impact?

                        Thanks!

                            upstage4186 I thought that there was indeed site isolation on the desktop version of Firefox (or Mullvad Browser, which is what I use), and that this only applied to the mobile version? I know that there's a fixed number of site processes and that two sites can potentially share the same sandbox, is this what you're referring to with "weaker sandbox"?

                            You can find some information here from the team at DivestOS. GrapheneOS said complete site isolation which I assume refers to Fission probably not being a particularly powerful implementation of site isolation (as I believe I've heard somewhere).

                              GrapheneOS Firefox doesn't have complete site isolation in any form, whether or not Flatpak is involved. It's also a weaker sandbox. Flatpak weakens it further

                              I didn't say otherwise.

                              GrapheneOS You're mixing up several different things.

                              Which things?

                              Since questions about FF's sandbox and site isolation on different platforms come up often and needing to reply to it many times over years on different communication channels, maybe it would make sense to write a blog post or something on the homepage and actually explain why that is, so it can simply be linked to and people would actually get a chance to understand, instead of having to deal with generic short statements, which readers just have to believe. Even though it would mean initial effort, it might save time in the long run.

                                  GrapheneOS aren't most of the issues mitigated in the setup that I wrote though?

                                  The superior option would be Bubblejail but that's hardly widely available or very user friendly.

                                    So long as you arent going on sketchy websites, watching porn, pirating things, etc on your phone then sandboxing + chromes other "security features" are more or less unnessesary. If you claim to care about your securiry and privacy, it makes much more sense to avoid untrusted/potentially malicious sites rather than testing the waters of the sea of 0 day vulnerabilities etc that exist in chrome and all other browsers.

                                    I will consider using a chrome browser on my phone once somebody makes one that actually supports extensions, is libre, has a good desktop browser w/ sync (good luck), and is well funded / not just one guy compiling code he doesnt actually understand in his bedroom. Internet ads are for cavemen so vanadium is out of the question currently.

                                    Firefox is better for privacy and just as good security wise if you simply avoid malicious websites which you should be doing regardless. This debate really just boils down to the theoretical advantages of chrome if and when you visit a site which contains malware on your phone. Which, to be fair, if you are not blocking ads is going to be common lol

                                      TheGodfather

                                      Very well written, but Firefox simply does not use any filesystem sandboxing in the Flatpak, just seccomp-bpf.

                                        3 months later

                                        • [deleted]

                                        • Post #86

                                        tjk do you use the Mull app from F-Droid or the default Firefox app itself?

                                          4 months later

                                          matchboxbananasynergy Cromite does not support CFI. It used to, but then it broke, and instead of fixing the issue, they simply stopped using it.
                                          Of course, they also don't use MTE, which Vanadium does on devices supporting it.

                                          Do these points still apply? Afaik Chromium (including Brave and Cromite) now support PAC and BTI as a form of CFI, even though no type-based CFI. Also it looks like they show MTE as enabled in their PartitionAlloc Memory Tagging flags.