Is FireFox finally at par with Chrome and derivatives?

monozygote

Just saw this posted on reddit a few hrs back:

Firefox for Android added protection against side-channel attacks (like Spectre) & Site Isolation safeguards in v.147
I saw it in the release notes: https://www.firefox.com/en-US/firefox/android/147.0/releasenotes/

Does it mean now that Firefox for Android has closed its main security disadvantage over Chromium browsers? I've read a lot of people reproach Firefox for this specific lack (no proper site isolation) on mobile.

I'm surprised Mozilla didn't make a splash around this (I may have missed the big announcement though), so I'm starting a discussion here to be sure this is what I believe, or just a smaller security improvement.

Can we now blindly recommend it as a default browser on Android too ?

Besides Vanadium which is the only browser I currently use on mobile/GOS, I'm now also interested in:

Can we now blindly recommend it as a default browser on Android too ?

to see if my 2nd browser could be firefox on GOS and primary browser on other android phones and desktop (MacOS/Linux mainly). For the latter I use brave but want to switch to FF (due to multi-account containers) Anyone knows?

Watermelon

monozygote Good morning Mozilla, you're eight years late. Mozilla gives no damn about security. Would you trust a browser made by them to uphold security? I wouldn't.

I think IronFox is nice (and enabled site isolation way before Mozilla did, because of this security issue), but if you want good security, just use Vanadium.

gMan

monozygote no comment on mobile, but for desktop i ~~highly~~ moderately recommend Firefox - i have serious issues with Mozilla, but in my opinion Firefox lends itself better to customization and privacy hardening better than anything else out there at the moment - i'm less sure about security, but i believe they're pretty much on par with Chrome on Windoze - Linux maybe not as much, but they're always making progress

if you wanna go the easy route, LibreWolf - they uses some scripts to clean up Mozilla's trash and incorporate some of the arkenfox stuff

if you wanna go the manual route, arkenfox

[mod note: removed link to website]

Molasses

monozygote

It seems that internal sandboxing is still not enabled. So what people actually are waiting for, hasn't even happened yet.

Not to mention that even IF those key security measures will finally get implemented after years of delays, what about the quality of their implementation?

Firefox is years, perhaps a decade+ behind Chromium, so I wouldn't hold my breath.

cuckflared

Firefox is probably still behind in terms of exploit mitigations. A 2022 article (well known here):
https://madaidans-insecurities.github.io/firefox-chromium.html

monozygote

Watermelon Yes, like I said, I only use Vanadium on GOS. However I do want a secondary browser and specially something primary on other devices (linx/mac/andorid mainly). I'm using brave right now for those but dearly miss the multi-account containers + temporary-containers (a new tmp container per new tab) present in FF. I'll check out IronFox (maybe it has it if it's based off of FF ?). Btw, would you recommend IronFox over brave?

AcclaimSublevel19

monozygote I absolutely love Firefox, but on GOS I use Vanadium for the best security and Brave as a tradeoff between privacy and security (I absolutely hate the company and in terms of UI it's quite a bit worse than Vanadium (3 taps just to copy a site's URL), but it does a great job at ad-blocking and has a built-in dark mode filter for webpages which is a nice replacement for Dark Reader which I use with Firefox.

I did do some research into Firefox (including the link mentioned previously) and it still has a bunch of security issues that have been open for years. It's generally known to bring in new features slower than other browsers (although to be fair that's mostly because the specifications are usually proposed by the Chromium team because Google wants them). I'm still keeping it as a desktop browser, although I'll take a look into Trivalent, Vanadium's desktop equivalent. As a developer, what matters for me the most is having the best DevTools and Firefox wins here. And of course it's super customizable.

My Android setup is the following:

Vanadium for trusted websites (nearly all logins go here). I guess if there's no way to clear browsing data on exit, I might as well just keep myself logged into sites. I also open links from my private space in it. To be honest, this may be a little stupid from a security perspective, because a secure browser is what you want to use for opening untrusted websites. At least with separating sensitive data between browsers, if the less secure one gets compromised, my data is still safe.
Brave for most everyday browsing to take care of the annoying cookie popups and ads that Vanadium misses. It's also great for not polluting my browsing history (although for some reason it does remember websites every now and then).
IronFox for rare cases when I need audio playback (Chromium-based browsers absolutely suck at that), when I want to open a link that would be redirected by Libredirect (hold link and share to Firefox) and when I want to selectively enable/disable JS scripts for a site.

Novalissoide

One personally persistently nagging question: Why is Torbrowser gecko/ Why isn't there a good Torbrowser not Mozilla-based? (For Android)

Any forked Vanadiumoide Torbrowseroide initiatives since ten years? None I've seen. Except maybe Ironfox (which is Mozilla, like Torbrowser), and maybe Mull, (which is defunct, and not Torbrowser replacement intended anyway).

Xtreix

Novalissoide Why is Torbrowser gecko/ Why isn't there a good Torbrowser not Mozilla-based?

It's mainly historical, Chromium didn't exist when Tor Browser was developed. For Tor Browser to be based on Chromium, everything would have to be rebuilt from scratch, which could cause numerous problems that Tor developers and contributors are not prepared to resolve.

gMan but in my opinion Firefox lends itself better to customization and privacy hardening better than anything else out there at the moment

In terms of customisation, probably, but a Chromium-based browser will always have a clear advantage over Firefox when it comes to enhancing security and privacy (the two go hand in hand) as it stands, that doesn't mean it's impossible to improve Firefox's security, but someone who chooses Chromium will be using a much more robust base and will always be better off.

AcclaimSublevel19

Xtreix a Chromium-based browser will always have a clear advantage over Firefox when it comes to enhancing security and privacy (the two go hand in hand)

Security and privacy do indeed go together. Chromium definitely has a secure base, but Firefox can do much better at privacy than Chromium. It's got much better ad blocking out of the box and on desktop users have hardened choices like arkenfox and LibreWolf. On Android, Firefox is the only (to my knowledge) browser that supports extensions and NoScript is essential at minimizing attack surface too.

In the end, you always have to consider your threat model and make a tradeoff between privacy and security. I personally think it's best to use something privacy preserving, but with proper sandboxing and separation of website data (even if done manually). Qubes' VMs and Firefox profiles or Containers could reduce your attack surface massively.

Novalissoide

Xtreix It's mainly historical, Chromium didn't exist when Tor Browser was developed

Thanks a lot for this simple, yet key explaination.

Xtreix

AcclaimSublevel19 It's got much better ad blocking out of the box and on desktop users have hardened choices like arkenfox and LibreWolf

You should use uBlock Origin anyway if you want effective content blocking, the default ad blocking offered by Firefox in this regard is weak and is comparable to what Edge does.

I don't think I would recommend Arkenfox and Librewolf to someone who wants to use Firefox. One has to be maintained manually and the other is known for having had many delays in updates. I don't see any real reasons to use them.

AcclaimSublevel19 On Android, Firefox is the only (to my knowledge) browser that supports extensions and NoScript is essential at minimizing attack surface too.

This is the opposite of security / privacy and increases the attack surface in the current state, especially on Android. On desktop, you should keep extensions to a minimum.

AcclaimSublevel19 In the end, you always have to consider your threat model

Yes, but I also think that Firefox's lag behind Chromium in terms of security has nothing to do with the threat model, of course nor should it deter you from ever using Firefox regardless.

Secureblue's Trivalent is the Chromium based browser that comes to mind, which enhances security and privacy and will always outperform Arkenfox due to its much more robust base. Of course, it is not at all focused on customisation.

schklom

Xtreix You should use uBlock Origin anyway if you want effective content blocking, the default ad blocking offered by Firefox in this regard is weak and is comparable to what Edge does.

FYI, Chromium does have worse privacy since the deprecation of MV2. Most notably, uBlock Origin is not available anymore for Chromium browsers, only uBlock Origin Lite, which is quite worse according to its creator.

Brave and Firefox maintain MV2 on their own though.

Xtreix

schklom Chromium does have worse privacy since the deprecation of MV2.

MV3 is an improvement in security and privacy compared to MV2, and exploitation is still possible, but more difficult. MV2 easily allows remote exploitation via a malicious or compromised extension. MV2 was inappropriate with its famous “read all data for all sites”, and MV3 did not kill ad blockers, uBlock Origin Lite on Chromium works very well and is no less effective in my experience, even though I disagree with this change. However, it's still possible to enable the extension only for certain sites, which is not possible with Firefox. Ad blockers fall into the “enumerating badness" category and are problematic by design. Things like Site Isolation and state partitioning for network and storage first included in Chromium and more mature in Chromium are real features that improve security and privacy, more than adblockers.

neel

Xtreix I use uBlock Origin with Firefox mainly to block "AI overviews." That's why my GrapheneOS Pixel 10 Pro runs Firefox and not Vanadium.

From what I can gage, Chromium is more secure but Firefox is more "private" (if you don't get exploited). Google does more hardening work, but is a surveillance business.

There should be a "hybrid" between MV2 and MV3, where we have MV3 except for the limit on URLs (if I got it correctly).

ryrona

Xtreix Firefox = more private is a persistent misunderstanding, this is not the case, Firefox is very behind in terms of security and privacy and is not innovating at all since a very long time

Xtreix Things like Site Isolation and state partitioning for network and storage first included in Chromium and more mature in Chromium are real features that improve security and privacy

I was under the impression that Chromium was lacking proper site state isolation, and that only Firefox had a proper implementation for that. At least a year ago. Ie, that Chromium has a shared cache for all top-level domains, and unless you disable third-party cookies, also share third-party cookies between top-level domains, making it trivial for one compromised site to detect what other sites you have visited (eg by requesting resources from other sites and measuring response time to see whether it hit cache or not). Whereas Firefox properly isolate all site state per top-level domain, ie each top-level domain has its own separate cache and cookie storage.

Has this changed recently?

Those are quite important privacy features, which were added only a few years ago to Firefox.

And then we of course have the anti-fingerprinting patch series from Tor Browser that has been uplifted to Firefox. Even if it isn't Firefox that developed it, it is today part of Firefox. At the same time, Chromium, including Vanadium fork, largely lack anti-fingerprinting resistance, since no one has developed any corresponding patch series for Chromium base.

As far as my understanding goes, it is still that Chromium has superior security, but Firefox has superior privacy.

Xtreix

neel Firefox = more private is a persistent misunderstanding, this is not the case, Firefox is very behind in terms of security and privacy and is not innovating at all since a very long time, this does not mean that Firefox cannot improve, and there are improvements, but Firefox has no real security team and all the people who worked on Firefox security have been laid off, Firefox is mainly maintained by volunteers, and the company, Mozilla Corporation, with its new director, is more interested in AI than in improving the security and privacy of its browser.

neel There should be a "hybrid" between MV2 and MV3

No. Ad blocking should be done at the browser level, and users should limit extensions as much as possible, of course those who care about security and privacy of the browser. Even Chromium has built-in ad blocking, but the block list is so tiny. Vanadium and Trivalent use the block list built into Chromium and extend the lists, which is the right approach.

other8026

Very out of date browsers are not secure and it's not hard to connect the dots and realize that unpatched vulnerabilities affect privacy as well. It's highly inappropriate to advise people to use such software.

It's also highly inappropriate to complain about censorship and to advise others to use out of date software. Bad advice like the advice that was given earlier is just one reason we have to remove certain posts.

Also, if people are going to make big claims that go against actual professionals' opinions (not saying I'm one of them to be clear), then the burden of proof is on the ones making those claims. We're not going to let people hijack this forum for them to possibly confuse other community members.

Grapi

other8026

Is Ungoogled Chromium really out of date browser ?

Xtreix

ryrona I was under the impression that Chromium was lacking proper site state isolation, and that only Firefox had a proper implementation fo

I don't really know how to answer that honestly, and I'm not aware of this. I don't know of any links or studies that indicate that the implementation of Site Isolation in Chromium was less effective than in Firefox. In fact, as far as I know, it's only on Windows that Site Isolation on Firefox is roughly comparable to Site Isolation on Chromium. I don't know the current situation with Firefox on Linux. There were security flaws and performance issues with Site Isolation initially on Chromium, but they have all been fixed. Also, as far as I remember, Site Isolation does not prevent cross-site tracking, but is rather handled by the network and storage state partitioning.

https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-1/
https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-1/
https://web.archive.org/web/20250113130548/https://divestos.org/pages/browsers

ryrona As far as my understanding goes, it is still that Chromium has superior security, but Firefox has superior privacy.

My understanding is that security is necessary to ensure adequate privacy protection. Otherwise, in the absence of security or serious security with best practices, privacy protection becomes too fragile and we probably shouldn't rely on it.

spl4tt

Honestly, reading all of this, I'm not sure at all what is the right way.

I'll stick to my ironfox for now. The features are just superior in every way, the UX is MUCH better IMO and the only real thing that's bugging me is the (much) worse performance vs vanadium.

I use a lot of PWAs on my phone, and vanadium does that much better than ironfox/firefox, and when a site has sucky performance I open it in vandium. But I really really dislike the UI there.

Also ironfox has ublock origin installed by default.

My understanding was also that firefox (when configured correctly) is superior in privacy terms, but that chromium based browsers are superior in security. Now the question is how big of a difference in every day life it really makes.