Threat posed by Gecko-based browsers

remnant8243

Is the mere presence of a Gecko-based browser on GrapheneOS a security risk? For example, if you installed Firefox but never used it, then does that introduce a substantial security risk to your device? Or is it merely that Firefox only creates a security risk while you use it?

I've read the wiki and searched the forum but can't seem to find information that states this in clear terms to me. I'm asking because I was thinking of installing Tor Browser. If the threat posed by Gecko-based browsers is created only through your use and you have no reason to believe that any sophisticated adversary is targeting you, then the threat would seem minimal if you're browsing safe websites. If the threat is caused merely by a Gecko-based browser's presence on your device, then I wouldn't install one as I don't want to unnecessarily undermine GrapheneOS's security.

Johnnyloans

remnant8243

Only when you use it.

Ironfox looks good: absolutely no autonomous, background data or telemetry.

Fennec - I'm not caught up on all of Mozilla's services; but, signing into firefox sync could connect to the outside world. Not sure if any connections would be made without signing into a mozilla account.

dhhdjbd

remnant8243

In the strictest sense, having apps installed is a risk, even if you do not use them. A scenario is imaginable, involving a malciouse app, some exploit that is using ipc and the installed app.
(if it is not disabled) (maybe there are other attack surface too, it defenitly does increass the attack surface)
Not sure if this specific exploit type is happening in practice at all, and you do not need to worry about it.

For firefox the warning is only about the app itself as mentioned before.
(It is about using the browser, it is easier for webcode to exploit geko then vanadium^^)

edit: a more likely scenario would be an app (that you do not use) and a link, you click on 'open in app' by accident, and it might result in who knows what^^

Johnnyloans

remnant8243 If you installed Firefox but never used it

littlerack hanging to load pages.

How are you loading pages while not using firefox?

background
autonomous
telemetry

You ran an experiment to: block firefox then went to a website to verify if firefox could still work or not?

remnant8243

Johnnyloans Understood, understood. Thank you.

littlerack

Johnnyloans Ironfox looks good: absolutely no autonomous, background data or telemetry.

It phones Mozilla as hell, what are you talking about, especially In a default/clean setup (and also even if I disable what seems not needed).
I only improve situation a bit by disallowing background data and putting it into restricted battery use.
If I try to block it via RethinkDNS, it behaves weirdly by hanging to load pages.

firefox-settings-attachments.cdn.mozilla.net
content-signature-2.cdn.mozilla.net
firefox.settings.services.mozilla.com
to name a few

gristle-cause

I wouldnt recommend Firefox under most circumstances, and I do wish Tor Browser didn't suffer from its Gecko-inherited security flaws

But the Tor Project is such a bastion for internet anonymity, I do consider it worthwhile for specific use cases (general browsing, other anonymous activities), even if just to normalize Tor traffic

You are in a considerably stronger position on GOS, where the OS itself is protected by stronger security measures than nearly any other operating system, short of running it in a disposable VM

remnant8243

gristle-cause According to @GrapheneOS (I don't know if tagging them is forbidden), Gecko-based browsers don't benefit from the majority of GrapheneOS's exploit protections.

https://discuss.grapheneos.org/d/14146-is-tor-browser-more-save-on-graphene-than-on-stock-android/2

What I'm trying to understand is whether this pertains to the mere presence of a Gecko-based browser on GrapheneOS, or if it pertains to attacks that occur as a result of using the browser. @Johnnyloans seems to believe it's the latter.

gvprtskvni

Apparently Firefox did improve their sandbox recently: https://www.reddit.com/r/firefox/comments/1qkhwmh/firefox_for_android_added_protection_against/. Not sure if it lives up to GOS' standards yet though.

littlerack

Johnnyloans block firefox

Czeeze, "block" not the whole browser but the mozilla domains I've listed that IronFox is phoning while in background.
Firefox does the same? So what, it's "Ironfox looks good: absolutely no autonomous, background data or telemetry" is wrong/misleading with it's "absolutely" - I had to whitelist mentioned 3 domains to be able to use IronFox at all.