Current state of Debian for desktop use

DebianAndy

Hi,

As a recent GrapheneOS convert I've been having a look around the forums and noticed a lot of people claiming that Linux operating systems are insecure. In particular Debian seems to have a pretty bad reputation around here.

I'm not a technical user at all, but I still tried to look into it a little more myself. From what I've gathered, the evidence seems quite damning... A lot of security researchers and IT professionals seem to hold similar opinions to the ones expressed here which is quite worrying.

I've only been using Debian for around a year and I have enjoyed learning and using it a lot. The extent of my usage is browsing the internet with Firefox, reading PDF's/emails/messages and occasionally pirating textbooks or scientific papers. The computer is frequently used over public WiFi.

My threat model is pretty much non existent. As far as I know, nobody is trying to hack me and I rarely if ever have to visit "dodgy" sites. My only goal is to maintain privacy over my own data (hence why I actually switched to Graphene in the first place).

Is Debian XFCE still safe for me to use? A lot of these comments were some time ago so how much have things changed?

Additionally, I've been wanting to learn SELinux and configure it on my computer (even before I learned all of this) as a side project. How much would this help, if at all?

Johnnyloans

DebianAndy

Most hacks and viruses are from typing your login into a look-a-like website or downloading shady files.

You're safe dude. Some people are just hardcore or desire a sense of pride/superiority to tell people everything in the world is insecure. Debian is about as unsafe as stairs--I'd still use 'em.

The crux to the linux is insecure debate is:
A virus is on your PC and executing code. It can get farther than if it was a virus running on android or GOS due to the phone having more barriers to contain the virus and the user account has very little privilege over the system. (The virus is running as the user). If it was me, I would keep doing what you're doing--PDFs, emails, textbooks, papers, etc.

Back up anything important while you are haviing fun experimenting in linux. Careful trusting the words of commenters, you could very well have far more knowledge than I or any other commenter :)

or as I said: some people are hardcore. It's like implicitly trusting the advice of a vegan on if meat is good to eat.

Johnnyloans

DebianAndy

I should have noted: Linux is not insecure. It is less secure.

"Less secure" still sounds like a bigger issue than reality to me.

naibed

DebianAndy My threat model is pretty much non existent. As far as I know, nobody is trying to hack me and I rarely if ever have to visit "dodgy" sites. My only goal is to maintain privacy over my own data (hence why I actually switched to Graphene in the first place).

Seems like the majority of responses completely ignored your threat model and defaulted to recommending a hardened distro as usual. TBH, most privacy forums/conversations devolve into mindless hardening against improbable/theoretical possibilities.

I use Debian as well and have taken steps to harden things on my own. It was a fun hobby at first but becomes a time suck for increasingly unlikely scenarios. You quickly hit a wall of diminishing returns and unnecessary friction for your personal setup.

Given your threat model, it sounds like the distro is likely less relevant than the browser you use tbh. Some advice I'd give:

Install the Flatpak version of your browser and use flatseal to make sure it isn't sharing unnecessary folders/data
Use uBO if you aren't already, and maybe take medium mode for a spin as you get more comfortable.
opensnitch to monitor traffic trying to exit your network stealthily (optional)

I do sandbox/firejail/containerize 3rd party apps that have proprietary data and/or are for-profit, but that is likely overkill tbh.

Johnnyloans

DebianAndy My threat model is pretty much non existent.
naibed Seems like the majority of responses completely ignored your threat model and defaulted to recommending a hardened distro as usual

I agree with this.
Good advice, I wouldn't have thought to mention: uBO prevents a common avenue for malware or phishing.

In my opinion: OP's Debian has slow updates. Browsers shouldn't be flatpak.

NoahRaketic You are wrong, and you are spreading misinformation. Stop. What you are doing is harmful.

I said that carpet-bombing malware is rare and singled out attacks on a person are even more rare, so users don't have to live under a rock--you can use Linux OP. Informed users have minimal attack surface on Linux.

Johnnyloans Most desktop linux setups don't have vulnerable ports.
NoahRaketic The same is true for Android; this isn't a security feature of Linux.

Johnnyloans e.g. mqtt, ssh, file server, hosting a website, etc
NoahRaketic Not exposing these services does not make desktop Linux safer than Android.

I know. I never said that. I am comparing the attack surface of:
Linux w/ chrome, an office suite, a network router, no services bound to ports, etc
vs Android: email, messenger apps, 2/3/4/5G, SMS, calls, app stores, no router blocking unsolicited inbound traffic, etc.

For a desktop user.

NoahRaketic A desktop messenger would most likely be running as your user
Johnnyloans qubesos sandboxing.
Selinux
NoahRaketic Neither of these are sandboxing, SELinux alone is not suitable to restrict general-purpose, user-facing apps, and Qubes OS is not Linux.

QubesOS does sandbox executable spaces:
https://en.wikipedia.org/wiki/Qubes_OS#The_User_domains:_qubes

"Selinux" i placed on a new line--a separate idea--in response to you saying an app is running "as your user." I know it isn't sandboxing.

"SELinux alone is not suitable to restrict general-purpose, user-facing apps"
I never said: "all you need is selinux to [accomplish a goal]."

NoahRaketic I'm not starting with "Linux is already infected". Do not misrepresent my argument. What I said in the next quote is ...
NoahRaketic The main question is, [let's say] your computer [is] compromised by some drive-by malware or a browser exploit, for instance, how bad would it be for you? If the answer is "very", then it would be an improvement to at least move away from Debian.

You did start your scenario with: the PC is already infected and how bad would that be. I am talking about how hackable linux is. Furthermore, every comment you said about: 'but sandboxing keeps a threat contained' is answering the question of linux security with "Let's say linux has a virus right now, linux isn't safe." Besides, there are protections for that scenario in linux and android--albeit android is better.

NoahRaketic Yes, that's why it is advisable to use a system that architecturally cannot get a virus (one with proper Verified Boot).

Anything is hackable. This is dangerous to say. collisions exist. It is trivial to setup secure boot on linux.

Johnnyloans Is AWS just 95% viruses because Linux is insecure?
NoahRaketic AWS applies hardening to their hypervisors that simply cannot apply to desktop Linux.

You are confused on a hypervisor or any sandbox's role in this. It can enforce memory protections. Hypervisors cannot fix vulnerabilities in the code. Any OS or code i run inside of ESX or AWS will still have its vulnerabilities.

The AWS hypervisor forwards network traffic to the Linux OS and applications running on it. Similar to bare metal behind a router.

Johnnyloans Zero days are extremely valuable. Yes, viruses can spread indiscriminately to everything it sees; however, the virus will be studied and patched with haste--Linux will be secure from the exploit. Likely a waste of the exploit. Conversely, very few people in the word have the knowledge and resources to target 1 person or organization. We aren't a target.
NoahRaketic Not if the vulnerability is unpatched ...

"Will be patched" > "Not if it's unpatched" ??
I'm not sure of your statement. Either researchers will refuse to fight malware or don't have the knowledge to? Both are historically not true.
There is a reason why carpet-bombing malware like wannacry is rare and why most of us won't be singled out by hackers.

NoahRaketic Desktops lack any implementation of full Verified Boot--and Secure Boot ...
Johnnyloans Does nothing unless the virus is already on the device.
NoahRaketic This is entirely untrue.
NoahRaketic If a virus is on the device [verified boot will notice and take action]

Oh.
So, yes, if is a virus already on the device?
Also, I'm curious if you are aware of and can explain what elements of desktop secure boot is so egregiously missing compared to android verified boot. Which you say is "an extremely weak protection."

Johnnyloans Sandboxing helps after your device is already compromised. They have to get inside the sandbox first.
NoahRaketic This is where any credibility you may have had falls apart. This is absolutely not how sandboxing works

Noahraketic: "[If the system is compromised, the virus can influence the app inside of the sandbox]"

Okay.
https://en.wikipedia.org/wiki/Protection_ring
This is like saying: if bad guys are in your house, they can subvert every closed drawer they want.
Of course.

Noahraketic: "A sandbox protects the host if the program is compromised."

First, the virus compromised the program residing inside of the sandbox. The sandbox then protects the host.

Okay, let's review my quote again:

JohnnyLoans "Sandboxing helps after your device is already compromised. They have to get inside the sandbox first."

NoahRaketic I am not talking about a DMZ.

You said a router doesn't prevent devices from being exposed to the world--DMZ.

NoahRaketic It is absolutely essential to treat all remote networking infrastructure as potentially hostile, and getting compromised this way is not user error.

Everyone knows that you can't trust the internet.

I don't think you understand networking. Outbound connections are initiated by our desktop PC. If it is connecting to a hostile server, it is either:

A virus on our device that initiated this. (Linux is not secure if it is currently infected argument)
it is user error at the helm
A 3rd party executable. (3rd party apps aren't the linux OS. Also, we can reliably trust steam or whatever app it is.)

NoahRaketic A user's choice ... is irrelevant to the security of Android itself.
NoahRaketic Not if ... you're on an insecure distro like Debian that falls far behind on patches.

Seems contradictory. Debian is insecure or people don't update so linux is insecure?

Johnnyloans Linux PGP package signing is the same: trusting 1 key and not an entire CA.
NoahRaketic This is not the same at all. You're trusting your distribution's build and signing infrastructure. Android has the capacity to pin signing keys managed by the developer directly.

Linux and android/GOS all have to: "[trust] your distribution's build and signing infrastructure."
Where do you think android got the idea to trust a developer's key? Linux has the same.

Johnnyloans Downgrading attacks: The attacker already compromised your system before the downgrade.
NoahRaketic No.
NoahRaketic This is false. Downgrade attacks are a very real threat.

I'd love to hear how an attacker will install software without arbitrary code execution or physical access. Leave out all of the technical details if you wish--a high level overview will do.

Johnnyloans You need to chain attack the router
NoahRaketic You don't.

You're right--this is optional. However, the alternative is: an attacker would have to MITM or compromise external infrastructure that the target connects to. All difficult tasks.
(Or the user downloads a virus of course, but--again--we don't need Linus to patch linux because a user ran: rm -rf --no-preserve-root / ).

NoahRaketic Only if there is a sandbox, which isn't the case for the vast majority of apps

The only sandboxing done by app developers that I'm aware of is a web browser.
qubesOS sandboxes apps that don't normally.
flatpak
snap

There seems to be a communication disconnect here. There are great resources out there to explain these various concepts further. We can disagree Noah. Take care.

NoahRaketic

Johnnyloans Desktop Linux is not just less secure--it is dramatically less secure than Android-based OSes.

In response to the user's question, it would be a good idea to at least take sensitive tasks (email, messaging, or whatever else) away from the computer and onto your phone. That way you can still experiment with Linux and reduce the blast radius if you are compromised.

aaronb

Going by that logic GOS is hardcore. You don't need hardened_malloc. Sandboxing? Pff, who cares? Just don't download shady files. Right?

Johnnyloans

aaronb

What you mentioned helps if there is malicious code already on the computer.

Most people don't have any services bound to ports nor an SMS receiver that is globally accessible on the PC to receive a zero day exploit through no fault of the user.

So, yes, don't download or open shady files. Stick to reputable websites.

No malicious code on the computer.

In linus torvalds we trust--install fedora.

Johnnyloans

NoahRaketic Desktop Linux is not just less secure--it is dramatically less secure than Android-based OSes.

What should I use for desktop

Johnnyloans

NoahRaketic Chrome OS

This has almost no applications for productivity (outside of google word processor, sheets, etc) and entertainment. Not a viable option.

NoahRaketic If you must use GNU/Linux

Now we are back to desktop Linux.

NoahRaketic Desktop Linux is not just less secure--it is dramatically less secure than Android-based loses.

DebianAndy

NoahRaketic

Thanks for taking the time to reply, I do appreciate the input.

Given Google's spotty history with privacy, I would feel rather uncomfortable using ChromeOS, even if it's the most secure option available.

While I understand Android offers much more security over a traditional Linux setup, it would be extremely impractical for me to move all sensitive tasks over to my phone. I regularly need to read PDF's sent by peers and watch lectures amongst other things. All of which require me to be logged into a work account and often times a personal messenger too.

Given my threat model and use cases, would you say switching operating system is strictly necessary?

NoahRaketic

Johnnyloans If security is your number one priority, then Chrome OS is the most secure option.

If you must use GNU/Linux, then secureblue is a decent option that makes many mitigations, but it is still much, much less secure than Android-based OSes.

NoahRaketic

Johnnyloans Yes, like I said, it is still dramatically less secure because it inherits issues from desktop Linux.

It is a myth that Chrome OS can only use Google's web-based apps. It supports both Linux and Android apps as well.

Johnnyloans

DebianAndy Given my threat model and use cases, would you say switching operating system is strictly necessary?

You're safe to be on any Linux distro. Switch if you'd like. You'd get faster updates for chromium and other packages on secureblue as well as its other benefits. In the next section, I explain that linux desktop is safe.

NoahRaketic

I misspoke, desktop linux is far safer than android to not get hacked. Most desktop linux users won't have services exposed. My PC doesn't have bluetooth, 2g, 3g, 4g, 5g, nfc, SMS, whatsapp, etc which would all expose attack surface area on a phone to the world. My PC is behind a router--not exposed to the world. Most comparisons of linux and android assume access has already been gained on the device.
The android kernel is derived from the linux kernel.
Linux has a much smaller attack surface for remote hacks. Any other situation about: "what if the user welcomed the hack by installing a virus?"
Well, what if monkeys could fly? We could do all sorts of actions on a phone or laptop. I could say GOS isn't secure because I because I did something unsafe.

compimatiker Since you already did the "Hardcore" way on your phone with GOS

I never said this. I--and no one else--is on this forum thinking: "these people are hardcore/crazy to get GOS." Wild to read my words and somehow arrive at this conclusion.

NoahRaketic Chrome OS ... supports both Linux and Android apps as well.

These apps sometimes have issues or won't run, some apps are not in the repository to install, chromeOS has a FAQ entry about apps possibly being blurry due to chromeos scaling the containerized app, ARM devices won't have all packages available for arm, X11 apps can have issues, no gpu or other hardware acceleration, no hardware video decode/encode, video playback is high cpu usage, you must carve out a reserved section from your harddrive for linux.

To work on files, you must move the files from your chromeOS file system to the reserved linux folder and back again after saving your work. Any copies of the files, you must keep track which is the latest revision.

NoahRaketic

DebianAndy Given my threat model and use cases, would you say switching operating system is strictly necessary?

The main question is, if your computer were compromised by some drive-by malware or a browser exploit, for instance, how bad would it be for you? If the answer is "very", then it would be an improvement to at least move away from Debian.

If you must use GNU/Linux due to the privacy or cost issues of Chrome OS and Mac OS, then you'll be better of on secureblue than on any other Linux distro in terms of security, but you must still accept the issues inherent to desktop Linux.

compimatiker

Since you already did the "Hardcore" way on your phone with GOS and seem to be comfortable... Why not give QubesOS a try. With this you can simply said achive similar privacy results on a desktop in comparison to your GOS-Phone.

Its recommended by Ed Snowden like GOS regarding to security and privacy and you can use for example debian inside of your qubes...and even Windows if required for a particular task.

DebianAndy

compimatiker

Thanks for replying.

I have actually tried Qubes before. It's actually the reason I got Debian on my laptop since I enjoyed using the Debian templates so much. While I really enjoy using Qubes and would love to use it on my laptop, I don't think I could since it's quite old now (>10 years) and would likely struggle to run Qubes properly.

At some point in the future, I would like to get a laptop capable of running Qubes however, due to financial reasons it's not possible right now.

NoahRaketic

Johnnyloans What you're saying is a misconception. Desktop Linux is not safer.

Johnnyloans Most desktop linux users won't have services exposed.

Can you be more specific about what you mean by "services"? If you mean radios, then this is simply untrue. A very large number of desktop devices have both Bluetooth and WiFi functionality. You can decide not to use those things, but the same is true about radios on mobile phones.

Johnnyloans My PC doesn't have bluetooth, 2g, 3g, 4g, 5g, nfc, SMS, whatsapp, etc which would all expose attack surface area on a phone to the world.

Installing an app like WhatsApp on a mobile phone is much safer than on desktop because it is sandboxed. A desktop messenger would most likely be running as your user, which increases attack surface much more for every app installed.

Johnnyloans My PC is behind a router--not exposed to the world.

Your router and firewall does not stop your computer from being "exposed to the world". It makes outgoing connections all the time to potentially hostile sources of data.

Johnnyloans Most comparisons of linux and android assume access has already been gained on the device.

No.

Johnnyloans The android kernel is derived from the linux kernel.

Yes, it is, but it is hardened and stripped down compared to the mainline versions. Note that this is a problem for Android, and the iOS kernel, for instance, is much more secure.

Johnnyloans Linux has a much smaller attack surface for remote hacks.

This is false.

Johnnyloans Any other situation about: "what if the user welcomed the hack by installing a virus?"
Well, what if monkeys could fly? We could do all sorts of actions on a phone or laptop. I could say GOS isn't secure because I because I did something unsafe.

Nobody is arguing this.

There are many blatant security issues in desktop Linux:

The vast majority of apps and utilities run unsandboxed.
Flatpak automatically grants unsafe permissions that an app requests in its manifest.
Even disregarding permissive defaults, Flatpak is years behind Android's sandboxing in terms of security and it is less audited.
Desktops lack any implementation of full Verified Boot--and Secure Boot (most Linux users have this disabled) is an extremely weak protection.
Android has a unified and much more secure update mechanism for apps, including certificate and version pinning.
Among others.

Your attack surface is much, much bigger on desktop Linux, especially so if you're using a Firefox-based browser. Desktop Linux distributions try to maintain legacy as well as broad hardware compatibility to the detriment of its security. The desktop as an ecosystem is horrible for security and privacy. You are free to think that it's okay enough, but you should not spread misinformation to justify that.

Johnnyloans

To preface this:
Linux is not insecure. I am not saying that, for example, an SMS zero-day on android will end up compromising the OS, firmware, or other apps, etc. Nor will a pdf file executing its own code automatically equates to sandbox escape or privilege escalation. I am not saying every linux distro has equal security--QubesOS has sandboxing. Linux is less secure than android in certain scenarios, namely when the device is already infected. It is harder for a virus to spread on Android than on Linux, especially with inferior distros or poor user practices.

NoahRaketic Can you be more specific about what you mean by "services"?

e.g. mqtt, ssh, file server, hosting a website, etc
The word "service" is commonplace in tech. Same idea as: "what services does your business provide."

NoahRaketic A desktop messenger would most likely be running as your user
Every mention of phones having sandboxed Software

qubesos sandboxing.
Selinux
privilege escalation and a sandbox breakout exploit is needed. Otherwise, my ~/Music is in grave danger. (A user storing unencrypted passwords, secrets, etc. isn't a linux vulnerability to bring up to Linus).

Johnnyloans Most comparisons of linux and android assume access has already been gained on the device.
NoahRaketic No.

My point: A scenario starting with "Linux is already infected" doesn't mean linux is insecure. (See the next quote.) A system that protects informed users 99.999% of the time is good. You write as if it is fragile and the entire domino chain will fall. My estimate is conservative--1 in every 100,000 up-to-date, responsible linux environments containing a virus is an overestimation.

NoahRaketic: "The main question is, if your computer were compromised by some drive-by malware or a browser exploit, for instance, how bad would it be for you? If the answer is "very"

We all know that a PC with a virus already on it is not secure.
Again, use QubesOS (sandboxing), selinux, etc.

"Drive by malware"

How commonplace do you think data breaches happen? Is AWS just 95% viruses because Linux is insecure? All of our "insecure PCs" would be infected by end of day via all of our outgoing connections to the web.
Zero days are extremely valuable. Yes, viruses can spread indiscriminately to everything it sees; however, the virus will be studied and patched with haste--Linux will be secure from the exploit. Likely a waste of the exploit. Conversely, very few people in the word have the knowledge and resources to target 1 person or organization. We aren't a target.

"It makes outgoing connections all the time to potentially hostile sources of data."
Anyone with physical access like a user can get any system compromised no matter how secure. Or this comment is touching on the fact that the linux PC already has a virus that is making outgoing connections and thus we inform Linus that linux is insecure.

My main point is comparing the security of linux and android from remote attacks. irresponsible users could do anything.

"Desktops lack any implementation of full Verified Boot--and Secure Boot"
Does nothing unless the virus is already on the device.
"Installing an app like WhatsApp on a mobile phone is much safer than on desktop because it is sandboxed."
Sandboxing helps after your device is already compromised. They have to get inside the sandbox first.

Every point in:

"There are many blatant security issues in desktop Linux"
Don't use flatpaks then. A user installing insecure software isn't a vulnerability. We don't have to report an issue to Linus.

Your router and firewall does not stop your computer from being "exposed to the world". [outgoing connections]

DMZ is not the same as a device under the umbrella of a router.
Making 1 or 1,000 remote connections isn't exposed to the world--<0.01% of the world. Surely we aren't arguing that duckduckgo or a package repository giving us a virus is a serious concern.
Furthermore, I could expose port 22 and web browse. They're separate. Chrome won't get me an ssh exploit.

Johnnyloans Any other situation about: "what if the user welcomed the hack by installing a virus?"
Nobody is arguing this.

NoahRaketic: "It makes outgoing connections all the time to potentially hostile sources of data."

This comment brings us back to my 2 points refuted by you: comparing the security of linux and android if they're already infected or the user welcomes in a virus by going to "hostile sources of data."

#p214442 https://grapheneos.social/@GrapheneOS/115691254933301240
It's a massive monolithic kernel written in a memory unsafe language

Android has more than 60% of its codebase in memory unsafe languages. The "insecure linux kernel" is a small fraction of the codebase.
source: https://openhub.net/p/android/analyses/latest/languages_summary

If you want to compare inferior linux distros, setups, or users then we can talk about android:

The majority of android devices on the internet are on android 13 or older and surely behind on security updates. See how it is an entirely different discussion to argue the various bad practices of users?
https://www.noypigeeks.com/tech-news/android-16-market-share-2026-google/

NoahRaketic Android has a unified and much more secure update mechanism for apps, including certificate and version pinning.

certificate pinning: Trusting 1 cryptography key instead of the entire CA. A compromised CA could have adversaries distribute viruses and your PC trusts it.

Linux PGP package signing is the same: trusting 1 key and not an entire CA.
Surely we aren't saying a serious security concern for your average netizen is: "what if trusted devs have a CA residing in hot storage and/or internet‑facing." The probability of this compromise is similar to compromising the 1 trusted pinned cert.

version pinning: Only certain version(s) of software are allowed.
This is designed to be a stability feature more than a security one--only under extreme conditions.

If we do "version must equal 2.5 or 2.1 to 2.5": It's generally better to update to the latest version than to be scared of a vulnerability that might be created in the latest version.
Vulnerabilities found in software usually affect numerous versions going back months or years. Your pinned version might be safe if you're running old enough software; which, again is risky not gaining the security patches of later versions.
Downgrading attacks: The attacker already compromised your system before the downgrade.
An open-ended version mandate of "anything newer than x" isn't a security vulnerability of linux. e.g. the user downgrades the software themselves or any modifications to the software are updates which will always pass the open-ended mandate.

tl;dr
Most desktop linux setups don't have vulnerable ports. You need to chain attack the router, Linux, 1 or more sandboxes, and privilege escalation.
Phones have 2G, SMS, bluetooth, whatsapp, etc waiting to receive data from the world--larger attack surface.

DebianAndy

NoahRaketic

Please forgive me if these are basic concepts, I am not a technical user at all. What do "drive-by malware" and "browser exploits" mean? How common are they and what kinds of scenarios would I encounter these sorts of threats?

DeletedUser639

the two Operating Systems listed below seem to think the current state of Debian for desktop use is ok.
I would bet on them rather than an anonymous contributor, trying to prove they know best.

https://www.kicksecure.com/
https://tails.net/

NoahRaketic

DeletedUser639 the two Operating Systems listed below seem to think the current state of Debian for desktop use is ok.

Use of an OS as a base should not be treated as an endorsement. Would you also say that Firefox ESR is secure because the Tor Browser is based on it?

DeletedUser639 I would bet on them rather than an anonymous contributor, trying to prove they know best.

You don't have to take my word for it:
https://grapheneos.social/@GrapheneOS/113926144314698265
https://grapheneos.social/@GrapheneOS/114875783683585797

NoahRaketic

DebianAndy

No, that's perfectly okay. Drive-by malware is a broad term that refers to malicious software being installed on someone's device without the user's knowledge. This would normally start with an exploit, followed by a method to gain malware persistence.

An exploit is anything that takes advantage of a security bug in software. A browser exploit just means that this bug is somewhere in the browser, usually the rendering engine (Blink for Chromium and Gecko for Firefox). They are found often, and are rarely exploited in the wild before they are patched. Any page you visit could try to use an exploit, but these are very hard to find, especially for Chromium. On Chromium, the impact of a successful exploit is smaller because it has much stronger isolation, while a successful exploit on Firefox is much more likely to affect the system. You're most likely to find a browser exploit by visiting an untrusted link sent to you, but it could be attempted on any page at all.

Distros like secureblue and Chromium OS further improve Chromium's confinement using SELinux (for secureblue) and Minijail (for Chromium OS).

DeletedUser639

NoahRaketic You don't have to take my word for it:

and I dont...

EverettHitch

Why do people post shit in incorrect forums all the time? Everything alright with you?