chromium and firefox - myths and facts?

Marko Cupać
Hi,

over last few years, I got an impression that OpenBSD project seem to
favour Chromium over Firefox. For example, in:

https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf

"We know it's right when we can do chrome."
"[...]chrome - the stuff we use frequently"

I don't understand either browser's code. However, current propaganda
that reaches me goes along the lines "Firefox is made by non-profit
organization with users' freedom in mind, while Chromium is made by
for-profit organization for the purpose of extraction of users'
personal information". I trust OpenBSD project and its users more than
big vendors' pitches, so I'd like to ask:

Is the above untrue? Am I, as a user, more vulnerable to security and
privacy violations using Firefox than Chromium on OpenBSD?

Or is this question off-topic, as OpenBSD cares about technical
correctness of the code in regard to overall security of a computer
system, not outcome of users voluntarily running technically correct
code, even when it compromises their personal security?

Something else?

Thank you in advance,

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: chromium and firefox - myths and facts?

Marc Espie-2
On Mon, Jun 11, 2018 at 01:28:04PM +0200, Marko Cupać wrote:

> Hi,
>
> over last few years, I got an impression that OpenBSD project seem to
> favour Chromium over Firefox. For example, in:
>
> https://www.openbsd.org/papers/BeckPledgeUnveilBSDCan2018.pdf
>
> "We know it's right when we can do chrome."
> "[...]chrome - the stuff we use frequently"
>
> I don't understand either browser's code. However, current propaganda
> that reaches me goes along the lines "Firefox is made by non-profit
> organization with users' freedom in mind, while Chromium is made by
> for-profit organization for the purpose of extraction of users'
> personal information". I trust OpenBSD project and its users more than
> big vendors' pitches, so I'd like to ask:
>
> Is the above untrue? Am I, as a user, more vulnerable to security and
> privacy violations using Firefox than Chromium on OpenBSD?
>
> Or is this question off-topic, as OpenBSD cares about technical
> correctness of the code in regard to overall security of a computer
> system, not outcome of users voluntarily running technically correct
> code, even when it compromises their personal security?

Chrome is a relative newcomer to browser land, and it was designed from
the start from a security point of view, so it got a headstart there.

The guys running the https part of google, even if we don't always agree
with them, tend to try and make things more secure.

Adam Langley's blog is fairly interesting.
Niels Provos has done some nice work on the malware sites discovery part.

It's been my understanding that firefox is finally catching up. Namely,
they've put a reasonably secure architecture in place.  And they are getting
rid of their old large extension language to try and use the same
architecture as chrome.

The gap is much smaller than it was a year ago.

In short, I feel that most of chrome's focus is on making things reasonably
secure (as far as confidentiality and attacks go) so that people trust the
browser, whereas firefox's focus is waaay more dispersed.

Competition is good.

Re: chromium and firefox - myths and facts?

Theo de Raadt-2
Marc Espie <[hidden email]> wrote:

> Chrome is a relative newcomer to browser land, and it was designed from
> the start from a security point of view, so it got a headstart there.

In a browser, there are 2 main security components you want: The main
security advantage is privsep.  The other is W^X jit.  Other security
effects will follow from those design choices, especially if you have
privsep.  For instance, the chrome privsep is nicely refined and pledge
enforcements could be added.

chrome was designed to be privsep.  sshd was the first major privsep
program on everyone's machine, and chrome was second.  For instance,
smtpd had it designed-in from the start, and it is very strong.

We have added privsep to software after the fact, but it isn't always a
success.  As an example of this, privsep was added to dhclient and
probably isn't as strong.  Only because it is difficult pasting the
concept in afterwards.

> It's been my understanding that firefox is finally catching up. Namely,
> they've put a reasonably secure architecture in place.  And they are getting
> rid of their old large extension language to try and use the same
> architecture as chrome.

It is my understanding that firefox says they are catching up, but all
I see is lipstick on a pig.  It now has multiple processes.  That does
not mean it has a well-designed privsep model.  Landry's attempt to add
pledge to firefox, shows that pretty much all processes need all
pledges.

From where I stand, I think it fails to be privsep because the various
process initializations still need way too much, and tasks aren't being
done in the right process.  I think firefox is still only 2 process
classes, whereas chrome is 6 or 7.

> The gap is much smaller than it was a year ago.

I don't think so.

> In short, I feel that most of chrome's focus is on making things reasonably
> secure (as far as confidentiality and attacks go) so that people trust the
> browser, whereas firefox's focus is waaay more dispersed.

I doubt firefox will ever focus on security.  The security mechanisms we
are talking about require breaking compatibility or performance.  This
isn't the stuff one rearranges deck chairs for.

BTW, the jit in chrome isn't W^X.  So chrome is behind in one sense,
because the jit in firefox is W^X [well not truly, it uses two mappings
of the same object, and if the attacker can find the shadow he can play,
but it is still raising the bar]

I'm replying because I think the picture is being painted too rosy.
I think firefox is YEARS behind, unless they change their strategy.
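
The privsep-plus-pledge pattern discussed in this message, as an added example that is not part of the original post and is not code from Chromium, Firefox or OpenBSD: a parent keeps its privileges while a forked worker, pledged to "stdio" only, handles the untrusted bytes. The names `parse_untrusted` and `worker` and the tag-counting "parser" are hypothetical; the `pledge()` call is compiled only on OpenBSD.

```c
/* Added example (not from the thread): privsep with a pledge()d worker.
 * parse_untrusted(), worker() and the '<' counter are hypothetical. */
#include <sys/socket.h>
#include <sys/wait.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Worker process class: touches untrusted bytes, gets the narrowest promises. */
static void worker(int fd)
{
    char buf[512];
    uint32_t tags = 0;
    ssize_t n;
#ifdef __OpenBSD__
    /* "stdio": I/O on already-open descriptors only. An open(2) or
     * socket(2) after this point gets the process killed by the kernel. */
    if (pledge("stdio", NULL) == -1)
        _exit(1);
#endif
    /* Stand-in for a real parser: count '<' until the parent sends EOF. */
    while ((n = read(fd, buf, sizeof(buf))) > 0)
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '<')
                tags++;
    if (n < 0 || write(fd, &tags, sizeof(tags)) != (ssize_t)sizeof(tags))
        _exit(1);
    _exit(0);
}

/* Parent process class: keeps its privileges and hands only raw bytes to
 * the worker. Returns the tag count, or -1 if the worker failed. */
long parse_untrusted(const char *data, size_t len)
{
    int sv[2], status;
    uint32_t tags = 0;
    long result = -1;
    size_t off = 0;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if ((pid = fork()) == 0) {
        close(sv[0]);
        worker(sv[1]);              /* never returns */
    }
    close(sv[1]);
    while (pid > 0 && off < len) {
        /* MSG_NOSIGNAL: a dead worker must not SIGPIPE the parent. */
        ssize_t w = send(sv[0], data + off, len - off, MSG_NOSIGNAL);
        if (w <= 0) break;
        off += (size_t)w;
    }
    shutdown(sv[0], SHUT_WR);       /* EOF for the worker's read loop */
    if (pid > 0 && off == len &&
        read(sv[0], &tags, sizeof(tags)) == (ssize_t)sizeof(tags))
        result = (long)tags;
    close(sv[0]);
    /* A worker killed for a pledge violation shows up as a signal exit. */
    if (pid == -1 || waitpid(pid, &status, 0) == -1 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        result = -1;
    return result;
}

int main(void)
{
    const char *page = "<html><b>hi</b></html>";  /* constructed input */
    return parse_untrusted(page, strlen(page)) == 4 ? 0 : 1;
}
```

A process that needs files, sockets and exec during its own start-up cannot be narrowed this way, which is the difference between merely having several processes and having a privsep design.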

Re: chromium and firefox - myths and facts?

Patrick Harper
In that case, are the Chromium updates in current worth attempting to backport to stable? Or are the stable builds safer than the backported Firefox builds throughout the six months or so that they remain frozen?

--
  Patrick Harper
  [hidden email]

On Mon, 11 Jun 2018, at 06:56, Theo de Raadt wrote:

> Marc Espie <[hidden email]> wrote:
>
> > Chrome is a relative newcomer to browser land, and it was designed from
> > the start from a security point of view, so it got a headstart there.
>
> In a browser, there are 2 main security components you want: The main
> security advantage is privsep.  The other is W^X jit.  Other security
> effects will follow from those design choices, especially if you have
> privsep.  For instance, the chrome privsep is nicely refined and pledge
> enforcements could be added.
>
> chrome was designed to be privsep.  sshd was the first major privsep
> program on everyone's machine, and chrome was second.  For instance,
> smtpd had it designed-in from the start, and it is very strong.
>
> We have added privsep to software after the fact, but it isn't always a
> success.  As an example of this, privsep was added to dhclient and
> probably isn't as strong.  Only because it is difficult pasting the
> concept in afterwards.
>
> > It's been my understanding that firefox is finally catching up. Namely,
> > they've put a reasonably secure architecture in place.  And they are getting
> > rid of their old large extension language to try and use the same
> > architecture as chrome.
>
> It is my understanding that firefox says they are catching up, but all
> I see is lipstick on a pig.  It now has multiple processes.  That does
> not mean it has a well-designed privsep model.  Landry's attempt to add
> pledge to firefox, shows that pretty much all processes need all
> pledges.
>
> From where I stand, I think it fails to be privsep because the various
> process initializations still need way too much, and tasks aren't being
> done in the right process.  I think firefox is still only 2 process
> classes, whereas chrome is 6 or 7.
>
> > The gap is much smaller than it was a year ago.
>
> I don't think so.
>
> > In short, I feel that most of chrome's focus is on making things reasonably
> > secure (as far as confidentiality and attacks go) so that people trust the
> > browser, whereas firefox's focus is waaay more dispersed.
>
> I doubt firefox will ever focus on security.  The security mechanisms we
> are talking about require breaking compatibility or performance.  This
> isn't the stuff one rearranges deck chairs for.
>
> BTW, the jit in chrome isn't W^X.  So chrome is behind in one sense,
> because the jit in firefox is W^X [well not truly, it uses two mappings
> of the same object, and if the attacker can find the shadow he can play,
> but it is still raising the bar]
>
> I'm replying because I think the picture is being painted too rosy.
> I think firefox is YEARS behind, unless they change their strategy.
>

Re: chromium and firefox - myths and facts?

Theo de Raadt-2
In reply to this post by Marko Cupać
> In that case, are the Chromium updates in current worth attempting to
> backport to stable?

the team does not do significant backports like that.

> Or are the stable builds safer than the backported Firefox builds
> throughout the six months or so that they remain frozen?

Answered it in the long, the short version is: Chrome/Iridium is safer code.

Re: chromium and firefox - myths and facts?

BergenBergen BergenBergen
> Answered it in the long, the short version is: Chrome/Iridium is safer
> code.

Chrome is also way more comfortable to develop y'all web/mobile apps in.
Win-win!

All the best,
Murk


On Mon, Jun 11, 2018 at 4:29 PM, Theo de Raadt <[hidden email]> wrote:

> > In that case, are the Chromium updates in current worth attempting to
> > backport to stable?
>
> the team does not do significant backports like that.
>
> > Or are the stable builds safer than the backported Firefox builds
> > throughout the six months or so that they remain frozen?
>
> Answered it in the long, the short version is: Chrome/Iridium is safer
> code.
>
>

Re: chromium and firefox - myths and facts?

Stuart Longland
In reply to this post by Marko Cupać
On 11/06/18 21:28, Marko Cupać wrote:
> I don't understand either browser's code. However, current propaganda
> that reaches me goes along the lines "Firefox is made by non-profit
> organization with users' freedom in mind, while Chromium is made by
> for-profit organization for the purpose of extraction of users'
> personal information".

There's a great irony here…

Firefox is a derivative of the Mozilla code base which used to be known
in the general public as Netscape.  Netscape Communications was a
for-profit company, that actually *sold* their browser for commercial
use (it was only free for personal use).

Chrome and Safari both derive from Apple WebKit which itself is a fork
of the KHTML rendering engine developed by the KDE project, and has
*always* been, LGPL licensed code since its first release in 1998.

Yet today, Firefox is held up as the open-source darling and
Chrome/Safari is seen as the proprietary devil.  Go figure. :-)
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

Re: chromium and firefox - myths and facts?

Flipchan
I'm currently using qutebrowser, which is written in Python 3, and pledge has started to get into the Python world, so I hope that will be supported soon

On June 12, 2018 12:40:18 AM UTC, Stuart Longland <[hidden email]> wrote:

>On 11/06/18 21:28, Marko Cupać wrote:
>> I don't understand either browser's code. However, current propaganda
>> that reaches me goes along the lines "Firefox is made by non-profit
>> organization with users' freedom in mind, while Chromium is made by
>> for-profit organization for the purpose of extraction of users'
>> personal information".
>
>There's a great irony here…
>
>Firefox is a derivative of the Mozilla code base which used to be known
>in the general public as Netscape.  Netscape Communications was a
>for-profit company, that actually *sold* their browser for commercial
>use (it was only free for personal use).
>
>Chrome and Safari both derive from Apple WebKit which itself is a fork
>of the KHTML rendering engine developed by the KDE project, and has
>*always* been, LGPL licensed code since its first release in 1998.
>
>Yet today, Firefox is held up as the open-source darling and
>Chrome/Safari is seen as the proprietary devil.  Go figure. :-)
>--
>Stuart Longland (aka Redhatter, VK4MSL)
>
>I haven't lost my mind...
>  ...it's backed up on a tape somewhere.

--
Take Care Sincerely flipchan layerprox dev

Re: chromium and firefox - myths and facts?

Roman Zolotarev
On Tue, Jun 12, 2018, at 07:08, flipchan wrote:
> I'm currently using qutebrowser, which is written in Python 3, and pledge
> has started to get into the Python world, so I hope that will be
> supported soon

Which version of qutebrowser are you using?
Have you tried to build/install qutebrowser v1.3/v1.4 on OpenBSD 6.3?
Thanks.

Roman https://www.romanzolotarev.com

Re: chromium and firefox - myths and facts?

Lampshade
In reply to this post by Marko Cupać
>Chrome and Safari both derive from Apple WebKit which itself is a fork
>of the KHTML rendering engine developed by the KDE project, and has
>*always* been, LGPL licensed code since its first release in 1998.
>
>Yet today, Firefox is held up as the open-source darling and
>Chrome/Safari is seen as the proprietary devil.  Go figure. :-)

But still Chrome has a purpose to push away people
from desktop programs to WebApps, because of all the advertisement,
marketing and tracking possibilities WebApps give to the companies,
especially Google.
WebApps also means data is not stored locally, but remotely.

Not to mention Chrome sends your history to Google
servers when you log in into Google Account(Gmail, Youtube).

I know some people can write open-source WebApps
and host them on their private servers or at least
paid VPSes, but how many?

Re: chromium and firefox - myths and facts?

Lampshade
In reply to this post by Marko Cupać
Maybe this time mail will be encoded properly.

 >Chrome and Safari both derive from Apple WebKit which itself is a fork
 >of the KHTML rendering engine developed by the KDE project, and has
 >*always* been, LGPL licensed code since its first release in 1998.
 >Yet today, Firefox is held up as the open-source darling and
 >Chrome/Safari is seen as the proprietary devil.
 >Go figure. :-)

But still Chrome has a purpose to push away people
from desktop programs to WebApps, because of all the advertisement,
marketing and tracking possibilities WebApps give to the companies,
especially Google.
WebApps also means data is not stored locally, but remotely.

Not to mention Chrome sends your history to Google
servers when you log in into Google Account(Gmail, Youtube).

I know some people can write open-source WebApps
and host them on their private servers or at least
paid VPSes, but how many? Not to mention these
WebApps will probably not cover every use-case
and they are going to use some company WebApp
anyway.

Re: chromium and firefox - myths and facts?

Darren S.
One other factor with Firefox is the use of the platform to push
"experiments" and "studies" in their nightly builds, as discussed in
these posts:

https://drewdevault.com/2017/12/16/Firefox-is-on-a-slippery-slope.html
https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxNoNightly

Decisions made by Mozilla on this front indicate an overall
willingness to abuse their user base without explicit consent in
support of opaque data sharing partnerships and what are essentially
affiliate programs to side load code on user computers.

--
Darren Spruell
[hidden email]


On Tue, Jun 12, 2018 at 11:25 AM, lampshade <[hidden email]> wrote:

> Maybe this time mail will be encoded properly.
>
>>Chrome and Safari both derive from Apple WebKit which itself is a fork
>>of the KHTML rendering engine developed by the KDE project, and has
>>*always* been, LGPL licensed code since its first release in 1998.
>>Yet today, Firefox is held up as the open-source darling and
>>Chrome/Safari is seen as the proprietary devil.
>>Go figure. :-)
>
> But still Chrome has a purpose to push away people
> from desktop programs to WebApps, because of all the advertisement,
> marketing and tracking possibilities WebApps give to the companies,
> especially Google.
> WebApps also means data is not stored locally, but remotely.
>
> Not to mention Chrome sends your history to Google
> servers when you log in into Google Account(Gmail, Youtube).
>
> I know some people can write open-source WebApps
> and host them on their private servers or at least
> paid VPSes, but how many? Not to mention these
> WebApps will probably not cover every use-case
> and they are going to use some company WebApp
> anyway.

Re: chromium and firefox - myths and facts?

Stuart Henderson
On 2018-06-12, Darren S. <[hidden email]> wrote:
> One other factor with Firefox is the use of the platform to push
> "experiments" and "studies" in their nightly builds, as discussed in
> these posts:

It's unfair to single out Firefox for that (plus, they're disabled in the
OpenBSD port).

> https://drewdevault.com/2017/12/16/Firefox-is-on-a-slippery-slope.html
> https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxNoNightly

https://textslashplain.com/2017/10/18/chrome-field-trials/


Re: chromium and firefox - myths and facts?

Darren S.
On Tue, Jun 12, 2018 at 2:46 PM Stuart Henderson <[hidden email]>
wrote:

> On 2018-06-12, Darren S. <[hidden email]> wrote:
> > One other factor with Firefox is the use of the platform to push
> > "experiments" and "studies" in their nightly builds, as discussed in
> > these posts:
>
> It's unfair to single out Firefox for that
>
> > https://drewdevault.com/2017/12/16/Firefox-is-on-a-slippery-slope.html
> > https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxNoNightly
>
> https://textslashplain.com/2017/10/18/chrome-field-trials/


I don’t mean to single out Mozilla for having experimental feature
support, which is indeed in common. The distinction for me is the Chrome
post describes testing of upcoming features in the browser whereas the
Firefox history discloses things like an ad (one of how many?) being pushed
silently to the client for an affiliate (that’s adware behavior, and as an
extension that they intended to be hidden), and a DNS data collection event
to which many users are very likely to be opposed. Mozilla argues against
that sort of thing being opt-in and widely disclosed.
--
Darren Spruell
[hidden email]

Re: chromium and firefox - myths and facts?

Kevin Chadwick-4
In reply to this post by Theo de Raadt-2
On Mon, 11 Jun 2018 07:56:50 -0600


> In a browser, there are 2 main security components you want: The main
> security advantage is privsep.  The other is W^X jit.  Other security
> effects will follow from those design choices, especially if you have
> privsep.  For instance, the chrome privsep is nicely refined and
> pledge enforcements could be added.

This is surely of far less interest than the ability to pledge but
perhaps of interest.

These are the Windows 10 1803 exploit protection settings that I have
found can be enabled without crashing chrome then firefox. There seems
to be a few targeted at ROP that firefox runs with but break Chrome.

  <AppConfig Executable="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries EnforceModuleDependencySigning="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false"
               BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
    <Payload EnableImportAddressFilter="false" EnableRopSimExec="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>

  <AppConfig Executable="C:\Program Files\Mozilla Firefox\firefox.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries EnforceModuleDependencySigning="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false"
               BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
    <Payload EnableExportAddressFilter="true" AuditEnableExportAddressFilter="false"
             EnableExportAddressFilterPlus="true" AuditEnableExportAddressFilterPlus="false"
             EnableImportAddressFilter="true" AuditEnableImportAddressFilter="false"
             EnableRopStackPivot="true" AuditEnableRopStackPivot="false"
             EnableRopCallerCheck="true" AuditEnableRopCallerCheck="false"
             EnableRopSimExec="true" AuditEnableRopSimExec="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>