• Aelis [any]@hexbear.net
      21 hours ago

      Funniest thing is, I read this after learning Chrome had a zero-day exploit, Brave might not even have the patch yet 😆

      To be fair, on sites like privacytests.org Brave seems to pass more tests than default Firefox, but these tests don’t take extensions into account. Extensions wouldn’t add much to Brave since it’s a Chromium browser, but Firefox should have better results with uBlock alone…and then there are forks and ways to harden Firefox on top of that.

      And of course it’s not taken into account how sus Brave is, if I remember right Brave search has already been caught spying on its users (and used word play to pretend it was open-source) and then there’s also the crypto scam. Passing most of the security/privacy tests won’t help if the browser is spying and exploiting you.

    • oaklandnative@lemmy.world
      22 hours ago

      I have used FF based browsers for a long time and still do. I recently saw this from the GrapheneOS developers, which kinda freaks me out and has me considering switching to a Chromium based browser:

      https://grapheneos.org/usage#web-browsing

      Chromium-based browsers like Vanadium provide the strongest sandbox implementation, leagues ahead of the alternatives. It is much harder to escape from the sandbox and it provides much more than acting as a barrier to compromising the rest of the OS. Site isolation enforces security boundaries around each site using the sandbox by placing each site into an isolated sandbox… Browsers without site isolation are very vulnerable to attacks like Spectre…

      Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn’t have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn’t happening for their Android browser yet.

      EDIT: I really hope Ladybird turns out to be amazing.

      • typhoon@lemmy.world
        6 hours ago

        We should challenge some of those superlatives that projects such as GrapheneOS can coin from time to time. Those projects are not abstract master entities; they have people behind them, and they are not authorities in all subject matters. They are correct about Gecko browsers’ insecurities on Android; however, the use of the term “leagues ahead” in this comparison may be questionable. I use GrapheneOS and Vanadium, but I don’t believe that using some hardened Gecko browser would be as terrible as it sounds, especially if you are not a focused target. For example, I keep Tor as a secondary browser for some specific tasks on my phone.

        People could perhaps start helping the Servo project more. They really need some help, and for those that program in Rust or want to learn it, this could be a very good place to devote your attention.

      • Ardens@lemmy.ml
        22 hours ago

        Feel free to freak out. That doesn’t worry me at all. I guess you prefer getting tracked and monetized over having a little weaker security in hypothetical problem areas…

        You know, I’ve worked with, and helped people with issues on primarily Windows, but also Mac and Linux, since the 90s, and I can’t remember one single time where the problem was based on this kind of vulnerability. So please, do live in a hypothetical world - I’ll stick with what works and keeps me from being monetized.

        • d-RLY?@lemmy.ml
          8 hours ago

          Same here. I prefer to avoid Chromium-based browsers whenever I can. A lot of them are better than Chrome, and I do like to mess with them from time to time to stay aware of features and test things. But Firefox on my phone has access to uBlock Origin and all my other extensions, after activating the hidden debug menu/dev mode that you turn on in a similar way as activating Dev Mode for the Android OS. I only mention that last part because it seems a lot of FF Android users don’t know about it, and it allows for installing xpi files just like you can with desktop. Freaking game changing for me. It really sucks that the main-line Chromium-based browsers don’t support extensions, even in the limited options way FF used to before allowing more to officially work (even without the debug menu/dev mode trick).

          For those that might want the instructions for the hidden debug menu/dev mode. Some extensions still might not work correctly as they might not play nice with the UI/layout of the Android version. I would imagine that some of these might be things like the third-party tab-tree extensions for example.

          Open Firefox App

          Go to the settings menu.

          Enable Developer Settings: You need to tap on the Firefox logo five times. This action will unlock an additional debug menu.

          Find “Install extension with a file” option in Settings

          Look for the option to install an extension from your own storage. And pick the xpi file. Also will just work using the extensions page on the FF site.