Ask HN: Firefox vs. Chrome security
I'm seeing a lot of hype surrounding Mozilla's recent release of Firefox Quantum - which promises massive improvements, mainly speed.
Looking past the speed aspect, where does FF stand against Chrome? Does Rust offer much better security? AFAIK Chrome is gold standard in sandboxing...does this still hold true?
72 comments
[ 3.6 ms ] story [ 119 ms ] threadhttps://blog.mozilla.org/security/2017/09/13/verified-crypto...
recent blog post https://blog.rust-lang.org/2017/11/14/Fearless-Concurrency-I...
Well, as long as you avoid unsafe blocks (which turn off a few safety features in a specific scope so you can do complex or performance critical things in that scope) you're supposed to be safe, but to my knowledge it's not formally proven. In practice it seems to be working quite well though.
Well, you can very easily: write bad code in unsafe blocks.
That said, your badness is contained within unsafe blocks, so hopefully you have much less code to closely review.
https://www.bleepingcomputer.com/news/security/firefox-57-br...
Sandboxing for Windows was introduced in version 54.
Hopefully with Quantum and a resurge in popularity, it'll become a target of white-hat hackers again.
[0] http://www.eweek.com/security/pwn2own-hacking-contest-return...
Update Maybe this:
http://www.cvedetails.com/product/15031/Google-Chrome.html?v...
http://www.cvedetails.com/product/9900/Microsoft-Internet-Ex...
If (almost) everyone runs Windows you’re safer if you run Linux.
The only big rust component was introduced a couple of releases ago: Stylo.
Once Webrender is in Firefox, a serious chunk of Firefox will be written in Rust.
"Quantum" as a term covers a large number of areas, this blog post covers it well:
https://hacks.mozilla.org/2017/11/entering-the-quantum-era-h...
So yes, Quantum is faster as a direct result both of Rust code, and of Rust's memory-safety-makes-parallelism-practical features. That is not the only source of performance improvement in Quantum though.
Also, Quantum isn't yet getting the full benefits possible from this code for a few reasons. Firefox 57 uses Stylo for content, but not yet for chrome, which will be coming in a later release. In Servo, CSS is parsed off the main thread, but in Quantum it is not yet (will be done in a future release). Servo pipelines style resolution and frame construction (basically after the top down pass to deal with the style cascade, we go back up the tree bottom up constructing the layout data structures), and Quantum does not yet do this. Lastly, cross-language inlining is missing which would allow inlining FFI calls. Servo doesn't have this issue since all the driver and layout code is also in Rust.
While today's release represents a major step forward in the browser's performance and reliability, work on Quantum continues. One major weakness of Firefox, relative to Chrome and Edge, is its use of sandboxing and process isolation to limit the impact that security flaws can have. Next year Mozilla will be working to improve these areas. Early next year should also see the rollout of a new GPU-accelerated rendering engine."
So what version will get Webrender exactly?
1) open about:config 2) set gfx.webrender.enabled to true 3) restart Nightly
For the even more adventurous:
1) open about:config 2) set gfx.webrender.enabled to true 3) set gfx.webrendest.enabled to true 4) restart Nightly
Firefox has been shipping with a sandbox for a while, let alone e10s. Is that an old post?
Firefox offers similar sandboxing; see https://wiki.mozilla.org/Security/Sandbox
Firefox's JavaScript engine also implements more in-depth protections than V8, such as W^X in the JIT and compartments+wrappers to provide revokable access control and separation between code from different origins. There's a lot more to security than ensuring code execution can't break out of the browser.
From what I've seen, FF57 only uses one content process by default (at least when you upgrade it from FF56), although you can enable up to 7 in settings ( I wish they gave higher numbers, too, like 50, or have a custom field).
Also, Rust is still a small portion of the browser. I'm not sure how big of a portion is of the rendering parts, which are usually the ones causing security issues.
We'll see how it fares at the next Pwn2Own and perhaps in new papers comparing browsers' security over the coming year.
That said, I am excited that Tor will soon use FF59, which should include all of these improvements (but hopefully customized to have improved hardening by default compared to regular Firefox, on all operating systems).
More content processes wouldn't do much difference. It doesn't reduce the attack surface (potentially increasing it due to complexity), but only reduce amount of data per process in case you gain read-only access to its memory (which I can't currently think of as being an interesting attack).
I would imagine that more content processes is about stability, rather than security. However, splitting larger processes into smaller ones can yield great benefit on the security front.
EDIT: FF57 defaults to four content processes.
This seems to be a recent Firefox policy change: all editions of Firefox is now collecting data, such as telemetry, information gathering, usage data. (URL's? Form data?) This is all opt-out instead of opt-in now, and you're asked only after installation. You have to pro-actively disable it.
(Formerly, telemetry gathering was only gathered by default on nightlies and dev tracks; this telemetry does cover usage.. i.e., this seems to include what URL's you're browsing; this could be a security risk for apps like Dropbox and OneDrive.)
To be fair, it's easier to opt-out in Firefox than it is in Chrome, and Firefox is also more up-front about it after initial setup/installation; still, given that Firefox held itself out as the privacy-oriented browser, this is a significant change.
(Which leads to a new question.. what's the new best privacy browser? probably Brave? or, perhaps, Opera?)
EDIT: citation, thanks to cJ0th:
https://www.mozilla.org/en-US/privacy/firefox/
A public discussion was started to get to know how people felt about privacy conserving telemetry collection that would be opt out by default. There was massive negative feedback (duh). The feature did not ship in 57.
https://medium.com/georg-fritzsche/data-preference-changes-i...
"instead we always collect LESS data on Firefox release."
But CliqZ did ship for some German users, randomly chosen. Which tracks your entire browsing history, and sends it to a company that’s most known for its tracking products.
After this, Firefox deserves to be treated as just as much spyware as Chrome.
"Mozilla pilots Cliqz engine in Firefox to slurp user browsing data"
"Users who receive a version of Firefox with Cliqz will have their browsing activity sent to Cliqz servers, including the URLs of pages they visit," Mozilla says. "Cliqz uses several techniques to attempt to remove sensitive information from this browsing data before it is sent from Firefox."
http://www.zdnet.com/article/firefox-tests-cliqz-engine-whic...
That's so much of an improvement for a browser which people only use because they want absolute privacy.
"Firefox by default shares data to: Improve performance and stability for users everywhere
Interaction data: Firefox sends data about your interactions with Firefox to us (such as number of open tabs and windows; number of webpages visited; number and type of installed Firefox Add-ons; and session length) and Firefox features offered by Mozilla or our partners (such as interaction with Firefox search features and search partner referrals).
Technical data: Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.
Read the telemetry documentation for Desktop, Android, or iOS or learn how to opt-out of this data collection."
via
https://www.mozilla.org/en-US/privacy/firefox/
I have no idea where you pull the "this seems to include what URL's you're browsing; this could be a security risk for apps like Dropbox and OneDrive" stuff from. The only place I know of that these could potentially be recorded is a crash report, and this has always been the case if you allow it to send crash reports back because they contain the stack contents.
Telemetry was previously only enabled by default in Nightly and Aurora:
https://blog.theochevalier.fr/telemetry-enabled-by-default-o...
The telemetry data includes a lot more than just update checks. You wouldn't need to send information to Mozilla to get an update or get CA revocation lists.
For example, from the privacy policy[1]:
Many of your comments are about Firefox, development with Rust, etc. I didn't mean to offend you if you are closely aligned with Mozilla. A healthy browser ecosystem (and especially the great new rendering engine from Mozilla) benefit us all.1. https://www.mozilla.org/en-US/privacy/firefox/
I already did. Much of the stuff you mentioned has always been enabled and had nothing to do with telemetry. This is most obvious with the update checks. And yes, you DO need to send information to know which add-ons to update. Probing every installed add-on to see if there's an update amounts to sending over the list of installed add-ons. Let's be forthright about that.
I quoted an article from one of the Telemetry engineers explaining that now LESS data is collected by default.
I think that's a good enough rebuttal to your claim that there has been a change of direction to collect more.
In fact, your link explicitly explains that you cannot control the extent of data collection now. ("There is just one control for data upload for Firefox") It also explains that this is a new change ("which is on by default.")
Trying to spin this or casting aspersions on casual users who noticed a change won't change the facts.
> (URL's? Form data?)
> this telemetry does cover usage.. i.e., this seems to include what URL's you're browsing; this could be a security risk for apps like Dropbox and OneDrive.
Back these claims up with something specific and concrete, otherwise they're just wild speculation.
The search bit you're quoting refers to when you, say, search for something using Amazon via the Amazon search provider built into the browser search box, a piece of data is sent along with the request to Amazon to attribute Mozilla as the source. In aggregate this influences how much Amazon pays out to Mozilla for their default presence in Firefox.
I'm happy to try to clarify any concerns about telemetry or other data collection you might have (in an individual capacity, not as a representative of Mozilla), but usually that should come before the flinging of damaging accusations over a public forum.
I was pointing out that this is a new opt-in change. The links that were posted prove it. Is that FUD?
> specific and concrete
In the absence of specific information, should we not assume the worst?
> data collection
That sounds reasonable for normal users, but any of this data can be used for fingerprinting, data mining, etc. Do you disagree?
One suggestion for improvement would be that the specifics of what data is collected and why would be a welcome addition to the Privacy Policy page, or perhaps a more detailed page that the PP links to. This would be something people could paste in public forums to refute incorrect statements... especially if the page was on mozilla.org instead of Medium.
https://firefox-source-docs.mozilla.org/toolkit/components/t...
The wording of the search partnership disclaimer could be made clearer. Is there anything else that you find confusing or disconcerting?
Any request to Mozilla is sending info to Mozilla, and thus should be covered under the privacy policy. Every check for an update likely also includes the current version running so they can send back info on whether the update is important/security related or not. Even if it was just a "list all versions" request, it still signifies that IP used the browser. Similarly, a CRL list update signifies that the IP used Firefox and that the conditions that trigger a CRL update were met (which might mean an HTTPS address was visited, or it might happen at startup).
Any time Firefox implicitly requests data from Mozilla, that's something that they would likely cover in their Privacy policy. Chrome got a lot of flack a few years back for essentially the same problem, but with a twist. Every time it started it would download a binary blob from Google. It turns out it was the code to do voice recognition, which was executed after download. Fairly innocuous if you trust Google, but it was executing remote code from Google on every startup, so people were rightly disturbed by what they saw going on until an explanation was put forth.
Of course it's done after installation -- how would an app allow you to configure something BEFORE it's installed?
I had a fair number of tabs open (~28 or so), and I restarted the browser so a change I made would take effect. I have FF set to show my windows and tabs from my previous session on start up, but it instead launched with a single tab showing my home page. Okay, no big deal, I'll just restore my previous session from the History menu. When I clicked on the history menu, though, I didn't see my most recent history, but instead a list of URLs from my bank.
I assume this is due to a syncing issue with my Firefox account (I changed my banking password just to be safe), but it's still concerning.
What Firefox release channel(s) are you using? Are you running the same version across all of your sync'd devices? And can you share what change you made before restarting the browser?
[0]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
tl;dr Chrome + Edge are more secure. Do not use Internet Exploder