50 comments

[ 2.3 ms ] story [ 124 ms ] thread
Interesting change-set. Not sure DNT by default really helps things. Perhaps if it were a first run prompt? Afraid that DNT by default undermines the case for legislation to enforce it.
Why?

Tracking should be opt-in. If we hide it in settings, where most normal people never go, they will get no benefit.

Trackers should need explicit permission, not just ignorance.

That all a saw is, DNT is a waste of time anyway because it has no force of anything behind it.

> That all a saw is,

Wow autocorrect has gone mad... "That all said".

DNT is specifically used as a data point in fingerprinting algorithms that stalk you during your daily life. If it is a configurable option the “entropy” will be weaponised against you. If it always matches exactly for every user of this browser that “entropy” doesn’t exist and can’t be used against you.
DNT can be backed by laws to enforce it. Bad actors may still use it as a signal, yet it's only one bit of information and they risk suffering the consequences if found out. A worthy tradeoff IMO, or at least it would be if we can get some legal enforcement in place.
This was flagged by our internal security scans due to some dumb Easter egg the developer added.

Fast or not.

Not a fun email

(comment deleted)
(comment deleted)
Yeah.. not sure I want my browsing taking place in software authored by someone who does this kind of thing. Gross level of immaturity. Dumb furry joke today, adware tomorrow.
(comment deleted)
I don't know why you're down voted.

Even if it doesn't get a person in trouble with HR, it'd be embaressing and humiliating to have one of those images pop up at work, in a public place, during a presentation, in front of family members, etc.

So strange that they'd do so much work to make a professional looking product and then throw users under the bus with something stupid and juvenile like that. It's their right, of course, but count me out.

Hey calm down a bit can't be that bad. If I read the code correctly this will almost never happen because the Easter egg has been designed to only show up when your mother, the head of HR, and your boss are jointly attending a presentation you're giving at a public venue, so... quite unlikely /s
Found previous HN discussions: https://news.ycombinator.com/item?id=38854932

TLDR:

- project contained a suggestive furry art(no genitals)

- also contained anti-circumcision photo(with genitals)

- that photo may or may not have been reported as CP

Am I just super unlucky, or do furry people have high chances of being super arrogant religious extremists?

It's not an easter egg. It's just something needless and inappropriate. I'm all for whimsy and fun and easter eggs, but this is just... crass.
I’m curious what kind of rule set/heuristic this set off? It’s not necessarily a bad alarm but certainly a non-obvious result.
Tongue in cheek but faster browser would be curl or some text based one no?
Curl isn't a browser.
Technically it is. It's just a non-interactive browser.
Isn't that kind of like saying my pressure washer is a non-ambulatory car?
More like your newspaper isn't a TV. You still get the news, but it's a different format.
If we envision a spectrum ranging from an HTTP(s) client to a full-fledged web browser (like Chrome or Firefox), I would place cURL very close to the HTTP(s) client end of the scale.
The stakes are so high with browser security that it's the last software I'd want to use some random persons fork of, even if they appear to have good intentions. I don't particularly trust Googles intentions but I do at least trust that they have their shit together when it comes to security.
what would be some security concerns in a situation like this? genuine question
Remote code execution + local privilege escalation to own your device. Just last week on the RCE front: https://thehackernews.com/2024/05/new-chrome-zero-day-vulner...
Is there such a thing as a 'stable' browser that will never have these flaws. (I'm afraid to use the word Stable since Debian-family corrupted the meaning)

I really don't need push notifications going to my desktop. HTML, CSS... ughhhh javascript...

So if covering javascript is too hard, maybe a HTML/CSS browser, and anytime you need javascript, you open a chrome session.

Patches introducing buffer overflows, or weakening existing security through ignorance or negligence.
Chromium likely has plenty of "dormant" bugs - bugs that exist in the source code, but consistently compile to safe (or unreachable) machine code, more or less due to good luck.

This project messes with optimisation flags, which have a good chance of "waking up" those bugs (If you've ever had code work at -O1 but not at -O3, you know what I'm talking about). The same goes for compiler bugs, too. The real Chromium is aggressively fuzz tested, but this project is almost certainly not, or at least, not to the same extent.

Turning on features like JPEG-XL also increases attack surface.

OTOH, the original Chromium is so popular that the motivation of finding these bugs is very high. I think zero-day RCE bugs can be sold for tons of money on the black market.

However, the motivation to find similar bugs in Thorium is very low, too few users. And because the project messes with compiler flags, there’s chance at least some of the Chromium bugs don’t apply to the fork, because the machine code is different. Or maybe they apply but require adjustments to the exploit, which most attackers won’t do because too few users of the fork.

This is one of the interesting parts about owning obscure phones.

I cannot imagine having anything important on an iPhone since there is a huge demand to find a bug in the hardware/OS layer. (And we've seen this live in the wild with multiple 0 click exploits)

Meanwhile obscure phones could only be targeted by Pegasus by:

1. Go to a website and download an app 2. Change your settings to allow this app to install 3. Change another setting to allow this app to install.

I mean... not really elite hackers, I had to do this for my own Android app.

It also usually only gets one release per upstream major version (and sometimes not even that), meaning a lot of Chromium security fixes can take several weeks to show up in a Thorium release. I appreciate the author's effort, but it's definitely riskier than normal Chrome/Chromium.
No surprise, first thing I see in the comments section is FUD.
(comment deleted)
Surveillance capitalism is built on the ad tech foundation that's primarily facilitated by Google but sure let's give them points for security.
Just slurp upstream's security patches, that ain't so bad.
Not to put salt in an old wound but didn't Chris Titus get in hot water after he recommended this, and it was found to contain certain adult images?
Related. Others?

Thorium Browser: The fastest browser on Earth - https://news.ycombinator.com/item?id=38900191 - Jan 2024 (3 comments)

Thorium – The Fastest Browser on Earth - https://news.ycombinator.com/item?id=38896266 - Jan 2024 (14 comments)

Thorium – The first browser to score over 600 speedometer points on a Mac M3 Pro - https://news.ycombinator.com/item?id=38894920 - Jan 2024 (57 comments)

Thorium – Radioactive Chromium Fork - https://news.ycombinator.com/item?id=38854932 - Jan 2024 (26 comments)

Don't Use Thorium Browser – If Installed, Remove It - https://news.ycombinator.com/item?id=38647363 - Dec 2023 (21 comments)

Thorium – The Fastest Browser on Earth - https://news.ycombinator.com/item?id=37917922 - Oct 2023 (2 comments)

Thorium is the first browser with HEVC and AC3 support even in a mkv container - https://news.ycombinator.com/item?id=36455533 - June 2023 (8 comments)

Show HN: Thorium – The fastest browser on Earth - https://news.ycombinator.com/item?id=31525464 - May 2022 (3 comments)

Outline of benefits of Thorium over vanilla Chromium - https://news.ycombinator.com/item?id=29946310 - Jan 2022 (31 comments)

I ran Thorium for a while on Linux because the claimed performance improvements appealed to me. However, I recently ran some actual modern browser benchmarks and vanilla Chrome performed significantly better in every one I tested. My testing wasn't by any means scientific and there are an enormous number of factors to consider of course.

Maybe it's a quirk of my system, or some recent changes they made to Chrome's build process (LTO, BOLT optimizer, etc.) but yeah I've switched back to plain Chromium.