Interesting change-set. Not sure DNT by default really helps things. Perhaps if it were a first run prompt? Afraid that DNT by default undermines the case for legislation to enforce it.
DNT is specifically used as a data point in fingerprinting algorithms that stalk you during your daily life. If it is a configurable option the “entropy” will be weaponised against you. If it always matches exactly for every user of this browser that “entropy” doesn’t exist and can’t be used against you.
DNT can be backed by laws to enforce it. Bad actors may still use it as a signal, yet it's only one bit of information and they risk suffering the consequences if found out. A worthy tradeoff IMO, or at least it would be if we can get some legal enforcement in place.
You're correct for the time being. It's my hope some laws can be put in place since DNT is already built. And making DNT default undermines such efforts.
Yeah.. not sure I want my browsing taking place in software authored by someone who does this kind of thing. Gross level of immaturity. Dumb furry joke today, adware tomorrow.
Even if it doesn't get a person in trouble with HR, it'd be embaressing and humiliating to have one of those images pop up at work, in a public place, during a presentation, in front of family members, etc.
So strange that they'd do so much work to make a professional looking product and then throw users under the bus with something stupid and juvenile like that. It's their right, of course, but count me out.
Hey calm down a bit can't be that bad. If I read the code correctly this will almost never happen because the Easter egg has been designed to only show up when your mother, the head of HR, and your boss are jointly attending a presentation you're giving at a public venue, so... quite unlikely /s
I found the original commit [1] since the other Github link in the thread shows the removal. I'm not entirely sure what the thought process was around adding it to begin with
If we envision a spectrum ranging from an HTTP(s) client to a full-fledged web browser (like Chrome or Firefox), I would place cURL very close to the HTTP(s) client end of the scale.
The stakes are so high with browser security that it's the last software I'd want to use some random persons fork of, even if they appear to have good intentions. I don't particularly trust Googles intentions but I do at least trust that they have their shit together when it comes to security.
Is there such a thing as a 'stable' browser that will never have these flaws. (I'm afraid to use the word Stable since Debian-family corrupted the meaning)
I really don't need push notifications going to my desktop. HTML, CSS... ughhhh javascript...
So if covering javascript is too hard, maybe a HTML/CSS browser, and anytime you need javascript, you open a chrome session.
Chromium likely has plenty of "dormant" bugs - bugs that exist in the source code, but consistently compile to safe (or unreachable) machine code, more or less due to good luck.
This project messes with optimisation flags, which have a good chance of "waking up" those bugs (If you've ever had code work at -O1 but not at -O3, you know what I'm talking about). The same goes for compiler bugs, too. The real Chromium is aggressively fuzz tested, but this project is almost certainly not, or at least, not to the same extent.
Turning on features like JPEG-XL also increases attack surface.
OTOH, the original Chromium is so popular that the motivation of finding these bugs is very high. I think zero-day RCE bugs can be sold for tons of money on the black market.
However, the motivation to find similar bugs in Thorium is very low, too few users. And because the project messes with compiler flags, there’s chance at least some of the Chromium bugs don’t apply to the fork, because the machine code is different. Or maybe they apply but require adjustments to the exploit, which most attackers won’t do because too few users of the fork.
This is one of the interesting parts about owning obscure phones.
I cannot imagine having anything important on an iPhone since there is a huge demand to find a bug in the hardware/OS layer. (And we've seen this live in the wild with multiple 0 click exploits)
Meanwhile obscure phones could only be targeted by Pegasus by:
1. Go to a website and download an app
2. Change your settings to allow this app to install
3. Change another setting to allow this app to install.
I mean... not really elite hackers, I had to do this for my own Android app.
It also usually only gets one release per upstream major version (and sometimes not even that), meaning a lot of Chromium security fixes can take several weeks to show up in a Thorium release. I appreciate the author's effort, but it's definitely riskier than normal Chrome/Chromium.
I ran Thorium for a while on Linux because the claimed performance improvements appealed to me. However, I recently ran some actual modern browser benchmarks and vanilla Chrome performed significantly better in every one I tested. My testing wasn't by any means scientific and there are an enormous number of factors to consider of course.
Maybe it's a quirk of my system, or some recent changes they made to Chrome's build process (LTO, BOLT optimizer, etc.) but yeah I've switched back to plain Chromium.
50 comments
[ 2.3 ms ] story [ 124 ms ] threadTracking should be opt-in. If we hide it in settings, where most normal people never go, they will get no benefit.
Trackers should need explicit permission, not just ignorance.
That all a saw is, DNT is a waste of time anyway because it has no force of anything behind it.
Wow autocorrect has gone mad... "That all said".
https://www.eff.org/gpc-privacy-badger
Fast or not.
Not a fun email
Even if it doesn't get a person in trouble with HR, it'd be embaressing and humiliating to have one of those images pop up at work, in a public place, during a presentation, in front of family members, etc.
So strange that they'd do so much work to make a professional looking product and then throw users under the bus with something stupid and juvenile like that. It's their right, of course, but count me out.
TLDR:
- project contained a suggestive furry art(no genitals)
- also contained anti-circumcision photo(with genitals)
- that photo may or may not have been reported as CP
Am I just super unlucky, or do furry people have high chances of being super arrogant religious extremists?
[1] https://github.com/Alex313031/thorium/commit/26655c920b6a9e4...
edit: the commit link is nsfw
Edit: looks like the post title has since been edited
I really don't need push notifications going to my desktop. HTML, CSS... ughhhh javascript...
So if covering javascript is too hard, maybe a HTML/CSS browser, and anytime you need javascript, you open a chrome session.
This project messes with optimisation flags, which have a good chance of "waking up" those bugs (If you've ever had code work at -O1 but not at -O3, you know what I'm talking about). The same goes for compiler bugs, too. The real Chromium is aggressively fuzz tested, but this project is almost certainly not, or at least, not to the same extent.
Turning on features like JPEG-XL also increases attack surface.
However, the motivation to find similar bugs in Thorium is very low, too few users. And because the project messes with compiler flags, there’s chance at least some of the Chromium bugs don’t apply to the fork, because the machine code is different. Or maybe they apply but require adjustments to the exploit, which most attackers won’t do because too few users of the fork.
I cannot imagine having anything important on an iPhone since there is a huge demand to find a bug in the hardware/OS layer. (And we've seen this live in the wild with multiple 0 click exploits)
Meanwhile obscure phones could only be targeted by Pegasus by:
1. Go to a website and download an app 2. Change your settings to allow this app to install 3. Change another setting to allow this app to install.
I mean... not really elite hackers, I had to do this for my own Android app.
Thorium Browser: The fastest browser on Earth - https://news.ycombinator.com/item?id=38900191 - Jan 2024 (3 comments)
Thorium – The Fastest Browser on Earth - https://news.ycombinator.com/item?id=38896266 - Jan 2024 (14 comments)
Thorium – The first browser to score over 600 speedometer points on a Mac M3 Pro - https://news.ycombinator.com/item?id=38894920 - Jan 2024 (57 comments)
Thorium – Radioactive Chromium Fork - https://news.ycombinator.com/item?id=38854932 - Jan 2024 (26 comments)
Don't Use Thorium Browser – If Installed, Remove It - https://news.ycombinator.com/item?id=38647363 - Dec 2023 (21 comments)
Thorium – The Fastest Browser on Earth - https://news.ycombinator.com/item?id=37917922 - Oct 2023 (2 comments)
Thorium is the first browser with HEVC and AC3 support even in a mkv container - https://news.ycombinator.com/item?id=36455533 - June 2023 (8 comments)
Show HN: Thorium – The fastest browser on Earth - https://news.ycombinator.com/item?id=31525464 - May 2022 (3 comments)
Outline of benefits of Thorium over vanilla Chromium - https://news.ycombinator.com/item?id=29946310 - Jan 2022 (31 comments)
Maybe it's a quirk of my system, or some recent changes they made to Chrome's build process (LTO, BOLT optimizer, etc.) but yeah I've switched back to plain Chromium.
and FWIW I despise the thinking that leads one to commit ever-changing binary artifacts into git because then $(git clone) turns into a DVD sized download https://github.com/Alex313031/codium/commit/5bd47c17194e8019...