this post was submitted on 12 Jul 2023
1054 points (99.3% liked)

Firefox

17907 readers
23 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
 

cross-posted from: https://lemmy.world/post/1376783

Thought I'd never see the day when Firefox would match Chrome on Speedometer.

There's also a few other benchmarks got a sizable boost. https://arewefastyet.com/

you are viewing a single comment's thread
view the rest of the comments
[–] henfredemars@lemdro.id 18 points 1 year ago* (last edited 1 year ago) (8 children)

Great, now implement modern exploit mitigations and sandboxing like Chrome uses. Firefox is objectively less resistant to exploitation. Some Firefox security has improved since the article was written, such as some sandboxing on Windows, but it's definitely not as mature.

I'm not writing that Firefox is insecure. Security is very important to Firefox! However, Chrome has had more work done in the realm of browser hardening.

[–] garam@lemmy.my.id 2 points 1 year ago (4 children)

I think it's already on par with Chromium, most attack won't work with sandboxing that introduced to firefox, and mostly now each site/iframe have it's own process, so it's on par with chrome, imho

[–] henfredemars@lemdro.id 9 points 1 year ago* (last edited 1 year ago) (1 children)

As a security researcher, running each site in its own process isn't enough. Chrome has a much stronger multiprocessing model on most platforms. For example, Chrome on Android sandboxes between processes whereas Firefox simply relies on the built-in Android sandbox, which provides limited protection between these processes. It's much easier to break out of the sandbox in Firefox because it's easier to move laterally, for one. Those processes have to communicate with each other at some point.

But, don't believe me just because I claim any sort of credential on the Internet. It's such a difference in security that GrapheneOS strongly discourages using Firefox for its weak implementation in addition to the link I provided above. From the link:

Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox's sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole.

I love Firefox. I use it anyway. It's not insecure. But it's absolutely not as secure because it lacks modern exploit mitigations. Running process per site is an improvement but it's still less secure than the architecture used in Chrome.

EDIT: Sound less entitled.

[–] garam@lemmy.my.id 3 points 1 year ago (1 children)

I can't speak for Android, it's long way to go for sure, but on desktop, it's great. And for Fedora PhoneUI / Phosh seems already working because it's linux ootb.

in short android not included I suppose. They have custom multiple process sandbox, but last time I enable it, it broke everything in nightly

[–] Piky_Nieves@mastodon.social 1 points 1 year ago (1 children)

@garam
Firefox is not that bad 4 android, not that brilliant either
@henfredemars

[–] garam@lemmy.my.id 1 points 1 year ago

Well, for me it's great, but if we talk about sandboxing, it's not there, not even in nightly, but it's useful for me for day to day task, almost anything in Android

load more comments (2 replies)
load more comments (5 replies)