[arch-general] current flash vulnerabilities - what to do?
Hello! Run: - Arch linux 64-bit - 4.0.7-2-ARCH #1 SMP PREEMPT Tue Jun 30 07:50:21 UTC 2015 x86_64 GNU/Linux - Firefox 39.0-1 - flashplugin 11.2.202.481-1 (Install Date : Wed 08 Jul 2015) What is best practice about the current flash vulnerabilites? Just uninstall flashplugin? Can live without, but many websites still require it.
I've actually posted a thread on the forums about this. For youtube you can just use HTML5. If you require flash there are alternatives: gnash, lightspark, freshplayerplugin-git, shumway, etc... On Wed, Jul 15, 2015 at 7:09 PM, Francis Gerund <ranrund@gmail.com> wrote:
Hello!
Run: - Arch linux 64-bit - 4.0.7-2-ARCH #1 SMP PREEMPT Tue Jun 30 07:50:21 UTC 2015 x86_64 GNU/Linux - Firefox 39.0-1 - flashplugin 11.2.202.481-1 (Install Date : Wed 08 Jul 2015)
What is best practice about the current flash vulnerabilites? Just uninstall flashplugin? Can live without, but many websites still require it.
-- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQENBFOa9oMBCACc0vf5MZEKqfyCWw3foRhYqM3zL9zmIuDpLxGZ11BM6dLvTKVG xets5b2RZX+aPUbASnLFZWqANW2d5K+O7PNkvwKk7jJGu951WQkd1HGNHqQekb3Y SC6AOIt5G4Iu3xuJdbh8vuSU0tRIU3YVKSIWFCxgdTWO3XukgNYB1ncl39x4VGPh OsQ8ErsLfVMCwO7q4eTTv89HQZEzvCI+BhMlw0bjViBeMe+4ZfYuiFJp9SyZBcTY rVkdnn5gVOeqhU1eAk4uieG1t/anGm3GQ6NVDnh/+k6in6SwSZ2jAUXQluCMmyNA aCOCz7G4kytg8qel3VvT4YuI7hFQxcg17DMnABEBAAG0HURvcmlhbiA8Y2FtZW5z Y2hpY0BnbWFpbC5jb20+iQE/BBMBAgApBQJTmvaDAhsDBQkFo5qABwsJCAcDAgEG FQgCCQoLBBYCAwECHgECF4AACgkQugwP0JaXCVNyvAf/Z9gAtGh4SSxNv0/CWFxL d5P6ikr8qGD9sVuH1QZa90zigmhAngfQyMF0DuPVnRTcVu0pwFObkvdI0/11UaSj Rdst9sPFV5b4wfLfGw4MinO9vTD7RQoLisnggaroNk98I894lvgtVWECxHYdPnW+ VJWNONAfTOUjfqPVV7B2A35N4DxkgBM0VNdqpcd0Qj6acEaGRcGBlQUyssy+NYEr 5+nS9c58eM9wqxkcaWy2axrX2vvQth5PedGjZl53gsR3cSWLpFmyryyyVi2da4rv IFLdhZaZfWyRG7y0MTnPdi8NRwBO33r2UX0W+BC8VvGBjob17EgCZT06QHGzAs9F fLkBDQRTmvaDAQgA2p9RwuEWF16nWkc+z/5Vu6KlQh9paxw1zEHlmC+r103tWby8 27BLocuD7hKqcweuu17HL0LW1iSYfhr/iXDOTiJ5LsKXtBMYAVXbhamLKNOuHTO1 qFdA55f6vtY/eMdWQ8qM+q31cLX0WYiQdsGonuIzqeIXETnmq9rx7fRaxpvv6K4Y 0u9N1NFwrpz2eOuIX/KFicoZs1tGID5OjnL2QB897za8i56oKjHFwNzZCndESc3h 78HXNzu7XMjRQHN8QvwybpWhtDanLd/3ZFvHMViZT9Zo2KAMsCgPNkqDe9SXrrEC vEYgZn0QO3Akrk1FmmzCCgMzP3F9l3czBNK7mwARAQABiQElBBgBAgAPBQJTmvaD AhsMBQkFo5qAAAoJELoMD9CWlwlTfKQH/2UsN6WgoyMGgRFm+INdAT8/ew4r30l5 mTMKuAfpLs9lbIfeRJoq2+HtKsv8MNzYYCR595tdI9kTijhD0RKKhEfacBLIZFvZ 0j5SLaR+PC7Ky+KAIXIIZnrHsFAQR21Hup0POxuWeuvs0pfcFWTnNEb6cZHzTP7J YnUA/khgamUK/uWWymKxOsgR5A/zzHrjnWgMws7vKi7Kd0gvr2t/X393iAxvfUqT IGiSx+fq/bGB8uyTuQPFpaDRNMo7k2knzQzt4idSKz89tejWyimS71QdnmPWJP84 OTnHUaGQdQamnAQqh5g3GC6XqS57apLQZx+7Y7WUpPjeX/+vQ2GtzuE= =RFjZ -----END PGP PUBLIC KEY BLOCK-----
On 16.07.2015 01:22, D C wrote:
I've actually posted a thread on the forums about this. For youtube you can just use HTML5.
To my best knowledge, it depends on the video / the compression algorithm used. For some videos on YouTube HTML5 works just fine, for some Videos you still need Flash.
If you require flash there are alternatives: gnash, lightspark, freshplayerplugin-git, shumway, etc...
On Wed, Jul 15, 2015 at 7:09 PM, Francis Gerund <ranrund@gmail.com> wrote:
Hello!
Run: - Arch linux 64-bit - 4.0.7-2-ARCH #1 SMP PREEMPT Tue Jun 30 07:50:21 UTC 2015 x86_64 GNU/Linux - Firefox 39.0-1 - flashplugin 11.2.202.481-1 (Install Date : Wed 08 Jul 2015)
What is best practice about the current flash vulnerabilites?
I believe your options are: * to enable Flash on a per-bideo basis for content you "consider safe" or * to switch to a version of Chrom(ium|e) running Pepper API Flash 18.0.0.209 or newer (https://helpx.adobe.com/security/products/flash-player/apsb15-18.html) or * freshplayerplugin-git with Chrom(ium|e) Pepper Flash 18.0.0.209 or newer in Firefox, may be be less safe than ussage from Chrom(ium|e), due to "This particular implementation doesn't implement any sandbox. [..] This is the same level of security as NPAPI Flash have." see https://github.com/i-rinat/freshplayerplugin or * not using Flash until an update is released.
Just
uninstall flashplugin? Can live without, but many websites still require it.
Since you put it that way, uninstalling Flash has other benefits like making your browser fingerprint "less unique". If it's an option to you, maybe this is the best occasion to quit. Best, S
On 07/16/2015 01:37 AM, Sebastian Pipping wrote:
On 16.07.2015 01:22, D C wrote:
I've actually posted a thread on the forums about this. For youtube you can just use HTML5.
To my best knowledge, it depends on the video / the compression algorithm used. For some videos on YouTube HTML5 works just fine, for some Videos you still need Flash.
FWIW, I don't think I've ever encountered a non-HTML5-friendly video on YouTube in at least 2 years. (Granted, this is just anecdata, but...)
freshplayerplugin
Just to nitpick: even if it's more current (feature-wise) than standard Adobe Linux 11.2 flashplugin, it's still Adobe Flash and thus just as problematic regarding its security. --byte
On 15/07/15 07:38 PM, Jens Adam wrote:
freshplayerplugin
Just to nitpick: even if it's more current (feature-wise) than standard Adobe Linux 11.2 flashplugin, it's still Adobe Flash and thus just as problematic regarding its security.
--byte
PPAPI Flash runs in a strong sandbox in Chromium. However, fresh player throws away that advantage.
Okay. Just uninstalled flashplugin (really should never have installed anyway). can always try gnash later, but I'll try without to see how it goes. Thanks. On Wed, Jul 15, 2015 at 6:38 PM, Jens Adam <jra@byte.cx> wrote:
freshplayerplugin
Just to nitpick: even if it's more current (feature-wise) than standard Adobe Linux 11.2 flashplugin, it's still Adobe Flash and thus just as problematic regarding its security.
--byte
On Wed, 15 Jul 2015 19:45:35 -0500, Francis Gerund wrote:
Just uninstalled flashplugin (really should never have installed anyway). can always try gnash later, but I'll try without to see how it goes.
Gnash can't replace the proprietary crap. I neither have the proprietary, nor gnash installed. For "emergency" I've got Chrome installed, but my usual approach is, that as soon as Chrome is needed, I'm not interested in the content anymore. JFTR assumed you're using Firefox with safe browsing and auto-updates e.g. for Cisco H264, with prefetch and keyword enabled and geo information and reports enabled, then you don't need to care about how evil a Google browser or Adobe crap are, since your Firefox is bad too ;).
On 16 July 2015 at 13:04, Ralf Mardorf <ralf.mardorf@rocketmail.com> wrote:
On Wed, 15 Jul 2015 19:45:35 -0500, Francis Gerund wrote:
Just uninstalled flashplugin (really should never have installed anyway). can always try gnash later, but I'll try without to see how it goes.
Gnash can't replace the proprietary crap. I neither have the proprietary, nor gnash installed. For "emergency" I've got Chrome installed, but my usual approach is, that as soon as Chrome is needed, I'm not interested in the content anymore. JFTR assumed you're using Firefox with safe browsing and auto-updates e.g. for Cisco H264, with prefetch and keyword enabled and geo information and reports enabled, then you don't need to care about how evil a Google browser or Adobe crap are, since your Firefox is bad too ;).
I have to agree with Ralf, you will be fine. I have been flash-free for 18 months now and it's going absolutely fine. Unless you have a penchant for flash games, there's very little reason to have it installed any more.
On Thu, 16 Jul 2015 13:10:33 +0100, Ben Oliver wrote:
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine. Unless you have a penchant for flash games, there's very little reason to have it installed any more.
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-f...
On 16/07/15 12:06 PM, Ralf Mardorf wrote:
On Thu, 16 Jul 2015 13:10:33 +0100, Ben Oliver wrote:
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine. Unless you have a penchant for flash games, there's very little reason to have it installed any more.
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-f...
Mozilla blocked the vulnerable version, as they've done in the past. The current release isn't blocked because there aren't yet disclosed security vulnerabilities. Google bundles the PPAPI Flash player with Chrome so they don't need a comparable blacklist as it gets updated with the browser.
On Thu, 16 Jul 2015 12:20:48 -0400, Daniel Micay wrote:
On 16/07/15 12:06 PM, Ralf Mardorf wrote:
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-f...
Mozilla blocked the vulnerable version, as they've done in the past. The current release isn't blocked because there aren't yet disclosed security vulnerabilities.
Google bundles the PPAPI Flash player with Chrome so they don't need a comparable blacklist as it gets updated with the browser.
That's not why I posted this link. I posted it regarding the quote of Facebook’s head of security Alex Stamos: "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day."
Just noticed in Firefox 39.0-1 preferences an entry "Flash video". In the drop down menu next to it, "Use mplayerplug-in is now gecko-mediaplayer 1.0.9 (in Firefox)" is selected. Gecko-mediaplayer 1.0.9-1, Build Date: Tue 27 May 2014 is installed. I could uninstall gecko-mediaplayer, but quite a few things in Firefox preferences in (other than "Flash video") seem to be set up to use it also. So, unless I want to lose a lot of functionality in Firefox (and mplayer 37379-3, and elsewhere?), should I just switch the menu selection in Firefox to "Always ask"? Or is there a better idea? On Thu, Jul 16, 2015 at 11:32 AM, Ralf Mardorf <ralf.mardorf@rocketmail.com> wrote:
On Thu, 16 Jul 2015 12:20:48 -0400, Daniel Micay wrote:
On 16/07/15 12:06 PM, Ralf Mardorf wrote:
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-f...
Mozilla blocked the vulnerable version, as they've done in the past. The current release isn't blocked because there aren't yet disclosed security vulnerabilities.
Google bundles the PPAPI Flash player with Chrome so they don't need a comparable blacklist as it gets updated with the browser.
That's not why I posted this link. I posted it regarding the quote of Facebook’s head of security Alex Stamos:
"It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day."
On Thu, 16 Jul 2015 12:01:09 -0500, Francis Gerund wrote:
Just noticed in Firefox 39.0-1 preferences an entry "Flash video".
Where exactly is this entry? I heard that H.264 from Cisco phones home, resp. auto-updates, so you might want to edit about:config to use gstreamer H.264. Perhaps this automatically is done by installing the optional dependencies? JFTR I didn't change something regarding H.264 and I kept several other phone home crap of a default Firefox. I guess I only disabled "Block reported..." by the preferences. However, if I right click on a YouTube video there is "About the HTML5 player": https://www.youtube.com/html5
Ralf Mardorf wrote:
Where exactly is this entry?
In the Firefox menu bar, click the "Open menu" icon (3 stacked horizontal lines) Then click the "Preferences" icon. Then click "Applications" in the menu at the far left. [Note: shows in the URL diplay area as: "about:preferences#applications"]. There are 2 columns: "Content type", on the left, and "Action", on the right. Under "Content type" is the entry "Flash video". Next to that, under "Action", is "Use mplayerplug-in is now gecko-mediaplayer 1.0.9 (in Firefox)". If that is clicked, other choices also appear: - "Always ask" - "Save file" - "Use Videos (default)" - "Use other . . ." On Thu, Jul 16, 2015 at 12:32 PM, Ralf Mardorf <ralf.mardorf@rocketmail.com> wrote:
On Thu, 16 Jul 2015 12:01:09 -0500, Francis Gerund wrote:
Just noticed in Firefox 39.0-1 preferences an entry "Flash video".
Where exactly is this entry?
I heard that H.264 from Cisco phones home, resp. auto-updates, so you might want to edit about:config to use gstreamer H.264. Perhaps this automatically is done by installing the optional dependencies?
JFTR I didn't change something regarding H.264 and I kept several other phone home crap of a default Firefox. I guess I only disabled "Block reported..." by the preferences.
However, if I right click on a YouTube video there is "About the HTML5 player": https://www.youtube.com/html5
On Thu, 16 Jul 2015 13:10:47 -0500, Francis Gerund wrote:
shows in the URL diplay area as: "about:preferences#applications"
Ok, my guess was that you were talking about those preferences. My Firefox doesn't have an entry "Flash video".
On 07/16/2015 05:10 AM, Ben Oliver wrote:
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine. Unless you have a penchant for flash games, there's very little reason to have it installed any more.
I totally support phasing out flash, however, I run firefox inside a docker container and then I don't have to worry about these security issues since I disgard the running container and reload from the saved image daily. Natu
On 16/07/15 03:48 PM, Natu wrote:
On 07/16/2015 05:10 AM, Ben Oliver wrote:
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine. Unless you have a penchant for flash games, there's very little reason to have it installed any more.
I totally support phasing out flash, however, I run firefox inside a docker container and then I don't have to worry about these security issues since I disgard the running container and reload from the saved image daily.
Natu
You do have to worry unless you don't care about it someone grabbing all of your active login sessions (cookies), all of the entered form data, etc. There's a reason for browser sandboxes being per-site-instance instead of trying to wrap the browser as a whole. Most of the information the attackers want is in the web browser, or can be obtained there by grabbing passwords and other information like credit card numbers as they're entered. Anyway, local privilege exploits in the Linux kernel are as common as remote Flash exploits. Docker exposes nearly the entire Linux kernel attack surface to code in the container. It's not much of a sandbox.
On 07/16/2015 01:06 PM, Daniel Micay wrote:
On 16/07/15 03:48 PM, Natu wrote:
On 07/16/2015 05:10 AM, Ben Oliver wrote:
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine. Unless you have a penchant for flash games, there's very little reason to have it installed any more.
I totally support phasing out flash, however, I run firefox inside a docker container and then I don't have to worry about these security issues since I disgard the running container and reload from the saved image daily.
Natu
You do have to worry unless you don't care about it someone grabbing all of your active login sessions (cookies), all of the entered form data, etc. There's a reason for browser sandboxes being per-site-instance instead of trying to wrap the browser as a whole. Most of the information the attackers want is in the web browser, or can be obtained there by grabbing passwords and other information like credit card numbers as they're entered.
Anyway, local privilege exploits in the Linux kernel are as common as remote Flash exploits. Docker exposes nearly the entire Linux kernel attack surface to code in the container. It's not much of a sandbox.
Thanks for pointing this out.. What you say is true. I actually run two different firefox browsers, one for secure uses and the other for random browsing. One inside of a VM on my desktop (and I revert back to the base image daily). The other web browser I run in a docker container running on a tiny arm box. The one running on the arm box, obviously doesn't support flash. I generally use the one running on the arm box for online banking/credit cards etc. I don't know that I even trust openssl anymore. I used to run chromium, but got tired of it passing so much information back to google, so I went back to firefox. What I run is not an ideal solution. I'm open to other suggestions. I used to love chrome, but got tired of google spying. And yes, you have to turn off features in firefox to avoid similar spying behavior, but it can be done without maintaining your own version of the source code. Natu
On Thu, 16 Jul 2015 13:43:25 -0700, Natu wrote:
And yes, you have to turn off features in firefox to avoid similar spying behavior, but it can be done without maintaining your own version of the source code.
But we need to monitor Firefox. A minute ago I deleted 7 Yahoo entries in about:config. Using Wireshark I noticed connections to a Yahoo thingy. If you clean about:config from all unwanted entries, you might automagically get new unwanted entries after a while. I consider my machine as a digital audio workstation with less security and less privacy. Pale Moon seems not to be (much) better. Maybe QupZilla is a little bit better, at least the history is better usable :D.
On 07/16/2015 02:55 PM, Ralf Mardorf wrote:
And yes, you have to turn off features in firefox to avoid similar spying behavior, but it can be done without maintaining your own version of the source code. But we need to monitor Firefox. A minute ago I deleted 7 Yahoo entries in about:config. Using Wireshark I noticed connections to a Yahoo
On Thu, 16 Jul 2015 13:43:25 -0700, Natu wrote: thingy. If you clean about:config from all unwanted entries, you might automagically get new unwanted entries after a while. I consider my machine as a digital audio workstation with less security and less privacy. Pale Moon seems not to be (much) better. Maybe QupZilla is a little bit better, at least the history is better usable :D.
Tor browser, or Jondofox are another possibility. I'm pretty sure jondofox can be easily configured to go directly out to the internet without using their network (not that TOR or Jondo network's are bad, just too slow for many uses. I do use both TOR and Jondo networks at times) and the browsers (both Tor and Jondofox are based on firefox) have been modifed and hopefully spy features have been removed.
On 07/17/2015 01:01 AM, Natu wrote:
On 07/16/2015 02:55 PM, Ralf Mardorf wrote:
And yes, you have to turn off features in firefox to avoid similar spying behavior, but it can be done without maintaining your own version of the source code. But we need to monitor Firefox. A minute ago I deleted 7 Yahoo entries in about:config. Using Wireshark I noticed connections to a Yahoo
On Thu, 16 Jul 2015 13:43:25 -0700, Natu wrote: thingy. If you clean about:config from all unwanted entries, you might automagically get new unwanted entries after a while. I consider my machine as a digital audio workstation with less security and less privacy. Pale Moon seems not to be (much) better. Maybe QupZilla is a little bit better, at least the history is better usable :D.
Tor browser, or Jondofox are another possibility. I'm pretty sure jondofox can be easily configured to go directly out to the internet without using their network (not that TOR or Jondo network's are bad, just too slow for many uses. I do use both TOR and Jondo networks at times) and the browsers (both Tor and Jondofox are based on firefox) have been modifed and hopefully spy features have been removed.
There's also GNU Icecat in AUR and Parabola's libre repositories. I don't think it has spyware, but it's probably not better security-wise. The releases seem to lag slightly behind the Firefox ESR releases it is based on.
On Thu, 16 Jul 2015 16:01:42 -0700, Natu wrote:
Tor browser
Tor browser not necessarily is slow, but it is missing comfort such as a history. I need around 1½ hours to compile a kernel with a default Arch configuration and around 3½ hours to compile Firefox. In Western civilisations we seldom need TOR, what we need are less bloated browsers, that still provide some comfort.
On Fri, Jul 17, 2015, at 02:13 AM, Ralf Mardorf wrote:
In Western civilisations we seldom need TOR, what we need are less bloated browsers, that still provide some comfort.
There are a few minimalist browsers out there. Gnome, KDE, and XFCE all have them. The basic comfort I require is cross-platform bookmark sync. None of these small browsers have the manpower to do this unless they wrap themselves into FF sync like icecat does. Anyone have any ideas on how to sync bookmarks, history, and tabs across FLOSS browsers on all platforms? Aside, flash is still important. It should just be treated as if it is riddled with 0-days (which it is) and an open door for malware. I've used it more than a few times viewing .swf`s for college classes, for instance, and I doubt the university is going to pay someone to convert content that is still "functional". There's a lot of legacy flash content that should be preserved and accessible, but there definitely shouldn't be any new flash content being created.
I don't know that I even trust openssl anymore. I used to run chromium, but got tired of it passing so much information back to google, so I went back to firefox. What I run is not an ideal solution. I'm open to other suggestions. I used to love chrome, but got tired of google spying. And yes, you have to turn off features in firefox to avoid similar spying behavior, but it can be done without maintaining your own version of the source code.
Chromium doesn't have 'spying' code that's not optional. It supports more Google services than Firefox and uses more of them out-of-the-box since it's the basis of the browser Google uses to promote themselves. Firefox is picking up support for non-Google proprietary services over time anyway so it'll probably end up with more in the end. User security is certainly much, much lower on Firefox's priority list. They don't even enable ASLR yet, let alone robust sandboxing and advanced exploit mitigations throughout the browser. Mozilla ends up taking the same anti-user positions on issues like DRM after pretending that they're different. I can't think of one issue where they've taken the high road compared to Chromium. At least you know what you're getting with Google: profit-oriented corporation. Mozilla may not be accountable to shareholders, but they're even less concerned about the users. Google will reverse course during a PR disaster... Mozilla will just dig in and stonewall. For just one of many examples, look at the difference in the handling of the WebRTC IP leak: https://code.google.com/p/chromium/issues/detail?id=333752 https://bugzilla.mozilla.org/show_bug.cgi?id=959893 Oh, and the developer making the calls at Mozilla on this WebRTC privacy disaster developed the backdoored random number generation standard with the NSA. Mozilla isn't interested in commenting on this at all, as is usually the case (all discussion about it has been shut down).[1] [1] http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U... Google would have fired this guy ASAP because it's not in their self-interest to make themselves look bad. Mozilla just coasts by on a naive, trusting community as they always do... and yet of their prominent developers think you should be groveling at their feet for all the good they've done for FOSS.
I don't know how exactly this thread morphed into a debate about Chrome/Chromium vs. Firefox, or Google vs. Mozilla (Although I think Daniel Micay makes some interesting points re Google vs. Mozilla.), but for now, flashplugin-11.2.202.491-1 has finally been released. And while that's great for linux firefox users who still need or want to use flash, take note of the fact that it took a week for Adobe to release it. Three days after the more recent versions (18 and 13). Extraordinary circumstances, yes, but it shows Adobe's priorities. Users should also remember, they've only committed to maintaining the NPAPI linux version until mid-2017. Bottomline, time to start trying your daily firefox browsing without flash and see how bad it is. I did it for a week in firefox and only one of my regular sites (teamcoco.com) required it for actual content. Also, re WebRTC issues, the latest uBlock Origin plugin has a settings option, turned off by default, to prevent IP leaking.
On 07/16/2015 05:50 PM, Daniel Micay wrote:
I don't know that I even trust openssl anymore. I used to run chromium, but got tired of it passing so much information back to google, so I went back to firefox. What I run is not an ideal solution. I'm open to other suggestions. I used to love chrome, but got tired of google spying. And yes, you have to turn off features in firefox to avoid similar spying behavior, but it can be done without maintaining your own version of the source code. Chromium doesn't have 'spying' code that's not optional. It supports more Google services than Firefox and uses more of them out-of-the-box since it's the basis of the browser Google uses to promote themselves. Firefox is picking up support for non-Google proprietary services over time anyway so it'll probably end up with more in the end.
Have you used something like tcpdump and verified that you can configure chromium such that it doesn't connect to any google servers or any other servers other than the ones that you've specified in the url or that are referenced on web pages that you've opened? Maybe I'll have to try it again. That wasn't my experience the last time I tried it. Mozilla gets a large amount of their funding from google, so there's alot of politics behind this. Google for "firefox funded by google".
User security is certainly much, much lower on Firefox's priority list. They don't even enable ASLR yet, let alone robust sandboxing and advanced exploit mitigations throughout the browser. Mozilla ends up taking the same anti-user positions on issues like DRM after pretending that they're different. I can't think of one issue where they've taken the high road compared to Chromium. At least you know what you're getting with Google: profit-oriented corporation. Mozilla may not be accountable to shareholders, but they're even less concerned about the users. Google will reverse course during a PR disaster... Mozilla will just dig in and stonewall.
For just one of many examples, look at the difference in the handling of the WebRTC IP leak:
https://code.google.com/p/chromium/issues/detail?id=333752 https://bugzilla.mozilla.org/show_bug.cgi?id=959893
Oh, and the developer making the calls at Mozilla on this WebRTC privacy disaster developed the backdoored random number generation standard with the NSA. Mozilla isn't interested in commenting on this at all, as is usually the case (all discussion about it has been shut down).[1]
I do agree that chromium is technically more advanced, but I don't exactly trust google either. I'm not really sure where to find a web browser that can be trusted. I do note that both tor and jondo have chosen firefox, and I suspect there is a good reason for this, though they do apply their own modifications. The security of TOR has been touted as being very solid, though I haven't seen as many reviews of jondo. By default flash is disabled in both of them, but easier to turn on in jondofox.
[1] http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U...
Google would have fired this guy ASAP because it's not in their self-interest to make themselves look bad. Mozilla just coasts by on a naive, trusting community as they always do... and yet of their prominent developers think you should be groveling at their feet for all the good they've done for FOSS.
On 16/07/15 11:30 PM, Natu wrote:
On 07/16/2015 05:50 PM, Daniel Micay wrote:
I don't know that I even trust openssl anymore. I used to run chromium, but got tired of it passing so much information back to google, so I went back to firefox. What I run is not an ideal solution. I'm open to other suggestions. I used to love chrome, but got tired of google spying. And yes, you have to turn off features in firefox to avoid similar spying behavior, but it can be done without maintaining your own version of the source code. Chromium doesn't have 'spying' code that's not optional. It supports more Google services than Firefox and uses more of them out-of-the-box since it's the basis of the browser Google uses to promote themselves. Firefox is picking up support for non-Google proprietary services over time anyway so it'll probably end up with more in the end.
Have you used something like tcpdump and verified that you can configure chromium such that it doesn't connect to any google servers or any other servers other than the ones that you've specified in the url or that are referenced on web pages that you've opened? Maybe I'll have to try it again. That wasn't my experience the last time I tried it.
It will check for updates to extensions... so will other browsers. You are claiming that spying code is there yet it's an open-source project and no one has ever found any. Prove it instead of spreading FUD.
Mozilla gets a large amount of their funding from google, so there's alot of politics behind this. Google for "firefox funded by google".
Mozilla gets their money from other sources like Yahoo and the in-browser advertising and proprietary services now.
User security is certainly much, much lower on Firefox's priority list. They don't even enable ASLR yet, let alone robust sandboxing and advanced exploit mitigations throughout the browser. Mozilla ends up taking the same anti-user positions on issues like DRM after pretending that they're different. I can't think of one issue where they've taken the high road compared to Chromium. At least you know what you're getting with Google: profit-oriented corporation. Mozilla may not be accountable to shareholders, but they're even less concerned about the users. Google will reverse course during a PR disaster... Mozilla will just dig in and stonewall.
For just one of many examples, look at the difference in the handling of the WebRTC IP leak:
https://code.google.com/p/chromium/issues/detail?id=333752 https://bugzilla.mozilla.org/show_bug.cgi?id=959893
Oh, and the developer making the calls at Mozilla on this WebRTC privacy disaster developed the backdoored random number generation standard with the NSA. Mozilla isn't interested in commenting on this at all, as is usually the case (all discussion about it has been shut down).[1]
I do agree that chromium is technically more advanced, but I don't exactly trust google either.
Yet you trust another American corporation (Mozilla) that has repeatedly shown itself to place users and especially contributors in even lower regard.
I'm not really sure where to find a web browser that can be trusted. I do note that both tor and jondo have chosen firefox, and I suspect there is a good reason for this, though they do apply their own modifications. The security of TOR has been touted as being very solid, though I haven't seen as many reviews of jondo. By default flash is disabled in both of them, but easier to turn on in jondofox.
The Tor browser is quite insecure. It's nearly the same thing as Firefox, so it falls near the bottom of the list when it comes to browser security, i.e. below even Internet Explorer, which has a basic sandbox (but not nearly on par with Chromium, especially on Linux) and other JIT / allocator hardening features not present at all in Firefox. What the Tor browser *does* have that's unique are tweaks to significantly reduce the browser's unique fingerprint. https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardenin... Tor would be a fork of Chromium if they were starting again today with a large team. They don't have the resources to switch browsers. That would only change if they can get Google to implement most of the features they need.
On Fri, 17 Jul 2015 11:30:05 -0400, Daniel Micay wrote:
The Tor browser is quite insecure. It's nearly the same thing as Firefox, so it falls near the bottom of the list when it comes to browser security, i.e. below even Internet Explorer, which has a basic sandbox (but not nearly on par with Chromium, especially on Linux) and other JIT / allocator hardening features not present at all in Firefox. What the Tor browser *does* have that's unique are tweaks to significantly reduce the browser's unique fingerprint.
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardenin...
Tor would be a fork of Chromium if they were starting again today with a large team. They don't have the resources to switch browsers. That would only change if they can get Google to implement most of the features they need.
Vivaldi is based on Chromium. How does Vivaldi compare regarding security and privacy to IceCat, Pale Moon, Firefox, QupZilla, Opera? https://aur4.archlinux.org/packages/?O=0&K=vivaldi https://aur.archlinux.org/packages/?O=0&K=vivaldi
On 17/07/15 12:35 PM, Ralf Mardorf wrote:
On Fri, 17 Jul 2015 11:30:05 -0400, Daniel Micay wrote:
The Tor browser is quite insecure. It's nearly the same thing as Firefox, so it falls near the bottom of the list when it comes to browser security, i.e. below even Internet Explorer, which has a basic sandbox (but not nearly on par with Chromium, especially on Linux) and other JIT / allocator hardening features not present at all in Firefox. What the Tor browser *does* have that's unique are tweaks to significantly reduce the browser's unique fingerprint.
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardenin...
Tor would be a fork of Chromium if they were starting again today with a large team. They don't have the resources to switch browsers. That would only change if they can get Google to implement most of the features they need.
Vivaldi is based on Chromium. How does Vivaldi compare regarding security and privacy to IceCat, Pale Moon, Firefox, QupZilla, Opera?
https://aur4.archlinux.org/packages/?O=0&K=vivaldi https://aur.archlinux.org/packages/?O=0&K=vivaldi
It's a proprietary browser built on Chromium. It's not interesting from a security / privacy perspective. If you want Chromium without Google integration then you can use Iridium. It doesn't remove any tracking / spying code though. There wasn't any to remove. Their redefinition of tracking just means support for any service hosted by Google (like adding a warning message when a dictionary would be downloaded from them). Most of what it does is changing the the default settings to be more privacy conscious. https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/log/
On Fri, 17 Jul 2015 at 22:30 Daniel Micay <danielmicay@gmail.com> wrote:
If you want Chromium without Google integration then you can use Iridium. It doesn't remove any tracking / spying code though. There wasn't any to remove. Their redefinition of tracking just means support for any service hosted by Google (like adding a warning message when a dictionary would be downloaded from them). Most of what it does is changing the the default settings to be more privacy conscious.
https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/log/
We don't have it in the AUR though.
On 17/07/15 01:14 PM, Jagannathan Tiruvallur Eachambadi wrote:
We don't have it in the AUR though.
Well, I don't really think it's useful. It was just a suggestion for people who can't tolerate Chromium downloading things like dictionaries from Google.
On Fri, 17 Jul 2015 17:14:59, Jagannathan Tiruvallur Eachambadi wrote:
We don't have it in the AUR though.
Unfortunately it needs more than just an "averaged" git-PKGBUILD, IOW it's much work. I started writing a PKGBUILD, but for my taste it's too much work to finish it. There's https://aur4.archlinux.org/packages/inox/ , but this fails to build with "error: target not found: python2-ply<3.5 ==> ERROR: 'pacman' failed to install missing dependencies." Even writing a comment seems not to be worth the effort.
participants (13)
-
Bardur Arantsson
-
Ben Oliver
-
Christian Demsar
-
D C
-
Daniel Micay
-
David Kaylor
-
Florian Pelz
-
Francis Gerund
-
Jagannathan Tiruvallur Eachambadi
-
Jens Adam
-
Natu
-
Ralf Mardorf
-
Sebastian Pipping