[arch-general] current flash vulnerabilities - what to do?

Daniel Micay danielmicay at gmail.com
Fri Jul 17 00:50:27 UTC 2015


> I don't know that I even trust openssl anymore.  I used to run chromium,
> but got tired of it passing so much information back to google, so I
> went back to firefox.  What I run is not an ideal solution.  I'm open to
> other suggestions.  I used to love chrome, but got tired of google
> spying.  And yes, you have to turn off features in firefox to avoid
> similar spying behavior, but it can be done without maintaining your own
> version of the source code.

Chromium doesn't have 'spying' code that's not optional. It supports
more Google services than Firefox and uses more of them out-of-the-box
since it's the basis of the browser Google uses to promote themselves.
Firefox is picking up support for non-Google proprietary services over
time anyway so it'll probably end up with more in the end.

User security is certainly much, much lower on Firefox's priority list.
They don't even enable ASLR yet, let alone robust sandboxing and
advanced exploit mitigations throughout the browser. Mozilla ends up
taking the same anti-user positions on issues like DRM after pretending
that they're different. I can't think of one issue where they've taken
the high road compared to Chromium. At least you know what you're
getting with Google: profit-oriented corporation. Mozilla may not be
accountable to shareholders, but they're even less concerned about the
users. Google will reverse course during a PR disaster... Mozilla will
just dig in and stonewall.

For just one of many examples, look at the difference in the handling of
the WebRTC IP leak:

https://code.google.com/p/chromium/issues/detail?id=333752
https://bugzilla.mozilla.org/show_bug.cgi?id=959893

Oh, and the developer making the calls at Mozilla on this WebRTC privacy
disaster developed the backdoored random number generation standard with
the NSA. Mozilla isn't interested in commenting on this at all, as is
usually the case (all discussion about it has been shut down).[1]

[1] http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

Google would have fired this guy ASAP because it's not in their
self-interest to make themselves look bad. Mozilla just coasts by on a
naive, trusting community as they always do... and yet some of their
prominent developers think you should be groveling at their feet for all
the good they've done for FOSS.
