[arch-general] current flash vulnerabilities - what to do?

Daniel Micay danielmicay at gmail.com
Fri Jul 17 15:30:05 UTC 2015


On 16/07/15 11:30 PM, Natu wrote:
> On 07/16/2015 05:50 PM, Daniel Micay wrote:
>>> I don't know that I even trust openssl anymore.  I used to run chromium,
>>> but got tired of it passing so much information back to google, so I
>>> went back to firefox.  What I run is not an ideal solution.  I'm open to
>>> other suggestions.  I used to love chrome, but got tired of google
>>> spying.  And yes, you have to turn off features in firefox to avoid
>>> similar spying behavior, but it can be done without maintaining your own
>>> version of the source code.
>> Chromium doesn't have 'spying' code that's not optional. It supports
>> more Google services than Firefox and uses more of them out-of-the-box
>> since it's the basis of the browser Google uses to promote themselves.
>> Firefox is picking up support for non-Google proprietary services over
>> time anyway so it'll probably end up with more in the end.
> 
> Have you used something like tcpdump and verified that you can configure
> chromium such that it doesn't connect to any google servers or any other
> servers other than the ones that you've specified in the url or that are
> referenced on web pages that you've opened?  Maybe I'll have to try it
> again.  That wasn't my experience the last time I tried it.

It will check for updates to extensions... so will other browsers. You
are claiming that spying code is there yet it's an open-source project
and no one has ever found any. Prove it instead of spreading FUD.

> Mozilla gets a large amount of their funding from google, so there's
> a lot of politics behind this.  Google for "firefox funded by google".

Mozilla gets their money from other sources like Yahoo and the
in-browser advertising and proprietary services now.

>> User security is certainly much, much lower on Firefox's priority list.
>> They don't even enable ASLR yet, let alone robust sandboxing and
>> advanced exploit mitigations throughout the browser. Mozilla ends up
>> taking the same anti-user positions on issues like DRM after pretending
>> that they're different. I can't think of one issue where they've taken
>> the high road compared to Chromium. At least you know what you're
>> getting with Google: profit-oriented corporation. Mozilla may not be
>> accountable to shareholders, but they're even less concerned about the
>> users. Google will reverse course during a PR disaster... Mozilla will
>> just dig in and stonewall.
>>
>> For just one of many examples, look at the difference in the handling of
>> the WebRTC IP leak:
>>
>> https://code.google.com/p/chromium/issues/detail?id=333752
>> https://bugzilla.mozilla.org/show_bug.cgi?id=959893
>>
>> Oh, and the developer making the calls at Mozilla on this WebRTC privacy
>> disaster developed the backdoored random number generation standard with
>> the NSA. Mozilla isn't interested in commenting on this at all, as is
>> usually the case (all discussion about it has been shut down).[1]
> 
> I do agree that chromium is technically more advanced, but I don't
> exactly trust google either.

Yet you trust another American corporation (Mozilla) that has repeatedly
shown itself to place users and especially contributors in even lower
regard.

> I'm not really sure where to find a web
> browser that can be trusted.  I do note that both tor and jondo have
> chosen firefox, and I suspect there is a good reason for this, though
> they do apply their own modifications.  The security of TOR has been
> touted as being very solid, though I haven't seen as many reviews of
> jondo.  By default flash is disabled in both of them, but easier to turn
> on in jondofox.

The Tor browser is quite insecure. It's nearly the same thing as
Firefox, so it falls near the bottom of the list when it comes to
browser security, i.e. below even Internet Explorer, which has a basic
sandbox (but not nearly on par with Chromium, especially on Linux) and
other JIT / allocator hardening features not present at all in Firefox.
What the Tor browser *does* have that's unique are tweaks to
significantly reduce the browser's unique fingerprint.

https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study

Tor would be a fork of Chromium if they were starting again today with a
large team. They don't have the resources to switch browsers. That would
only change if they can get Google to implement most of the features
they need.
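As an added example, not part of the original thread or of either browser project: the tcpdump check Natu asks about is easy to run but hard to interpret, because a lookup for a third-party host can be either a resource referenced by a page you opened or something the browser started on its own (an extension-update check, for instance). The script below reads the text output of `tcpdump -n -l -i any udp port 53` (the timestamp and `A? name.` / `AAAA? name.` query format tcpdump prints by default), takes the domains you deliberately opened, and attributes each query: first-party, referenced by a page (a lookup within a few seconds of a first-party lookup; the 10-second window is an assumed heuristic, not a tcpdump or browser setting), or browser-initiated (no first-party activity preceding it). The capture lines, IP addresses and hostnames are constructed for the example.

```python
import re

# tcpdump -n -l -i any udp port 53 prints query lines such as
#   15:30:01.100000 IP 192.168.1.10.51234 > 192.168.1.1.53: 1+ A? www.archlinux.org. (34)
# This pattern pulls the timestamp and the queried name out of query lines;
# response lines ("... 1 1/0/0 A 1.2.3.4 (50)") carry no "A? " and do not match.
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}(?:\.\d+)?) .*?"
    r"\b(?:A|AAAA|HTTPS)\? (?P<name>[A-Za-z0-9.-]+)\."
)

# A lookup this many seconds after a first-party lookup is treated as a
# resource referenced by the page you opened. Heuristic; assumed value.
WINDOW = 10.0


def parse_queries(lines):
    """Yield (seconds since midnight, queried name) for each DNS query line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        yield t, m["name"].lower()


def is_under(name, domain):
    """True if name is domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def classify(lines, visited, window=WINDOW):
    """Attribute each DNS query in the capture to one of three buckets.

    visited: the registrable domains you deliberately opened (URL-bar sites).
    Returns a dict with lists of names in capture order under the keys
    "first_party", "page_resource" and "browser_initiated".
    """
    buckets = {"first_party": [], "page_resource": [], "browser_initiated": []}
    last_first_party = None  # timestamp of the most recent first-party lookup
    for t, name in parse_queries(lines):
        if any(is_under(name, d) for d in visited):
            buckets["first_party"].append(name)
            last_first_party = t
        elif last_first_party is not None and 0 <= t - last_first_party <= window:
            # Resolved shortly after a page you opened: plausibly referenced by it.
            buckets["page_resource"].append(name)
        else:
            # No first-party activity in the preceding window: the browser
            # itself chose to talk to this host.
            buckets["browser_initiated"].append(name)
    return buckets


# Constructed sample capture (not from a real browser session); addresses and
# hostnames are illustrative.
SAMPLE = """\
15:30:01.100000 IP 192.168.1.10.51234 > 192.168.1.1.53: 1+ A? www.archlinux.org. (34)
15:30:01.110000 IP 192.168.1.1.53 > 192.168.1.10.51234: 1 1/0/0 A 198.51.100.7 (50)
15:30:01.120000 IP 192.168.1.10.51235 > 192.168.1.1.53: 2+ AAAA? www.archlinux.org. (34)
15:30:01.900000 IP 192.168.1.10.51236 > 192.168.1.1.53: 3+ A? static.archlinux.org. (37)
15:30:02.300000 IP 192.168.1.10.51237 > 192.168.1.1.53: 4+ A? cdn.example-ads.net. (37)
15:31:45.000000 IP 192.168.1.10.51238 > 192.168.1.1.53: 5+ A? clients2.google.com. (37)
15:31:45.010000 IP 192.168.1.10.51239 > 192.168.1.1.53: 6+ A? update.example-extensions.org. (47)
"""

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE.splitlines(), {"archlinux.org"}).items():
        print(bucket, sorted(set(names)))
```

To use it on a real session, pipe the tcpdump output into `classify()` (or replace `SAMPLE` with `sys.stdin`) with the set of domains you actually typed into the URL bar; the "browser_initiated" bucket is the list to account for, host by host, against the browser's documented services. The last-two-labels matching in `is_under` is deliberately simple; a site on a shared suffix such as `co.uk` needs the full registrable domain listed in `visited`.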
