
Ask HN: Firefox vs. Chrome security - nsudio
I'm seeing a lot of hype surrounding Mozilla's recent release of Firefox Quantum - which promises massive improvements, mainly speed.

Looking past the speed aspect, where does FF stand against Chrome? Does Rust offer much better security? AFAIK Chrome is gold standard in sandboxing...does this still hold true?
======
nwah1
One of the exciting new features is the beginnings of a formally verified
cryptography stack.

[https://blog.mozilla.org/security/2017/09/13/verified-crypto...](https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/)

------
mintplant
> AFAIK Chrome is gold standard in sandboxing...does this still hold true?

Firefox offers similar sandboxing; see
[https://wiki.mozilla.org/Security/Sandbox](https://wiki.mozilla.org/Security/Sandbox)

Firefox's JavaScript engine also implements more in-depth protections than V8,
such as W^X in the JIT and compartments+wrappers to provide revokable access
control and separation between code from different origins. There's a lot more
to security than ensuring code execution can't break out of the browser.

------
prohor
The release is also improving sandboxing for Linux:

[https://www.bleepingcomputer.com/news/security/firefox-57-br...](https://www.bleepingcomputer.com/news/security/firefox-57-brings-better-sandboxing-on-linux/)

Sandboxing for Windows was introduced in version 54.

------
AdmiralAsshat
Firefox has been a low-priority target for a couple years due to its waning
user-base. In fact, Firefox wasn't even at Pwn2Own 2016 because hackers didn't
think it was worth their time[0].

Hopefully with Quantum and a resurge in popularity, it'll become a target of
white-hat hackers again.

[0] [http://www.eweek.com/security/pwn2own-hacking-contest-return...](http://www.eweek.com/security/pwn2own-hacking-contest-returns-as-joint-hpe-trend-micro-effort)

~~~
styfle
Are there historical records for number of "critical" vulnerabilities found in
browsers? It would be interesting to compare the number for different
browsers.

 _Update_ Maybe this:

[http://www.cvedetails.com/product/15031/Google-Chrome.html?v...](http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224)

[http://www.cvedetails.com/product/9900/Microsoft-Internet-Ex...](http://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26)

~~~
mccr8
Comparing the number of CVEs is not a good way to compare how vulnerable
different browsers are. For instance, I believe that Firefox and maybe Chrome
bucket together multiple internally reported vulnerabilities into a single
CVE.

------
beaconfield
From Peter Bright at Ars: "And security remains a pressing concern, prompting
the use of new techniques to protect against exploitation. Some of the rebuilt
portions are even using Mozilla's new Rust programming language, which is
designed to offer improved security compared to C++.

While today's release represents a major step forward in the browser's
performance and reliability, work on Quantum continues. One major weakness of
Firefox, relative to Chrome and Edge, is its use of sandboxing and process
isolation to limit the impact that security flaws can have. Next year Mozilla
will be working to improve these areas. Early next year should also see the
rollout of a new GPU-accelerated rendering engine."

~~~
gcp
_One major weakness of Firefox, relative to Chrome and Edge, is its use of
sandboxing and process isolation to limit the impact that security flaws can
have. Next year Mozilla will be working to improve these areas._

Firefox has been shipping with a sandbox for a while, let alone e10s. Is that
an old post?

~~~
majewsky
It is not a binary choice; there are sandboxes and then there are sandboxes.
For example, a VM is a stricter sandbox than a container is a stricter sandbox
than a chroot is better than nothing.

~~~
gcp
For sure. But he doesn't go into any details where he thinks the advantage
would lie, which I think conflicts with calling it a "major weakness".

------
hdhzy
One interesting extension for desktop Firefox is Containers [0]. This is like
per site incognito mode so tracking cookies do not escape between containers.
While it's not a strict security thing for me it's one of the more interesting
aspects of Firefox as a browser.

[0]: [https://addons.mozilla.org/en-US/firefox/addon/multi-account...](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/)

------
_hyn3
Google has (always) gathered information about Chrome -- and Chromium -- users
_by default_, including every keystroke typed into the "omnibox". Not easy to
disable, either.

This seems to be a recent Firefox policy change: all editions of Firefox are
now collecting data, such as telemetry, information gathering, usage data.
(URL's? Form data?) This is all _opt-out_ instead of opt-in now, and you're
asked only after installation. You have to pro-actively disable it.

(Formerly, telemetry gathering was only gathered by default on nightlies and
dev tracks; this telemetry _does_ cover usage.. i.e., this seems to include
what URL's you're browsing; this could be a security risk for apps like
Dropbox and OneDrive.)

To be fair, it's easier to opt-out in Firefox than it is in Chrome, and
Firefox is also more up-front about it after initial setup/installation;
still, given that Firefox held itself out as the privacy-oriented browser,
this is a significant change.

(Which leads to a new question.. what's the new best privacy browser? probably
Brave? or, perhaps, Opera?)

EDIT: citation, thanks to cJ0th:

[https://www.mozilla.org/en-US/privacy/firefox/](https://www.mozilla.org/en-US/privacy/firefox/)

~~~
gcp
Firefox does _NOT_ do any this, as far as I know. What is the source of this
FUD?

A public discussion was started to get to know how people felt about privacy
conserving telemetry collection that would be opt out by default. There was
massive negative feedback (duh). The feature _did not ship_ in 57.

[https://medium.com/georg-fritzsche/data-preference-changes-i...](https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5)

"instead we always collect LESS data on Firefox release."

~~~
cJ0th
> Firefox does NOT do any this, as far as I know. What is the source of this
> FUD?

"Firefox by default shares data to: Improve performance and stability for
users everywhere

Interaction data: Firefox sends data about your interactions with Firefox to
us (such as number of open tabs and windows; number of webpages visited;
number and type of installed Firefox Add-ons; and session length) and Firefox
features offered by Mozilla or our partners (such as interaction with Firefox
search features and search partner referrals).

Technical data: Firefox sends data about your Firefox version and language;
device operating system and hardware configuration; memory, basic information
about crashes and errors; outcome of automated processes like updates,
safebrowsing, and activation to us. When Firefox sends data to us, your IP
address is temporarily collected as part of our server logs.

Read the telemetry documentation for Desktop, Android, or iOS or learn how to
opt-out of this data collection."

via

[https://www.mozilla.org/en-US/privacy/firefox/](https://www.mozilla.org/en-US/privacy/firefox/)

~~~
gcp
I'm objecting to the fact that you are calling this a change and that it
supposedly collects more data. My understanding is that _it is the opposite_.
Much of the stuff that you list is the update check and the update
checks for add-ons, CA revocation checking etc, all things that have always
been on by default and that _can now actually be disabled more easily_.

I have no idea where you pull the "this seems to include what URL's you're
browsing; this could be a security risk for apps like Dropbox and OneDrive"
stuff from. The only place I know of that these could potentially be recorded
is a crash report, and this has _always_ been the case if you allow it to send
crash reports back because they contain the stack contents.

~~~
jamiesonbecker
You claimed that I was spreading FUD; rather than resort to ad hominem
responses, please counter with facts. I'm happy to apologize if I am
incorrect, but it appears that your information appears to be out of date:

Telemetry was previously only enabled by default in Nightly and Aurora:

[https://blog.theochevalier.fr/telemetry-enabled-by-default-o...](https://blog.theochevalier.fr/telemetry-enabled-by-default-on-firefox-nightly-and-aurora/)

The telemetry data includes a lot more than just update checks. You wouldn't
need to send information _to_ Mozilla to get an update or get CA revocation
lists.

For example, from the privacy policy[1]:

    Firefox features offered by Mozilla or our partners (such as *interaction with Firefox search features* and search partner referrals). [emphasis added]

Many of your comments are about Firefox, development with Rust, etc. I didn't
mean to offend you if you are closely aligned with Mozilla. A healthy browser
ecosystem (and especially the great new rendering engine from Mozilla) benefits
us all.

1\. [https://www.mozilla.org/en-US/privacy/firefox/](https://www.mozilla.org/en-US/privacy/firefox/)

~~~
gcp
_please counter with facts_

I already did. Much of the stuff you mentioned has always been enabled and had
nothing to do with telemetry. This is most obvious with the update checks. And
yes, you DO need to send information to know which add-ons to update. Probing
every installed add-on to see if there's an update amounts to sending over the
list of installed add-ons. Let's be forthright about that.

I quoted an article from one of the Telemetry engineers explaining that now
LESS data is collected by default.

I think that's a good enough rebuttal to your claim that there has been a
change of direction to collect more.

~~~
jamiesonbecker
Personally, I actually don't have any issue with any of the individual
telemetry data, although it can certainly be used to fingerprint and for other
nefarious purposes, or even if it's opt-out instead of opt-in, but collecting
it by default is definitely a new change.

In fact, your link explicitly explains that you cannot control the extent of
data collection now. ("There is just one control for data upload for Firefox")
It also explains that this is a _new_ change ("which is _on by default_.")

Trying to spin this or casting aspersions on casual users who noticed a change
won't change the facts.

------
3ds
My understanding is that Firefox Quantum is not faster due to any additional
Rust parts, but because the team focused on performance optimization across
the entire codebase.

The only big Rust component was introduced a couple of releases ago: Stylo.

Once Webrender is in Firefox, a serious chunk of Firefox will be written in
Rust.

~~~
metajack
Stylo is about 10x faster than the old style system on a four core machine,
and about 4x faster than Chrome's style system. This feature alone is worth
30% of initial page load time on amazon and youtube.

So yes, Quantum is faster as a direct result both of Rust code, and of Rust's
memory-safety-makes-parallelism-practical features. That is not the only
source of performance improvement in Quantum though.

Also, Quantum isn't yet getting the full benefits possible from this code for
a few reasons. Firefox 57 uses Stylo for content, but not yet for chrome,
which will be coming in a later release. In Servo, CSS is parsed off the main
thread, but in Quantum it is not yet (will be done in a future release). Servo
pipelines style resolution and frame construction (basically after the top
down pass to deal with the style cascade, we go back up the tree bottom up
constructing the layout data structures), and Quantum does not yet do this.
Lastly, cross-language inlining is missing which would allow inlining FFI
calls. Servo doesn't have this issue since all the driver and layout code is
also in Rust.

------
robbyking
I actually noticed some weird and potentially concerning behavior with Firefox
Quantum this morning.

I had a fair number of tabs open (~28 or so), and I restarted the browser so a
change I made would take effect. I have FF set to show my windows and tabs
from my previous session on start up, but it instead launched with a single
tab showing my home page. Okay, no big deal, I'll just restore my previous
session from the History menu. When I clicked on the history menu, though, I
didn't see my most recent history, but instead a list of URLs from my bank.

I assume this is due to a syncing issue with my Firefox account (I changed my
banking password just to be safe), but it's still concerning.

~~~
mintplant
That really does sound like a sync/profile issue, especially as it coincided
with a failure to restore your previous session. I suspect you encountered
some sort of corruption in your profile, and Firefox automatically restored
one of the multiple backup copies it keeps to attempt to mitigate data loss.
Still, always good to take precautions.

What Firefox release channel(s) are you using? Are you running the same
version across all of your sync'd devices? And can you share what change you
made before restarting the browser?

------
beaconfield
From what I understand about Rust, it does offer some native security
improvements.

~~~
nwah1
Apparently about a third of browser security vulnerabilities can be traced to
memory safety issues. So, yes.

~~~
icen
But how many of them come from the rendering engine?

~~~
bkor
They're slowly replacing more and more code with Rust. So eventually Rust
will have a much bigger impact.

~~~
rammy1234
Rust helps to avoid segfaults, which helps avoid buffer overflows and
stack overflows. Most security attacks are due to these, and it can prevent
them better. There is no way a developer can write code in Rust that causes
segfaults (at least the language promises that).

Recent blog post: [https://blog.rust-lang.org/2017/11/14/Fearless-Concurrency-I...](https://blog.rust-lang.org/2017/11/14/Fearless-Concurrency-In-Firefox-Quantum.html)

~~~
gsnedders
> there is no way a developer can write code in Rust that causes segfaults
> (at least the language promises that).

Well, you can very easily: write bad code in unsafe blocks.

That said, your badness is contained within unsafe blocks, so hopefully you
have much less code to closely review.
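
The distinction made in the comment above, as an added Rust example that is not part of the original thread or of Firefox's code: a bounds-checked parser next to one that uses an `unsafe` block, where that block is the single line a reviewer has to verify. The record format (one length byte, then payload) and all names are constructed for illustration.

```rust
// Added example: constructed record format (1-byte length, then payload).
use std::panic;
#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated { wanted: usize, have: usize } }

/// Safe Rust only: `get` bounds-checks and returns None on a bad length.
pub fn parse_safe(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < buf.len() {
        let len = buf[pos] as usize;
        pos += 1;
        let have = buf.len() - pos;
        let payload = buf.get(pos..pos + len).ok_or(ParseError::Truncated { wanted: len, have })?;
        out.push(payload);
        pos += len;
    }
    Ok(out)
}

/// Same parser with the bounds check written by hand. The `unsafe` block is
/// the only line where a wrong check could become an out-of-bounds read.
pub fn parse_unchecked(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < buf.len() {
        let len = buf[pos] as usize;
        pos += 1;
        let have = buf.len() - pos;
        if len > have {
            return Err(ParseError::Truncated { wanted: len, have });
        }
        // SAFETY: pos <= buf.len() and len <= buf.len() - pos, checked above.
        out.push(unsafe { buf.get_unchecked(pos..pos + len) });
        pos += len;
    }
    Ok(out)
}

/// Out-of-bounds indexing in safe code is a panic, not a silent memory read.
pub fn oob_index_panics() -> bool {
    panic::catch_unwind(|| { let v = vec![1u8, 2, 3]; v[v.len() + 2] }).is_err()
}

fn main() {
    let bad = [2, b'h', b'i', 9, b'!']; // constructed: length field says 9, 1 byte left
    println!("{:?} {:?}", parse_safe(&bad), parse_unchecked(&bad));
    println!("oob index panics: {}", oob_index_panics());
}
```
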

~~~
rammy1234
Right, it is well known to the developers what to look for when we see
something wrong. It doesn't crash randomly, it cries out loud when it fails so
we know what is happening and manage it better.

------
notacissp
Look for the recent whitepapers by Cure53 and X41 both titled Browser Security
Whitepaper.

tl;dr Chrome + Edge are more secure. Do not use Internet Exploder

------
mtgx
Until proven otherwise, I think Chrome remains the most secure browser.

From what I've seen, FF57 only uses one content process by default (at least
when you upgrade it from FF56), although you can enable up to 7 in settings
(I wish they gave higher numbers, too, like 50, or have a custom field).

Also, Rust is still a small portion of the browser. I'm not sure how big of a
portion is of the rendering parts, which are usually the ones causing security
issues.

We'll see how it fares at the next Pwn2Own and perhaps in new papers comparing
browsers' security over the coming year.

That said, I am excited that Tor will soon use FF59, which should include all
of these improvements (but hopefully customized to have improved hardening by
default compared to regular Firefox, on all operating systems).

~~~
arghwhat
FF57 has a relatively small amount of Rust (~160k lines of C++ replaced with
~80k lines of 10x faster Rust). Chrome is "pure" C++, though.

More _content_ processes wouldn't make much difference. It doesn't reduce the
attack surface (potentially increasing it due to complexity), but only reduces
the amount of data per process in case you gain read-only access to its memory
(which I can't currently think of as being an interesting attack).

I would imagine that _more_ content processes is about stability, rather than
security. However, splitting larger processes into smaller ones can yield
great benefit on the security front.

EDIT: FF57 defaults to _four_ content processes.

