Ask HN: Firefox vs. Chrome security
82 points by nsudio on Nov 15, 2017 | 70 comments
I'm seeing a lot of hype surrounding Mozilla's recent release of Firefox Quantum - which promises massive improvements, mainly speed.

Looking past the speed aspect, where does FF stand against Chrome? Does Rust offer much better security? AFAIK Chrome is gold standard in sandboxing...does this still hold true?




One of the exciting new features is the beginnings of a formally verified cryptography stack.

https://blog.mozilla.org/security/2017/09/13/verified-crypto...


> AFAIK Chrome is gold standard in sandboxing...does this still hold true?

Firefox offers similar sandboxing; see https://wiki.mozilla.org/Security/Sandbox

Firefox's JavaScript engine also implements more in-depth protections than V8, such as W^X in the JIT and compartments+wrappers to provide revokable access control and separation between code from different origins. There's a lot more to security than ensuring code execution can't break out of the browser.


The release is also improving sandboxing for Linux:

https://www.bleepingcomputer.com/news/security/firefox-57-br...

Sandboxing for Windows was introduced in version 54.


Firefox has been a low-priority target for a couple years due to its waning user-base. In fact, Firefox wasn't even at Pwn2Own 2016 because hackers didn't think it was worth their time[0].

Hopefully with Quantum and a resurgence in popularity, it'll become a target of white-hat hackers again.

[0] http://www.eweek.com/security/pwn2own-hacking-contest-return...


Coincidentally it not being worth their time coincided with Mozilla not sponsoring the contest any more. You can make of that what you will.


Mozilla has never sponsored the Pwn2Own contest.


Are there historical records for number of "critical" vulnerabilities found in browsers? It would be interesting to compare the number for different browsers.

Update: Maybe this:

http://www.cvedetails.com/product/15031/Google-Chrome.html?v...

http://www.cvedetails.com/product/9900/Microsoft-Internet-Ex...


Comparing the number of CVEs is not a good way to compare how vulnerable different browsers are. For instance, I believe that Firefox and maybe Chrome bucket together multiple internally reported vulnerabilities into a single CVE.


Don't do this, it's an anti-metric. Unless you think Opera and Konqueror are the most secure browsers.


That is a great argument against the monoculture seen in some product categories.

If (almost) everyone runs Windows you’re safer if you run Linux.


I heard a different story. Firefox was not at the contest because it was not in the same league as the other browsers (and not in a good way). See the last sentence of your link: "We wanted to focus on the browsers that have made serious security improvements in the last year"


A rather arbitrary claim with nothing to back it up. For sure, Firefox made more security improvements in 2016 than it did in some of the years where they did feature it.



From Peter Bright at Ars: "And security remains a pressing concern, prompting the use of new techniques to protect against exploitation. Some of the rebuilt portions are even using Mozilla's new Rust programming language, which is designed to offer improved security compared to C++.

While today's release represents a major step forward in the browser's performance and reliability, work on Quantum continues. One major weakness of Firefox, relative to Chrome and Edge, is its use of sandboxing and process isolation to limit the impact that security flaws can have. Next year Mozilla will be working to improve these areas. Early next year should also see the rollout of a new GPU-accelerated rendering engine."


> One major weakness of Firefox, relative to Chrome and Edge, is its use of sandboxing and process isolation to limit the impact that security flaws can have. Next year Mozilla will be working to improve these areas.

Firefox has been shipping with a sandbox for a while, let alone e10s. Is that an old post?


It is not a binary choice; there are sandboxes and then there are sandboxes. For example, a VM is a stricter sandbox than a container is a stricter sandbox than a chroot is better than nothing.


For sure. But he doesn't go into any details where he thinks the advantage would lie, which I think conflicts with calling it a "major weakness".


> Early next year should also see the rollout of a new GPU-accelerated rendering engine

So what version will get Webrender exactly?


59 AFAIK


Where did you get that info? I'm running Nightly (v59) but it's not enabled by default. Can't find anything on their roadmap either.


Version numbers in Nightly should be treated as works in progress, as it's built straight from the working Firefox source tree. When the current cycle ends, the code in Nightly will be bundled up to become the 59 release, and the Nightly version number will tick over to 60. Nightly displaying the 59 version number doesn't mean all features of the 59 release are present there yet.


For the adventurous:

1) open about:config
2) set gfx.webrender.enabled to true
3) restart Nightly

For the even more adventurous:

1) open about:config
2) set gfx.webrender.enabled to true
3) set gfx.webrendest.enabled to true
4) restart Nightly


In the nightly you need to enable it in about:config. I.e. it ships both Webrender and Gecko engine.


Thanks!


That's a rough guess; the 59 cycle just started, but it's still opt-in, not on by default. But we can say for sure it will be at least 59.


One interesting extension for desktop Firefox is Containers [0]. This is like per-site incognito mode, so tracking cookies do not escape between containers. While it's not a strict security thing, for me it's one of the more interesting aspects of Firefox as a browser.

[0]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...


Google has (always) gathered information about Chrome -- and Chromium -- users by default, including every keystroke typed into the "omnibox". Not easy to disable, either.

This seems to be a recent Firefox policy change: all editions of Firefox are now collecting data, such as telemetry, information gathering, usage data. (URL's? Form data?) This is all opt-out instead of opt-in now, and you're asked only after installation. You have to pro-actively disable it.

(Formerly, telemetry gathering was only gathered by default on nightlies and dev tracks; this telemetry does cover usage.. i.e., this seems to include what URL's you're browsing; this could be a security risk for apps like Dropbox and OneDrive.)

To be fair, it's easier to opt-out in Firefox than it is in Chrome, and Firefox is also more up-front about it after initial setup/installation; still, given that Firefox held itself out as the privacy-oriented browser, this is a significant change.

(Which leads to a new question.. what's the new best privacy browser? probably Brave? or, perhaps, Opera?)

EDIT: citation, thanks to cJ0th:

https://www.mozilla.org/en-US/privacy/firefox/


Firefox does NOT do any of this, as far as I know. What is the source of this FUD?

A public discussion was started to get to know how people felt about privacy conserving telemetry collection that would be opt out by default. There was massive negative feedback (duh). The feature did not ship in 57.

https://medium.com/georg-fritzsche/data-preference-changes-i...

"instead we always collect LESS data on Firefox release."


> Firefox does NOT do any of this, as far as I know. What is the source of this FUD?

"Firefox by default shares data to: Improve performance and stability for users everywhere

Interaction data: Firefox sends data about your interactions with Firefox to us (such as number of open tabs and windows; number of webpages visited; number and type of installed Firefox Add-ons; and session length) and Firefox features offered by Mozilla or our partners (such as interaction with Firefox search features and search partner referrals).

Technical data: Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs.

Read the telemetry documentation for Desktop, Android, or iOS or learn how to opt-out of this data collection."

via

https://www.mozilla.org/en-US/privacy/firefox/


I'm objecting to the fact that you are calling this a change and that it supposedly collects more data. My understanding is that it is the opposite. Much of the stuff that you list is the update check and the update checks for add-ons, CA revocation checking etc, all things that have always been on by default and that can now actually be disabled more easily.

I have no idea where you pull the "this seems to include what URL's you're browsing; this could be a security risk for apps like Dropbox and OneDrive" stuff from. The only place I know of that these could potentially be recorded is a crash report, and this has always been the case if you allow it to send crash reports back because they contain the stack contents.


You claimed that I was spreading FUD; rather than resort to ad hominem responses, please counter with facts. I'm happy to apologize if I am incorrect, but it appears that your information appears to be out of date:

Telemetry was previously only enabled by default in Nightly and Aurora:

https://blog.theochevalier.fr/telemetry-enabled-by-default-o...

The telemetry data includes a lot more than just update checks. You wouldn't need to send information to Mozilla to get an update or get CA revocation lists.

For example, from the privacy policy[1]:

    Firefox features offered by Mozilla or our partners (such as *interaction with Firefox search features* and search partner referrals). [emphasis added]

Many of your comments are about Firefox, development with Rust, etc. I didn't mean to offend you if you are closely aligned with Mozilla. A healthy browser ecosystem (and especially the great new rendering engine from Mozilla) benefit us all.

1. https://www.mozilla.org/en-US/privacy/firefox/


> You wouldn't need to send information to Mozilla to get an update or get CA revocation lists.

Any request to Mozilla is sending info to Mozilla, and thus should be covered under the privacy policy. Every check for an update likely also includes the current version running so they can send back info on whether the update is important/security related or not. Even if it was just a "list all versions" request, it still signifies that IP used the browser. Similarly, a CRL list update signifies that the IP used Firefox and that the conditions that trigger a CRL update were met (which might mean an HTTPS address was visited, or it might happen at startup).

Any time Firefox implicitly requests data from Mozilla, that's something that they would likely cover in their Privacy policy. Chrome got a lot of flak a few years back for essentially the same problem, but with a twist. Every time it started it would download a binary blob from Google. It turns out it was the code to do voice recognition, which was executed after download. Fairly innocuous if you trust Google, but it was executing remote code from Google on every startup, so people were rightly disturbed by what they saw going on until an explanation was put forth.


> please counter with facts

I already did. Much of the stuff you mentioned has always been enabled and had nothing to do with telemetry. This is most obvious with the update checks. And yes, you DO need to send information to know which add-ons to update. Probing every installed add-on to see if there's an update amounts to sending over the list of installed add-ons. Let's be forthright about that.

I quoted an article from one of the Telemetry engineers explaining that now LESS data is collected by default.

I think that's a good enough rebuttal to your claim that there has been a change of direction to collect more.


Personally, I actually don't have any issue with any of the individual telemetry data, although it can certainly be used to fingerprint and for other nefarious purposes, or even if it's opt-out instead of opt-in, but collecting it by default is definitely a new change.

In fact, your link explicitly explains that you cannot control the extent of data collection now. ("There is just one control for data upload for Firefox") It also explains that this is a new change ("which is on by default.")

Trying to spin this or casting aspersions on casual users who noticed a change won't change the facts.


You are spreading FUD.

> (URL's? Form data?)

> this telemetry does cover usage.. i.e., this seems to include what URL's you're browsing; this could be a security risk for apps like Dropbox and OneDrive.

Back these claims up with something specific and concrete, otherwise they're just wild speculation.

The search bit you're quoting refers to when you, say, search for something using Amazon via the Amazon search provider built into the browser search box, a piece of data is sent along with the request to Amazon to attribute Mozilla as the source. In aggregate this influences how much Amazon pays out to Mozilla for their default presence in Firefox.

I'm happy to try to clarify any concerns about telemetry or other data collection you might have (in an individual capacity, not as a representative of Mozilla), but usually that should come before the flinging of damaging accusations over a public forum.


> You are spreading FUD

I was pointing out that this is a new opt-in change. The links that were posted prove it. Is that FUD?

> specific and concrete

In the absence of specific information, should we not assume the worst?

> data collection

That sounds reasonable for normal users, but any of this data can be used for fingerprinting, data mining, etc. Do you disagree?

One suggestion for improvement would be that the specifics of what data is collected and why would be a welcome addition to the Privacy Policy page, or perhaps a more detailed page that the PP links to. This would be something people could paste in public forums to refute incorrect statements... especially if the page was on mozilla.org instead of Medium.


I believe the information you're asking for is already all there on the privacy policy page, broken down by feature and with links to disable each, even. It also includes a link to the full technical docs on Firefox telemetry:

https://firefox-source-docs.mozilla.org/toolkit/components/t...

The wording of the search partnership disclaimer could be made clearer. Is there anything else that you find confusing or disconcerting?


Thanks - this is really helpful! I appreciate this link, missed it the first time.


> The feature did not ship in 57.

But CliqZ did ship for some German users, randomly chosen. Which tracks your entire browsing history, and sends it to a company that’s most known for its tracking products.

After this, Firefox deserves to be treated as just as much spyware as Chrome.


This is simply not true. They do not send the user browser history. Most data is processed on the client side https://gist.github.com/solso/423a1104a9e3c1e3b8d7c9ca14e885...


Great, so it only transmits half of your search history without asking you.

That's so much of an improvement for a browser which people only use because they want absolute privacy.


Why was this downvoted? I didn't know anything about this, but it seems (in)credible:

"Mozilla pilots Cliqz engine in Firefox to slurp user browsing data"

"Users who receive a version of Firefox with Cliqz will have their browsing activity sent to Cliqz servers, including the URLs of pages they visit," Mozilla says. "Cliqz uses several techniques to attempt to remove sensitive information from this browsing data before it is sent from Firefox."

http://www.zdnet.com/article/firefox-tests-cliqz-engine-whic...


> you're asked only after installation. You have to pro-actively disable it.

Of course it's done after installation -- how would an app allow you to configure something BEFORE it's installed?


brave and opera both sit on top of chromium so idk about those


Well, they both use webkit or blink for rendering, but I don't know how much of the actual chromium codebase is used. However that shouldn't actually matter, because they both claim to focus on privacy (especially Brave), which means that they've presumably removed or disabled the data tracking code from Chromium... or just changed the API endpoints ;)


Brave browser from Brendan Eich, Mozilla co-founder


My understanding is that Firefox Quantum is not faster due to any additional Rust parts, but because the team focused on performance optimization across the entire codebase.

The only big rust component was introduced a couple of releases ago: Stylo.

Once Webrender is in Firefox, a serious chunk of Firefox will be written in Rust.


Stylo is about 10x faster than the old style system on a four core machine, and about 4x faster than Chrome's style system. This feature alone is worth 30% of initial page load time on amazon and youtube.

So yes, Quantum is faster as a direct result both of Rust code, and of Rust's memory-safety-makes-parallelism-practical features. That is not the only source of performance improvement in Quantum though.

Also, Quantum isn't yet getting the full benefits possible from this code for a few reasons. Firefox 57 uses Stylo for content, but not yet for chrome, which will be coming in a later release. In Servo, CSS is parsed off the main thread, but in Quantum it is not yet (will be done in a future release). Servo pipelines style resolution and frame construction (basically after the top down pass to deal with the style cascade, we go back up the tree bottom up constructing the layout data structures), and Quantum does not yet do this. Lastly, cross-language inlining is missing which would allow inlining FFI calls. Servo doesn't have this issue since all the driver and layout code is also in Rust.


My understanding was that Stylo is released to the production channel today, and it is a major part of the performance boost.

"Quantum" as a term covers a large number of areas, this blog post covers it well:

https://hacks.mozilla.org/2017/11/entering-the-quantum-era-h...


This is incorrect, Stylo is new in 57 and part of the speed boost of Quantum.


Stylo is a big perf jump, but so are many of the other changes. It isn't solely replacing things with Rust that has made it fast.


I actually noticed some weird and potentially concerning behavior with Firefox Quantum this morning.

I had a fair number of tabs open (~28 or so), and I restarted the browser so a change I made would take effect. I have FF set to show my windows and tabs from my previous session on start up, but it instead launched with a single tab showing my home page. Okay, no big deal, I'll just restore my previous session from the History menu. When I clicked on the history menu, though, I didn't see my most recent history, but instead a list of URLs from my bank.

I assume this is due to a syncing issue with my Firefox account (I changed my banking password just to be safe), but it's still concerning.


That really does sound like a sync/profile issue, especially as it coincided with a failure to restore your previous session. I suspect you encountered some sort of corruption in your profile, and Firefox automatically restored one of the multiple backup copies it keeps to attempt to mitigate data loss. Still, always good to take precautions.

What Firefox release channel(s) are you using? Are you running the same version across all of your sync'd devices? And can you share what change you made before restarting the browser?


From what I understand about Rust, it does offer some native security improvements.


Apparently about a third of browser security vulnerabilities can be traced to memory safety issues. So, yes.


But how many of them come from the rendering engine?


They're slowly replacing more and more code with Rust. So eventually Rust will have a much bigger impact.


Rust helps to avoid segfaults, which helps to avoid buffer overflows and stack overflows. Most security attacks are due to these, and it can prevent them better. There is no way a developer can write code in Rust that causes segfaults (at least the language promises that).

recent blog post https://blog.rust-lang.org/2017/11/14/Fearless-Concurrency-I...


> there is no way a developer can write code in Rust that causes segfaults (at least the language promises that).

Well, as long as you avoid unsafe blocks (which turn off a few safety features in a specific scope so you can do complex or performance critical things in that scope) you're supposed to be safe, but to my knowledge it's not formally proven. In practice it seems to be working quite well though.


> there is no way a developer can write code in Rust that causes segfaults (at least the language promises that).

Well, you can very easily: write bad code in unsafe blocks.

That said, your badness is contained within unsafe blocks, so hopefully you have much less code to closely review.


Right, it is well known to the developers what to look for when we see something wrong. It doesn't crash randomly, it cries out loud when it fails so we know what is happening and manage it better.
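
The two points made in the replies above (safe Rust turns an out-of-bounds access into a checked failure, and `unsafe` narrows what has to be reviewed), shown as an added example that is not part of any comment in this thread. The length-prefixed record format, the function names and the inputs are constructed for illustration and do not come from Firefox.

```rust
use std::panic;

/// Errors for the constructed format: [u16 big-endian length][payload], repeated.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader { offset: usize },
    LengthOutOfBounds { offset: usize, claimed: usize, available: usize },
}

/// Parser that treats the length field as untrusted: every slice is taken with
/// `get`, so a lying length becomes an `Err` instead of a read past the buffer.
pub fn parse_records(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut out = Vec::new();
    let mut off = 0usize;
    while off < buf.len() {
        let hdr = buf
            .get(off..off + 2)
            .ok_or(ParseError::TruncatedHeader { offset: off })?;
        let claimed = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
        let start = off + 2;
        let body = buf.get(start..start + claimed).ok_or(ParseError::LengthOutOfBounds {
            offset: off,
            claimed,
            available: buf.len() - start,
        })?;
        out.push(body);
        off = start + claimed;
    }
    Ok(out)
}

/// The same read written carelessly with plain indexing. In safe Rust the
/// out-of-range slice is a checked panic, not silent access to adjacent memory.
pub fn naive_first_record(buf: &[u8]) -> &[u8] {
    let claimed = u16::from_be_bytes([buf[0], buf[1]]) as usize;
    &buf[2..2 + claimed]
}

/// Returns true if the naive version panicked on this input.
pub fn naive_panics_on(buf: &[u8]) -> bool {
    panic::catch_unwind(|| {
        naive_first_record(buf);
    })
    .is_err()
}

/// An `unsafe` read kept behind a safe function. The bounds check right above
/// the block is the invariant a reviewer has to verify; callers cannot break it.
pub fn byte_at(buf: &[u8], i: usize) -> Option<u8> {
    if i < buf.len() {
        // SAFETY: `i < buf.len()` was checked on the line above.
        Some(unsafe { *buf.get_unchecked(i) })
    } else {
        None
    }
}

fn main() {
    // Constructed inputs: two well-formed records, then a header whose length lies.
    let good: &[u8] = &[0, 2, b'h', b'i', 0, 1, b'!'];
    let hostile: &[u8] = &[0xFF, 0xFF, b'A', b'B'];
    println!("{:?}", parse_records(good));
    println!("{:?}", parse_records(hostile));
    println!("naive indexing panicked: {}", naive_panics_on(hostile));
    println!("{:?} {:?}", byte_at(good, 2), byte_at(good, 99));
}
```

Removing the `if i < buf.len()` check in `byte_at` would still compile, which is why the `unsafe` block and the lines that justify it are where review effort goes.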


I remember that quite a few were JS exploits (which is why noscript is so popular), and there's no plan to rewrite the JS JIT to rust (not that it would help much anyways)


They want to rewrite everything in Rust, including the JS JIT https://blog.mozilla.org/javascript/2017/10/20/holyjit-a-new...


For example, NoScript disables webfonts because parsing font files (which is among the jobs of the rendering engine) is done in decades-old, convoluted C code.


They plan to replace that with Pathfinder https://blog.rust-lang.org/2017/11/14/Fearless-Concurrency-I...


A quick look at the recent CVEs for Firefox seems like most of them come from there.


Written in C/C++ or any memory-unsafe language means the above.


Look for the recent whitepapers by Cure53 and X41 both titled Browser Security Whitepaper.

tl;dr Chrome + Edge are more secure. Do not use Internet Exploder


Until proven otherwise, I think Chrome remains the most secure browser.

From what I've seen, FF57 only uses one content process by default (at least when you upgrade it from FF56), although you can enable up to 7 in settings (I wish they gave higher numbers, too, like 50, or have a custom field).

Also, Rust is still a small portion of the browser. I'm not sure how big a portion it is of the rendering parts, which are usually the ones causing security issues.

We'll see how it fares at the next Pwn2Own and perhaps in new papers comparing browsers' security over the coming year.

That said, I am excited that Tor will soon use FF59, which should include all of these improvements (but hopefully customized to have improved hardening by default compared to regular Firefox, on all operating systems).


FF57 has a relatively small amount of Rust (~160k lines of C++ replaced with ~80k lines of 10x faster Rust). Chrome is "pure" C++, though.

More content processes wouldn't make much difference. It doesn't reduce the attack surface (potentially increasing it due to complexity), but only reduces the amount of data per process in case you gain read-only access to its memory (which I can't currently think of as being an interesting attack).

I would imagine that more content processes is about stability, rather than security. However, splitting larger processes into smaller ones can yield great benefit on the security front.

EDIT: FF57 defaults to four content processes.



