Hacker News new | past | comments | ask | show | jobs | submit login
Firefox 95 might be the most secure web browser on the market (techrepublic.com)
67 points by todsacerdoti 47 days ago | hide | past | favorite | 19 comments

Sandboxing libraries with webasm is an interesting step forward, but on the whole, Firefox is still way behind chromium in security. There's still a massive amount of memory-unsafe code in Firefox, and the granularity and quality of the sandboxing ranges from significantly worse to comically worthless relative to chrome, depending on platform (e.g. audio, GPU, and network all live in the same process on linux, and escaping from that process is essentially trivial, because it has an X11 socket).

Thank you for this. Most people don't realise just how much effort has gone into securing chromium (and therefore chrome) and/or they conflate privacy and security.

One question, you mention memory unsafe code. Is chromium not written in C++? Isn't that still considered an "unsafe" language?

Yes, Chromium is basically entirely memory unsafe modulo mitigations [1], with the exception of some codecs being generated from a memory safe language. I meant that the memory safe parts of Firefox are a very small minority: it's also an enormous pile of memory unsafe C++.

1: There's a very clever project that'll protect against use after free that's being worked on right now: https://docs.google.com/document/d/1m0c63vXXLyGtIGBi9v6YFANu...

With that and memory tagging, the vast majority of vulnerabilities go from remote code execution to just denial of service.

what if firefox is compiled and used wayland only?

Firefox still doesn't encrypt your session cookies.


Isn't that always true for any Firefox version?, at least with the correct 'about:config' tweaks. It could be more secure and private than others. Maybe the defaults are not that great but still better than others default.

> Isn't that always true for any Firefox version?

No, it has not been that way. For a long time Google Chrome was the only browser that had sandboxing by using separate processes for each tab (essentially).

See: https://www.google.com/googlebooks/chrome/small_04.html

For a long time, Firefox did not isolate different different websites in different processes. Today, Firefox has something similar to process sandboxing afaik but it took them some time to do it because their browser has a very old codebase and it took time for them to disentangle everything to provide this feature.

See: https://hacks.mozilla.org/2021/05/introducing-firefox-new-si...

Over the years, Chrome's sandbox has not stood still. It has become more and more sophisticated with various other features added (e.g. sandboxing in Linux using seccomp BPF -- e.g. https://chromium.googlesource.com/chromium/src/+/0e94f26e8/d... ). BTW web searching reveals that firefox is using seccomp too now. However, I don't know the details.

So it would be interesting for someone to have a comparison between the two today.

However, with RLBox, Firefox has added a very powerful sandboxing technology that goes beyond process isolation.

Its quite impressive and I do think that Firefox can now have grounds to argue that it's more secure than Chrome.

I wish Firefox had close to feature parity with Chrome for the developer tools. Would replace Chrome for Firefox in a jiffy

Have you tried firefox developer edition: https://www.mozilla.org/en-US/firefox/developer/

I prefer it to chrome.

Edit: Reason I point it out is, that it took me far too long to realize it was available.

Wow, I never knew this existed. It's not even listed on the download page as "FireFox Developer", you need to click "Learn more about dev tools". From what I can tell, it's normal Firefox, but with added experimental features turned on.

Is this just a tweaked and tuned Firefox release aimed at developers? I like how they also go out of the way to enable dark theming :-)

Yep. Iirc it's based on nightly.

I'm pretty sure it's beta, the former "aurora" channel.

Wow, didn't know this was available! They should add a message when the dev tools is opened to let developers know avout this developer edition. Thanks, will give it a try!

I wish it was the other way around. I miss the option to modify requests and re-send them in Chrome each and every day. That‘s something Firefox has.

What am i missing since i used Firefox Dev-Tools all the time?

Firefox has Resend and Edit and Resend in the network pane, Chromium can debug NodeJS, has a unified sources tab that let's you edit files and (if you set it up) save them, and becomes unresponsive when prettifying large js files faster than Firefox. Those are the only differences I know of.

Firefox recently revamped the performance tools, that was the only thing keeping me in Chrome's developer tools. The new tools in Firefox beat out Chrome imo.

In which way do they beat Chrome?

Difficult to pinpoint specifics, it's probably a matter of personal preference. I just enjoy working in Firefox's performance tools more than I enjoy working in Chrome's now.

Previously Fx lacked so many features that existed in Chrome that you couldn't really compare them.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact