About security: Chrome has the biggest workforce, yes. But let's think about this a bit...
First, let's not forget that Chrome is also a bigger target.
Let's imagine this: consider that 90% of the users worldwide use Chromium-based browsers, and you are a hacker who wants to steal people's data or access their computers.
Would you bother targeting 10% of the users? Or would you just go after those 90%???
Now add another detail into that thinking:
People who use Firefox are mostly techies, people who know about computers, GNU/Linux users, developers, more security-conscious users, people who actually know and care about the tech that goes below, people who know what's happening in the IT world, and people who simply don't go with the flock without studying its path first... Now... would you really bother targeting those when you have 90% of people - where probably 85% don't know anything about computers or just don't give a #$%& about it???
Would you go for easy bait, or would you try to outsmart those who might be at the same level you are???
(Sure, there are always exceptions!!!)
but then again... maybe that's just me...
Most cyber-criminals, however, will target Chrome because it's way more used.
In terms of control, the password manager of Firefox doesn't need you to have an account. That is very important because you want to use a password manager on the web and to be able to actually trust it. Google can close your account without previous notice.
Chrome is much more secure against browser exploits than Firefox. It is perhaps the most advanced piece of security software in the world.
Firefox is a lot more private than Chrome, given that Chrome is chock full of Google surveillance.
Ungoogled Chromium is the best of both worlds, but only if you manually build and update on a near-daily basis.
Note that most people’s advice on this topic is a non-expert, non-informed opinion. Browser choice is a pretty tribalistic, identity-tied thing. It’s like asking people “which is more secure, android or ios?”. (The answer is iOS by a mile, but most “security” types won’t give that answer because they don’t like it. Same goes with Chrome/Firefox.)
So I wonder how much unnecessary information people using Chrome leak to those sites and the third parties that receive, log and possibly sell those data.
But Firefox seems to have much better security when it comes to reviewing extensions. Some popular extensions go through approval and source code review on every release.
Chrome Play store does not seem to have that. Google's incentive even goes against something like uBlock. If an extension gets sold, or a developer account is compromised, we may get widely distributed malware!
Firefox security has improved significantly in the last decade; it was pretty terrible back then. "Electrolysis" and "Quantum" certainly helped.
You are so unlikely to get exploited by a browser vulnerability (if you update) that it's not worth writing about. The people powerful/rich enough have or can acquire an exploit for both.
The choice of browsers is more about what features you want and whether you want a browser engine monopoly or not. Firefox has a few features I like not present in Chromium and it's also not part of the monopoly so I use it.
I don't think a 0-day will be wasted on targeting a random nobody.
To be more secure, the only way is to reduce surface area. Someone like a journalist should disable JS/cookies, all plugins and extensions, and preferably browse through a locked-down VM. Don't know if there is any minimal browser that has actively removed features.
Integrations for Google accounts can be seen as a privacy violation. Google doesn’t need to know what other services I am using.
Google’s password manager still has my passwords saved after disabling the feature AND manually “deleting” each one individually. Do not trust them with your passwords.
For the vast majority of people (ie, 99%) there's no difference between the major browsers and the overall security they provide.
For that 1% the difference may be noticeable but pale in comparison to other things like solid opsec, etc. For instance, it doesn't matter what browser you use if you are using SMS 2FA and get hit with a sim-swap because you're bragging on Twitter about how your Coinbase account is sitting at $2MM.
On the other hand, if you're an international arms dealer your browser choice probably matters a lot more. Though, the three-letter agencies already have your poster on their wall and you were pwned a year prior anyway. Even worse, if you're outside the US the drones have already been deployed.
The US isn't beyond blowing up hackers, look at Junaid Hussain[1].
I would say other things, like tracking for example, pose a higher security risk and for that reason make Firefox the safer choice. But you have other browsers that build on their engines, like LibreWolf and similar, that are even safer.
Also, doesn't Firefox also have a decent password management function?
The main consideration is chance of zero days. Anyone know?
Multiple confirmations from reputable sources, including former and current Googlers, have verified the authenticity of this leak. It's not a hoax or a joke but a genuine breach of information that has piqued the interest of all SEO researchers. Here's a reliable summary of the findings:
– Google has allowlists of manually optimized sites, at least for certain topics, such as the 2020 elections or COVID-19.
– Domain names and subdomains are significant factors (despite Google's previous claims).
– There's a sandbox for new sites, which Google has always denied.
– Google directly uses data from EWOK (a system where paid users rate the quality of search results).
– User behavior on sites is actively used for ranking.
– Click data is collected not only from Google Analytics but also directly from the Chrome browser.
– Sites are categorized based on click volume, affecting their quality ranking and PageRank contribution.
– Google considers the overall brand size, including mentions across the internet, not just links.
– Content and links are secondary to clicks and site navigation behavior.
– SEO is almost irrelevant for most small companies and sites without a brand, user base, and reputation.
This is a monumental event in the world of Google Search, marking the most significant leak in the past 10-15 years. It suggests a potential discrepancy between Google's public statements and its actual search practices [3]. The strategy has shifted towards clickbait and bot farms, challenging the long-standing belief that 'content is king.' Unsurprisingly, Google has chosen to remain silent [4]. I recommend reading this article on iPullRank [5] for a more comprehensive understanding.
If you want to stop giving all your data to Google, consider using a non-Chrome browser like Firefox.
[1] https://github.com/googleapis/elixir-google-api/commit/078b4...
[2] https://sparktoro.com/blog/an-anonymous-source-shared-thousa...
[3] https://www.seroundtable.com/google-chrome-search-usage-1561...
[4] https://www.theverge.com/2024/5/28/24166177/google-search-ra...
IMO having a much smaller market share disincentivizes exploiters from searching for ways to attack browsers like Firefox. This is the same argument used for the aforementioned OS. It is very optimistic to assume that either side is able to fix all vulnerabilities, as both have been shown to have 0-days recently.
On the other hand, just like in Linux, you need to trust the developers publishing extensions, as I don't find moderation quite as competent as Google's (even though theirs is also very lackluster overall).
The Mullvad browser is a privacy-focused version of Firefox (based on the Tor Browser with the Tor part removed). It runs fine without the Mullvad VPN.
But I tend to think that on OpenBSD both Chrome and Firefox are more secure than on other systems because those are patched with pledge and unveil. So most of the system does not exist for them.
That aside, what you are asking is really just you giving your personal preference of a browser and if we agree.
For Firefox, you have to worry about the next "pocket", or the next "Mr. Robot"...
Manifest v3 is looming as well.
Six of one, half a dozen of the other. /shrug
My experience is that security is a function of simplicity and individuals having a complete understanding of the code and implications of changes.
Implications:
- A smaller team will generally lead to more secure software than a larger team.
- Many security layers are counterproductive.
In studies, bugs per KLOC are relatively consistent. A 100-line program can be fully auditable. One with a JIT in a virtual machine in a sandbox looks, on paper, more secure. In practice:
- There are many more places to introduce bugs.
- Beyond some level of complexity, it's impossible to understand the security model holistically.
- Bugs often cut across layers.
- Layers are often used as an excuse ("We'll leave this, since that other layer will catch it").
Layers can be okay if they're well-understood, analyzed, and well-documented (e.g. postfix). However, the vast majority of the time, they're not. People pointing to bigger workforce or sandboxes in Chrome aren't selling me. It only takes one idiot.... And for sandboxes? I've never seen a clean block diagram of the Chrome security model.
To be clear: I'm not arguing which browser is more secure -- simply that the arguments in this thread don't sell me.