frognumber
I will make a controversial comment:

My experience is that security is a function of simplicity and individuals having a complete understanding of the code and implications of changes.

Implications:

- A smaller team will generally lead to more secure software than a larger team.

- Many security layers are counterproductive.

In studies, bugs per KLOC are relatively consistent. A 100-line program can be fully auditable. One with a JIT in a virtual machine in a sandbox looks, on paper, more secure. In practice:

- There are many more places to introduce bugs.

- Beyond some level of complexity, it's impossible to understand the security model holistically.

- Bugs often cut across layers.

- Layers are often used as an excuse ("We'll leave this, since that other layer will catch it").

Layers can be okay if they're well-understood, analyzed, and well-documented (e.g. postfix). However, the vast majority of the time, they're not. People pointing to bigger workforce or sandboxes in Chrome aren't selling me. It only takes one idiot.... And for sandboxes? I've never seen a clean block diagram of the Chrome security model.

To be clear: I'm not arguing which browser is more secure -- simply that the arguments in this thread don't sell me.

maverick74
Let's not talk about privacy (because there is no point in talking about it: Firefox is eons more private than Chrome - or any of its based browsers - can ever be).

About security: Chrome has the biggest workforce, yes. But let's think about this a bit...

First, let's not forget that Chrome is also a bigger target.

Let's imagine this: Consider that 90% of the users worldwide use chromium-based browsers, and you are a hacker who wants to steal people's data or access their computers.

Would you bother targeting 10% of the users? Or would you just go after those 90%???

Now add another detail into that thinking:

People who use Firefox are mostly techies, people who know about computers, gnu/linux users, developers, more security-conscientious users, people who actually know and care about the tech that goes below, people that know what's happening in the IT world, and people that simply don't go with the flock without studying its path first... Now... would you really bother targeting those when you have 90% of people - where probably 85% don't know anything about computers or just don't give a #$%& about it???

Would you go easy bait, or would you try to outsmart those who might be at the same level you are???

(Sure, there are always exceptions!!!)

But then again... maybe that's just me...

_ache_
In terms of time to patch 0-days, Firefox is very quick to fix them (usually hours committed, days to publish). Chrome is quick too, so it's not a competitive advantage.

Most cyber-criminals, however, will target Chrome because it's way more used.

In terms of control, the password manager of Firefox doesn't need you to have an account. That is very important because you want to use a password manager on the web and to be able to actually trust it. Google can close your account without previous notice.

collyw
Chrome sends every address that you enter into your address bar to Google. I noticed this when I decided to look through my Google history and it contained all my DuckDuckGo searches. That was enough to put me off of it.

sneak
It depends on what you mean by safety.

Chrome is much more secure against browser exploits than Firefox. It is perhaps the most advanced piece of security software in the world.

Firefox is a lot more private than Chrome, given that Chrome is chock full of Google surveillance.

Ungoogled Chromium is the best of both worlds, but only if you manually build and update on a near-daily basis.

Note that most people’s advice on this topic is a non-expert, non-informed opinion. Browser choice is a pretty tribalistic, identity-tied thing. It’s like asking people “which is more secure, android or ios?”. (The answer is iOS by a mile, but most “security” types won’t give that answer because they don’t like it. Same goes with Chrome/Firefox.)

pmontra
I use Firefox so I don't really have a meaningful experience with Chrome. What I can tell you is that any time I open the matrix of uMatrix (it's one click on the toolbar) I often see a zillion sites and potential script and XHR requests. Only a few are really needed to display the content of the page or even to make some complex UI work. In almost no case does blocking the scripts for telemetry, error reporting, etc. break the page.

So I wonder how much unnecessary information people using Chrome leak to those sites and the third parties that receive, log and possibly sell those data.

urtuti
I think Chrome has a better security model, sandboxing...

But Firefox seems to have much better security when it comes to reviewing extensions. Some popular extensions go through approval and source code review on every release.

Chrome Play store does not seem to have that. Google's incentive even goes against something like uBlock. If an extension gets sold, or a developer account is compromised, we may get widely distributed malware!

GuB-42
Looking at the recent Pwn2Own competition results, both Chrome and Firefox have been exploited. Overall it looks like they are more or less on the same level security-wise.

Firefox security has improved significantly in the last decade, it was pretty terrible back then. "Electrolysis" and "Quantum" certainly helped.

sunaookami
Chrome is more secure in aspects like the Sandbox. Check f.e. https://madaidans-insecurities.github.io/firefox-chromium.ht...

ZiiS
Practically, the number of people infected with 0-day drive bys vs the number of computers compromised by exploiting the user is insignificant. A browser that helps me concentrate is _MUCH_ safer.

byyll
There is no difference for 99.999% of people.

You are so unlikely to get exploited by a browser vulnerability (if you update) that it's not worth writing about. The people powerful/rich enough have or can acquire an exploit for both.

The choice of browsers is more about what features you want and whether you want a browser engine monopoly or not. Firefox has a few features I like not present in chromium and it's also not part of the monopoly so I use it.

blackoil
For the average user, both are secure enough and privacy is a more important concern.

I don't think a 0-day will be wasted on targeting a random nobody.

To be more secure, the only way is to reduce surface area. Someone like a journalist should disable JS/cookies, all plugins and extensions and preferably browse through a locked down VM. Don't know if there is any minimal browser that has actively removed features.

bitnasty
Larger teams actually mean slower changes, and more likelihood that the code is not great.

Integrations for Google accounts can be seen as a privacy violation. Google doesn’t need to know what other services I am using.

Google’s password manager still has my passwords saved after disabling the feature AND manually “deleting” each one individually. Do not trust them with your passwords.

llmblockchain
I think it comes down to your threat model.

For the vast majority of people (i.e., 99%) there's no difference between the major browsers and the overall security they provide.

For that 1% the difference may be noticeable but pale in comparison to other things like solid opsec, etc. For instance, it doesn't matter what browser you use if you are using SMS 2FA and get hit with a sim-swap because you're bragging on Twitter about how your Coinbase account is sitting at $2MM.

On the other hand, if you're an international arms dealer your browser choice probably matters a lot more. Though, the three letter agencies already have your poster on their wall and you were pwned a year prior anyway. Even worse, if you're outside the US the drones have already been deployed.

The US isn't beyond blowing up hackers, look at Junaid Hussain[1].

[1]: https://en.wikipedia.org/wiki/Junaid_Hussain

staticelf
I would probably say it's impossible to tell so both are equal in that security regard.

I would say other things, like tracking for example, pose a higher security risk and for that reason make Firefox the safer choice. But you have other browsers that build on their engines like Librewolf and similar that are even safer.

n4r9
I don't know if it makes sense to ignore "Google as a company" for this question. You can employ as many people as you want but it won't make a difference if you don't incentivise responsible and secure engineering.

Also, doesn't Firefox also have a decent password management function?

aborsy
Firefox is much more private, but Chrome is more secure, although I don’t know to what extent and whether there is a difference in practice.

The main consideration is the chance of zero days. Does anyone know?

souvlakee
Last month, there was a significant buzz among those involved with Google Search (which includes almost the entire modern internet and all its developers). "Erfan Azimi," the owner of an SEO firm, suddenly began sharing leaked documents revealing how Google's ranking system works. It's more complicated than just the search itself; it involves various APIs around it. Nonetheless, these APIs reveal a lot. The leak happened when a Google developer wrote a program to convert API calls into his preferred programming language but accidentally published everything (if you're interested, I've included a link to the commit with all these descriptions [1]).

Multiple confirmations from reputable sources, including former and current Googlers, have verified the authenticity of this leak. It's not a hoax or a joke but a genuine breach of information that has piqued the interest of all SEO researchers. Here's a reliable summary of the findings:

– Google has allowlists of manually optimized sites, at least for certain topics, such as the 2020 elections or COVID-19.

– Domain names and subdomains are significant factors (despite Google's previous claims).

– There's a sandbox for new sites, which Google has always denied.

– Google directly uses data from EWOK (a system where paid users rate the quality of search results).

– User behavior on sites is actively used for ranking.

– Click data is collected not only from Google Analytics but also directly from the Chrome browser.

– Sites are categorized based on click volume, affecting their quality ranking and PageRank contribution.

– Google considers the overall brand size, including mentions across the internet, not just links.

– Content and links are secondary to clicks and site navigation behavior.

– SEO is almost irrelevant for most small companies and sites without a brand, user base, and reputation.

This is a monumental event in the world of Google Search, marking the most significant leak in the past 10-15 years. It suggests a potential discrepancy between Google's public statements and its actual search practices [3]. The strategy has shifted towards clickbait and bot farms, challenging the long-standing belief that 'content is king.' Unsurprisingly, Google has chosen to remain silent [4]. I recommend reading this article on iPullRank [5] for a more comprehensive understanding.

If you want to stop giving all your data to Google, consider using a non-Chrome browser like Firefox.

[1] https://github.com/googleapis/elixir-google-api/commit/078b4...

[2] https://sparktoro.com/blog/an-anonymous-source-shared-thousa...

[3] https://www.seroundtable.com/google-chrome-search-usage-1561...

[4] https://www.theverge.com/2024/5/28/24166177/google-search-ra...

[5] https://ipullrank.com/google-algo-leak

rldjbpin
i am not a security expert but i got a counterpoint for the "workforce" argument for why chrome might have better security - firefox is better the same way macs or linux desktops are "more secure" than windows.

imo having a much smaller market share disincentivizes exploiters from searching for ways to attack browsers like firefox. this is the same argument used for the aforementioned os. it is very optimistic to assume that either side is able to fix all vulnerabilities, as both have been shown to have 0-days recently.

on the other hand, just like in linux, you need to trust the developers publishing extensions as i don't find moderation quite as competent as google's (even though theirs is also very lackluster overall).

lazyeye
Worth checking out.

The Mullvad browser is a privacy focused version of Firefox (based on the TOR browser with the TOR part removed). It runs fine without the Mullvad VPN.

https://mullvad.net/en/browser

jmclnx
I think so, but maybe not much better. I use noscript so I think that helps a lot.

But, I tend to think on OpenBSD both Chrome and Firefox are more secure than other systems because those are patched with pledge and unveil. So most of the system does not exist for them.

high_na_euv
Not many people are capable of evaluating that. The bar is very, very high.

emayljames
You are ignoring the elephant in the room, so to speak. Apple has a large share of mobile browser usage with Safari (a Webkit browser). Add to this also that any browser used on iOS is webkit.

That aside, what you are asking is really just you giving your personal preference of a browser and if we agree.

collyw
A lot of people are talking about privacy versus security as two different things. Surely knowing more about someone makes the likelihood of guessing a password, or targeting phishing attacks, more likely. A lot of security is down to social engineering tricks, no?

dmvjs
if it is safer, it's more like a photo finish than 2x or 10x or 100x safer

r3db34rd
Why would you pick Google? They support genocide in China.

indymike
Both browsers are very large, very old software. Both companies are big enough to support fast response to exploits. There’s really nothing technical you can point out that makes one more secure. Firefox scores better on privacy which tips the scales towards Firefox.

nubinetwork
For Chrome, you have to deal with Google.

For Firefox, you have to worry about the next "pocket", or the next "Mr. Robot"...

Manifest v3 is looming as well.

Six of one, half a dozen of the other. /shrug

tigeroil
If you're willing to include Chrome forks then I'd say Brave is, despite the issues surrounding their love for crypto, more secure than Chrome, and it has much better anti-fingerprinting if you care about that.