Hi @GrapheneOS, can I ask a question?
I know that in the privacy and security communities, many people recommend staying off Firefox because it lacks site isolation (I also saw the statement on your usage page under web browsing). In my understanding, last year Mozilla rolled out their Fission feature, which introduces said site isolation, for their Android version. I noticed for example that IronFox ships with it turned on by default. So, based on this, in your opinion are Firefox-based browsers now as usable as a Chromium-based browser security-wise?

Thanks.

By the way, bought a Pixel 10 pro specifically to use GrapheneOS. It's been great so far. Thanks for your hard work; it's nice to see people as passionate about their line of work as you!

@vax_ Firefox entirely lacks process sandboxing on Android. Firefox rolled out incomplete site isolation providing protection against data being leaked via side channels through not having it in-process. It does not implement sandboxing site isolation required to protect against more than side channels. It doesn't have sandboxing so it can't protect against anything once a remote code execution exploit occurs. It also lacks similar JavaScript VM sandboxing and many other important protections.

@GrapheneOS
@vax_

Is that still true? While still not fully tested, there is support for #Zygote based isolation in #Firefox-based browsers like #Ironfox. See the screenshot.

It may be up to the browser build to enable this, it may be an about:config setting that they expose, it may be less secure than on Chromium, but it exists.

It is in the secret settings which afaik are not a modification of Ironfox.

I have not found a matching about:config yet.

@hen @GrapheneOS

Yeah I saw that, and NGL I miss Firefox; uBO specifically (their custom cosmetic filtering is amazing; everything else is pretty much doable with RethinkDNS), but the thought that 100s of tabs (yes I have a problem lol) aren't isolated makes it impossible for me to switch back (on Android; on PC I still use LibreWolf exclusively).

@vax_

Well, most tabs are unloaded, but yes it is crazy.

Also, uBO has an expert mode which allows filtering a lot more, and per domain. So you can allow Google JavaScript on google.com but nowhere else, for example.

It is way more rough than uMatrix but there is no active fork of that.

DNS-based solutions are all badness enumeration and lack tight integration with the actually affected software. So I cannot exclude everything and allow it step by step (how I use Firefox).

@vax_

And neither can I exclude certain needed websites that break, not even on the same user profile; I need a separate one to bypass a DNS hardening issue.