Regular updates are all well and good for "known" security issues, but there will always be unknown issues, so browsers are never truly secure, so I don't understand this constant need to have the latest security patches in a browser. Let us not forget that Chromium and Chrome are major "privacy" issues in themselves.
@The Red Moon Chromium also has privacy issues? Which issues? There was one bad release, but I didn't hear about other issues.
A browser with the latest known security issues patched will be more secure than one without them patched.
So when do you know when a patched Chrome is patched in Chromium? Or perhaps it's the other way around? Is it secure/safe to use Chromium, if so, how often do you need to update it? I'm downloading 64bit builds from woolyss and I think they recommend updating it once a month.
I know this question was not directed toward me, but I hope it doesn't bother anyone if I share my suggestions. Those are good questions and I am very curious about this as well since I primarily use vanilla Chromium builds as well. Generally, Chromium is patched ahead of Chrome. That is where the Google developers work directly from. Google Chrome takes that Chromium source code and adds their own patches which are mostly branding and API related. If you wanted to know if specific security related bugs are fixed within certain builds, you will find everything that you need here: (https://code.google.com/p/chromium/issues/list) Another useful resource here would be OmahaProxy CSV Viewer (http://omahaproxy.appspot.com/) where you can cross reference different builds, release dates, and much much more. Personally, I would recommend chrlauncher (http://www.henrypp.org/product/chrlauncher) which is linked off of Woolyss' site as well which is portable and gives you the option of starting local or portable versions of Chromium. You can also specify in the configuration file whether you want to update the Chromium build every X amount of days (7 days, 30 days, whatever you choose). It uses the same resources/builds that Woolyss' site downloads from. Updating Chromium once per month might be alright, but I typically update every week. I suppose the more important thing is updating the Flash PPAPI version often if you are using that. But I usually update Chromium once per week and if I get a buggy build, I often roll back the build to a few days prior.
Yandex, unlike most Chrome derivatives, uses its own sync service. Compatible with Chrome and Opera extensions. It has all Chrome security advantages, uses Kaspersky scanner to scan downloaded files and Sophos webpage filter. Unfortunately its auto-updater sucks big time and Yandex is always a few months behind Chromium stable release.
Thank you WildByDesign for the input and valuable links. I'm sure anyone is free to reply/comment on any posts if they'd like ^^ When you say Google devs work directly based on Chromium, these are bugs not security bugs per se and not related to the Google bug bounty program, as far as I can see looking at the link you posted - the bugs seem not to be security related at all. I'm more concerned about the 0 days that Google discovers and patches (via their bug bounty program) and I'm not sure if these patches are implemented into Chromium. Or did I miss something..? Thanks for the tip regarding automated updates. I don't mind updating it manually though, since it's a matter of unzipping the compressed content but it's good to know there's a neat solution to this. Btw, Chromium 64bit version hasn't been updated for 1 month, due to compilation failures. The chrlauncher doesn't change this fact, right?
Yes, you did miss something. Chrome is Chromium. Google developers work on Chromium. They then take Chromium, add a bunch of extras (like flash player) into a package, and release it as Chrome.
That's correct, chrlauncher would also be affected by the current failure with those 64-bit builds. I don't know what's going on with that, but those builds have been failing since before Christmas.
That part I already know. But it isn't clear to me if: when a security bug is discovered in Chrome (e.g. via their bug bounty program), it's actually discovered in Chromium. And when Google patches the 0-days, the patches are readily available for Chromium since it's Chromium they're actually patching? If a security bug is found and patched in current Chrome version 47.xx, in which Chromium version does the patching occur?
You still don't seem to understand. Nothing is changed in Chrome (with the exception of things like Flash) without first being changed in Chromium. Chrome is not open source, Chromium is, that is what is worked and hacked on. I think you're getting confused because you're viewing compiled versions of Chromium as some form of indicator that Chromium is patched. If you want to know when Chromium is patched, look at the Chromium code repository, don't look for compiled versions of Chromium.
Ok, thanks for the explanation. I think I got it this time. So one could conclude that Chrome is actually more secure because the compiled Chromium may be delayed for various reason(s). The recent Chrome update that gave us version 48.x. with several security patches has not yet been compiled for Chromium. Or not since Dec 20 for the 64 bit version.
I see Tor Browser on the list. When did Tor start using Chrome for its browser? It was always Firefox in the past when I used it. Is there more than one Tor Browser?
I've been testing Slimjet lately and find it works better with certain sites than either Chrome or Chromium. The latest version is Version 7.0.5.0 (based on Chromium 47.0.2526.73) and it scored 16/17 at Browserscope security tests.
Only because Firefox (which I liked better) does not work well with Adobe dependent games. I do not like the clear options in Chrome and wish they were better and more like Firefox. Always, Wildman
I'm not sure about that. My take is this: a particular Chromium build is selected and converted by Google to Google Chrome. That particular selected Chromium build gets no more attention. All focus is then on Canary, dev, beta and stable as and when one is converted to the next. Patches will be applied, as appropriate, to Canary, dev, beta or stable. Here too, once Canary is converted to dev, all modifications are made to dev and not to the Canary from which dev was derived and so on.
Ok, so it means whenever Google pushes out a patch for a 0-day, I should stop using the current Chromium and use the next (e.g. stable) version that hopefully has received the same patch. Question is when does the patch appear in Chromium stable?
Avira Scout browser https://www.avira.com/en/avira-scout http://blog.avira.com/avira-scout-early-access/
First, many times, browser developers don't disclose vulnerabilities they've patched. Here's an example from http://googlechromereleases.blogspot.com/2016/01/stable-channel-update_20.html Second, I'm not aware of anything being called "Chromium stable", at least by the Chromium developers. You may be interested in this: https://sites.google.com/a/chromium.org/dev/Home/chromium-security
From the link: "security bugs automatically become publicly visible 14 weeks after they are fixed" So it's virtually impossible to know if a Chrome patch has reached a specific Chromium version? In other words, and if the reasoning I'm making is correct, Chrome is more secure than Chromium unless you know exactly which Chromium version got the Chrome patch?