Firefox vs Chromium - Is chromium a good alternative for security/privacy?

Discussion in 'other security issues & news' started by Overdone, Sep 9, 2014.

  1. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    So, I'm currently using Firefox. However, I find Chromium to be much faster and I kind of prefer it to be honest.

    Chromium has now a NoScript alternative, HTTP SwitchBoard, which greatly enhances one's security/privacy when using the chrome based browser.

    So my question is:

    What browser do you use? Do you think Chromium is safe to use, when it comes to security/privacy?

    If you disable everything in the Privacy settings of Chromium, does it still connect Google? According to this thread, it does. That thread is more than 1 year old though, does it still do it?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,060
    I use Google Chrome. I think it is secure and reasonably private if you disable privacy related settings.
    I don't know if connection mentioned on that site is still created. If I would have to guess, I would say it's still there. Maybe removing Google search engine would stop that check when Chrome is started?
     
  3. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    526
    360 Browser is a good alternative to Chrome.
     
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I think that you can be equally secure with using both Firefox and Chromium.

    From my experiments, it is possible to stop Chromium from doing any kind of unwanted network activity.
     
  5. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    Hey.

    360 Browser is definitely not a good alternative. It's closed source as far as I can tell, made by the chinese and it's probably not even available for Linux (which I use).
     
  6. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    526
    It's not available for Linux but is a customized version of Chrome with a lot of security and performance features added. Basically, it's made by Qihoo which is China's version of Google. It may not work for you but it is great for a Windows machine (http://www.360safe.com/browser.html).
     
  7. tlu

    tlu Guest

    Yes, if it comes to security. The Chrome sandbox is very strong, and the more so in the Linux version (with a SUID sandbox, a seccomp-bpf sandbox and Yama LSM support). Firefox doesn't have that. A good starting point is also this site.

    And yes, if it comes to privacy provided that you chose the appropriate settings. Read the Chrome documentation here, here, here and here. You should, e.g., definitely chose another default search engine (like startpage.com or ixquick.com), and it's also a good idea to block 3rd party cookies and allow 1st party cookies only until you quit the browser. To be sure, a large part of those recommendations also apply to Firefox.

    We discussed this in the HTTPSB thread already. HTTPSB blocks those connections, particularly if you block behind-the-scene requests. More privacy suggestions can be found here.
     
  8. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    Hey there tlu.

    Yes, we did discuss it. I was wondering if Chromium still makes the connection. Sadly, as you told me, HTTPSB also blocks extension updates and the likes when blocking behind the scene requests.. An absolutely wonderful extension though. Probably the best extension I've seen so far.

    My default search engine is DuckDuckGo. Its bang system is fantastic! I should probably get used to startpage though..

    I'm currently using the following add-ons with chromium:

    - mublock (with some additional filters checked)
    - HTTPSB
    - LastPass
    - Vanilla cookie manager
     
    Last edited: Sep 10, 2014
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Have they change the absurd ways to get & update Chromium?
     
  10. guest

    guest Guest

    Is Vanilla Cookie Manager really needed though? Chromium has a pretty decent cookie manager built-in. Just block all cookies by default and whitelist sites where you need to allow cookies.

    Since when Chromium can get updated in the browser itself? =P
     
    Last edited by a moderator: Sep 10, 2014
  11. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    What? I don't understand.
     
  12. guest

    guest Guest

    AFAIK there's no update manager in Chromium. So the only way to check for updates is by going to the Chromium dev website or download portals and see if you have the latest version. That or by using an update manager addon. Unless the updates are continuously being offered in Linux repo, that's the one I don't know.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    With Ubuntu-based Linux it's no problem getting Chromium updates with the added repositories...

    -http://ppa.launchpad.net/skunk/pepper-flash/ubuntu main

    -http://ppa.launchpad.net/skunk/pepper-flash/ubuntu main (source code)
     

    Attached Files:

  14. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    If you are concerned about Google, just use Iron. It's basically Chrome without Google crap.
     
  15. tlu

    tlu Guest

    No. it doesn't.

    Why "sadly"? That's one of the best features of HTTPSB because you have control over what your extensions are doing, e.g., if they regularly contact some 3rd party websites without a replicable reason. I'm afraid that you didn't read thorougly what I wrote in the HTTPSB thread. I pointed you to a post of mine where I explained step by step how to whitelist the relevant cells in the chromium-behind-the-scene matrix in order to allow legitimate requests by Chromium and other extensions (and HTTPSB itself). Save those rules with the padlock and all is well.
     
    Last edited by a moderator: Sep 11, 2014
  16. guest

    guest Guest

    Would people stop recommending Iron, please?
     
  17. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    Even with HTTPSB blocking all behind-the-scene requests, there will be requests by Chromium which can't be blocked: any security-sensitive net requests (extension updates, certificates, and whatever else) will bypass the webRequest API.

    But here is the thing: unless you block systematically all net requests to google.com (or affiliates) with your non-Chromium-based browsers, worrying about the few net requests by Chromium at start up is just silly. Do you systematically block all net requests to google.com (and affiliates) when you surf using Firefox?

    Given how ubiquitous is google.com et al., the few housekeeping net requests to google.com when launching Chromium are drops in the ocean compared to all net requests to google.com et al. when browsing the web casually, and these are the ones from which a profile can be drawn.

    I personally block globally all net requests to ubiquitous domain names (i.e. google.com, and all other which qualify as ubiquitous: twitter, facebook, etc.), and make scope-based exceptions.

    In short, worrying about a few housekeeping call to google.com when launching Chromium is pointless for those who do not systematically block google.com as a rule.
     
  18. tlu

    tlu Guest

    If my memory serves me right, I wasn't able to install and update extensions unless the "other" cell for clients2.googleusercontent.com was whitelisted.
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Not if there were something special about the "few housekeeping calls". For example, those types of calls passing a locally stored identifier vs other types of calls not being allowed to pass a locally stored identifier. Those types of calls passing information that significantly increases the risk of fingerprinting vs other types of calls. Whatever.

    Perhaps you have made a qualitative assessment of those few housekeeping calls, perhaps not, I can't tell. Just mentioning this.
     
  20. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    Yes, there is a PNG of the extension downloaded via `clients2.googleusercontent.com`, or something like that. If the image can't be downloaded, update/installation will fail. I don't know why this one request go through webRequest API.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I like Chromium over Chrome. For one, the plugin footprint is smaller on it.
     

    Attached Files:

  22. tlu

    tlu Guest

    Are you sure? If you install, say, the Adobe Flash Plugin it doesn't make a difference compared to Chrome, IMHO. Besides, it's easy to deactivate plugins which you don't need/want, like the Chrome Remote Desktop Viewer. The main reason why I use Chrome on my Linux: I don't want the "normal" flashplugin (v. 11.2) but rather the PPAPI one because it's sandboxed. If I'd use Chromium, I would have to install the chromium-pepper-flash package which downloads Chrome, extracts the plugin and installs it for Chromium. In other words, I would have to download both Chromium and Chrome just to get pepperflash (and the PDF viewer). Too much trouble if you ask me ;) I mean, if there were convincing arguments why I should prefer Chromium for reasons of better privacy ... but so far I haven't found any provided that I use the right settings and command line switches in Chrome (and HTTPSB, of course).
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    All I know is I end up with fewer plugins on a fresh install of Chromium than I do with Chrome. Yes, I know about being able to deactivate plugins. Are you sure you need to have Chrome installed first before installing Chromium? You may be right because I already did have Chrome installed, but I used the method in the following link to install Chromium with the skunk pepperflash:

    -http://www.webupd8.org/2013/04/install-pepper-flash-player-for.html

    I don't think Chrome installed already is necessary but I could be wrong.
     
  24. tlu

    tlu Guest

    wat0114, I didn't say that you must have Chrome installed. But it's necessary to download Chrome. This is confirmed by the link you provided:

    -http://www.webupd8.org/2013/04/install-pepper-flash-player-for.html

    Quote from that site:
    This is exactly what, e.g., also the chromium-pepper-flash package (AUR) in Arch Linux does.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Ahhh, okay, got it. You're sharper than I ;) I guess I'm just more interested in the end result, so I tend to miss the details.
     
Loading...