Browser Security

So my mum’s Kubuntu laptop broke; the screen is completely kaput. You know that test pattern LCDs do when they are really not happy and they’re more liquid than crystal? Yeah, it’s doing that. I have it now to play with, but as a result my mum now has a shiny new Windows 11-based gaming laptop.

(Funny aside, I backed up everything from her old laptop onto an SD card, and went over yesterday to copy everything I’d recovered… completely forgot I’d formatted the SD card to ext4… whoops xD)

Anyway I was setting it up for mum and I asked her what browser she wanted to use. She said Firefox (woo!), which started a discussion with dad about how Edge was a much better and more secure browser than Firefox… which I’m sceptical about. He talked about its integration with the OS, which to me as an absolute layman again seems like a bad thing overall.

I don’t hate Edge tbh. It’s just… Chromium at this point. Like, I knew it was the Chromium back end, but I wasn’t expecting it to be the Chromium front end as well now. I actually use it on Linux alongside Firefox and Konqueror, though naturally this doesn’t have the OS integration of the Windows version.

I was wondering what your thoughts on this were. I think on balance that, whatever Microsoft’s best efforts may be, I am always going to err towards open source over proprietary as far as security goes, but most of this comes from irrational gut feeling rather than any real insight about the state of Edge these days. On the other hand, I guess if Edge is basically Chromium, which is also open source, presumably this means that Firefox doesn’t have the advantage there.

Chromium-based browsers are the #1 target when browser exploitation comes to mind.


I’d imagine so inasmuch as they have like 90+% market share

You might discuss the lack of privacy, and Microsoft’s track record on phoning home. Leading to trackers, browser fingerprinting, and the like.

I was impressed recently when Librewolf persuaded Google that I was using a vanilla Windows system. Freaked Google out a bit.

No shame in that…

I am not convinced there is that much integration; various parts of Windows appear to use Edge’s copy of the Blink renderer, but the browser itself does not appear to integrate in any substantial way, perhaps intentionally, so as to avoid any unwanted scrutiny. Notably, while a fresh install of Windows has the ~/Favorites folder, creating or moving files there does not affect Edge’s Favorites list (bookmarks).

The one clever feature that interests me with Edge is that its newest versions have controls for disabling JIT ECMAScript (JavaScript) execution for added security. Not disabling scripts, but reverting to interpreted execution; either entirely or for certain websites. I will still not use Edge, but I have hopes other browsers might adopt similar features.

The only other distinctive thing that comes to mind is the newtab page with its daily changing background image or video. I am not sure if these mirror the daily Bing picture, the daily Windows lockscreen photo (which differs from Bing), or source a unique daily image.

As would I, though Chromium does still have some potentially unwanted network connections to Google from what I have heard; next time I need a Blink browser I might look at ungoogled-chromium again.

Is that mainly just changes to the useragent and the navigator DOM object? Is there an info page where it describes what the developer did?

I suppose, it could have just reused the modifications that Tor Browser used. I think recent versions of Tor Browser might not attempt to imitate different operating systems anymore, but I could be wrong.

I looked at the FAQ

Yes, Librewolf uses stuff from the Tor_Uplift project.


The biggest security risk on modern browsers is the user themselves, and most attacks aren’t targeting the browser - they’re targeting the user. Phishing scam, download image.jpg.exe and open it, stuff like that. So tell your dad that it’s the user that makes a difference, and no one’s smarter than your Mum 😉

From a technical perspective I don’t have any hard data on what’s better than the other. What you hear is that Chromium-based browsers have more sandboxing features, but whenever I’ve tried to prove it I just find FUD. And honestly sandboxing is only a tiny part of a browser.

This. I don’t think there’s much difference in regards to security between the mainstream browsers like Firefox, Edge, Chrome, etc.; the biggest security flaw is the user.

@cakeisamadeupdrug not sure how much this actually helps security, but I’ve told my mother to use two different browsers, one for online banking and other important stuff, and the other for everything else.


I do actually do this, but for a slightly different reason. I would never use my main browser for something I might show on stream or with students when online teaching. I use a separate browser for all of these.

Many power users I know use Edge, but only because they’re power users. IIRC, Microsoft provides a comprehensive list of almost all of their IPs and subdomains for Windows, which includes trackers and all, which one can block using a Pi-Hole.

But for a regular user, anything works and they’ll probably be the biggest vulnerability themselves. The only choice you might have is the varying telemetry.