Discussion:
current flash vulnerabilities - what to do?
(too old to reply)
Francis Gerund
2015-07-15 23:09:52 UTC
Permalink
Hello!

Run:
- Arch linux 64-bit
- 4.0.7-2-ARCH #1 SMP PREEMPT Tue Jun 30 07:50:21 UTC 2015 x86_64 GNU/Linux
- Firefox 39.0-1
- flashplugin 11.2.202.481-1 (Install Date : Wed 08 Jul 2015)

What is best practice about the current flash vulnerabilites? Just
uninstall flashplugin? Can live without, but many websites still require
it.
D C
2015-07-15 23:22:15 UTC
Permalink
I've actually posted a thread on the forums about this. For youtube you can
just use HTML5. If you require flash there are alternatives: gnash,
lightspark, freshplayerplugin-git, shumway, etc...
Post by Francis Gerund
Hello!
- Arch linux 64-bit
- 4.0.7-2-ARCH #1 SMP PREEMPT Tue Jun 30 07:50:21 UTC 2015 x86_64 GNU/Linux
- Firefox 39.0-1
- flashplugin 11.2.202.481-1 (Install Date : Wed 08 Jul 2015)
What is best practice about the current flash vulnerabilites? Just
uninstall flashplugin? Can live without, but many websites still require
it.
--
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFOa9oMBCACc0vf5MZEKqfyCWw3foRhYqM3zL9zmIuDpLxGZ11BM6dLvTKVG
xets5b2RZX+aPUbASnLFZWqANW2d5K+O7PNkvwKk7jJGu951WQkd1HGNHqQekb3Y
SC6AOIt5G4Iu3xuJdbh8vuSU0tRIU3YVKSIWFCxgdTWO3XukgNYB1ncl39x4VGPh
OsQ8ErsLfVMCwO7q4eTTv89HQZEzvCI+BhMlw0bjViBeMe+4ZfYuiFJp9SyZBcTY
rVkdnn5gVOeqhU1eAk4uieG1t/anGm3GQ6NVDnh/+k6in6SwSZ2jAUXQluCMmyNA
aCOCz7G4kytg8qel3VvT4YuI7hFQxcg17DMnABEBAAG0HURvcmlhbiA8Y2FtZW5z
Y2hpY0BnbWFpbC5jb20+iQE/BBMBAgApBQJTmvaDAhsDBQkFo5qABwsJCAcDAgEG
FQgCCQoLBBYCAwECHgECF4AACgkQugwP0JaXCVNyvAf/Z9gAtGh4SSxNv0/CWFxL
d5P6ikr8qGD9sVuH1QZa90zigmhAngfQyMF0DuPVnRTcVu0pwFObkvdI0/11UaSj
Rdst9sPFV5b4wfLfGw4MinO9vTD7RQoLisnggaroNk98I894lvgtVWECxHYdPnW+
VJWNONAfTOUjfqPVV7B2A35N4DxkgBM0VNdqpcd0Qj6acEaGRcGBlQUyssy+NYEr
5+nS9c58eM9wqxkcaWy2axrX2vvQth5PedGjZl53gsR3cSWLpFmyryyyVi2da4rv
IFLdhZaZfWyRG7y0MTnPdi8NRwBO33r2UX0W+BC8VvGBjob17EgCZT06QHGzAs9F
fLkBDQRTmvaDAQgA2p9RwuEWF16nWkc+z/5Vu6KlQh9paxw1zEHlmC+r103tWby8
27BLocuD7hKqcweuu17HL0LW1iSYfhr/iXDOTiJ5LsKXtBMYAVXbhamLKNOuHTO1
qFdA55f6vtY/eMdWQ8qM+q31cLX0WYiQdsGonuIzqeIXETnmq9rx7fRaxpvv6K4Y
0u9N1NFwrpz2eOuIX/KFicoZs1tGID5OjnL2QB897za8i56oKjHFwNzZCndESc3h
78HXNzu7XMjRQHN8QvwybpWhtDanLd/3ZFvHMViZT9Zo2KAMsCgPNkqDe9SXrrEC
vEYgZn0QO3Akrk1FmmzCCgMzP3F9l3czBNK7mwARAQABiQElBBgBAgAPBQJTmvaD
AhsMBQkFo5qAAAoJELoMD9CWlwlTfKQH/2UsN6WgoyMGgRFm+INdAT8/ew4r30l5
mTMKuAfpLs9lbIfeRJoq2+HtKsv8MNzYYCR595tdI9kTijhD0RKKhEfacBLIZFvZ
0j5SLaR+PC7Ky+KAIXIIZnrHsFAQR21Hup0POxuWeuvs0pfcFWTnNEb6cZHzTP7J
YnUA/khgamUK/uWWymKxOsgR5A/zzHrjnWgMws7vKi7Kd0gvr2t/X393iAxvfUqT
IGiSx+fq/bGB8uyTuQPFpaDRNMo7k2knzQzt4idSKz89tejWyimS71QdnmPWJP84
OTnHUaGQdQamnAQqh5g3GC6XqS57apLQZx+7Y7WUpPjeX/+vQ2GtzuE=
=RFjZ
-----END PGP PUBLIC KEY BLOCK-----
Sebastian Pipping
2015-07-15 23:37:42 UTC
Permalink
Post by D C
I've actually posted a thread on the forums about this. For youtube you can
just use HTML5.
To my best knowledge, it depends on the video / the compression
algorithm used. For some videos on YouTube HTML5 works just fine, for
some Videos you still need Flash.
Post by D C
If you require flash there are alternatives: gnash,
lightspark, freshplayerplugin-git, shumway, etc...
Post by Francis Gerund
Hello!
- Arch linux 64-bit
- 4.0.7-2-ARCH #1 SMP PREEMPT Tue Jun 30 07:50:21 UTC 2015 x86_64 GNU/Linux
- Firefox 39.0-1
- flashplugin 11.2.202.481-1 (Install Date : Wed 08 Jul 2015)
What is best practice about the current flash vulnerabilites?
I believe your options are:

* to enable Flash on a per-bideo basis for content you "consider
safe" or

* to switch to a version of Chrom(ium|e) running Pepper API Flash
18.0.0.209 or newer

(https://helpx.adobe.com/security/products/flash-player/apsb15-18.html) or

* freshplayerplugin-git with Chrom(ium|e) Pepper Flash 18.0.0.209
or newer in Firefox, may be be less safe than ussage from
Chrom(ium|e), due to

"This particular implementation doesn't implement any sandbox.
[..] This is the same level of security as NPAPI Flash have."

see https://github.com/i-rinat/freshplayerplugin or

* not using Flash until an update is released.
Post by D C
Just
Post by Francis Gerund
uninstall flashplugin? Can live without, but many websites still require
it.
Since you put it that way, uninstalling Flash has other benefits like
making your browser fingerprint "less unique". If it's an option to
you, maybe this is the best occasion to quit.

Best,



S
Bardur Arantsson
2015-07-16 16:18:29 UTC
Permalink
Post by Sebastian Pipping
Post by D C
I've actually posted a thread on the forums about this. For youtube you can
just use HTML5.
To my best knowledge, it depends on the video / the compression
algorithm used. For some videos on YouTube HTML5 works just fine, for
some Videos you still need Flash.
FWIW, I don't think I've ever encountered a non-HTML5-friendly video on
YouTube in at least 2 years. (Granted, this is just anecdata, but...)
Jens Adam
2015-07-15 23:38:48 UTC
Permalink
Post by D C
freshplayerplugin
Just to nitpick: even if it's more current (feature-wise) than
standard Adobe Linux 11.2 flashplugin, it's still Adobe Flash and
thus just as problematic regarding its security.

--byte
Daniel Micay
2015-07-16 00:42:28 UTC
Permalink
Post by Jens Adam
Post by D C
freshplayerplugin
Just to nitpick: even if it's more current (feature-wise) than
standard Adobe Linux 11.2 flashplugin, it's still Adobe Flash and
thus just as problematic regarding its security.
--byte
PPAPI Flash runs in a strong sandbox in Chromium. However, fresh player
throws away that advantage.
Francis Gerund
2015-07-16 00:45:35 UTC
Permalink
Okay.

Just uninstalled flashplugin (really should never have installed anyway).
can always try gnash later, but I'll try without to see how it goes.

Thanks.
Post by Jens Adam
Post by D C
freshplayerplugin
Just to nitpick: even if it's more current (feature-wise) than
standard Adobe Linux 11.2 flashplugin, it's still Adobe Flash and
thus just as problematic regarding its security.
--byte
Ralf Mardorf
2015-07-16 12:04:47 UTC
Permalink
Post by Francis Gerund
Just uninstalled flashplugin (really should never have installed
anyway). can always try gnash later, but I'll try without to see how
it goes.
Gnash can't replace the proprietary crap. I neither have the
proprietary, nor gnash installed. For "emergency" I've got Chrome
installed, but my usual approach is, that as soon as Chrome is needed,
I'm not interested in the content anymore. JFTR assumed you're using
Firefox with safe browsing and auto-updates e.g. for Cisco H264, with
prefetch and keyword enabled and geo information and reports enabled,
then you don't need to care about how evil a Google browser or Adobe
crap are, since your Firefox is bad too ;).
Ben Oliver
2015-07-16 12:10:33 UTC
Permalink
Post by Ralf Mardorf
Post by Francis Gerund
Just uninstalled flashplugin (really should never have installed
anyway). can always try gnash later, but I'll try without to see how
it goes.
Gnash can't replace the proprietary crap. I neither have the
proprietary, nor gnash installed. For "emergency" I've got Chrome
installed, but my usual approach is, that as soon as Chrome is needed,
I'm not interested in the content anymore. JFTR assumed you're using
Firefox with safe browsing and auto-updates e.g. for Cisco H264, with
prefetch and keyword enabled and geo information and reports enabled,
then you don't need to care about how evil a Google browser or Adobe
crap are, since your Firefox is bad too ;).
I have to agree with Ralf, you will be fine.

I have been flash-free for 18 months now and it's going absolutely fine.
Unless you have a penchant for flash games, there's very little reason to
have it installed any more.
Ralf Mardorf
2015-07-16 16:06:52 UTC
Permalink
Post by Ben Oliver
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely
fine. Unless you have a penchant for flash games, there's very little
reason to have it installed any more.
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-firefox-blocks-hacking
Daniel Micay
2015-07-16 16:20:48 UTC
Permalink
Post by Ralf Mardorf
Post by Ben Oliver
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely
fine. Unless you have a penchant for flash games, there's very little
reason to have it installed any more.
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-firefox-blocks-hacking
Mozilla blocked the vulnerable version, as they've done in the past. The
current release isn't blocked because there aren't yet disclosed
security vulnerabilities.

Google bundles the PPAPI Flash player with Chrome so they don't need a
comparable blacklist as it gets updated with the browser.
Ralf Mardorf
2015-07-16 16:32:43 UTC
Permalink
Post by Daniel Micay
Post by Ralf Mardorf
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-firefox-blocks-hacking
Mozilla blocked the vulnerable version, as they've done in the past.
The current release isn't blocked because there aren't yet disclosed
security vulnerabilities.
Google bundles the PPAPI Flash player with Chrome so they don't need a
comparable blacklist as it gets updated with the browser.
That's not why I posted this link. I posted it regarding the
quote of Facebook’s head of security Alex Stamos:

"It is time for Adobe to announce the end-of-life date for Flash and to
ask the browsers to set killbits on the same day."
Francis Gerund
2015-07-16 17:01:09 UTC
Permalink
Just noticed in Firefox 39.0-1 preferences an entry "Flash video". In the
drop down menu next to it, "Use mplayerplug-in is now gecko-mediaplayer
1.0.9 (in Firefox)" is selected.

Gecko-mediaplayer 1.0.9-1, Build Date: Tue 27 May 2014 is installed.

I could uninstall gecko-mediaplayer, but quite a few things in Firefox
preferences in (other than "Flash video") seem to be set up to use it
also.

So, unless I want to lose a lot of functionality in Firefox (and mplayer
37379-3, and elsewhere?), should I just switch the menu selection
in Firefox to "Always ask"?


Or is there a better idea?
Post by Ralf Mardorf
http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-firefox-blocks-hacking
Post by Daniel Micay
Mozilla blocked the vulnerable version, as they've done in the past.
The current release isn't blocked because there aren't yet disclosed
security vulnerabilities.
Google bundles the PPAPI Flash player with Chrome so they don't need a
comparable blacklist as it gets updated with the browser.
That's not why I posted this link. I posted it regarding the
"It is time for Adobe to announce the end-of-life date for Flash and to
ask the browsers to set killbits on the same day."
Ralf Mardorf
2015-07-16 17:32:36 UTC
Permalink
Post by Francis Gerund
Just noticed in Firefox 39.0-1 preferences an entry "Flash video".
Where exactly is this entry?

I heard that H.264 from Cisco phones home, resp. auto-updates, so you
might want to edit about:config to use gstreamer H.264. Perhaps this
automatically is done by installing the optional dependencies?

JFTR I didn't change something regarding H.264 and I kept several other
phone home crap of a default Firefox. I guess I only disabled "Block
reported..." by the preferences.

However, if I right click on a YouTube video there is "About the HTML5
player": https://www.youtube.com/html5
Francis Gerund
2015-07-16 18:10:47 UTC
Permalink
Post by Ralf Mardorf
Where exactly is this entry?
In the Firefox menu bar, click the "Open menu" icon (3 stacked horizontal
lines)

Then click the "Preferences" icon.

Then click "Applications" in the menu at the far left.

[Note: shows in the URL diplay area as: "about:preferences#applications"].

There are 2 columns: "Content type", on the left, and "Action", on the
right. Under "Content type" is the entry "Flash video". Next to that,
under "Action", is "Use mplayerplug-in is now gecko-mediaplayer 1.0.9 (in
Firefox)".

If that is clicked, other choices also appear:
- "Always ask"
- "Save file"
- "Use Videos (default)"
- "Use other . . ."
Post by Ralf Mardorf
Post by Francis Gerund
Just noticed in Firefox 39.0-1 preferences an entry "Flash video".
Where exactly is this entry?
I heard that H.264 from Cisco phones home, resp. auto-updates, so you
might want to edit about:config to use gstreamer H.264. Perhaps this
automatically is done by installing the optional dependencies?
JFTR I didn't change something regarding H.264 and I kept several other
phone home crap of a default Firefox. I guess I only disabled "Block
reported..." by the preferences.
However, if I right click on a YouTube video there is "About the HTML5
player": https://www.youtube.com/html5
Ralf Mardorf
2015-07-16 21:30:07 UTC
Permalink
Post by Francis Gerund
shows in the URL diplay area as: "about:preferences#applications"
Ok, my guess was that you were talking about those preferences. My
Firefox doesn't have an entry "Flash video".
Natu
2015-07-16 19:48:13 UTC
Permalink
Post by Ben Oliver
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine.
Unless you have a penchant for flash games, there's very little reason to
have it installed any more.
I totally support phasing out flash, however, I run firefox inside a
docker container and then I don't have to worry about these security
issues since I disgard the running container and reload from the saved
image daily.

Natu
Daniel Micay
2015-07-16 20:06:05 UTC
Permalink
Post by Natu
Post by Ben Oliver
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine.
Unless you have a penchant for flash games, there's very little reason to
have it installed any more.
I totally support phasing out flash, however, I run firefox inside a
docker container and then I don't have to worry about these security
issues since I disgard the running container and reload from the saved
image daily.
Natu
You do have to worry unless you don't care about it someone grabbing all
of your active login sessions (cookies), all of the entered form data,
etc. There's a reason for browser sandboxes being per-site-instance
instead of trying to wrap the browser as a whole. Most of the
information the attackers want is in the web browser, or can be obtained
there by grabbing passwords and other information like credit card
numbers as they're entered.

Anyway, local privilege exploits in the Linux kernel are as common as
remote Flash exploits. Docker exposes nearly the entire Linux kernel
attack surface to code in the container. It's not much of a sandbox.
Natu
2015-07-16 20:43:25 UTC
Permalink
Post by Daniel Micay
Post by Natu
Post by Ben Oliver
I have to agree with Ralf, you will be fine.
I have been flash-free for 18 months now and it's going absolutely fine.
Unless you have a penchant for flash games, there's very little reason to
have it installed any more.
I totally support phasing out flash, however, I run firefox inside a
docker container and then I don't have to worry about these security
issues since I disgard the running container and reload from the saved
image daily.
Natu
You do have to worry unless you don't care about it someone grabbing all
of your active login sessions (cookies), all of the entered form data,
etc. There's a reason for browser sandboxes being per-site-instance
instead of trying to wrap the browser as a whole. Most of the
information the attackers want is in the web browser, or can be obtained
there by grabbing passwords and other information like credit card
numbers as they're entered.
Anyway, local privilege exploits in the Linux kernel are as common as
remote Flash exploits. Docker exposes nearly the entire Linux kernel
attack surface to code in the container. It's not much of a sandbox.
Thanks for pointing this out.. What you say is true. I actually run
two different firefox browsers, one for secure uses and the other for
random browsing. One inside of a VM on my desktop (and I revert back to
the base image daily). The other web browser I run in a docker
container running on a tiny arm box. The one running on the arm box,
obviously doesn't support flash. I generally use the one running on the
arm box for online banking/credit cards etc.

I don't know that I even trust openssl anymore. I used to run chromium,
but got tired of it passing so much information back to google, so I
went back to firefox. What I run is not an ideal solution. I'm open to
other suggestions. I used to love chrome, but got tired of google
spying. And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your own
version of the source code.



Natu
Ralf Mardorf
2015-07-16 21:55:37 UTC
Permalink
Post by Natu
And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your
own version of the source code.
But we need to monitor Firefox. A minute ago I deleted 7 Yahoo entries
in about:config. Using Wireshark I noticed connections to a Yahoo
thingy. If you clean about:config from all unwanted entries, you might
automagically get new unwanted entries after a while. I consider my
machine as a digital audio workstation with less security and less
privacy. Pale Moon seems not to be (much) better. Maybe QupZilla is a
little bit better, at least the history is better usable :D.
Natu
2015-07-16 23:01:42 UTC
Permalink
Post by Ralf Mardorf
Post by Natu
And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your
own version of the source code.
But we need to monitor Firefox. A minute ago I deleted 7 Yahoo entries
in about:config. Using Wireshark I noticed connections to a Yahoo
thingy. If you clean about:config from all unwanted entries, you might
automagically get new unwanted entries after a while. I consider my
machine as a digital audio workstation with less security and less
privacy. Pale Moon seems not to be (much) better. Maybe QupZilla is a
little bit better, at least the history is better usable :D.
Tor browser, or Jondofox are another possibility. I'm pretty sure
jondofox can be easily configured to go directly out to the internet
without using their network (not that TOR or Jondo network's are bad,
just too slow for many uses. I do use both TOR and Jondo networks at
times) and the browsers (both Tor and Jondofox are based on firefox)
have been modifed and hopefully spy features have been removed.
Florian Pelz
2015-07-17 06:07:17 UTC
Permalink
Post by Natu
Post by Ralf Mardorf
Post by Natu
And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your
own version of the source code.
But we need to monitor Firefox. A minute ago I deleted 7 Yahoo entries
in about:config. Using Wireshark I noticed connections to a Yahoo
thingy. If you clean about:config from all unwanted entries, you might
automagically get new unwanted entries after a while. I consider my
machine as a digital audio workstation with less security and less
privacy. Pale Moon seems not to be (much) better. Maybe QupZilla is a
little bit better, at least the history is better usable :D.
Tor browser, or Jondofox are another possibility. I'm pretty sure
jondofox can be easily configured to go directly out to the internet
without using their network (not that TOR or Jondo network's are bad,
just too slow for many uses. I do use both TOR and Jondo networks at
times) and the browsers (both Tor and Jondofox are based on firefox)
have been modifed and hopefully spy features have been removed.
There's also GNU Icecat in AUR and Parabola's libre repositories. I
don't think it has spyware, but it's probably not better security-wise.
The releases seem to lag slightly behind the Firefox ESR releases it is
based on.
Ralf Mardorf
2015-07-17 06:13:35 UTC
Permalink
Post by Natu
Tor browser
Tor browser not necessarily is slow, but it is missing comfort such as
a history.

I need around 1½ hours to compile a kernel with a default Arch
configuration and around 3½ hours to compile Firefox.

In Western civilisations we seldom need TOR, what we need are less
bloated browsers, that still provide some comfort.
Christian Demsar
2015-07-17 15:20:14 UTC
Permalink
Post by Ralf Mardorf
In Western civilisations we seldom need TOR, what we need are less
bloated browsers, that still provide some comfort.
There are a few minimalist browsers out there. Gnome, KDE, and XFCE all
have them.

The basic comfort I require is cross-platform bookmark sync. None of
these small browsers have the manpower to do this unless they wrap
themselves into FF sync like icecat does.

Anyone have any ideas on how to sync bookmarks, history, and tabs across
FLOSS browsers on all platforms?


Aside, flash is still important. It should just be treated as if it is
riddled with 0-days (which it is) and an open door for malware. I've used
it more than a few times viewing .swf`s for college classes, for
instance, and I doubt the university is going to pay someone to convert
content that is still "functional".

There's a lot of legacy flash content that should be preserved and
accessible, but there definitely shouldn't be any new flash content
being created.
Daniel Micay
2015-07-17 00:50:27 UTC
Permalink
Post by Natu
I don't know that I even trust openssl anymore. I used to run chromium,
but got tired of it passing so much information back to google, so I
went back to firefox. What I run is not an ideal solution. I'm open to
other suggestions. I used to love chrome, but got tired of google
spying. And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your own
version of the source code.
Chromium doesn't have 'spying' code that's not optional. It supports
more Google services than Firefox and uses more of them out-of-the-box
since it's the basis of the browser Google uses to promote themselves.
Firefox is picking up support for non-Google proprietary services over
time anyway so it'll probably end up with more in the end.

User security is certainly much, much lower on Firefox's priority list.
They don't even enable ASLR yet, let alone robust sandboxing and
advanced exploit mitigations throughout the browser. Mozilla ends up
taking the same anti-user positions on issues like DRM after pretending
that they're different. I can't think of one issue where they've taken
the high road compared to Chromium. At least you know what you're
getting with Google: profit-oriented corporation. Mozilla may not be
accountable to shareholders, but they're even less concerned about the
users. Google will reverse course during a PR disaster... Mozilla will
just dig in and stonewall.

For just one of many examples, look at the difference in the handling of
the WebRTC IP leak:

https://code.google.com/p/chromium/issues/detail?id=333752
https://bugzilla.mozilla.org/show_bug.cgi?id=959893

Oh, and the developer making the calls at Mozilla on this WebRTC privacy
disaster developed the backdoored random number generation standard with
the NSA. Mozilla isn't interested in commenting on this at all, as is
usually the case (all discussion about it has been shut down).[1]

[1]
http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

Google would have fired this guy ASAP because it's not in their
self-interest to make themselves look bad. Mozilla just coasts by on a
naive, trusting community as they always do... and yet of their
prominent developers think you should be groveling at their feet for all
the good they've done for FOSS.
David Kaylor
2015-07-17 02:15:25 UTC
Permalink
I don't know how exactly this thread morphed into a debate about
Chrome/Chromium vs. Firefox, or Google vs. Mozilla (Although I think Daniel
Micay makes some interesting points re Google vs. Mozilla.), but for now,
flashplugin-11.2.202.491-1 has finally been released. And while that's
great for linux firefox users who still need or want to use flash, take
note of the fact that it took a week for Adobe to release it. Three days
after the more recent versions (18 and 13). Extraordinary circumstances,
yes, but it shows Adobe's priorities. Users should also remember, they've
only committed to maintaining the NPAPI linux version until mid-2017.
Bottomline, time to start trying your daily firefox browsing without flash
and see how bad it is. I did it for a week in firefox and only one of my
regular sites (teamcoco.com) required it for actual content.

Also, re WebRTC issues, the latest uBlock Origin plugin has a settings
option, turned off by default, to prevent IP leaking.
Natu
2015-07-17 03:30:56 UTC
Permalink
Post by Daniel Micay
Post by Natu
I don't know that I even trust openssl anymore. I used to run chromium,
but got tired of it passing so much information back to google, so I
went back to firefox. What I run is not an ideal solution. I'm open to
other suggestions. I used to love chrome, but got tired of google
spying. And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your own
version of the source code.
Chromium doesn't have 'spying' code that's not optional. It supports
more Google services than Firefox and uses more of them out-of-the-box
since it's the basis of the browser Google uses to promote themselves.
Firefox is picking up support for non-Google proprietary services over
time anyway so it'll probably end up with more in the end.
Have you used something like tcpdump and verified that you can configure
chromium such that it doesn't connect to any google servers or any other
servers other than the ones that you've specified in the url or that are
referenced on web pages that you've opened? Maybe I'll have to try it
again. That wasn't my experience the last time I tried it.

Mozilla gets a large amount of their funding from google, so there's
alot of politics behind this. Google for "firefox funded by google".
Post by Daniel Micay
User security is certainly much, much lower on Firefox's priority list.
They don't even enable ASLR yet, let alone robust sandboxing and
advanced exploit mitigations throughout the browser. Mozilla ends up
taking the same anti-user positions on issues like DRM after pretending
that they're different. I can't think of one issue where they've taken
the high road compared to Chromium. At least you know what you're
getting with Google: profit-oriented corporation. Mozilla may not be
accountable to shareholders, but they're even less concerned about the
users. Google will reverse course during a PR disaster... Mozilla will
just dig in and stonewall.
For just one of many examples, look at the difference in the handling of
https://code.google.com/p/chromium/issues/detail?id=333752
https://bugzilla.mozilla.org/show_bug.cgi?id=959893
Oh, and the developer making the calls at Mozilla on this WebRTC privacy
disaster developed the backdoored random number generation standard with
the NSA. Mozilla isn't interested in commenting on this at all, as is
usually the case (all discussion about it has been shut down).[1]
I do agree that chromium is technically more advanced, but I don't
exactly trust google either. I'm not really sure where to find a web
browser that can be trusted. I do note that both tor and jondo have
chosen firefox, and I suspect there is a good reason for this, though
they do apply their own modifications. The security of TOR has been
touted as being very solid, though I haven't seen as many reviews of
jondo. By default flash is disabled in both of them, but easier to turn
on in jondofox.
Post by Daniel Micay
[1]
http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
Google would have fired this guy ASAP because it's not in their
self-interest to make themselves look bad. Mozilla just coasts by on a
naive, trusting community as they always do... and yet of their
prominent developers think you should be groveling at their feet for all
the good they've done for FOSS.
Daniel Micay
2015-07-17 15:30:05 UTC
Permalink
Post by Natu
Post by Daniel Micay
Post by Natu
I don't know that I even trust openssl anymore. I used to run chromium,
but got tired of it passing so much information back to google, so I
went back to firefox. What I run is not an ideal solution. I'm open to
other suggestions. I used to love chrome, but got tired of google
spying. And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your own
version of the source code.
Chromium doesn't have 'spying' code that's not optional. It supports
more Google services than Firefox and uses more of them out-of-the-box
since it's the basis of the browser Google uses to promote themselves.
Firefox is picking up support for non-Google proprietary services over
time anyway so it'll probably end up with more in the end.
Have you used something like tcpdump and verified that you can configure
chromium such that it doesn't connect to any google servers or any other
servers other than the ones that you've specified in the url or that are
referenced on web pages that you've opened? Maybe I'll have to try it
again. That wasn't my experience the last time I tried it.
It will check for updates to extensions... so will other browsers. You
are claiming that spying code is there yet it's an open-source project
and no one has ever found any. Prove it instead of spreading FUD.
Post by Natu
Mozilla gets a large amount of their funding from google, so there's
alot of politics behind this. Google for "firefox funded by google".
Mozilla gets their money from other sources like Yahoo and the
in-browser advertising and proprietary services now.
Post by Natu
Post by Daniel Micay
User security is certainly much, much lower on Firefox's priority list.
They don't even enable ASLR yet, let alone robust sandboxing and
advanced exploit mitigations throughout the browser. Mozilla ends up
taking the same anti-user positions on issues like DRM after pretending
that they're different. I can't think of one issue where they've taken
the high road compared to Chromium. At least you know what you're
getting with Google: profit-oriented corporation. Mozilla may not be
accountable to shareholders, but they're even less concerned about the
users. Google will reverse course during a PR disaster... Mozilla will
just dig in and stonewall.
For just one of many examples, look at the difference in the handling of
https://code.google.com/p/chromium/issues/detail?id=333752
https://bugzilla.mozilla.org/show_bug.cgi?id=959893
Oh, and the developer making the calls at Mozilla on this WebRTC privacy
disaster developed the backdoored random number generation standard with
the NSA. Mozilla isn't interested in commenting on this at all, as is
usually the case (all discussion about it has been shut down).[1]
I do agree that chromium is technically more advanced, but I don't
exactly trust google either.
Yet you trust another American corporation (Mozilla) that has repeatedly
shown itself to place users and especially contributors in even lower
regard.
Post by Natu
I'm not really sure where to find a web
browser that can be trusted. I do note that both tor and jondo have
chosen firefox, and I suspect there is a good reason for this, though
they do apply their own modifications. The security of TOR has been
touted as being very solid, though I haven't seen as many reviews of
jondo. By default flash is disabled in both of them, but easier to turn
on in jondofox.
The Tor browser is quite insecure. It's nearly the same thing as
Firefox, so it falls near the bottom of the list when it comes to
browser security, i.e. below even Internet Explorer, which has a basic
sandbox (but not nearly on par with Chromium, especially on Linux) and
other JIT / allocator hardening features not present at all in Firefox.
What the Tor browser *does* have that's unique are tweaks to
significantly reduce the browser's unique fingerprint.

https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study

Tor would be a fork of Chromium if they were starting again today with a
large team. They don't have the resources to switch browsers. That would
only change if they can get Google to implement most of the features
they need.
Ralf Mardorf
2015-07-17 16:35:10 UTC
Permalink
Post by Daniel Micay
The Tor browser is quite insecure. It's nearly the same thing as
Firefox, so it falls near the bottom of the list when it comes to
browser security, i.e. below even Internet Explorer, which has a basic
sandbox (but not nearly on par with Chromium, especially on Linux) and
other JIT / allocator hardening features not present at all in Firefox.
What the Tor browser *does* have that's unique are tweaks to
significantly reduce the browser's unique fingerprint.
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
Tor would be a fork of Chromium if they were starting again today with
a large team. They don't have the resources to switch browsers. That
would only change if they can get Google to implement most of the
features they need.
Vivaldi is based on Chromium. How does Vivaldi compare regarding
security and privacy to IceCat, Pale Moon, Firefox, QupZilla, Opera?

https://aur4.archlinux.org/packages/?O=0&K=vivaldi
https://aur.archlinux.org/packages/?O=0&K=vivaldi
Daniel Micay
2015-07-17 17:00:30 UTC
Permalink
Post by Ralf Mardorf
Post by Daniel Micay
The Tor browser is quite insecure. It's nearly the same thing as
Firefox, so it falls near the bottom of the list when it comes to
browser security, i.e. below even Internet Explorer, which has a basic
sandbox (but not nearly on par with Chromium, especially on Linux) and
other JIT / allocator hardening features not present at all in Firefox.
What the Tor browser *does* have that's unique are tweaks to
significantly reduce the browser's unique fingerprint.
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
Tor would be a fork of Chromium if they were starting again today with
a large team. They don't have the resources to switch browsers. That
would only change if they can get Google to implement most of the
features they need.
Vivaldi is based on Chromium. How does Vivaldi compare regarding
security and privacy to IceCat, Pale Moon, Firefox, QupZilla, Opera?
https://aur4.archlinux.org/packages/?O=0&K=vivaldi
https://aur.archlinux.org/packages/?O=0&K=vivaldi
It's a proprietary browser built on Chromium. It's not interesting from
a security / privacy perspective.

If you want Chromium without Google integration then you can use
Iridium. It doesn't remove any tracking / spying code though. There
wasn't any to remove. Their redefinition of tracking just means support
for any service hosted by Google (like adding a warning message when a
dictionary would be downloaded from them). Most of what it does is
changing the the default settings to be more privacy conscious.

https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/log/
Jagannathan Tiruvallur Eachambadi
2015-07-17 17:14:59 UTC
Permalink
Post by Daniel Micay
If you want Chromium without Google integration then you can use
Iridium. It doesn't remove any tracking / spying code though. There
wasn't any to remove. Their redefinition of tracking just means support
for any service hosted by Google (like adding a warning message when a
dictionary would be downloaded from them). Most of what it does is
changing the the default settings to be more privacy conscious.
https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/log/
We don't have it in the AUR though.
Daniel Micay
2015-07-17 17:38:15 UTC
Permalink
Post by Daniel Micay
We don't have it in the AUR though.
Well, I don't really think it's useful. It was just a suggestion for
people who can't tolerate Chromium downloading things like dictionaries
from Google.
Ralf Mardorf
2015-07-19 17:00:29 UTC
Permalink
Post by Daniel Micay
Post by Daniel Micay
https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/log/
We don't have it in the AUR though.
Unfortunately it needs more than just an "averaged" git-PKGBUILD, IOW
it's much work. I started writing a PKGBUILD, but for my taste it's too
much work to finish it.

There's https://aur4.archlinux.org/packages/inox/ , but this fails to
build with "error: target not found: python2-ply<3.5
==> ERROR: 'pacman' failed to install missing dependencies."

Even writing a comment seems not to be worth the effort.

Continue reading on narkive:
Loading...