Chrome or Firefox

[stanl]

Froma security/privacy point of view, which does OpenBSD consider a better choice?

Thanks

[Head_on_a_Stick]

For security use www/chromium, for privacy use www/lynx

[shep]

There is also www/iridium which is an ungoogled chromium. Some of chromium's security comes from reporting your browsing habits to Google. Unfortunately Google does more with that information than warn you about malicious web sites.
Iridium actively searches for code that contacts Google and disables it.

Presently there is a newer release available in -current that has not been back-ported to 6.6stable.

[stanl]

Thanks to both of you for the information. I'll look into iridium.

[Prevet]

Quote:

Originally Posted by stanl

Froma security/privacy point of view, which does OpenBSD consider a better choice?

Thanks

For privacy: I use tor-browser for general surfing. For security: When I want to log in to a website or buy something, I use Chromium or Iridium if its updated.

Unfortunately tor-browser isn't available on OpenBSD at the moment, so if you want to use it you will have to use another OS. Tails is easy to put on pen drive so there is that.

[ibara]

The tor-browser bundle just needs updating; all the infrastructure is there.

[CiotBSD]

In fact, it's not so easy.

- Chromium is the first delivered with pledge and unveil. OK, good point.
- But, the team works hard to build Firefox with both securities. (Complete for 6.7)?
- And, the new libfido, on -current (perhaps, for 6.7), run with only Firefox. (FIDO: to support 2FA)
- Google has rejected request for patch fido, with tags "WontFix" and "this plateform is not supported"!

Boo, for Google, and Chrome! And, up for FF…

Now, Tor-Browser is available as package: v8.0.9 on stable 6.6

[acampbell]

Pledge and unveil in Firefox are a mixed blessing for me. I can't access any local files, including those in ~/Downloads and /tmp which are supposed to be available. Putting the unveil config files in /etc/firefox makes no difference.

[jggimi]

Are your $HOME/Downloads and /tmp directories symlinks? If so, that is why they are failing for you.

[jak3b]

Ive found Firefox-71 unuseable. I use Firefox-esr. but lately Ive been using Chromium more. Its really snappy these days.

[acampbell]

Quote:

Originally Posted by jggimi

Are your $HOME/Downloads and /tmp directories symlinks? If so, that is why they are failing for you.

No, neither of these is a symlink.

Incidentally Chrome does provide access to these directories but it has its own problems, notably I can't increase the size of the (tiny) toolbar font.

[gustaf]

I'm having the same problem with file access as acampbell (see post #8, above). I've started a new thread to address this issue.

[LeFrettchen]

Chromium for me, until it crashes and don't wanna relaunch.
Then, Firefox

[newtowndaemon]

Both for me. Also lynx for those times when all I've got is a text console. It's the usual problem: some sites won't render properly in firefox but do in chromium and vice versa.

For the most part, I find the browser wars pretty much an OK thing these days as the browsers are cross-platform and open source. I can remember a time in the browser wars when sites would only work properly on the Windows version of IE (ie and not the Mac version of IE) so having choice and the opportunity to run 2 different browsers is OK with me.

I suppose you do need to weigh in how much you worry about the Google tracking. I've heard others say they can block Chromium phoning home completely but I've never seen any evidence of that. Iridium is probably the only way but lags behind Chromium with security updates etc. Last I checked it was some weeks but if it got down to a couple of days then it might be worth a spin.

Simon

[CiotBSD]

FYI: The patch to Chromium for libfido is upstream on current!

Quote:

Fixes: https://bugs.chromium.org/p/chromium...tail?id=451248

Uses /dev/fido via libfido2 bundled with the system. Due to an
abstraction level mismatch only the discovery phase is done via
libfido2.

The port was verified to work with demo.yubico.com, google.com,
github.com on amd64 6.6-current. 4 different devices from Yubico
and a couple other manufacturers work fine.

Known limitations:
* the u2f device needs to be plugged into the USB port before
starting authentication as the devices aren't discovered dynamically;
* kernel crashes are possible without patching a problem showing up
in filt_uhidrdetach https://marc.info/?l=openbsd-tech&m=157812352913919

[e1-531g]

I think one of the most important thing is decent anti-tracker and ad-blocker such as uBlock Origin (general purpse content blocker). Unfortunately Chrome (with exception for enterprise customers) and Chromium will remove Web Request API which is required for this.

[CiotBSD]

or, better : one liste managed by un(bou|wi)nd which handles all network requests and not just the web browser.
Because, just on the web browser, just gives you the illusion of being "protected", when only requests from the web browser are "filtered"... not all others network requests.

[e1-531g]

Quote:

Originally Posted by CiotBSD

or, better : one liste managed by un(bou|wi)nd which handles all network requests and not just the web browser.
Because, just on the web browser, just gives you the illusion of being "protected", when only requests from the web browser are "filtered"... not all others network requests.

It depends whether other programs in the system or system itself tracks you or shows ads.
Browser extension also allows for the most fine-grained filtering. Some domain may host both tracking script and content you want to see. There may be page which you want to support by turning off ad-blocker or be forced to disable it by anti-ad-blocking measures.

[bradley]

Quote:

Originally Posted by newtowndaemon

I suppose you do need to weigh in how much you worry about the Google tracking. I've heard others say they can block Chromium phoning home completely but I've never seen any evidence of that.
Simon

How?

Well, that's a short question but others mentioned uBlock Origin in the thread - it's possible to block connections via this extension but it will NOT block the connections to evil G (meaning the connections by the browser to the mothership).

This is why I'm wondering what might be the best way to block the browser's connections (if someone knows which IPs to block). One way is using the hosts file (but this will not work for me because of the setup here). The other way might be via firewall I suppose. Or maybe using a proxy, which makes it possible to block certain connections.

[IdOp]

I can't say about best, but one other approach is to use a DNS server that purposely tries not to resolve any google hosts properly. An example is DeCloudUs. I once tried their free DNScrypt server for a few days. It was OK but I didn't like being completely unable to use Google search, e.g., with lynx. So I stopped using it.