This article serves as an unofficial update to madaidan's article on Firefox, updated last in 2022. Check it out here!
I think it's safe to say that the Chromium vs. Firefox meme has officially reached the status of 'beating a dead horse'. Even before Manifest V3 the Firefox vs. Chromium debate had been going on for a while, however Chromium was easily handing Firefox losses, as Chromium was rolling out security features like:
However it's been a few years, and with Manifest V3 around the corner we need to see if we can seriously consider Firefox a secure option to be used alongside browsers like Brave, Cromite, Vanadium, and Ungoogled-Chromium.
Site Isolation is important for browser security; when a page gets exploited the exploit is contained within the process for that page, rather than immediately having access to other tabs, history, passwords, etc. Site Isolation can effectively prevent the browser from being completely owned, requiring another exploit to fully take control of the browser instead of just one tab. It is a necessary part of browser security.
Firefox officially included Site Isolation via the Fission subproject with Firefox 95, but it is unfortunately not as comprehensive as Chromium's approach. According to security researcher madaidan, and Mozilla themselves, there have been numerous cross-site leaks with the Fission project.
But that was two years ago right? How are things now?
What we are seeing now is a degradation in Fission on desktop as a result of Mozilla trying to get Fission to work on Android. At the moment, Firefox on Android has no multi-process architecture for Firefox and no cross-site isolation, while Chromium already has a multi-process architecture and strict cross-site isolation on both desktop and mobile. The Gecko renderer on mobile already lacks many of the features its desktop version has, and to add insult to injury it cripples the hardening work done by AOSP and the Graphene OS project. While Gecko on desktop still seems to have a future, we're watching the sacrifice in real time in favor of the inferior mobile version. I genuinely can't overstate how much of a mistake this is, as Tor Browser is based on Gecko, and has some of the world's most vulnerable people using it. By shooting themselves in the foot, Mozilla has also shot the Tor Project in the foot.
Compared to Chromium's multi-process architecture, Firefox is a straight-up meme. Chromium has clear documentation on their multi-process architecture on their website. In comparison, finding any information on Mozilla's "Electrolysis" is like pulling teeth. Their own website is broken, and I generally had to rely on madaidan's site and my own observations for any information about Electrolysis. Opening up Chromium's task manager, I saw about 7 processes total excluding tabs: A browser process, a process for sandboxing uBlock Origin, the GPU process, a separate renderer process, audio process, network process, and storage process. In comparison Firefox has about 4: the Firefox process, the extensions process (it lumps all extensions together in one process), the vaguely defined utility process, and the newly introduced network process. Chromium, like many Google products, follows the principle of least privilege; a security architecture where no process has more permissions than it needs. Looking at Chromium's processes in the task manager it is fairly easy to understand what they do, and there is a lot of documentation regarding this architecture. Firefox does not follow this architecture, in fact the only meaningfully sandboxed processes are the network process and the different tabs I had open, and the latter is effectively being nerfed until Fission can be ported to Android!
Looking at madaidan's article as updated in 2022, it seems the situation was mostly the same except for the network process, which was limited to nightly builds. Congrats Mozilla, 2 years and the only meaningful work you did was add a network process.
This isn't just some minor issue either, Chromium on Linux has had vastly less sandbox escapes as a result of it's multi-process architecture. Firefox, to this day, has sandbox escapes via X and PulseAudio, which were only fixed via Wayland and Pipewire. On systems still using X and PulseAudio, Firefox might as well not even be sandboxed.
The desktop situation is still light years ahead of what the Geckon on Android team has accomplished in their multi-process architecture, which is nothing. Desktop Gecko at least has a multi-process architecture.
Some people say that Firefox on desktop is getting better, I'm here to say NO. Firefox is falling very far behind, and somehow Mozilla thinks that degrading their site isolation feature is a good idea. Mozilla PLEASE rethink this decision, Firefox is not nearly as competitive on mobile as it is on desktop. I think you need to scale back development on Android, and refocus your efforts on desktop where you have a chance to make a good product.
This section makes a lot of references to the madaidan article, which can be accessed by clicking on this link
Personally speaking, I am more a believer in secure architecture than having the latest exploit mitigations. Though seeing as Firefox doesn't have a secure architecture, let's see if they have implemented the latest exploit mitigations. Security researcher madaidan (link above) has rightly criticized Firefox for not including Control Flow Integrity, Arbitrary Code Guard, and Code Integrity Guard. In layman's terms, these mitigations prevent arbitrary code execution, which is a big deal. Firefox has also been criticized for not blocking untrusted fonts, and missing Win32k lockdown (a set of Windows-exploit mitigations). In the last two years, what progress has Firefox made in comparison to Chromium?
Firefox is not only lacking a secure architecture, which makes their browser more vulnerable to exploitation, they also lack comprehensive exploit mitigations, which makes the situation a whole lot worse.
I genuinely want Firefox to be better, Firefox was one of the coolest browsers around before Chrome hit the scene, and it is one of the only browsers preventing Chrome from having a monopoly on the internet. However, Mozilla has a lot of catching up to do, and every day they fall further behind. The most important security feature they've integrated in recent years, Site Isolation (Fission), is purposefully being degraded so that they can try to port the feature to Android. The most annoying part is that Firefox on Android lacks a multi-process architecture, meaning Fission won't be nearly as useful a feature on Android as it is on desktop. Firefox needs to be better, and I think part of getting there is knowing when to quit a project that is obviously failing.
What does all of this mean for the end-user? Manifest V3 is around the corner and we need to block ads! Firefox is not a secure option for most end-users out there; they are in the process of nerfing their site isolation feature to port it to Android, their multi-process architecture is a joke that leaves sandbox escapes through X and PulseAudio, and they lack comprehensive exploit mitigations. That being said, what are valid options?
The first and most obvious one is Ublock Origin Lite, a Manifest V3-compliant ad blocker. Ublock Origin Lite is still perfectly fine at blocking ads, even if pages look a little worse after. Unfortunately, Ublock Origin Lite lacks the more advanced features and cosmetic filtering that users crave, but it's a basic ad blocker that'll work in all Chromium browsers.
Another option is to switch to a browser with built-in ad blocking, such as Brave Browser (desktop & mobile), Cromite Browser (desktop & mobile), and Vanadium (Graphene OS only). These are all Chromium-based browsers that feature ad blocking with cosmetic filtering.
Finally, there is some harm reduction that can be done with Firefox. On Windows, users already have a better sandbox, but can further improve security by running Firefox in a Virtual Machine. A Virtual Machine is like a virtual computer running in tandem with your normal operating system, sort of like Virtual PC for Mac back in the day. On Linux, you can sandbox Firefox using SELinux, AppArmor, or Bubblewrap. It is also recommended to use Wayland or Pipewire on your desktop, or to run Firefox in a nested X session with access to PulseAudio denied. You can further sandbox Firefox by running Firefox in a Virtual Machine. Firefox on Linux might as well not have a sandbox, so sandboxing Firefox yourself is a hard-requirement. There is no harm reduction that can be done for Gecko on Android, Firefox on Android should not be used.
That's all for now, keep an eye out for my next article!
return to home return to mobile site