Articles of Brave vs Firefox and Gecko vs Chromium. Articles are by gnukeith on 𝕏

I came across these articles that are quite interesting to read. They compare Brave to Firefox, and Gecko to Chromium. The comparisons are about the privacy and security of the engines and browsers.

The articles are written by gnukeith on 𝕏 and include some great citations:

Brave vs Firefox Article

What is Brave, and what is Firefox?

Brave:

Brave is a free, open-source web browser developed by Brave Software, Inc., co-founded by Brendan Eich and Brian Bondy in 2015. It is based on a stripped-down version of Chromium. Brave has made big changes to the Chromium source code both in terms of security and privacy, but more in the privacy department. For example, Brave has an issue captured for pulling in relevant patches from the ungoogled-chromium project.

Firefox:

Mozilla Firefox is a free, open-source web browser developed by the Mozilla Corporation, a subsidiary of the Mozilla Foundation. Its development began in 2002 under the code name “Phoenix,” and it was officially released as Firefox 1.0 on November 9, 2004.

What happens when you download Brave or Firefox by default?

This is not talked about much, but this is important.

Each Firefox download has a unique identifier.

When you download Firefox from the official Mozilla website, the installer file comes with a unique code called “dltoken.” This code is sent to Mozilla when you install and first run Firefox.

The purpose of this code is to help Mozilla understand how many downloads lead to actual installations and to analyze trends.

Brave’s Use of Referral Code

Brave uses referral codes to track where their browser downloads come from.

Referral codes are not personally identifiable and are not unique to a user unless they are the only person who has downloaded Brave from a particular source.

When you install Brave, the code helps Brave understand which marketing efforts or partnerships led to the download.

If this concerns you, you can download Firefox here, and with Brave you just need to remove the numbers before executing the file.

Brave Shields vs Enhanced Tracking Protection (ETP)

Brave Shields can also do things no extension can do, and it doesn’t rely on APIs since it’s a full stack and not an extension.

Brave Shields can block network requests from extensions, which uBO cannot do as an extension.

Implements CNAME uncloaking directly at the browser level for better tracking protection.

Features Sugarcoat technology to defuse anti-adblock scripts more effectively.

Brave Shields is not just your average adblocker. Brave Shields - by default:

  • Block third-party ads and trackers

  • Resource replacement

  • CNAME uncloaking

  • Cookie partitioning

  • Ephemeral storage

  • Fingerprint randomization

  • Block browser-language and font fingerprinting

  • Block crypto miners

  • Block connections made by other extensions

  • De-AMP

This is how Brave Shields works by default:

[Image: Ads & Trackers? Who?]

Firefox’s Enhanced Tracking Protection by default:

  • Social media trackers

  • Cross-site cookies in all windows

  • Tracking content in Private Windows

  • Cryptominers

  • Fingerprinters

  • Includes Total Cookie Protection

This is how Firefox’s ETP works by default:

[Image: Bonk]

If you set Firefox ETP to strict it does significantly more, but still less than Brave Shields by default. On the other hand, this is what happens when you put Brave Shields to Aggressive mode:

[Image: Real footage of Brave Shields fighting ads & trackers on the web.]

Features in each browser

Brave:

  • PWAs

  • More secure and private by default.

  • Native vertical tabs.

  • Picture in Picture mode (PiP)

  • Speed reader

  • Brave Leo

  • Brave Rewards

  • Wayback Machine integration

  • Memory saver

  • Group tabs

  • Pin tabs

  • Brave Sync

Firefox:

  • Better Picture in Picture mode (PiP) implementation.

  • Firefox multi-containers.

  • Better proxy implementation.

  • Firefox labs - Chatbot

  • Firefox Sync

  • Way better customization.

For a more detailed comparison check out @software_comp’s site at software compare - browsers.

Sidenote:

Firefox Chatbot is not private by design and not particularly good either.

For example, Brave Leo doesn’t know anything about you, while the provider you use with Firefox Chatbot does. Another note: The Firefox version of uBlock Origin is the only version that supports CNAME-uncloaking, but Brave also supports CNAME-uncloaking via Brave Shields. uBO on Chromium-based browsers is less effective than on Gecko-based ones.

Another another note: Vertical tabs and group tabs are being worked on in Firefox and should be available soon, which is really cool.

How is Google Safe Browsing handled in both browsers?

Can you really have your cake and eat it too? The answer is yes, but how?

How Google Safe Browsing is implemented into a browser is really important both for security and privacy.

Brave’s Implementation:

  • Enhances privacy by proxying Safe Browsing requests through Brave’s servers.

  • Prevents Google from seeing users’ IP addresses.

  • Limits data sent to Google by excluding identifiers and batching requests.

  • Frequently updates local Safe Browsing lists for efficient protection.

For more information about Google Safe Browsing and how Brave handles it, check out @Ianonymous3000’s article here; it goes way more in-depth. Here’s how Firefox handles it:

  • Local List Updates: Downloads harmful URL lists from Google for offline checks.

  • Privacy-Focused URL Checks: Sends obfuscated URL portions to Google through privacy servers.

  • Limits Data Sent to Google: Uses partial URLs or hash prefixes to protect privacy.

Firefox/Brave implementation of Google Safe Browsing is largely similar.

Companies’ directions.

We have all seen the direction Mozilla is heading in; it all began when they started calling for deplatforming, and Mozilla doesn’t even spend that much money on improving the engine itself.

Firefox Has 9 Months of Income Left (Possibly Less); they laid off 30% of their staff, which included the entirety of their advocacy division.

Right after that they decided to host a “Feminist, Decolonial, LGBTQIA+, Climate Justice using AI” Event. Which is just insane; not only that, but they just did an entire rebrand! Firefox Maker Rebrands as “Global Crew of Activists”. This is not a promising direction, especially considering how Mozilla acquired a literal ad company and then later on introduced PPA (Privacy Preserving Attributes). Is PPA even open-source?

There aren’t as many concerns with Brave when it comes to their direction; it looks like they are still committed to keeping the browser alive and being user/privacy first. Brave has recently been announcing new protocols which are built from the ground up with privacy and security in mind, so that is really cool to watch.

Brave has had some layoffs, but nothing in comparison to what is going on at Mozilla. What will happen to Mozilla in the future?

Security aspect of each browser:

Sandboxing

Firefox sandbox


[Image: Firefox in a sandbox - by @bat_guilhermee]

Firefox’s sandbox is much weaker than Chromium’s on desktop Linux. The main difference is that Firefox doesn’t have fully implemented site isolation, so it only defends the overall OS from compromise rather than properly protecting individual sites and their associated browser data (source, Bugzilla).

[Image: Skills have issues??]

Site Isolation

Firefox introduced Fission in Firefox 95 (Firefox Release Notes), but it remains less mature than Chromium’s site isolation and will require years to reach parity. Fission inherits the security weaknesses of Firefox’s content process sandbox (Bugzilla: 1505832, Bugzilla: 1484019) and is not a comprehensive solution. Site isolation prevents renderer exploits from accessing data from other websites and is essential for mitigating side-channel attacks like Spectre.


[Image: Site Isolation - Firefox by @bat_guilhermee: Firefox lacks complete site isolation]

Additionally, cross-site leaks in Fission allow compromised processes to bypass site isolation and access data from other sites (Bugzilla: 1707955).

If TikTok is open in a Firefox tab and there’s a vulnerability in the browser or in the site itself, another site might potentially access information from TikTok or other tabs due to the lack of complete site isolation.

Firefox’s sandboxing on platforms like Linux is significantly weaker. The restrictions are relatively lenient, leaving it vulnerable to various sandbox escape exploits that have persisted for years.

Furthermore, it exposes a substantial attack surface even within the sandbox environment.

Seccomp-BPF is a Linux sandboxing technology that enables the restriction of system calls available to a process, significantly reducing the kernel’s attack surface and serving as a fundamental component of most Linux sandboxing mechanisms. Firefox is not utilizing it the same way Chromium is (source, Bugzilla).

This is the main way out of the sandbox and is leveraged in most real-world browser exploits.

It’s easier to exploit the kernel than the browser broker process in practice.

Brave (Chromium) sandbox.


[Image: Brave (Lion) in a sandbox - by @bat_guilhermee]

Site Isolation

Chromium introduced site isolation in 2018, assigning each website its own renderer process. This means that if a user visits multiple websites, each site runs in its own isolated process.


[Image: by the Chromium project.]

Each renderer process runs in a restricted sandbox, limiting its access to the system’s resources.


[Image: Site Isolation - Brave (Chromium) by @bat_guilhermee]

In Brave, if TikTok were vulnerable, the sandboxing and process isolation would make it much harder for other tabs to directly access or see data from the TikTok tab.

What about hardened Firefox?

There’s not truly such a thing as a hardened Firefox, only minor modifications which often undermine privacy and security rather than enhance them. It fundamentally doesn’t even provide site isolation or basic allocator and JIT protections. It’s missing entire layers of sandboxing.

Firefox’s content sandbox is weaker than Chromium’s, and it lacks fully implemented site isolation, meaning that websites and your browsing data aren’t adequately protected.

There’s no counterpart to the additional layer of the V8 sandbox, which is a completely separate JavaScript sandbox layer in Chromium.

Firefox lacks allocator hardening comparable to PartitionAlloc, Oilpan, MiraclePtr, etc. It lacks comparable JIT hardening too. It has far less fuzzing, auditing and hardening being done.

Images in this article were made with <3 by my bestie @bat_guilhermee

Gecko vs Chromium

Firefox is often recommended as a more secure browser due to the privacy practices of its parent company; however, this article challenges that perception by highlighting several security weaknesses in Firefox’s model compared to Chromium, including weaker sandboxing, a less granular process model, and outdated exploit mitigations, focusing solely on security rather than privacy. Firefox is the least secure of the mainstream browsers. It has a much weaker sandbox and dramatically weaker exploit protections.

Smaller market share and lack of monitoring for exploits means fewer exploits are caught in the wild, which doesn’t mean it’s safer or more secure. Firefox has a much weaker content sandbox across platforms. Their sandbox also doesn’t have a full site isolation implementation so it can’t fully defend sites from each other yet. Firefox is even less secure on Android and Linux.

Firefox’s sandbox does less and is much weaker, but there are other weaknesses. Firefox’s sandbox is much weaker than Chromium’s on desktop Linux. The main difference is that Firefox doesn’t have completed site isolation, so it only defends the overall OS from compromise rather than properly defending sites and browser data from sites (source, Bugzilla).

Sandboxing

Sandboxing isolates applications and restricts their resource access, preventing vulnerabilities in one program from compromising the entire system. Modern browsers use sandboxing extensively: they run multiple processes (content, GPU, RDD, etc.) each with minimal privileges, processing untrusted input while minimizing attack surface. Without a sandbox, a browser exploit could hijack the entire system. With one, attackers need a second vulnerability to escape the sandbox, raising the bar significantly.

Still, sandboxes vary in quality. A poorly implemented sandbox provides little real protection. For instance, Firefox’s sandboxing has several known weaknesses, only some of which are listed below.

Site Isolation

Site isolation, introduced in Chromium in 2018, revamped its multi-process architecture by assigning each website its own sandboxed renderer process. This prevents renderer exploits from accessing data from other websites and is essential for mitigating side-channel attacks like Spectre. OS-level protections only isolate at the process boundary, making process separation the most effective defense (Chromium Security Docs, USENIX Presentation, Chromium Side-Channel Threat Model). Current mitigations, like reducing JavaScript timer accuracy, are insufficient and fail to address the root issue (Chrome Developer Blog).

Firefox introduced Fission in Firefox 95 (Firefox Release Notes), but it remains less mature than Chromium’s site isolation and will require years to reach parity. Fission inherits the security weaknesses of Firefox’s content process sandbox (Bugzilla: 1505832, Bugzilla: 1484019) and is not a comprehensive solution. Additionally, cross-site leaks in Fission allow compromised processes to bypass site isolation and access data from other sites (Bugzilla: 1707955). If TikTok is open in a Firefox tab and there’s a vulnerability in the browser or in the site itself, another site might potentially access information from TikTok or other tabs due to the lack of complete site isolation. In Chromium, if TikTok were vulnerable, the sandboxing and process isolation would make it much harder for other tabs to directly access or see data from the TikTok tab.

Windows

As of Firefox 100, released in May 2022, Mozilla has implemented Win32k Lockdown for content processes on Windows. This security feature restricts access to certain system calls, reducing the attack surface and making sandbox escapes more difficult.

While Chromium implemented Win32k Lockdown earlier, in 2016, Firefox has since adopted similar measures to enhance its sandboxing capabilities on Windows.

Linux

Firefox’s sandboxing on platforms like Linux is significantly weaker. The restrictions are relatively lenient, leaving it vulnerable to various sandbox escape exploits that have persisted for years. Furthermore, it exposes a substantial attack surface even within the sandbox environment.

PulseAudio, a widely used sound server on Linux, was not designed with isolation in mind, making it possible to bypass sandboxes. Similar to X11, Firefox exposes PulseAudio directly to the content process, allowing for another straightforward sandbox escape. In contrast, Chromium restricts access to a dedicated audio service, addressing this issue.

Seccomp-BPF is a Linux sandboxing technology that enables the restriction of system calls available to a process, significantly reducing the kernel’s attack surface and serving as a fundamental component of most Linux sandboxing mechanisms. Firefox is not utilizing it the same way Chromium is (source, Bugzilla).

This is the main way out of the sandbox and is leveraged in most real-world browser exploits. It’s easier to exploit the kernel than the browser broker process in practice.

For X11 on Linux, Firefox does not have a separate GPU process, and therefore, no GPU process sandboxing is implemented. Firefox lacks a separate audio process, unlike Chromium which has a dedicated audio service. In Firefox, audio functionality is integrated directly into the content process, leading to vulnerabilities such as the PulseAudio sandbox escape on Linux systems. This is still the main browser on Linux btw.

Android

Avoid using Gecko-based browsers like Firefox on Android due to:

  • Increased Vulnerability: Gecko lacks internal sandboxing, unlike Chromium which uses Android’s isolatedProcess for strong isolation.

  • Sandboxing Deficiency: Even on desktop, Firefox’s sandbox is weaker, particularly on Linux, with limited site isolation compared to Chromium. The Android version lags further in sandbox improvements.

Firefox doesn’t deploy basic mitigations like type-based CFI anyway. Since it doesn’t even use Clang CFI yet, it really says a lot about it (Source). Similarly, there is far less JIT hardening in Firefox. One of the major differences is that Chromium has a massive level of fuzzing, auditing, etc. compared to Firefox. Google also monitors for in-the-wild exploits, so they often get caught, both to fix the bugs and to learn from the exploits. They probably don’t catch the majority of exploits used in the wild, but they catch enough to regularly learn from how attackers are actually exploiting the browser and then implement defenses against the real-world attacks.

There are other major advantages of Chromium: Oilpan + MiraclePtr + PartitionAlloc defending against the main sources of heap corruption, with no real equivalent in Firefox. Oilpan (garbage collection for C++ objects) and MiraclePtr (use-after-free protection for non-Oilpan objects) are massive defenses against the main forms of memory corruption bugs in browsers (use-after-free). PartitionAlloc is also a major upgrade over jemalloc in Firefox. For jemalloc to approach the security characteristics of Oilpan + MiraclePtr, it would need to transform from a conventional allocator into a full-fledged memory safety runtime. This means embedding garbage collection or reference tracking mechanisms, implementing pointer validation infrastructure, quarantining freed memory, integrating closely with compilers and language runtimes, and accepting significant performance and complexity overheads.

The V8 sandbox provides a whole other layer of sandboxing for most JS bugs. Chromium recently added the V8 sandbox, which is a whole extra layer of sandboxing for the overall majority of attacks on browsers targeting the JavaScript runtime.



Firefox does not employ a hardened memory allocator; it currently uses mozjemalloc, which is derived from jemalloc. Jemalloc focuses primarily on performance rather than security, making it vulnerable to exploitation. While mozjemalloc does introduce some security enhancements to jemalloc, these are insufficient to address the fundamental architectural vulnerabilities. On the other hand, Chromium has implemented PartitionAlloc across its entire codebase through the "PartitionAlloc-Everywhere" initiative. PartitionAlloc is significantly more secure than mozjemalloc.

I decided to take this format from Madaidans and update it, so you can think of this as an updated version of the Firefox and Chromium article. So shout out to Madaidans.

  • thegrugq - Criticizes Firefox’s security model.

  • PaXTeam - Points out security issues with Firefox.

  • Daniel Micay - Prefers alternatives to Firefox for security reasons.

  • Matthew Garrett - Highlights security flaws in Firefox.

  • Dan Guido - Critiques Firefox’s security architecture.

  • Theo de Raadt - Comments on Firefox’s security from the perspective of OpenBSD.

  • Thomas Ptacek - Shares security critiques of Firefox on multiple occasions (source, source, source).

  • qwertyoruiopz - Known for exploits, has criticized Firefox’s security (source, source).

  • The Tor Project - Investigated Firefox’s security, finding it challenging to harden compared to Chromium.

  • Madaidans - Firefox and Chromium.

  • GrapheneOS - Firefox skill issues.

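The quoted article mentions CNAME uncloaking several times (Brave Shields does it at the browser level, and the Firefox build of uBlock Origin can do it because Firefox gives extensions a DNS resolution API). As an added example for this thread, not code from gnukeith’s article, Brave or uBlock Origin, the Python below shows the check itself: walk the CNAME chain behind a request hostname and compare every name in it, not just the one the page asked for, against a tracker blocklist. The CNAME records, blocklist and hostnames are constructed for the demo, and registrable_domain() is a deliberately crude stand-in for a Public Suffix List lookup.

```python
"""CNAME uncloaking: resolve the canonical name behind a request host before
matching it against the blocklist.

Added example for this thread, not code from the article, Brave or uBO.
The DNS answers, blocklist and hostnames below are constructed for the demo.
"""
from __future__ import annotations

# Constructed CNAME records. metrics.example-news.com looks first-party but
# is an alias for tracker infrastructure; static.example-news.com is an
# ordinary CDN alias and must not be blocked.
CNAME_RECORDS = {
    "metrics.example-news.com": "example-news.trackerco.net",
    "example-news.trackerco.net": "edge.trackerco.net",
    "static.example-news.com": "example-news.cdn-host.com",
}

# Constructed blocklist of registrable tracker domains.
TRACKER_DOMAINS = {"trackerco.net", "adsrv.io"}

MAX_CNAME_HOPS = 8  # bound the walk: a hostile zone can CNAME in a cycle


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: a real blocker would use
    the Public Suffix List so that e.g. foo.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_canonical(host: str, records: dict[str, str] = CNAME_RECORDS) -> list[str]:
    """Follow the CNAME chain; returns every name seen, starting with host.
    Stops on a missing record, a repeated name (loop) or MAX_CNAME_HOPS."""
    chain = [host]
    seen = {host}
    for _ in range(MAX_CNAME_HOPS):
        target = records.get(chain[-1])
        if target is None or target in seen:
            break
        chain.append(target)
        seen.add(target)
    return chain


def is_tracker(host: str) -> bool:
    return registrable_domain(host) in TRACKER_DOMAINS


def should_block_naive(request_host: str) -> bool:
    """Hostname-only matching, which is all an extension without access to
    DNS results can do. Passes the cloaked tracker straight through."""
    return is_tracker(request_host)


def should_block_uncloaked(page_host: str, request_host: str) -> tuple[bool, str]:
    """Block if any name in the CNAME chain belongs to a third-party tracker.
    Names inside the page's own registrable domain are skipped, so a site
    aliasing www. to its apex is not treated as cloaking."""
    first_party = registrable_domain(page_host)
    for name in resolve_canonical(request_host):
        if registrable_domain(name) == first_party:
            continue
        if is_tracker(name):
            return True, f"{request_host} resolves via {name}"
    return False, "no tracker in CNAME chain"


if __name__ == "__main__":
    page = "www.example-news.com"
    for host in ("metrics.example-news.com", "static.example-news.com"):
        print(host, "naive:", should_block_naive(host),
              "uncloaked:", should_block_uncloaked(page, host))
```

should_block_naive() is the hostname-only matching an extension without DNS access is limited to; it lets metrics.example-news.com through, while the uncloaked check blocks it because the chain lands on trackerco.net. The hop limit and the seen-set matter in practice because the zone being walked is attacker-controlled and can loop, and skipping names inside the page’s own registrable domain avoids blocking a site that simply aliases www. to its apex.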
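Both Safe Browsing bullet lists in the quoted article say the browsers send hash prefixes rather than URLs to Google. The following Python is an added example for this thread, not code from the article, Mozilla, Brave or Google; it shows the mechanics as the Safe Browsing Update API (v4) documents them: the client hashes host-suffix/path-prefix expressions of the URL with SHA-256, compares 4-byte prefixes against a list held locally, and only on a local hit asks the server for the full hashes behind that prefix. URL canonicalization is simplified, and the blocklist, hostnames and the in-process FullHashServer are constructed for the demo.

```python
"""Hash-prefix URL checking in the style of the Safe Browsing Update API (v4).

Added example for this thread, not code from the article, Mozilla, Brave or
Google. The blocklist and the in-process FullHashServer are constructed so
the demo runs offline; URL canonicalization is simplified relative to the
real specification.
"""
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # v4 prefix lists ship 4-byte SHA-256 prefixes by default


def sha256(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


def url_expressions(url: str) -> list[str]:
    """Host-suffix / path-prefix combinations the client hashes locally.

    Simplified: the exact host plus up to four parent domains (never the
    bare TLD), combined with the full path (with and without query), "/",
    and up to three leading path components.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"

    labels = host.split(".")
    hosts = [host] + [".".join(labels[-n:]) for n in range(2, 6) if n < len(labels)]

    paths = [path + ("?" + parts.query if parts.query else ""), path]
    segments = [s for s in path.split("/") if s]
    for k in range(min(len(segments), 3) + 1):
        paths.append("/" + "/".join(segments[:k]) + ("/" if k else ""))

    exprs: list[str] = []
    for h in hosts:
        for p in paths:
            if h + p not in exprs:
                exprs.append(h + p)
    return exprs


class LocalPrefixList:
    """What the browser stores on disk: truncated hashes, never URLs."""

    def __init__(self, full_hashes):
        self.prefixes = {h[:PREFIX_LEN] for h in full_hashes}

    def matching_prefixes(self, url: str) -> list[bytes]:
        hits: list[bytes] = []
        for expr in url_expressions(url):
            prefix = sha256(expr)[:PREFIX_LEN]
            if prefix in self.prefixes and prefix not in hits:
                hits.append(prefix)
        return hits


class FullHashServer:
    """Stand-in for the full-hash endpoint (constructed for the demo).
    requests_seen records exactly what the server learns about the client."""

    def __init__(self, full_hashes):
        self.full_hashes = set(full_hashes)
        self.requests_seen: list[list[bytes]] = []

    def find_full_hashes(self, prefixes: list[bytes]) -> list[bytes]:
        self.requests_seen.append(list(prefixes))
        wanted = set(prefixes)
        return [h for h in self.full_hashes if h[:PREFIX_LEN] in wanted]


def check_url(url: str, local: LocalPrefixList, server: FullHashServer) -> bool:
    """True if the URL is on the list. The network is contacted only on a
    local prefix hit, and then only the prefix is sent, never the URL."""
    hits = local.matching_prefixes(url)
    if not hits:
        return False  # the common case: nothing leaves the machine
    full = set(server.find_full_hashes(hits))
    return any(sha256(expr) in full for expr in url_expressions(url))


# Constructed blocklist entry, written as a path-prefix expression so every
# URL under that directory matches.
BLOCKLIST = [sha256("malware.example.test/payload/")]


if __name__ == "__main__":
    local, server = LocalPrefixList(BLOCKLIST), FullHashServer(BLOCKLIST)
    for url in ("http://malware.example.test/payload/setup.exe?x=1",
                "https://www.example.com/"):
        print(url, "unsafe" if check_url(url, local, server) else "ok")
    print("server saw:", [[p.hex() for p in req] for req in server.requests_seen])
```

requests_seen is the privacy-relevant part: for the listed URL the server receives one 4-byte prefix that many unrelated URLs share, and for the clean URL it receives nothing at all. What the hash scheme does not hide is the client’s IP address on that one request, which is why the Brave bullets above stress proxying.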

Of all the ways to share and write about this, why X?

(sigh)

It could be because you can get paid for posting on 𝕏. I can quote the whole thing if you want. I will just hide it in a menu. So, it doesn’t make the post too long.

Update: I have added the contents of the articles under the links for you to view. It does look a little broken though.


I see.

And that was nice of you. Thanks!
