Marc Espie <es...@nerim.net> wrote:

> Chrome is a relative newcomer to browser land, and it was designed from
> the start from a security point of view, so it got a headstart there.

In a browser, there are 2 main security components you want: The main
security advantage is privsep.  The other is W^X jit.  Other security
effects will follow from those design choices, especially if you have
privsep.  For instance, the chrome privsep is nicely refined and pledge
enforcements could be added.

chrome was designed to be privsep.  sshd was the first major privsep
program on everyone's machine, and chrome was second.  For instance,
smtpd had it designed-in from the start, and it is very strong.

We have added privsep to software after the fact, but it isn't always a
success.  As an example of this, privsep was added to dhclient and
probably isn't as strong.  Only because it is difficult pasting the
concept in afterwards.

> It's been my understanding that firefox is finally catching up. Namely,
> they've put a reasonably secure architecture in place.  And they are getting
> rid of their old large extension language to try and use the same 
> architecture as chrome.

It is my understanding that firefox says they are catching up, but all
I see is lipstick on a pig.  It now has multiple processes.  That does
not mean it has a well-designed privsep model.  Landry's attempt to add
pledge to firefox, shows that pretty much all processes need all
pledges.

From where I stand, I think it fails to be privsep because the various
process initializations still need way too much, and tasks aren't being
done in the right process.  I think firefox is still only 2 process
classes, whereas chrome is 6 or 7.

> The gap is much smaller than it was a year ago.

I don't think so.

> In short, I feel that most of chrome's focus is on making things reasonably
> secure (as far as confidentiality and attacks go) so that people trust the 
> browser, whereas firefox's focus is waaay more dispersed.

I doubt firefox will ever focus on security.  The security mechanisms we
are talking about require breaking compatibility or performance.  This
isn't the stuff one rearranges deck chairs for.

BTW, the jit in chrome isn't W^X.  So chrome is behind in one sense,
because the jit in firefox is W^X [well not truly, it uses two mappings
of the same object, and if the attacker can find the shadow he can play,
but it is still raising the bar]

I'm replying because I think the picture is being painted too rosy.
I think firefox is YEARS behind, unless they change their strategy.
