> Privacy is a fundamental part of Apple's selling proposition and personal to Tim Cook given that in many cases gay and other minorities are killed due to privacy leaks.
I love the privacy aspect, but is privacy really part of Apple's core strategy or are we just seeing them make use of the good position they were always in? Is there enough drive at Apple (Cook or otherwise) to keep privacy a focus, or is the topic just going to fall by the wayside when it suits the business?
Look at the implementation of Secure Enclave, FaceID, Apple Pay and ML models.
They build these very carefully to keep your data secure, on-device and inaccessible to third parties. They definitely could've implemented these much quicker and arguably better (e.g. ML models) if they had a device-cloud hybrid.
Would you expect Google's API to change often? My biggest concern with something like this is their /collect endpoint changing and analytics data stops being tracked.
I've been using KeePass on Windows for several years now since I switched from LastPass. I like it a lot and as long as you are using it alone, syncing works great :)
There's no questioning that Chrome's sandbox implementation is ahead of Firefox: they've been shipping it for several years, whereas Firefox only got its first one out in Firefox 50 (for content! They had a Flash sandbox and DRM/media decoder sandbox for longer), with the more strict ones being in the Nightly/Dev Edition branches. It's possible the real Firefox is not vulnerable to this exploit because of that, but we'll have to see.
None of this would have helped Tor/TBB, because it's based on an older Firefox branch, with no sandbox at all. This means most vulnerabilities are exploitable and lead to a total compromise. There are relatively few of those and they get fixed very quickly, but if you use Tor you are likely specifically targeted so any hole is very serious.
Parent sounds so bad because he seems to grade security by seeing how many CVEs the developer publishes, ignores the fact that browser exploits are often done by exploiting attack surface outside the browser (because all browsers are - relatively speaking to other software - secure), and conflates Chrome vs Chromium.
This particular bug is bad (it's a 0day - a security exploit found by bad guys before Mozilla or security researchers found it) but a lot of the buzz here is because such problems are rather rare these days, and because it's targeting Tor.
> Parent sounds so bad because he seems to grade security by seeing how many CVEs the developer publishes, ignores the fact that browser exploits are often done by exploiting attack surface outside the browser (because all browsers are - relatively speaking to other software - secure), and conflates Chrome vs Chromium.
By counting CVEs alone, Chrome would be the least secure since it has more CVEs than any other browser thanks to Google's bug bounty and fuzzing, most of them harmless.
What I counted were real-world browser exploits, which is an excellent measure of security.
> such problems are rather rare these days
In Chrome, yes. They happen rather often with Firefox.
> conflating Chrome vs Chromium
Their security features are identical. It's the same code.
> In Chrome, yes. They happen rather often with Firefox.
Shrug, I disagree. The fuss made here illustrates it: 0-days are rare enough that "rather often" is a serious mischaracterisation.
> Their security features are identical. It's the same code.
You said: "And it being open source means that I can use without worrying about backdoors or data leakage." Which has nothing to do with security. Inspecting Chromium tells you nothing about what Chrome does, and using Chromium means you miss features that Chrome has (H264, Netflix, ...)
> The fuss made here illustrates it: 0-days are rare enough that "rather often" is a serious mischaracterisation.
An RCE in a browser is literally the worst possible case and Firefox had multiple of them, most trivially exploitable with JavaScript. This simply doesn't happen with Chrome.
> Chromium means you miss features that Chrome has (H264, Netflix, ...)
Google made an effort to open-source everything, including their PDFium PDF reader.
The only remaining bits are the Pepper flash player and the Encrypted Media Extensions. Both are closed source in Firefox as well. You can use them with Chromium just fine and both are sandboxed. They cannot be distributed with Chromium for licensing reasons, but nothing prevents you from downloading the Chrome package and extracting those two files. Many Linux distros have scripts which automate this.
I specifically pointed out H264 support (and you ignored it) because it's an annoyance when using Chromium. And yes, that's due to licensing reasons as well.
Looks base64 encoded to me, but running it through a decoder isn't giving me anything intelligible. Here's an OCR of the text in the image, maybe you can figure it out:
Edit: Full text is in sibling comment.
Btw, looks like the message is not PGP encrypted. The line lengths are different and gpg complained the message wasn't valid when trying to read the signature.