Debian 11 includes both chromium and chromium-sandbox.

It's my understanding that, while on the one hand, chromiums-sandbox prevents some attacks, it also increases other risks by being setuid.

What's the net effect? Is there a consensus on this?

===

I also noticed, by running aa-status, that AppArmor is running, and it confines some apps, like evince and man, but it does nothing for firefox-esr and chromium. Isn't this odd, considering that browsers are probably the most dangerous things you run?

Chrome gets 200+ CVEs/year, and Firefox gets 100 CVEs/year (some say the latter number is only smaller because Firefox gets less attention).

Probably not.
If you MUST run something chromium based, go straight and simple if you can.
Beyond that it depends upon what you do with and in your browser, and what features are important to you.

1 members found this post helpful.

Security researchers seem to very strongly favor Chrom(ium) over Firefox: https://madaidans-insecurities.githu...-chromium.html (See the last section for references to 9 others)

But on the other hand, Debian is about 3 months behind in fixing Chromium vulnerabilities in Debian Stable: https://security-tracker.debian.org/...ckage/chromium

Maybe this makes it a wash. IDK.

chromium is technically superior from a security standpoint. But that's all about it's design - not the number of CVEs.
No. Wrong.

A self styled "security researcher" who authors some random blog and is anonymous (roughly translated - "college kid"). His main contributions on github are to his own website and some sparse contributions to a project called "whonix" (from his blog you'd imagine he was one of the key developers...). Check for yourself - yes always check your sources before reposting them.

He put up a typically sensationalist, skewed and narrow focused, not to mention ill-researched, article on OpenBSD - the usual attempted destruction, laden with rhetoric and security buzzwords.

His articles read like compilations of other material from other sources. Someone posted to openbsd-misc quoting that one and it, rather unsurprisingly, attracted little interest among software developers who actually understand security and actually write code.

We need to see Mr Anonymous' code contributions first... and of course his patches to address all of these issues he found in OpenBSD and other OS and web browsers - to date there haven't been any. The poster of the article on OpenBSD misc was a clear troll - he addressed mailing list users as "fans" from the off, then when failing to get a bite, resorted to a tangential attack regarding cryptography, before exposing himself completely, and going off on more tangents trolling about Linux and systemd, etc. He was only individual who reposted that worthless article on OpenBSD's mailing list.

Mr Anonymous' biggest success had been in finding willing dupes to quote and repost his agenda driven FUD all over the web. How naive do you have to be, to have your opinions and personal choices continually swayed by random bloggers...?

So only the misinformed and obvious trolls are reposting links to this particular blogger's articles.

3 members found this post helpful.

That's precisely my point (and what the security researcher wrote). Read more carefully next time, would you?

Let me get this straight. This person writes a long post explaining in much technical detail how Firefox is inferior to Chrom(ium) from the security perspective. While you agree with the statement, and can't refute any of the statements, you claim (anonymously) that this person's writing is worthless because he's anonymous, and doesn't have enough contributions on github (under his account)? He also links 9 other security researchers writing on this topic, which you ignore.

if you are really paranoid use a VM, run whatever browser you want and browse whatever site you want and destroy the full VM when you are done. Or just open every page/site in another VM. That is definitely safer than a sandbox.
Anyway, security always depend on the user [and usage, configuration] and must not rely only on any tool (and default settings).

You're either trolling (badly) or you have reading comprehension problems, or both.

Read and digest what the "security researcher" wrote as many times as you like. Knock yourself out - if you want to get your information from random anonymous blogs, probably posted by college kids, then be my guest. Once again: That "blog" did not get a single response when posted by a troll on the OpenBSD mailing lists. Most could see it for what it was - click bait for the fickle and gullible. IlJa Van Sprundel's actual research, did and resulted in patches and vulnerabilities being fixed.

I've seen and read enough of the sources, most being reddit, twitter (two corporate reps) and other troll's blogs from between 2015 to 2017, the last "researcher" admits he doesn't know the difference between firefox and chromium from a security perspective. I don't care to read any more of it. Ironically, the most relevant citation about firefox and chromium is Theo de Raadt's posting from 2018 (ironically that's the lead developer of the OS he set out to defame and debase in another blog entry). The others are mostly one liners and all are about the "tor browser bundle" - the tor browser bundle is primarily about privacy, which is why it uses firefox and not a product from the biggest data mining and telemetry shop in the world... did you honestly read any of the sources?

I know which of the sources are legit and which are on the payroll of some interested party and which are just skewed opinion pieces from random individuals. I've also come across numerous other sites over the years (one of which is his main source for the OpenBSD posting) - they deploy weasel words, cherry picked "facts" and are completely worthless. They set out to reach a conclusion and then proceed to fill in the blanks around that, then throw a bone, as a footnote to give the illusion of fairness.

You have descended through a chain of attacking firefox in Debian, supposedly considering moving to chromium, then attacking Debian after you supposedly discovered that chromium is unmaintained and has all those CVEs listed against it. You're brought this incredible material into it in an attempt to bolster your case. The material would have some merit if your focus was on firefox insecurity and comparisons with chromium - that is not the case. Your intent has been to attack Linux and these threads of yours are just you laying the foundations for those attacks.

//edit:

Your original intent was to simply attack Debian and other Linux distributions, as you have been doing in your now numerous troll threads at this site:

https://www.linuxquestions.org/quest...re-4175703471/
https://www.linuxquestions.org/quest...ml#post6300572

In those two recent ones, you've now played your hand and it's up to others here to decide if they actually want to continue wasting their time making legitimate responses...

1 members found this post helpful.