I agree, and this is no easy task. For now, I am hoping I can gather information and let some of the pieces fall together before I can begin making hard decisions.
I don't know if this was intentional or not, but I found it humorous.
In my drafts of the article I have made sure to include sections specifically pointing out that this is not a be-all-end-all, and it doesn't tell you what to do or what you can and can't use. In the end, people are free to use whatever they want. I am simply here to document and clarify some perceived issues.
The answer to this is a bit complicated: I had a list of sources, but many of them were not primary sources, and so I am currently in the process of recollecting sources and better categorizing them. I'm currently collecting as many different types of sources as I can, and I will find out what is actually useful later.
You mentioned you want more, but where are you looking to start? For example are you looking at the CVE database?
CVE databases will be some of the primary sources I will use in the article, and I may even try to get in touch with the individuals who documented some of the CVEs. I can't make any promises about that, though.
Are you looking at competitions like Pwn2Own? Or detailed project group like Google Project Zero?
I am not familiar with these yet, so I will look into them.
Is it fair to compare Chromium, which is not an end user product, to Firefox which is? Do you plan to look at or compare forks of the software?
For the sake of clarity in this post I used "Chromium" and "Firefox" to simplify what I am doing for users who aren't as aware of the fine details. I will be comparing a wide variety of projects, such as Chromium, Vanadium, Brave, ungoogled-chromium, whatever hardened Chromium Secureblue uses, etc. to a variety of Gecko-based projects such as Firefox, the Tor Browser, Mullvad Browser, and other varieties I may be unfamiliar with. These will be compared on their various platforms, such as Windows, macOS, various Linux distros (where available), iOS, Android, and special cases such as Qubes, Tails, and Firejail. Essentially, I want to compare what the most and least secure varieties of each browser pose, and make observations from there.
As an example both Google Chrome and Mozilla Firefox enable “Google Safe Browsing” by default, however the fork “ungoogled-chromium” does not include “Google Safe Browsing” (and they provide their reasoning).
As far as I currently know (and please note I am still in the early research stages), Google Safe Browsing is a feature that primarily affects privacy and is more of a failsafe. For one, it warns you about malicious websites. This is a failsafe for users who are not aware of which websites are malicious. This isn't directly a security protection, but rather a security "suggestion" for non-advanced users. It also sends data to Google to report websites, which mainly affects privacy. I'm pulling most of this from my head, and so I may be off base with this. Either way, it will not be the main focus of this, as it doesn't matter if Google Safe Browsing is safe or not if it can simply be disabled. I plan to mainly focus on sandboxing issues with Firefox and any related topics that sprout up from that.
What makes Firefox desirable over Chrome is that it’s not beng developed by massive corporation that gets the majority of its profits selling user data and delivering targeted adverts.
This is a separate issue of being able to trust developers, which is not being covered here. Projects like ungoogled-chromium exist, after all. I will be inspecting the software as a whole, and not any future interference that may happen.
Google Chrome is not the same as Chromium, and protection from Google is not what this topic is covering. It is covering protection from malicious websites, and mainly claims about site isolation.
Also, no. A commit log or version control system does not show information about security issues that have not been fixed yet.
I'm going to mostly copy paste a similar reply I made in this thread: A fork of Audacity was made called Tenacity. They explain in their history why it was made. Yes, Audacity was bought by Muse Group. There were talks of adding trackers, but nothing ever actually got added. They changed the privacy policy at one point, but reverted it after backlash. The reason I am keeping Audacity there is because I believe it is better to have quick security/feature updates from upstream (Audacity) so long as the upstream project does not have any current code issues that warrant a fork (Tenacity). If Audacity ever does add any telemetry, etc. I will absolutely change it to Tenacity.
I will be creating an FAQ section that answers this question in more depth.
Ah. I was always good about backups, but I never tested them. I used Timeshift for backups, and when I needed to recover a backup whoops! No user data. I fixed it to backup user data, and whoops! Still no user data.
Another time I used a proper backup client, but when I went to restore it it overwrote itself and so it failed and I lost the backup. Always test your backups.
Firefox is less private than some forks (Librewolf, etc.) and less secure than Chromium-based browsers due to a lack of Per-Site Process Isolation. Mullvad Browser and the Tor Browser are the only two Firefox-based browsers I can recommend due to their high privacy standards.
I'm still on the fence about adding KeePass, since I don't see anything it provides over KeePassXC. Notepad++ I will definitely look into, as well as ShareX and Greenshot. Thanks so much for the suggestions!
Yes.