update web browsing section
This commit is contained in:
parent
e1b98c436f
commit
7fc564c245
@ -409,75 +409,68 @@
|
|||||||
<section id="web-browsing">
|
<section id="web-browsing">
|
||||||
<h2><a href="#web-browsing">Web browsing</a></h2>
|
<h2><a href="#web-browsing">Web browsing</a></h2>
|
||||||
|
|
||||||
<p>GrapheneOS includes a Vanadium subproject providing privacy and security enhanced
|
<p>GrapheneOS includes our Vanadium subproject providing privacy and security
|
||||||
releases of Chromium. Vanadium is both the user-facing browser included in the OS and
|
enhanced releases of Chromium. Vanadium is both the user-facing browser included
|
||||||
the provider of the WebView used by other apps to render web content. The WebView is
|
in the OS and the provider of the WebView used by other apps to render web
|
||||||
the browser engine used by the vast majority of web browsers and nearly all other apps
|
content. The WebView is the browser engine used by nearly all other apps embedding
|
||||||
embedding web content or using web technologies for other uses.</p>
|
web content or using web technologies for other uses. It's also used by many minor
|
||||||
|
web browsers not forking Chromium as a whole. These apps using the WebView benefit
|
||||||
|
from a subset of the Vanadium hardening.</p>
|
||||||
|
|
||||||
<p>Using Vanadium is highly recommended. Bromite is a solid alternative and is the
|
<p>Vanadium was previously primarily focused on security hardening but we plan on
|
||||||
only other browser we recommend. Bromite provides integrated ad-blocking and more
|
adding assorted privacy and usability features. In the near future, we plan to add
|
||||||
advanced anti-fingerprinting. For now, Vanadium is more focused on security hardening
|
support for always incognito mode, content filtering (ad blocking, etc.), improved
|
||||||
and Bromite is more focused on anti-fingerprinting. The projects are collaborating
|
state partitioning, backup/restore, native autofill and many other features.</p>
|
||||||
together and will likely converge to providing more of the same features. Vanadium
|
|
||||||
will be providing content filtering and anti-fingerprinting, but it needs to be done
|
|
||||||
in a way that meets the standards of the project, which takes time.</p>
|
|
||||||
|
|
||||||
<p>Vanadium is designed for use on GrapheneOS and does not duplicate the OS privacy
|
<p>Chromium-based browsers like Vanadium provide the strongest sandbox
|
||||||
and security features such as the hardened malloc implementation. This leads to some
|
implementation, leagues ahead of the alternatives. It is much harder to escape
|
||||||
of the differences from Bromite, such as relying on OS support for encrypted DNS
|
from the sandbox and it provides much more than acting as a barrier to
|
||||||
rather than enabling Chromium's DNS-over-HTTPS support.</p>
|
compromising the rest of the OS. Site isolation enforces security boundaries
|
||||||
|
around each site using the sandbox by placing each site into an isolated sandbox.
|
||||||
|
It required a huge overhaul of the browser since it has to enforce these rules on
|
||||||
|
all the IPC APIs. Site isolation is important even without a compromise, due to
|
||||||
|
side channels. Browsers without site isolation are very vulnerable to attacks like
|
||||||
|
Spectre. On mobile, due to the lack of memory available to apps, there are
|
||||||
|
different modes for site isolation. Vanadium turns on strict site isolation,
|
||||||
|
matching Chromium on the desktop, along with strict origin isolation.</p>
|
||||||
|
|
||||||
<p>Chromium-based browsers like Vanadium and Bromite provide the strongest sandbox
|
<p>Chromium has decent exploit mitigations, unlike the available alternatives.
|
||||||
implementation, leagues ahead of the alternatives. It is much harder to escape from
|
This is improved upon in Vanadium by enabling further mitigations, including those
|
||||||
the sandbox and it provides much more than acting as a barrier to compromising the
|
developed upstream but not yet fully enabled due to code size, memory usage or
|
||||||
rest of the OS. Site isolation enforces security boundaries around each site using the
|
performance. For example, it enables type-based CFI like Chromium on the desktop,
|
||||||
sandbox by placing each site into an isolated sandbox. It required a huge overhaul of
|
uses a stronger SSP configuration, zero initializes variables by default, etc.
|
||||||
the browser since it has to enforce these rules on all the IPC APIs. Site isolation is
|
Some of the mitigations are inherited from the OS itself, which also applies to
|
||||||
important even without a compromise, due to side channels. Browsers without site
|
other browsers, at least if they don't do things to break them.</p>
|
||||||
isolation are very vulnerable to attacks like Spectre. On mobile, due to the lack of
|
|
||||||
memory available to apps, there are different modes for site isolation. Vanadium turns
|
|
||||||
on strict site isolation, matching Chromium on the desktop. Bromite enables strict
|
|
||||||
site isolation on high memory devices, including all the devices that are officially
|
|
||||||
supported by GrapheneOS.</p>
|
|
||||||
|
|
||||||
<p>Chromium has decent exploit mitigations, unlike the available alternatives. This is
|
<p>We recommend against trying to achieve browser privacy and security through
|
||||||
improved upon in Vanadium by enabling further mitigations, including those developed
|
piling on browser extensions and modifications. Most privacy features for browsers
|
||||||
upstream but not yet fully enabled due to code size, memory usage or performance. For
|
are privacy theater without a clear threat model and these features often reduce
|
||||||
example, it enables type-based CFI like Chromium on the desktop, uses a stronger SSP
|
privacy by aiding fingerprinting and adding more state shared between sites. Every
|
||||||
configuration, zero initializes variables by default, etc. Some of the mitigations are
|
change you make results in you standing out from the crowd and generally provides
|
||||||
inherited from the OS itself, which also applies to other browsers, at least if they
|
more ways to track you. Enumerating badness via content filtering is not a viable
|
||||||
don't do things to break them.</p>
|
approach to achieving decent privacy, just as AntiVirus isn't a viable way to
|
||||||
|
achieving decent security. These are losing battles, and are at best a stopgap
|
||||||
<p>We recommend against trying to achieve browser privacy and security through piling
|
reducing exposure while waiting for real privacy and security features.</p>
|
||||||
on browser extensions and modifications. Most privacy features for browsers are
|
|
||||||
privacy theater without a clear threat model and these features often reduce privacy
|
|
||||||
by aiding fingerprinting and adding more state shared between sites. Every change you
|
|
||||||
make results in you standing out from the crowd and generally provides more ways to
|
|
||||||
track you. Enumerating badness via content filtering is not a viable approach to
|
|
||||||
achieving decent privacy, just as AntiVirus isn't a viable way to achieving decent
|
|
||||||
security. These are losing battles, and are at best a stopgap reducing exposure while
|
|
||||||
waiting for real privacy and security features.</p>
|
|
||||||
|
|
||||||
<p>Vanadium will be following the school of thought where hiding the IP address
|
<p>Vanadium will be following the school of thought where hiding the IP address
|
||||||
through Tor or a trusted VPN shared between many users is the essential baseline, with
|
through Tor or a trusted VPN shared between many users is the essential baseline,
|
||||||
the browser partitioning state based on site and mitigating fingerprinting to avoid
|
with the browser partitioning state based on site and mitigating fingerprinting to
|
||||||
that being trivially bypassed. The Tor Browser's approach is the only one with any
|
avoid that being trivially bypassed. The Tor Browser's approach is the only one
|
||||||
real potential, however flawed the current implementation may be. This work is
|
with any real potential, however flawed the current implementation may be. This
|
||||||
currently in a very early stage and it is largely being implemented upstream with the
|
work is currently in a very early stage and it is largely being implemented
|
||||||
strongest available implementation of state partitioning. Chromium is using Network
|
upstream with the strongest available implementation of state partitioning.
|
||||||
Isolation Keys to divide up connection pools, caches and other state based on site and
|
Chromium is using Network Isolation Keys to divide up connection pools, caches and
|
||||||
this will be the foundation for privacy. Chromium itself aims to prevent tracking
|
other state based on site and this will be the foundation for privacy. Chromium
|
||||||
through mechanisms other than cookies, greatly narrowing the scope downstream work
|
itself aims to prevent tracking through mechanisms other than cookies, greatly
|
||||||
needs to cover. Bromite is doing a lot of work in these areas and Vanadium will be
|
narrowing the scope downstream work needs to cover. The focus is currently on
|
||||||
benefiting from that along with this upstream work. The focus is currently on research
|
research since we don't see much benefit in deploying bits and pieces of this
|
||||||
since we don't see much benefit in deploying bits and pieces of this before everything
|
before everything is ready to come together. At the moment, the only browser with
|
||||||
is ready to come together. At the moment, the only browser with any semblance of
|
any semblance of privacy is the Tor Browser but there are many ways to bypass the
|
||||||
privacy is the Tor Browser but there are many ways to bypass the anti-fingerprinting
|
anti-fingerprinting and state partitioning. The Tor Browser's security is weak
|
||||||
and state partitioning. The Tor Browser's security is weak which makes the privacy
|
which makes the privacy protection weak. The need to avoid diversity
|
||||||
protection weak. The need to avoid diversity (fingerprinting) creates a monoculture
|
(fingerprinting) creates a monoculture for the most interesting targets. This
|
||||||
for the most interesting targets. This needs to change, especially since Tor itself
|
needs to change, especially since Tor itself makes people into much more of a
|
||||||
makes people into much more of a target (both locally and by the exit nodes).</p>
|
target (both locally and by the exit nodes).</p>
|
||||||
|
|
||||||
<p>WebView-based browsers use the hardened Vanadium rendering engine, but they can't
|
<p>WebView-based browsers use the hardened Vanadium rendering engine, but they can't
|
||||||
offer as much privacy and control due to being limited to the capabilities supported
|
offer as much privacy and control due to being limited to the capabilities supported
|
||||||
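Review bot: The rewrite drops the paragraph stating that Vanadium is designed for use on GrapheneOS and does not duplicate OS privacy and security features (the hardened malloc implementation; relying on OS support for encrypted DNS rather than enabling Chromium's DNS-over-HTTPS). That information describes Vanadium's own design, not Bromite, so it should survive the removal of the Bromite comparison; suggest keeping a trimmed version such as "Vanadium is designed for use on GrapheneOS and does not duplicate the OS privacy and security features such as the hardened malloc implementation, relying on OS support for encrypted DNS rather than enabling Chromium's DNS-over-HTTPS support." Two wording points in the new text: "Vanadium was previously primarily focused on security hardening but we plan on adding" mixes tenses and reads as if the hardening focus has ended, while the following paragraphs still present hardening as the current work; "is currently focused on security hardening, and we plan to add" would be consistent. And "These apps using the WebView benefit from a subset of the Vanadium hardening" leaves the subset unstated; the WebView paragraph later in this section already says WebView-based browsers are limited to the capabilities the WebView supports, so either a pointer to that or one clause naming what does not carry over would make the claim checkable.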
@ -495,15 +488,16 @@
|
|||||||
used alongside the Chromium-based WebView rather than instead of Chromium, which means
|
used alongside the Chromium-based WebView rather than instead of Chromium, which means
|
||||||
having the remote attack surface of two separate browser engines instead of only one.
|
having the remote attack surface of two separate browser engines instead of only one.
|
||||||
Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS
|
Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS
|
||||||
hardening work for apps. Worst of all, Firefox runs as a single process on mobile and
|
hardening work for apps. Worst of all, Firefox does not have internal sandboxing
|
||||||
has no sandbox beyond the OS sandbox. This is despite the fact that Chromium semantic
|
on Android. This is despite the fact that Chromium semantic sandbox layer on
|
||||||
sandbox layer on Android is implemented via the OS <code>isolatedProcess</code>
|
Android is implemented via the OS <code>isolatedProcess</code> feature, which is a
|
||||||
feature, which is a very easy to use boolean property for app service processes to
|
very easy to use boolean property for app service processes to provide strong
|
||||||
provide strong isolation with only the ability to communicate with the app running
|
isolation with only the ability to communicate with the app running them via the
|
||||||
them via the standard service API. Even in the desktop version, Firefox's sandbox is
|
standard service API. Even in the desktop version, Firefox's sandbox is still
|
||||||
still substantially weaker (especially on Linux, where it can hardly be considered a
|
substantially weaker (especially on Linux) and lacks full support for isolating
|
||||||
sandbox at all) and lacks support for isolating sites from each other rather than only
|
sites from each other rather than only containing content as a whole. The sandbox
|
||||||
containing content as a whole.</p>
|
has been gradually improving on the desktop but it isn't happening for their
|
||||||
|
Android browser yet.</p>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="camera">
|
<section id="camera">
|
||||||
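Review bot: "Firefox does not have internal sandboxing on Android" is weaker and less specific than the text it replaces ("runs as a single process on mobile and has no sandbox beyond the OS sandbox"); if the single-process claim is no longer accurate, that reason belongs in the commit message, and if it still holds, keeping "beyond the OS sandbox" preserves the contrast with the isolatedProcess mechanism described in the next sentence. In that next sentence, "Chromium semantic sandbox layer on Android" needs an article ("the Chromium semantic sandbox layer"). "lacks full support for isolating sites from each other" hedges on "full" without saying what partial support exists; either name it or drop "full". Finally, "it isn't happening for their Android browser yet" has an unclear antecedent for "their"; "Firefox for Android" is clearer.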