Linux Mint 19.3 OS, open-source Chromium browser. Is this browser safe?
February 9, 2020 7:05 PM Subscribe
Older Lenovo laptop, running Linux Mint 19.3, Chromium web browser (open-source version of Google Chrome browser.) Chromium Extensions: DuckDuckGo Privacy Essentials. HTTPS Everywhere. AdBlock Plus. Linux Mint Update manager runs every time I boot the machine, so all browser software is up to date. I still use FireFox browser also. But Chromium has become my go-to. Should I head on back to Firefox Land?
Best answer: Chromium Security
Every complex piece of software has bugs.
I agree with jbz, what are you asking? Are you worried about someone
* tracking your browsing
* stealing your personal information
* stealing financial data
* determining who you are by usage patterns
or something else?
There are complex answers to most of these questions.
For which problem do you believe "head[ing] on back to Firefox Land" will achieve a better result?
posted by blob at 7:42 PM on February 9, 2020 [2 favorites]
Every complex piece of software has bugs.
I agree with jbz, what are you asking? Are you worried about someone
* tracking your browsing
* stealing your personal information
* stealing financial data
* determining who you are by usage patterns
or something else?
There are complex answers to most of these questions.
For which problem do you believe "head[ing] on back to Firefox Land" will achieve a better result?
posted by blob at 7:42 PM on February 9, 2020 [2 favorites]
Best answer: I've got a conflict of interest here - I work at Mozilla - so feel free to take this with a grain of salt, but let's get into it.
Adblock Plus lets advertisers buy their way past their blocking lists, which I find distasteful; my personal preferred adblocker is uBlock Origin.
HTTPS Everywhere is... maybe a moot point now that Let's Encrypt has driven the price of certificates to zero, I think? 80% or so of the world's 100k biggest sites default to HTTPS now, so I don't know how much additional value it provides, but it can't hurt to stick with it. The DDG essentials are perfectly good.
More holistically, Google is getting pretty stingy about what they'll let addons do these days, particularly around content modifying and blocking, so if you'd prefer to support a browser that errs on the side of user agency, you might consider sticking with Firefox as an expression of that preference.
To jzb's point, "it is safe" isn't really a question you can answer in general. The only answers to "is it safe" are "sometimes, it's complicated" and "no", so more information here would be helpful.
The question is, if I'm using it to do X, will it protect me from Y risks; you need specific risks in order to make actionable choices. If you don't want your girlfriend to see your browsing history, use strong passwords on your computer and get on with your life. If, on the other hand, you don't want the Mossad to Mossad you (to borrow a phrase), well, you'd better get all the way off the internet or you're gettin' Mossaded, there's not much to be done about that.
I suspect you're somewhere in the middle. Can you tell us a bit more about your threat model and what you perceive your risks to be? Personally, absent a nation-state-level risk model I think most modern web browsers you can keep up to date would likely be reliable enough, and setting up a password manager, strong and unreused passwords and a 2FA token wherever possible is a better use of your time. Gotta keep it up to date though.
(def. use Firefox, btw, it's good)
posted by mhoye at 7:54 PM on February 9, 2020 [7 favorites]
Adblock Plus lets advertisers buy their way past their blocking lists, which I find distasteful; my personal preferred adblocker is uBlock Origin.
HTTPS Everywhere is... maybe a moot point now that Let's Encrypt has driven the price of certificates to zero, I think? 80% or so of the world's 100k biggest sites default to HTTPS now, so I don't know how much additional value it provides, but it can't hurt to stick with it. The DDG essentials are perfectly good.
More holistically, Google is getting pretty stingy about what they'll let addons do these days, particularly around content modifying and blocking, so if you'd prefer to support a browser that errs on the side of user agency, you might consider sticking with Firefox as an expression of that preference.
To jzb's point, "it is safe" isn't really a question you can answer in general. The only answers to "is it safe" are "sometimes, it's complicated" and "no", so more information here would be helpful.
The question is, if I'm using it to do X, will it protect me from Y risks; you need specific risks in order to make actionable choices. If you don't want your girlfriend to see your browsing history, use strong passwords on your computer and get on with your life. If, on the other hand, you don't want the Mossad to Mossad you (to borrow a phrase), well, you'd better get all the way off the internet or you're gettin' Mossaded, there's not much to be done about that.
I suspect you're somewhere in the middle. Can you tell us a bit more about your threat model and what you perceive your risks to be? Personally, absent a nation-state-level risk model I think most modern web browsers you can keep up to date would likely be reliable enough, and setting up a password manager, strong and unreused passwords and a 2FA token wherever possible is a better use of your time. Gotta keep it up to date though.
(def. use Firefox, btw, it's good)
posted by mhoye at 7:54 PM on February 9, 2020 [7 favorites]
I'd replace Adblock Plus by UBlock Origin, and add PrivacyPossum. As per the above, I can't tell you that would make it safe, but it would make things safer.
posted by Too-Ticky at 12:23 AM on February 10, 2020 [1 favorite]
posted by Too-Ticky at 12:23 AM on February 10, 2020 [1 favorite]
You might consider migrating to the Brave browser, which is specifically trying to occupy the as-safe-as-can-be niche. It's based on Chromium but has a ton of security features built-in and on-by-default. It's available for Linux.
posted by mcstayinskool at 8:27 AM on February 10, 2020
posted by mcstayinskool at 8:27 AM on February 10, 2020
Be warned: Brave has its own controversies.
posted by suetanvil at 9:07 AM on February 10, 2020 [1 favorite]
posted by suetanvil at 9:07 AM on February 10, 2020 [1 favorite]
Also: I've been using Firefox as my daily driver for years now and I've found it to be the least bad of the browsers. As mhoye said above, it appears to be the one most focused on keeping the users in control.
(I also have a Chrome installation that I use occasionally for sites that break on Firefox and/or my collection of extensions but that tends to be a last resort.)
posted by suetanvil at 9:16 AM on February 10, 2020 [1 favorite]
(I also have a Chrome installation that I use occasionally for sites that break on Firefox and/or my collection of extensions but that tends to be a last resort.)
posted by suetanvil at 9:16 AM on February 10, 2020 [1 favorite]
Response by poster: I agree with jbz, what are you asking? Are you worried about someone
* tracking your browsing
* stealing your personal information
* stealing financial data
* determining who you are by usage patterns or something else?
posted by blob at 9:42 PM on February 9
My personal information, that's everywhere — I just did a re-fi of my condo and they got a copy of *everything* and would have liked more, just because. Google will tell you my last three addresses, going back over 30 years. Financial data not as easy to get but damn sure easy for any bank or what-have-you.
I am not worried, I am incredibly annoyed that I am being tracked by remarkably competent tech people so they can sell me cat litter by some stupid jingle sung by festive, smiling toilets. This annoyance shot to high blood pressure annoyance after watching Edward Snowden on Joe Rogan's podcast, which pointed out to me (to us) how cell phones have made it increasingly easy for these trackers to find my fingerprints anywhere / everywhere. (Sting: every step you take / every move you make) Plus ol Jeff Bezos @ Amazon knowing my shirt size, he knows that I lean toward black shirts, knows that I like and then lose pocket knives, knows what is my preferred lube, knows what movies I like, on and on. Snowden pretty much assured me (us) hat I'm in a losing battle, but I can do a few things to maintain a shred of dignity.
I suspect you're somewhere in the middle. Can you tell us a bit more about your threat model and what you perceive your risks to be?
posted by mhoye at 9:54 PM on February 9
No way can I hide out from nation states, Snowden pretty much laughed that off — if any law enforcement agency "needs" to know pretty much anything, any move I've made in the past ten years, "they" can buy it, or more likely be given it freely, should they say that I'm "a terrorist, probably, or something" so that's gone. But I try to do what I can to not be tracked/fingerprinted by say WalMart, because I walked into their store.
So what I do:
a) LastPass password manager: With an impossible to break password to get to the stack of other impossible to break passwords in the vault.
2) Incognito: Pretty much any time I go from one site to another it's in an incognito window.
3) Google Voice (hangs head in shame) in one incognito window.
4) Hotmail (hangs head in shame) in another incognito window.
5) VPN purchased after long-ass head-scratching and contemplation at That One Privacy Guy's site. I've got the VPN on both browsers but it breaks almost *everything* through Firefox, so it is currently turned "Off" (hangs head in shame). That is one reason I've gone from Firefox. Also, Firefox has some other weird things going on on Linux Mint, and it's frustrating as hell to use it. (I have loved Firefox since The Dawn Of Time, I am one of the 29 people who actually *paid* 30 bucks to buy Firefox, when Microsoft was strangling and then burying them. Microsoft has done many good things and I'm too lame to leave a HoTMaiL address I've had with them for well over 20 years. Still, I wish them ill.)
6) Three times a week I clear both browsers, all cookies, all everything. (I wonder if Flash still has those cookies set for every youtube video...)
7) I've removed microsoft Outlook app from my cell, and use a shortcut to just to go hotmail address, without the whole Outlook thing tracking my every move.
8) Use VLC on cell and laptop, because I love what they stand for (or what it seems to me they stand for)
9) Removed Googles monstrosity and have only Google Voice on the cell. If that could be done on the laptop I'd do it but I can't find a way.
10) Looked pretty extensively for a replacement for Google Voice but have found nothing near as good, much less free. (Yep, I know, it's not free -- I'm the product.)
11) After the trouble(s) I've had using the VPN on this laptop, I look at my cell phone (iphone 7+) and shiver and shake, quiver and quake.
12) As I remember it, AdBlock Plus gave me an option to opt in to some sites that they did not find objectionable. Is it just naivete on my part to assume that they were telling the truth?
13) I have an old chromebook, considering loading that real lightweight Linux (Gallium OS) on it and using it exclusively for Google. Then using this laptop exclusively for Microsoft. Buying an el-cheapo Amazon tablet and use it for all of my Amazon jive.
(I did look into Brave but they seemed a bit tricky for my tastes, coming back to the same old same old -- wanting to harvest and sell our info.
If I could cut by half the finger-printing done on me I'd have lower blood pressure. (Actually my blood pressure is fine. It's just annoyance, and loathing, and hatred that I feel for these people, nothing that bounces up the ol' blood pressure.)
So I want just a little bit of privacy. I don't want anyone creepy-crawling up my machine and I don't want to be fingerprinted (probably by now it's past fingerprinting, and on a DNA level.)
Long winded — sorry. Your answers prompted me to consider a lot of things, not least how to correctly frame an AskMe w/r/t tech items.
posted by dancestoblue at 8:18 PM on February 10, 2020
* tracking your browsing
* determining who you are by usage patterns or something else?
posted by blob at 9:42 PM on February 9
My personal information, that's everywhere — I just did a re-fi of my condo and they got a copy of *everything* and would have liked more, just because. Google will tell you my last three addresses, going back over 30 years. Financial data not as easy to get but damn sure easy for any bank or what-have-you.
I am not worried, I am incredibly annoyed that I am being tracked by remarkably competent tech people so they can sell me cat litter by some stupid jingle sung by festive, smiling toilets. This annoyance shot to high blood pressure annoyance after watching Edward Snowden on Joe Rogan's podcast, which pointed out to me (to us) how cell phones have made it increasingly easy for these trackers to find my fingerprints anywhere / everywhere. (Sting: every step you take / every move you make) Plus ol Jeff Bezos @ Amazon knowing my shirt size, he knows that I lean toward black shirts, knows that I like and then lose pocket knives, knows what is my preferred lube, knows what movies I like, on and on. Snowden pretty much assured me (us) hat I'm in a losing battle, but I can do a few things to maintain a shred of dignity.
I suspect you're somewhere in the middle. Can you tell us a bit more about your threat model and what you perceive your risks to be?
posted by mhoye at 9:54 PM on February 9
No way can I hide out from nation states, Snowden pretty much laughed that off — if any law enforcement agency "needs" to know pretty much anything, any move I've made in the past ten years, "they" can buy it, or more likely be given it freely, should they say that I'm "a terrorist, probably, or something" so that's gone. But I try to do what I can to not be tracked/fingerprinted by say WalMart, because I walked into their store.
So what I do:
a) LastPass password manager: With an impossible to break password to get to the stack of other impossible to break passwords in the vault.
2) Incognito: Pretty much any time I go from one site to another it's in an incognito window.
3) Google Voice (hangs head in shame) in one incognito window.
4) Hotmail (hangs head in shame) in another incognito window.
5) VPN purchased after long-ass head-scratching and contemplation at That One Privacy Guy's site. I've got the VPN on both browsers but it breaks almost *everything* through Firefox, so it is currently turned "Off" (hangs head in shame). That is one reason I've gone from Firefox. Also, Firefox has some other weird things going on on Linux Mint, and it's frustrating as hell to use it. (I have loved Firefox since The Dawn Of Time, I am one of the 29 people who actually *paid* 30 bucks to buy Firefox, when Microsoft was strangling and then burying them. Microsoft has done many good things and I'm too lame to leave a HoTMaiL address I've had with them for well over 20 years. Still, I wish them ill.)
6) Three times a week I clear both browsers, all cookies, all everything. (I wonder if Flash still has those cookies set for every youtube video...)
7) I've removed microsoft Outlook app from my cell, and use a shortcut to just to go hotmail address, without the whole Outlook thing tracking my every move.
8) Use VLC on cell and laptop, because I love what they stand for (or what it seems to me they stand for)
9) Removed Googles monstrosity and have only Google Voice on the cell. If that could be done on the laptop I'd do it but I can't find a way.
10) Looked pretty extensively for a replacement for Google Voice but have found nothing near as good, much less free. (Yep, I know, it's not free -- I'm the product.)
11) After the trouble(s) I've had using the VPN on this laptop, I look at my cell phone (iphone 7+) and shiver and shake, quiver and quake.
12) As I remember it, AdBlock Plus gave me an option to opt in to some sites that they did not find objectionable. Is it just naivete on my part to assume that they were telling the truth?
13) I have an old chromebook, considering loading that real lightweight Linux (Gallium OS) on it and using it exclusively for Google. Then using this laptop exclusively for Microsoft. Buying an el-cheapo Amazon tablet and use it for all of my Amazon jive.
(I did look into Brave but they seemed a bit tricky for my tastes, coming back to the same old same old -- wanting to harvest and sell our info.
If I could cut by half the finger-printing done on me I'd have lower blood pressure. (Actually my blood pressure is fine. It's just annoyance, and loathing, and hatred that I feel for these people, nothing that bounces up the ol' blood pressure.)
So I want just a little bit of privacy. I don't want anyone creepy-crawling up my machine and I don't want to be fingerprinted (probably by now it's past fingerprinting, and on a DNA level.)
Long winded — sorry. Your answers prompted me to consider a lot of things, not least how to correctly frame an AskMe w/r/t tech items.
posted by dancestoblue at 8:18 PM on February 10, 2020
Firefox has some other weird things going on on Linux Mint, and it's frustrating as hell to use it.
You don't have to use the pre-installed Firefox. You can install it straight from Mozilla if you prefer that. Here you go: https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US
posted by Too-Ticky at 12:14 AM on February 11, 2020 [2 favorites]
You don't have to use the pre-installed Firefox. You can install it straight from Mozilla if you prefer that. Here you go: https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US
posted by Too-Ticky at 12:14 AM on February 11, 2020 [2 favorites]
In my opinion the guides "Basic security precautions for non-profits and journalists in the United States, early 2019." and "Security Guidelines for Congressional Campaigns", which are very similar and from the same highly respected group of experts, are the starting points for any security conversation. Any variation from them should be the result of a conscious, reasoned decision.
Fingerprinting is often not about cookies but about stuff like the uniqueness of your browser configuration or your IP address. For example if you visit Google from IP 1.2.3.4 while logged into one browser, and then five seconds later Google detects another request from an "anonymous" browser also at 1.2.3.4, they can guess it's you. Panopticlick has some information and an online test you can take.
You should be aware that Linux users are rare, Linux Mint is a niche within a niche, and Chromium a niche within that. That setup is not the way to go if you are trying to blend in.
I'd be careful about using a VPN. Here are some specific concerns. This comment on Hacker News by the extremely well respected security expert Thomas Ptacek has the wonderful quote "VPN services give you all the security of coffee shop wifi, but in the cloud."
posted by bright flowers at 1:42 PM on February 16, 2020
Fingerprinting is often not about cookies but about stuff like the uniqueness of your browser configuration or your IP address. For example if you visit Google from IP 1.2.3.4 while logged into one browser, and then five seconds later Google detects another request from an "anonymous" browser also at 1.2.3.4, they can guess it's you. Panopticlick has some information and an online test you can take.
You should be aware that Linux users are rare, Linux Mint is a niche within a niche, and Chromium a niche within that. That setup is not the way to go if you are trying to blend in.
I'd be careful about using a VPN. Here are some specific concerns. This comment on Hacker News by the extremely well respected security expert Thomas Ptacek has the wonderful quote "VPN services give you all the security of coffee shop wifi, but in the cloud."
posted by bright flowers at 1:42 PM on February 16, 2020
« Older I need an elegant solution to my bag problems . .... | Is there a mobile tech solution for event planners... Newer »
This thread is closed to new comments.
posted by jzb at 7:37 PM on February 9, 2020 [4 favorites]