The goal of this project is to provide information (and maybe an extension/policy) to setup Chromium/Chromium to get the best out-of-the-box application security & privacy.
Chromium was not made by Google, it's a web browser 'developed' (based on parts of the original source code from Chrome) by volunteers and released under FLOSS. There exist bunch of alternative forks of it with additional features in it.
Most core developers are Google employees, you can easily see this in their bug reports (eMail/name) etc, that they work for the Chromium project as 'volunteers' and release the source code but in reality they work for the mother Google, that said not all of them.
A fork means that Google takes the original source code of Chromium and they adding some bits of code and tools (like for example Flash Player (now removed), RLZ etc) Google Chrome itself is either open-source nor proprietary, it's freeware under Google Chrome's Terms of Service. Googles Privacy policy can be reviewed here.
| Feature | Chrome | Firefox Quantum | Description |
|---|---|---|---|
| Startup Memory | Chromium consumes overall more memory than Firefox, but starts up faster - Chromes kernel requires more resources | ||
| Multi-core system integration | Chrome ones is older and more reliable because it's longer tested | Firefox isolation feature is (by default) limited | Both perform equal, depending on the used API |
| JavaScript performance | // | // | Equal? (depending) |
| Synthetic Octane benchmark | 45169 Points | 43246 Points | |
| ARES-6 Browser Benchmark | ~ 21 sec | ~ 50 sec | Test link |
| WebXPRT Test | ~ 275 | ~ 300 | Several API tests |
| Basemark | ~ 1420 | ~ 810 Points | Lots of different tests (encryption etc) |
- Firefox browser trusts DarkMatter CA certificate to cause security industry controversy (see here how it could be abused) However, this one is questionable and controversial because there is no audit or sign that this was abused
- Firefox Users Cry Foul Over 'Mr. Robot' Ad Installed As Research Program [2017]
- Firefox Shield Studies - these studies are separate from the normal telemetry
- Cliqz acquired by Mozilla
- Firefox tracks users with Google Analytics in the add-on settings [2017]
- Most concerns can be destroyed using about:config.
- Firefox has forks in order to (by default) opt-out (without any need of altering about:config). E.g. Waterfox.
- Mozilla responds to Booking.com Snippet Concerns; “It was not a paid placement or advertisement. We are continually looking for more ways to say thanks for using Firefox."
Isn't it funny that Firefox Wikipedia page has not any section related to Mr. Robot and safebrowsing privacy concerns while Chrome has this mentioned?! Remember Firefox (by default) has also in fact more studies and telemetry integrated in his browser! They even call telemetry in the article as security feature. Is this objective written - I very much doubt it.
- ZERO no additional studies or additional telemetry. The stuff which is send back is exactly the same like Mozilla does. Safebrowsing, Malware (Phishing filter updates etc).
- Google sells (officially) only ads.
- Most concerns can be destroyed using about:flags.
- Chrome has forks (Chromium) in order to (by default) opt-out (without any need of altering about:flags). E.g. Cent Browser.
- Chromium generally supports the latest HTML features sooner
- Firefox generally supports the latest Javascript features sooner
- Both have mobile versions
- Both manage bookmarks
- Both have a useful dashboard startpage
- Firefox is more extensible
- There are countless themes and extensions, and there's an advanced Customize mode to change the placement of anything on the screen.
- Firefox has an advanced user profile system that's easy to backup
- Both support syncing browser data and preferences between multiple installations, including on mobile
- Firefox allows non-tabbed mode, Chromium does not
- Firefox allows traditional style menus, Chromium does not
- Chrome was the first browser which by default introduced adblocking without any extension (Android Chrome version got it first)
- Some extensions like e.g. Ghostery lacks features compared to the Mozilla version
- Chromium has a Downloadbar and limited support for Greasemonkey, Tapermonkey Userscripts by default
- The Firefox extension API is far more powerful than Chromium's; every part of the browser can be customized
- Mozilla adopted WebExtension API which technically can run Chrome/Firefox extensions but it's messy (atm)
- Both extension/theme/plugin stores getting daily scans to avoid malware
- WebKit/WebExtension seems the today's default
- Firefox uses Yahoo as its default search engine in North America, and other search engines in other regions
- Chromium uses 'Google' as its default search engine
- Firefox Sync can be hosted on your own server, and uses a zero-knowledge architecture. Chrome Sync only syncs to Google servers but's encrypted.
- Both support private sessions where there is no history saved (private/incognito modes)
- Chromium natively supports WebRTC, just like Edge and Firefox do as well. WebRTC basically can return your IP info if queried, but your browser's usual HTTP headers return IP info and a wealth of other metadata anyway. The potential privacy concern is WebRTC providing IP info if located behind e.g. a VPN or anonymous proxy, so if either apply, block the WebRTC query (among other things) with an extension. If neither apply, then it is pretty much no point of talking about security (no matter which browser).
- Both Firefox and Chromium extensions may send private/usage data to somewhere (with prior warning)
- You can change the default search engines of both to services like DuckDuckGo
- Users can easily disable features of Chromium that remotely use Google-services
- You can selectively enable Chromium's extensions for private sessions
- You can use NoScript in Firefox and µMatrix (formerly HTTP Switchboard) in Firefox and Chromium to greatly enhance your privacy
- Both support the HTTPS Everywhere extension from the Electronic Frontier Foundation
- Both can be configured to use TOR, but the TOR project recommends configuring Firefox or using the Firefox-based Tor browser
- Firefox allows extensive control over which elements of the browser run and transmit data. These can be changed in the about:config page
- Newer versions of Chromium require you download extensions from the Chrome web store or manually install from a local file
- None browser is perfect this is due -> we still using outdated protocols and usability
See this documentation for more details regarding to the default profiles.
Windows: C:\Users<username>\AppData\Local\Google\Chrome\User Data
MacOS X: ~/Library/Application Support/Google/Chrome/
Linux: ~/.config/google-chrome/
The MEI is determined by a ratio of visits to significant media playback events per origin, determined by these four factors:
- Consumption of the media (audio/video) must be greater than 7 seconds.
- Audio must be present and unmuted.
- Tab with video is active.
- Size of the video (in px) must be greater than 200×140.
Google is evaluating sites based on the Better Ads standards and then rating them as a pass, warning, or failing. Site owners can access these evaluations using an API, and sites can be re-reviewed after bad ads have been addressed.
I'll explain in short the privacy concerns and if it's true or already outdated or already fixed.
The official Wikipedia privacy concerns (User tracking concerns) is outdated.
| Privacy concern | Explanation |
|---|---|
| Chrome sends details about its users and their activities to Google through both optional and non-optional user tracking mechanisms. | Google already explained this right from the beginning since 2008 with a Blog post. The privacy settings can also be manually controlled as explained over here. This is in the meantime an common technique in all current Browser starting from Firefox over Opera and even Edge has some kind of safebrowsing mechanism, safebrowsing itself doesn't contain any personal information which can expose you or your browser habits. The only critical thing someone can find here is that these data are stored locally into your Browser Data folder. |
| Every URL you even begin to type in the address bar is sent to Google, in whole or in fragments, for auto-completion purposes. | It's called Omnisearch and can be disabled since many years in Chrome via about:flags. Google explained how you disable it. The Google URL Search prediction (or link prefetching) can be disabled, after that and clearing the Browser Cache it will only show results based on your Offline Browser History. |
| Connects to Google every 30 minutes to download a list of malicious URLs, so the fact that you even have Chrome open is transmitted to Google. | This is a protection mechanism in order to protect you from malware. You can disable it in the options since many years. |
| Asks you to login to your Google account, so your browsing tabs, history, etc. is stored on Google servers. | Login is optional since forever and always will be. Every Browser nowadays have a login function. |
| Connects to websites in the background before you are even finished typing them in, without your explicit instruction. | This is a prefetch option to predict stuff to load content more quickly. This doesn't expose you and is not relevant to any privacy aspect. If you don't like it disable it via about:flags. |
| Contains an RLZ identifier, an encoded string sent together with all queries to Google. | RLZ source code was released exactly one week after it got integrated. RLZ will never be send when you install Chrome from official sources. It's however true that on Android it's more problematically but you can use a Chromium based Browser (fork) which doesn't include the RLZ source code. |
| clientID | The clientID (unique one) was removed already since Aug. 2009 due privacy concerns but no one ever add any proof that this exposes you or fingerprint/track you. |
| Page not found | This is not even a tracking method, it's a 404 which are displayed in order to inform the user that the URL/Domain is not reachable. You however can change this behavior with a cached version since Chrome 55. |
| Google Update | This is also not a privacy concern, every Browser has an integrated update mechanism. Using the latest versions which contains security bug fixes is important and the opposite of an privacy concern. Since Android P Google even started to force OEMs to push more frequently security updates for normal users which should help to get less vulnerable. |
| Other features like Do not Track & Co. | Can all be controlled (disabled/enabled) within settings. |
Privacy related issue tickets can be found here.
About Ungoogled-Chromium
Ungoogled-Chromium project has major weaknesses too so before you recommend this browser as alternative think about the following:
Update as of September 2016:
I, Eloston, am in a period of time where I do not have as much time as I had before to work on this project...
~~~
Update 9/29:
Our favorite infosec expert (whom we’ve cited before on a few matters) SwiftOnSecurity, let us know today that Ungoogled Chromium is a student project and doesn’t have the ability to update itself (and likely hasn’t been updated.) In that regard, we can’t recommend it...
In other words it has no auto-updater mechanism integrated, this is for advance users no problem they can use some tools/scripts or manually download and install it but the normal user will never do this. However, in the meantime some things has changed, it more often gets updates now which is a good sign but this is no guarantee for code quality which applies to every Browser or Fork. The release page by itself mostly only provides the source code until the project manager decide to release a new version which is then always behind other forks because it needs to be reviewed over a long(er) time period.
Using scripts and updater tools can be dangerous when they suddenly starting to download official Google builds, as shown here which the user is only aware of after everything happened. and Windows Users now need such an updater/downloader in order to get the binaries, read here basically this means you must trust someone else because most users will blindly install it and not compile it themselves. I see this as very critical.
The following integrations are "controversial"
- Anchor ping attribute - often called "Hyperlink auditing" or Hyperlink ping
- Features wich sends data back to google, such as safe browsing & spell check
- URL tracker (chromium_src/chrome/browser/google/chrome_google_url_tracker_client_browsertest.cc)
- Background sync
- Battery API, WebUSB API, WebBluetooth API
- Cloud Messaging, Firebase, Push Client
- DNS prefetching
- Domain reliability service
- Google GAIA Login
- Metrics reporting
- Network Time Tracker
- RAPPORT
- Remote debugging
- Report Uploader
- WebRTC log uploading service -
chrome://webrtc-logs
Conclusion
Chrome is not more or less tracking anyone then all other Browsers on the market. Other Browsers in fact trying to imitate Chrome and his features such as Chromecast detection which is often misleading called as background spying because it sends every X minutes requests in order to check if the service is available or not among other features such as Captive portal checks.
Browser Forks mostly only removing integrated functions which is maybe the best way to prevent from a privacy perspective additional damage. An global opt-out for certain integrated features is definitely the better method, you can read about how you do this (with examples) here.
Statement 2019
I write this as neutral as possible based on the research I did over the couple years.
Okay now, in 2019 I checked the Wikipedia link again and compared it with the Firefox Wikipedia article. It is (still) beyond me why the Firefox article never got a "criticism" section like almost all other listed browsers on Wikipedia. Mozilla made several serious mistakes (same like Opera, Chrome, etc.) and all of the incidents are nothing but past. They got on both sides fixed - Mozilla responded and Google did the same. In fact Mozilla had more security & privacy incidents over the couple years (see research) which are not even mentioned on Wikipedia (Mr. Robot etc.). In my point of view Wikipedia has the responsible for an "objective" article and apparently there are huge interest to suppress Google (or to push Mozilla) with facts which are years old (and outdated) or even wrong. I already debunked all myths above and now I'm going to mentioned the so called "spying" code, which is in fact documented since day one. Are they controversial? Sure, no doubt about it.
Assuming Google abuses these APIs is nothing but wrong since there is zero evidence. The only real evidence you can find is the location story which also affected iOS, the problem here is that no one finally could say if it was a bug or on purpose. The Google Play Services file is huge, commplex and controls several security and privacy related API's. The service also updates itself in the background and it's difficult to say if the location tracking was maybe only an incident or a result of an outdated APK file, the topic is complex and there are both sides (not only one).
The API's are designed (and documented) in order to help developers & webmasters to improve/track their extensions/websites, nothing more and nothing less, the rest of the rumours are in 99% without any real evidence.
Misunderstanding on purpose?
Some people constantly "WANT Chrome to spy", there are developers which need/want those mentioned API's (see Google's "spying code") and on one hand it makes sense to integrate them while other people might arguing that they don't need them or raising their own privacy concerns. Keep in mind that the Browser itself contains not only the "Browser part" it also includes other projects to e.g. render PDF's & more. The question in my opinion isn’t whether someone is collecting data, it’s whether someone is able to, which means if you distrust corp. X you have to automatically distrust corp. Y too.
Does Chrome spy?
NO, from a developer perspective the Browser does not spy. As said above, the integrated APIs could be abused but other Browser also including them (for example the Battery API is also included in FF to name only one example which could be used against you to track you) and you might be able to disable them via settings/options or flags, sadly not all can be disabled or only with "huge" effort. This is more a general question what "the web" should allow and what not. However, there is no evidence of a "keylogger" or other stuff which people usually excusing Google.
In the last 6 years whenever I read something in the news about "Chrome spying" I saw zero, right zero (!) evidence for such claims. I see clickbait articles (Chrome has more market shares than Firefox -> higher interests) with strange arguments, like that Chrome would collect all your files, this is incorrect, there was in this case an advance option to enable/disable it. So what, Firefox does the same to improve their products. There are many other examples like this. I think we can agree that every such controversial toggle should be opt-in my default and not opt-out but this is most likely not going to happen.
Can security be archived without tracking?
I say no, in fact I log everything whats going on on my PC, Router and my devices otherwise how could I ever know if I'm compromised or not? I guess that's why Google created the dashboard to review your options. Apparently, some people never heard of it or never reviewed their options, as a result we get a lot "why google tracked me" topics. It's a feature because your login is used for many websites and Google products. Or how else do you guarantee that no one broke into your account if you can't see when you where logged in the last time with which device?
Does Google has an interest in collecting data?
YES, of course and that's what people complaining about, it's controversial. The real problem here is that people which want opt-in/opt-outs do not get everything what they want and this is maybe the biggest point you can find when it comes to the privacy discussion. This is basically the reason why forks exists, to address exactly this. The question we should ask is if a Browser should be allowed to collect any data (debug, tracking etc.) because we can assume that everything can be abused - this is the real question and not only affects Chrome. Browser development and bug bounty programs are also not really cheap. and most people have no interest to search for holes in your program when there is no reward, because you basically "waste" your lifetime in order to improve the product. Open Source is not really an argument because open source is in general not meant to be a "money making machine", of course there might bbe some whiteheads but that's not the norm. Speaking of how they get money, mostly ads, donations or search engine deals. You see, you can't destroy the web and remove ads or search engines, at some point they all need mooney to survive, this is okay and not really an argumentation point.
Real problems
- Transparency
- Trust - it is not a renewable resource which affects all, Firefox, Opera, Google & others.
- Cookies and its pervasive advertising network and partnerships
- Login? No one in the world, not Google or Mozilla forces you to login into the Browser to sync your stuff. You still can backup everything offline in every browser.
- Private modes are pointless, not Firefox nor Chrome providing a "maximum secure" Browser out of the box because this would destroy the web and break many many websites.
- Are ads etc bad? What about the people which actually need the clicks/ads to survive? Blogger etc.
- Google, Firefox made mistakes - it's simply a learning process, you never did any mistakes right?! The market is hard and you can't satisfy each an everyone.
- Every blogger or website can decide to use Google Analytics (Mozilla bzw uses Googletagmanager) or not. No one is forcing you to do that. Brave uses rewards which is a cool and "fresh" idea.
- Misunderstanding from non-technical persons. Just because there is a background connection doesn't automatically mean something is "spying". There are legitimate things like Chrome Cast support which are implemented in order to make your life easier. The criticism point here can only be that there should be an option to disable it.
- Ignorance, stupidity & laziness - That's why most of the mentioned stuff exist, people expect to get everything as easy as possible without thinking about the consequences. The browser is much more than a Browser, it's a PDF reader, media player and much more.
- Control, maybe the biggest point when it comes to Google & privacy. They are in a good position to dictate the web (if you check the page Chrome is not mentioned with any word) and this is dangerous.
My personal note
I think both browsers terrible failed, Firefox and Chrome. Both are trying to gain user trust by implementing more and more "privacy gimmicks" and the changes are slowly going "mainstream". However, I constantly ask myself why we need configuration tweaks, extensions X in order to gain the privacy which all of these Browser promising us. That said here is what ever Browser should integrate, adopt or change (in my opinion).
- Listen to your own community, this is maybe the biggest and most important point, the community always knows best because they are the ones which at the end using your product.
- If you're unsure, don't hesitate and ask. It's no shame to ask your community if you lost your way or if you want input on a good idea.
- Get rid of idiotic modes like incognito, or private modes. This is a terrible idea, if you promise a secure and private browser then you don't need it and implement it by default for everyone straight from the beginning.
- Several forks already started to implement ad-blocking, HTTPSE & other "gimmicks". Which are helpful when it comes to giving the user control (privacy) back. The correct way should be to get such developers on board and adopt these into the browser, so that everyone can get the same benefits.
- Find a balance! Ads are okay unless they are malware or annoying. I think most people would not enable ad-blockers for page x if they know the ads they seeing are not annoying, possible dangerous or can compromise your security somehow. There are pages which placing their ads so that they are not bothering you while you read or click on the website.
- Think about alternatives and out-of-the-box. Do you really need Google tracking on your website?! How about a donation system or merchandise. No ads, no ad-blocker or script-blocker needed! It's that easy!
- Be open! Don't integrate telemetry in daily builds! You have a dev/beta/canary/RC version? So why not implement it there?! Most people simply don't want and like telemetry on their daily browsing habits because it makes them feel like they are the product.
- Provide Installers/Options for "power-users". Every browser installer I've seen so far are stuck in the 90's. There is no setup which gives you the ability to use pre-made configurations/profiles or to remove/install feature X.
- None of the Browser was able to implement an simple extension to integrate Tor functionality. Maybe a hint...
- Privacy "blah", just do it! Don't promise. DO IT!
- Check the priorities and get a identity, don't change like a flag in the wind.
- Adopting features from other Browser is okay, but don't overdue it not every change Browser X does has to be copied, especially not if it#s bugged (autoplay ... hm).
MS did a good job with Edge, however the new Edge (Chromium based) seems even better compared to the original Chrome Browser. It adds a lot of "requested" features into it and some functions are quite unique. Privacy wise it's a step forward compared to Chrome.
- MS Edge has, overall the better privacy & performance
- MS Edge provides built in tracking protection like in Firefox has
- DRM (4K Netflix) works (compared to Firefox and Chrome) really good
- The advanced safe download protection (Windows Defender) function is unique compared to other Browsers (Google mentioned such a function will be introduced only for Enterprise users).
- MS Edge does not "care" about Google's Manifest which means ad-blocking will always be possible
- The sync between mobile option is not bad, compared to other solution, this one offers ad-blocking support (on Android).
- Baselines of Web Browsers
- Browser Sec Whitepaper
- Cent Browser
- Chrome Browser for enterprise
- Chrome Profiles
- Chrome Security FAQ
- Chrome Vs. Chromium
- Chrome removed the enable_webrtc=false flag (which means no more No-WebRTC builds)
- Chromium Updater Script by mkorthof
- Chromium WPAD detection
- Compile Chrome on Windows
- Custom DNS names in Chromium
- DNS caches can be used as cross-domain persistent cookies
- How Chromium works
- Microsoft Edge Insider Channels + (Source Code)
- NoScript whitelist
- Official Chromium Security tracker
- Official Google Chrome Group Policy Templates & Guidance
- Official System Hardening Guide
- Opt-out/opt-in selective on every Google Service
- POTARC
- Privacy disrespected (by default)
- The Private Life of Chromium Browsers
- The story of why Chrome and Firefox will soon block sites with certain SSL certificates
- Transitioning from SPDY to HTTP/2
- Why isn't passive browser fingerprinting (including passive cookies) in Chrome's threat model? *ref
- https://bugs.chromium.org/p/chromium/issues/detail?id=795526
BetterFirefox
- PowerShell script to get the latest build of Chromium directly from the Chromium Project
- CRXcavator - Submit a Chrome Extension ID in order to inspect it
- Web Developer's Guide to Prerendering in Chrome
- Google Chrome Privacy Whitepaper updated frequently by me & other people