Mozilla Firefox and Chromium in the new threat landscape: electron, browser security, forks, and Rust

By OpenGears. Published in CodeX, Apr 3, 2022 (8 min read).

TL;DR: Mozilla Firefox is the most secure desktop browser out there. If you are concerned, do your own research to harden Mozilla Firefox before installing exotic Firefox forks, as Firefox is still the most secure “out-of-the-box” browser, without the problems of the V8 JavaScript engine. The most relevant Firefox fork from a security perspective is LibreWolf, and hardening with Firefox Profilemaker and user.js modifications will give you the highest security you can get.

You can read and contribute to my list “tools and services for the nomad nerd”, where you can also support research and writing like this.

The worst of times: identity theft and cyber-threats are real

We are living in worrying times: COVID-19, war, and global cyber threats are in the news. With the rise of digitization and daily life moving online, a new wave of online “cyberthreats” is on the rise. According to Forbes, money is the attackers' motivation, and the valuable data they target are banking accounts, online credentials and cryptocurrency such as Bitcoin or Ethereum. But even if you are not into crypto, you are a target. On the platform “Have I Been Pwned” you can check whether your data has been obtained through a leak, and chances are you are reading this article from a browser with back-doors.

In a report released by Aite Group, 47% of US citizens experienced financial identity theft in 2021. Another statistic quantifies that every year 15 million Americans become victims of identity theft.

You should possibly start thinking about browser security.

Getting a more secure browser

Most often the browser is the weakest link in the chain, and Project Zero publicly tracked all known in-the-wild “zero day” bugs in browsers from 2015–2021. What is evident in the graphs: only the most common browsers (and Flash) have been looked at. Conversely, you cannot conclude that browsers and technologies not listed here are more secure.

Exploitation of browsers between 2015 and 2018.

WebKit, Blink and Gecko

Safari and Apple iOS browsers are based on WebKit. Chrome, Chromium, Microsoft Edge, Vivaldi and Opera are based on Blink (technically Blink is a WebKit fork, but already diverged). Firefox uses the Gecko engine.

Comparison of browser engines, en.wikipedia.org.

The world runs on Blink, and the V8 JavaScript engine

Over 85% of the world runs Blink (Chromium, Opera and Microsoft Edge, according to the latest browser market share reports), which makes for a rather large attack surface. The rest is divided between Safari and Firefox.

Nick @ The Linux Experiment wrote a great article in 2019, “Why every browser switching to Blink could be bad news for the web”, outlining the risks of such a monopoly. He argues that Vivaldi and Epiphany, as well as other Chromium-based browsers, are often overlooked.

Chromium is primarily written in C++, including the V8 JavaScript engine. V8 is also part of the Node.js runtime, which is in turn part of the Electron framework, also dubbed the “JavaScript Desktop”.

Here is the problem with that: if there is an exploit in the V8 JavaScript engine, browsers as well as applications are affected. So your desktop is effectively vulnerable: apps such as Slack, WhatsApp, Skype, Discord, Tusk and Visual Studio Code (VS Code) are all based on Electron (and therefore Node.js/V8).

Usage share of web browsers (2021), en.wikipedia.

The V8 JavaScript engine has been hit with exploits many times, and here is a list of the exploits of 2021, as well as CVE-2022-1096 from March 2022.

Google knows about these issues, and states on the Google Security Blog that “‘memory safety’ bugs account for 70% of the exploitable security bugs [...] we aim to write new parts of Chrome in memory-safe languages”.

The main information is put together in the Google blog post titled “An update on Memory Safety in Chrome” from September 2021. It describes how a lot of resources go into making the C++ part of Chromium safer, and outlines the different approaches being tried. It also mentions Mozilla directly (which is not uncommon, as Google is the main sponsor of the Mozilla Foundation).

“In parallel, we’ll be exploring whether we can use a memory safe language for parts of Chrome in the future. The leading contender is Rust, invented by our friends at Mozilla.” (Google, 2021)

Firefox, Rust, and memory safety.

Rust has been with Mozilla and Firefox for a while: the first major Rust components shipped with Firefox 56 (encoding_rs) and 57 (Stylo). The Mozilla project Oxidation keeps the history of Rust code in and around Firefox. First appearing in 2010, Rust was designed by Graydon Hoare at Mozilla Research, and Mozilla was the first investor in Rust.

In August 2020 Mozilla cut some jobs, and stopped development of the Servo rendering engine. In 2022, still more than 10% of Mozilla Firefox is based on Rust, and it makes the browser much safer, capturing most of the exploits.

How much Rust in Firefox? mozilla/gecko-dev repository statistics, Mar 2022: 3,415,930 lines of code in Mozilla Firefox are written in Rust. That accounts for 10.2% of the total codebase of Firefox. Source: /r/rust

Why Firefox is secure

Besides having over a tenth of its code-base written in Rust, Firefox does not use the V8 JavaScript engine, but its own JavaScript and WebAssembly engine called SpiderMonkey. It is used in Firefox, Servo and various other projects, and is written in C++, Rust and JavaScript.

There has been only one type confusion vulnerability in SpiderMonkey in 2019 (CVE-2019-11750).

Don’t base your security on obscurity!

There are a lot of other browsers built on Firefox. This is possible because Mozilla Firefox has been released under the Mozilla Public License, a free and open-source software license. Forks can be found via a web search, and there are lots: Cyberfox, PXCFirefox, Librefox, IceWeasel, IceCat, CometBird, and the list goes on. Wikipedia lists only 18 browsers based on Mozilla Firefox, and from this list only 5 are relevant today:

A common saying is that if you are using systems which are exotic, the attack surface is reduced. The basic rationale is that it is more expensive for malware authors to write code for systems not many people are using. This is true, but don’t forget that there are other bugs in software as well: just because they are not reported does not mean they are not there. Software supply chain attacks tripled in 2021, and do you remember Log4Shell?

In 2022, the developer behind the popular open-source npm libraries colors.js and faker.js intentionally introduced mischievous commits in the libraries to protest the Open Source Revolution (and the exploitation of open source through big businesses).

Supply chain attacks are not the only threat, though. Other attacks through browsers are code execution exploits (in the browser and through plug-ins), advanced persistent threats, man-in-the-middle attacks, DNS poisoning, SQL injection, cross-site scripting (XSS), UI-redress attacks, adware, browser-based crypto mining, and others.

From January 2019 to April 2020: Web-based attacks, ENISA Threat Landscape

Secure browsers

Mainstream browsers are secure, until they are not. There is a lot of incentive in finding zero-days, and recent discussions about Pegasus spyware and NSO Group have made it clear that the market for these exploits is roaring. Zero-day prices can go as high as $300,000 depending on the severity of the vulnerability, the complexity of the exploit, how long the vulnerability remains undisclosed, the vendor product involved, and the buyer.

Still, you should be using mainstream browsers where you can, that is ungoogled-chromium (Google Chromium, sans dependency on Google web services) or LibreWolf (Firefox stripped of telemetry, with uBlock Origin included and enhanced privacy).

LibreWolf is an independent fork of Firefox, with the primary goals of privacy, security and user freedom. This is the only relevant fork which is actively maintained. There are other web browsers based on Firefox, but these usually receive updates later and introduce new security risks.

Conclusion: remove Electron, use hardened Firefox where you can

I strongly suggest you use Firefox where you can, and replace Electron apps such as Slack and WhatsApp with their web versions running in a LibreWolf tab. For your regular Firefox installation, you can use Firefox Profilemaker and check user.js modifications to match your threat level.
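One way to check user.js modifications against a chosen threat level, as an added example that is not from the original article or from the Firefox Profilemaker project: the script parses `user_pref(...)` lines and reports every baseline preference that is unset or overridden. The baseline (real Firefox preference names, picked here as an assumption) and the sample file are constructed for illustration.

```python
import re

# Illustrative baseline chosen for this example (an assumption, not a list
# from the article): pref name -> value expected in a hardened profile.
BASELINE = {
    "dom.security.https_only_mode": True,     # refuse plain-HTTP page loads
    "privacy.resistFingerprinting": True,     # reduce fingerprinting surface
    "javascript.options.ion": False,          # optimizing JIT off
    "javascript.options.baselinejit": False,  # baseline JIT off
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return raw.strip('"')
    return int(raw)

def parse_user_js(text):
    """Return {pref: value}; a later user_pref() overrides an earlier one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ blocks
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # anchored, so "// user_pref(...)" is ignored
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs, baseline=BASELINE):
    """Return (pref, expected, actual) for each baseline pref unset or different."""
    misses = []
    for name, want in baseline.items():
        got = prefs.get(name)  # None: the pref is not set in user.js
        if type(got) is not type(want) or got != want:  # 1 is not accepted as true
            misses.append((name, want, got))
    return sorted(misses, key=lambda m: m[0])

# Constructed sample user.js, not taken from a real profile.
SAMPLE = '''
// user_pref("privacy.resistFingerprinting", true);   commented out: not applied
user_pref("dom.security.https_only_mode", true);
user_pref("javascript.options.ion", false);
user_pref("javascript.options.ion", true);  /* later line wins */
user_pref("network.trr.mode", 3);
'''

if __name__ == "__main__":
    print(*audit(parse_user_js(SAMPLE)), sep="\n")
```

The same audit also works on the profile's prefs.js, which uses the same `user_pref(...)` syntax and shows the values that are actually in effect after Firefox has applied user.js.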


Please follow me on Medium and on Twitter @audiores, and let me know in the comments if you have any other feedback or additions to this writeup. Please support me by ordering your Trezor 2FA and cryptographic assistant via this link.
