Submitted by [deleted] in Tech (edited)

13


quandyalaterreux wrote

Reply to comment by !deleted24215

Pale Moon is a security train wreck, it doesn't even have a basic sandbox. (Let's not even speak about your browser fingerprint under Pale Moon)

3

mima wrote

I know this is 3 months old, but to call PM a "security train wreck" is not justified. Pale Moon separates application from content in its code. The "sandboxing" aka e10s applied by Firefox is the real security train wreck. Most of the security bugs in Firefox are actually in e10s. Ironic how a security feature becomes insecure. That's what happens when you complicate the code. If you want to sandbox Pale Moon, use firejail.

I agree with the browser fingerprint argument though. If you want a privacy-oriented browser, then neither Firefox nor Pale Moon is for you. Use Tor Browser, and stick with its defaults.

Relevant reading: https://forum.palemoon.org/viewtopic.php?f=65&t=22399&p=169753

2

quandyalaterreux wrote

> I know this is 3 months old, but to call PM a "security train wreck" is not justified. Pale Moon separates application from content in its code. The "sandboxing" aka e10s applied by Firefox is the real security train wreck. Most of the security bugs in Firefox are actually in e10s. Ironic how a security feature becomes insecure.

The point of a sandbox is so that a single exploit to your browser tab doesn't lead to an RCE. With e10s you need both an exploit to the browser AND the sandbox for you to get an RCE. Firejail is of course not sufficient.

The other elephant in the room is that modern browsers are millions of lines of code with a big list of dependencies, and to provide any meaningful security requires full teams to just keep up with the pace. Unfortunately I don't think Pale Moon has enough people to handle that and they should be honest about it.

3