Just compare the amount of code execution CVEs found on a yearly basis and the level of severity of each. Then think of how Firefox has much less marketshare than Chrome (FF sits around 8% and its share keeps going down year by year), so Chrome should be a more interesting target for hacking.
Then come back and tell us which browser has the lesser amount, and when some are found, which is most likely to have the more severely exploitable vuln.
FWIW, though I'm an avid supporter of Firefox and use it, my very consistent observation is that security experts believe,
* Chrome/Chromium is more secure against attacks by governments or criminals (i.e., attacks against the integrity of the system; I can't think of the right word).
* Firefox may be more secure against advertising and corporate confidentiality attacks.
* Firefox with certain add-ons, too technical for most users, may be as secure as Chrome/Chromium.
The fundamental difference is that Google is a gigantic engineering organization that dedicates enormous resources to security, benefiting Chrome directly and indirectly. Over the years, lots of work has been done to ensure and improve its security at a design and architectural level.
Firefox, as this announcement shows, is just getting around to freeing itself from design decisions which may have made sense over a decade ago when Mozilla had 'software suite' ambitions but we now know are a liability for something with the security demands of a browser.
> design decisions which may have made sense over a decade ago when Mozilla had 'software suite' ambitions
It doesn't change your overall point, but I think this part is incorrect. AFAIK abandoning those ambitions was the reason they left Seamonkey behind and developed Firefox.
Firefox started well before Seamonkey was spun out, and they continued with Thunderbird anyway. But the details of the history of the ambitions don't matter, what matters is that these architectural decisions were made a long, long time ago but their consequences are still there. You can decide you're not going make an app suite, that doesn't magically re-architect the internals of the product you have. Take a look at this announcement from Netscape, in 2000 (AD):
> You can decide you're not going make an app suite, that doesn't magically re-architect the internals of the product you have.
I'm not sure how that applies. Firefox wasn't magic; Mozilla rewrote their browser intentionally and put a lot of resources into it.
> Firefox started well before Seamonkey was spun out
My understanding of that statement is that they didn't drop the old product until the new one was succeeding in the marketplace. I'm not sure how that impacts what I said.
Firefox wasn't magic; Mozilla rewrote their browser intentionally and put a lot of resources into it.
No no, they didn't. Firefox and Mozilla (and even later versions of Netscape) share the same architectural underpinnings. That's sort of the intent and cleverness of it, it's really an entire system for writing cross-platform apps, with its own 'language independent' component model, gui layer, etc. The things that made Firefox possible also made all-powerful Firefox extensions possible. Much of that architecture is still around. In the intervening years, it's become obvious this is not necessarily a good way to build a browser. Which is why they are dropping XUL/XPCOM extensions. If they'd 'rewritten' it, they wouldn't need to do that.
My understanding of that statement is that they didn't drop the old product until the new one was succeeding in the marketplace.
I'm talking about common architecture, not products. If you're unfamiliar with it, just scroll through this
> It's the most secure browser available. That's a not a 'might be legitimate' use case.
It may be Jesus on a popsicle, but I'm not going to trust something distributed via drive-by-installers, marketed through SPAM and made by the world's biggest data-hoarder and privacy-invader no matter what.
It's adware/malware short and simple.
Make it 100% FOSS. Remove any technical connection to Google. Don't require Google-logon to sync. Only distribute it to users who actually asked to have it installed. Etc etc.
At that point I might consider starting trusting it. Not before.
No, not at all but by the vehemence of your reply, you make it sound like Chrome or Chromium force you to give these things to google. And I don't think they do.
