this post was submitted on 22 Mar 2025
297 points (83.7% liked)

Technology

67474 readers
4139 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
297
Zen browser had a backdoor enabled by default (github.com)
submitted 4 days ago* (last edited 4 days ago) by cyrano@lemmy.dbzer0.com to c/technology@lemmy.world
79 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] priapus@sh.itjust.works 60 points 4 days ago* (last edited 4 days ago) (2 children)

I'm not sure why you linked to this irrelevant 3 week old issue while referring to something that was fixed a year ago. Referring to it as a backdoor also implies that it was malicious, when it was simply incompetence. Have there been any security issues since? (Not trying to imply that not having any would make it safe, just wondering).

Zen is an amateur hobbyist project, expecting it to be something else is silly. It isn't backed by a company, so you take on these risks when you use the project. The same thing goes for all community run browser forks, and unfortunately, using upstream browsers will 100% be more secure. If you don't want to take those risks, just use Firefox (preferably hardened).

Security costs money, open source browser forks generally don't have much of that.

Edit: I'm not trying to shit on this browser, or even say that nobody should use it. Be aware of your attack surface and know what risks you're taking on when using any piece of software. I'm probably still going to play around with Zen, but I probably won't be doing my banking on it.

[–] Wildly_Utilize@infosec.pub 16 points 4 days ago* (last edited 4 days ago) (1 children)

I'd like to take this opportunity to say Mullvad browser is maintained by Mullvad and Tor Project which in my eyes sets it way apart from these hobby forks (including librewolf)

[–] priapus@sh.itjust.works 7 points 4 days ago (1 children)

I agree, Mullvad is the only fork that I have confidence in the security of (ignoring Tor ofc since it's not really for general use).

[–] pastermil@sh.itjust.works 2 points 3 days ago (1 children)

I'll bite: what's wrong with LibreWolf?

[–] priapus@sh.itjust.works 3 points 3 days ago (2 children)

It just lacks manpower unfortunately. Going with a browser that has the funding for a security team is the safer option.

[–] michaelmrose@lemmy.world 1 points 2 days ago (1 children)

Librewolf is firefox with different settings how does it not already benefit from Firefox's security team

[–] priapus@sh.itjust.works 1 points 2 days ago (1 children)

It does, but less than Firefox does. Their lack of manpower means delayed updates to fix zero days compared to Firefox. It also means less eyes on any patches introduced, so I'd be more concerned about malicious code being introduced.

[–] michaelmrose@lemmy.world 1 points 2 days ago (1 children)

Their lack of manpower means delayed updates to fix zero days compared to Firefox

From their site:

LibreWolf is always built from the latest Firefox stable source, for up-to-date security and features along with stability.

As soon as firefox pushes a release, for instance to fix a security vulnerability, librewolf can immediately rebuild It is literally just firefox with different setting. Delay between firefox release and librewolf release should be negligible. You can verify this by noting that 136.0 was offered on the same day.

https://codeberg.org/librewolf/source/commit/2b90daeb5aa5a80443f4f7655393f610fb16418a

https://www.mozilla.org/en-US/firefox/136.0/releasenotes/

The difference in time between firefox and librewolf security updates is less than the variance between users updating their machines.

[–] priapus@sh.itjust.works 1 points 2 days ago* (last edited 2 days ago)

I'm not saying Librewolf is insecure, I'm just saying its a bit less secure. They generally do a good job keeping up to date, but there can be delays if an update conflicts with their changes.

Librewolf is not just a Firefox config. You can look at the repo and see a number of patches. Without a paid security team to review these patches with every update, it is less secure.

I'm not saying not to use Librewolf, the likelihood of a zero day specifically targeting it and effecting a significant number of users is very unlikely, simply based off of the size of its userbase compared to more mainstream browsers.

[–] pastermil@sh.itjust.works 1 points 2 days ago

Thanks! Makes me wonder if there's a chance all this separate effort can come into one.

[–] priapus@sh.itjust.works 6 points 4 days ago* (last edited 4 days ago)

Also want to add that this was caused by a configuration issue. If you want security, don't use Firefox (or its forks) default configs, look into Betterfox. Apparently Zen also uses this as the base for its default preferences, which is a good decision.