by jl6 1690 days ago
Sure, I could review the source code. And then review it again next week when a change is released. I don’t want to have to though.

Trust matters.

I don’t trust Mozilla not to push ads, but I do trust them not to build in intentional backdoors and steal my personal data, because there’s a whole public organization there, with a reputation and responsibilities and heads that will roll if they are caught doing nefarious things.

You might ask why I trust thousands of other open source community led projects? Largely because they have built rep and get at least a minimal vetting via distro package management.

I’m not saying this fork is malware. But I don’t know it isn’t, and the browser is the #1 critical component that handles all my most sensitive data.

1 comments

Or just trace its network activity without a code audit.
Doesn’t help if the exfiltration only occurs monthly and you only monitored for a week, or if there’s something locally malicious, or if side channels are involved, or if it’s manipulating data sent to legitimate sites (e.g. instructions to your bank, while logged in as you).
Keep it on, you can keep a firewall on, locally malicious files can be seen on your machine and if they aren't transmitted what is the worry?

If it's manipulating data sent to legitimate sites you'd notice while you used it. These concerns aren't absent in other official browsers either.

Quite right that these concerns apply to any software, but they are significantly mitigated by sourcing software from organizations you trust.

There’s no way I would be able to spot the operation of malware-masquerading-as-browser without committing totally to a forensic examination of every system call it makes. Imagine how much attention you’d have to pay to stop it capturing your bank credentials and then making transactions in an invisible tab (the browser doesn’t have to render a site in order to interact with it).

But trust is just assumed and not a real security measure, trust just means you are not going to audit it.