Comment by Imustaskforhelp

Comment by Imustaskforhelp 10 months ago

7 replies

View on Hacker News

I agree & disagree.

Browsers are very important part of our life. If someone compromises our browsers , they basically compromise every single aspect of privacy and can lead to insane scams.

And because arc browser is new , they wanted to build fast and so they used tools like firebase / firestore to be capable of moving faster (they are a startup)

Now I have read the article but I am still not sure how much of this can be contributed to firebase or arc

On the following page from same author (I think) https://env.fail/posts/firewreck-1 , tldr states

- Firebase allows for easy misconfiguration of security rules with zero warnings

- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information

So because firebase advocates itself to the developers as being safe yet not being safe , I think arc succumbed to it.

firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,

Also , you say that you have been convinced to never use arc again.

Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

this is just recently discovered , just imagine if something more serious is also just waiting in the shadows Couldn't this also be considered a major security vulnerability just waiting to be happen if some other exploit like this can be discovered / google.com is leaked and now your cpu information and way more other stuff which browsers shouldn't know is with a malicious threat actor ?

nine_k 10 months ago

I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.

And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".

With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.

Reply View 1 reply
  • Imustaskforhelp 10 months ago

    hmm interesting. Other thing to add is if we treat it as a ssh server , we actually won't try to go out and break things.

    But I think that was the whole point of arc , to break the convention and be something completely new

    and I have a reason why

    They were competing with the giants called google , safari , firefox which have insanely large funding and their whole point was trying to sell something later built on this arc browser.

    and since chrome , firefox etc. don't try to come up with these ideas because well security reasons (which I agree to / as seen in the post)

    I think arc wanted to seperate itself from chrome / firefox and that's why they became a bit reckless you could say since this exploit was available.

    Also the other thing I want to convey , is that "With that, I don't see much exploit potential in learning stats like the number of cores on your machine"

    this was only recently discovered. Just imagine the true amount of exploits in these proprietory solutions which we don't know about.

    Yeh. Just like a ssh server , I would personally like the source code to be available but developing browsers is time consuming and money intensive for developers but ladybird exists , but its in beta.

    that being said , not open source is also that private , (xz) , but atleast it got discovered way quickly and was able to mitigate it quickly

    Reply View 0 replies
prmoustache 10 months ago

You do know that there are more than chrome and arc right?

Reply View 1 reply
  • Imustaskforhelp 10 months ago

    I understand. I use firefox / earlier used librewolf

    But a lot of people use chrome so I wanted to atleast try to give justification on why / how arc messed up so hard.

    Reply View 0 replies
IggleSniggle 10 months ago

> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

That's pretty interesting. Where can I learn more about this?

Reply View 1 reply
jaharios 10 months ago

>>Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?

Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.

Reply View 0 replies