Given that Chrome (and Google in general) has possibly the best defensive security team in the world, it's hard for me to take these security-oriented forks too seriously. Indeed, the last "secure Chromium fork" I heard about, WhiteHat Aviator, turned out to introduce a bunch of new vulnerabilities:
Even if the fork doesn't add bugs, you are now relying on the fork's maintainer to push security updates. Will they be as good at this as Chrome's team? This is unfair, of course: no startup or small project is ever going to have Chrome's resources. But when it comes to security, speed of updates really does matter.
> Given that Chrome (and Google in general) has possibly the best defensive security team in the world, it's hard for me to take these security-oriented forks too seriously.
I think it depends on who and what you are most eager to secure yourself from. If you think hackers are the greatest online threat, perhaps you should go with Chrome (if you choose between these two browsers). If you don't trust Google to stay classy when it comes to privacy and data collection, perhaps you could consider running a one- or two-versions-old Iridium version of Chrome. Personally, I use Firefox. I prefer not to use a browser from a company that lives on data collection.
Chrome might be kosher now (to be honest, I don't know), but a decision at the headquarters can change that at the next automatic update.
Hmm, on a second look I see that Iridium appears focused on privacy, not security. In that case they should call it "private browser", not "secure browser". These words mean very different things.
Google's _security_ record is ridiculously good. Their _privacy_ record is at best questionable, and I can certainly see where people might be interested in a privacy-centric fork of Chrome.
That said, I was under the impression that all of Chrome's "phone-home" features can be turned off via settings.
I seem to recall a recent HN post that made FF sound like a bit of a privacy disaster in its own right - specifically on the topic of addons (they all seem to phone home).
Yeah, the extension situation is supposedly questionable. I think you should always be wary with extensions. I usually limit myself to popular and open-sourced extensions.
Except that the browser is missing a lot of expected features and historically positioned itself as "just pile extensions on top of FF to get features we won't add or have removed".
Adblock? Disable JavaScript? Mouse gestures? Download manager? Privacy protection? Duplicate tab? And so on: all are extensions because Mozilla refused to implement or removed those features.
Apart from the obvious (it's branched off Chromium 41, whereas stable is 42 and contains security fixes), they turn off automatic updates, so it certainly doesn't seem like it could be a "secure browser". I agree with your other comment that it could be a "private browser", although (of course) those are not entirely orthogonal.
> Given that Chrome (and Google in general) has possibly the best defensive security team in the world
That may be true now that Mozilla has utterly destroyed Firefox Sync's security, but it didn't use to be.
And it's still true that most of Sync's design at least tries to keep your privacy…private, whilst Chrome firmly believes that Google is all-loving, all-trustworthy and all-dependable, and thus deserves to have everything about you.
https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z