[split] What Chromium browser?

[HeffeD]

I would have to disagree. I would not go with Dragon or SRWare over Chrome.

I think you are confusing Chrome's rapid release schedule with security improvements. Just because a Chromium based browser is a release or two behind the core code does not make them less secure. All too often, core releases are made that are minor improvements that have nothing to do with security. There is really no point to keep up with an update that gives little improvement over the last release. If an important security breach is fixed, you can guarantee that updates aren't far behind from Dragon or SRWare Iron.

Yes, you can turn off things in Chrome to avoid the privacy issues, but why should you have to do that?

 

[Hungry Man]

RE: Moose’s World

I would have to disagree. I would not go with Dragon or SRWare over Chrome.

I think you are confusing Chrome's rapid release schedule with security improvements. Just because a Chromium based browser is a release or two behind the core code does not make them less secure. All too often, core releases are made that are minor improvements that have nothing to do with security. There is really no point to keep up with an update that gives little improvement over the last release. If an important security breach is fixed, you can guarantee that updates aren't far behind from Dragon or SRWare Iron.

Yes, you can turn off things in Chrome to avoid the privacy issues, but why should you have to do that?

Yes, many updates will not effect security. But some will and you'll be missing out on those. Bugs from V8 and WebKit will be fixed more quickly and those can effect the security of the browser -- though at a very minimal and hypothetical level. And the fact is that while updates from Chrome will be instant you'll have to wait at least a little while for updates from another browser is still an issue.

That was only from the security standpoint. Your browser isn't just meant to be secure it should also be fast and stable. You'll likely be missing out on the incremental performance and stability updates with anything other than pure Chromium/ Chrome. At the least they'll be delayed and at the worst you won't even get them until they've built up/ there's a major release that SRWare/ Comodo think is worthy of compiling. I'm unfamiliar with SRWare and Comodo's release schedules though.

As for SRWare... why should anyone have to install a new browser to get privacy when they can simply uncheck 5 boxes in "Under the Hood?" And as my article points out even at default your privacy isn't exactly as violated as many people believe.

My recommended browser in terms of security and performance is Chrome Beta. And I don't believe SRWare or Comodo compile beta releases. The beta usually has new security features (currently 13 has quite a few new ones) and often outperforms the stable.

 

[HeffeD]

RE: Moose’s World

As for SRWare... why should anyone have to install a new browser to get privacy when they can simply uncheck 5 boxes in "Under the Hood?" And as my article points out even at default your privacy isn't exactly as violated as many people believe.

My recommended browser in terms of security and performance is Chrome Beta. And I don't believe SRWare or Comodo compile beta releases. The beta usually has new security features (currently 13 has quite a few new ones) and often outperforms the stable.

You're assuming someone knows they should alter the default config.

Dragon does have its own beta releases, but these are for Comodo changes. The beta's aren't built on Chromium beta releases.

 

[Hungry Man]

RE: Moose’s World

I figure if someone knows to download SRWare they should be able to change Under the Hood settings. Also the default config doesn't have crash reports enabled by default, only some of Google's web services. As the article I posted shows those web services don't give nearly as much information as people assume they do.

Good to know about Dragon's beta releases. But I find that Chrome Beta is exceptional.

I can also assume that Dragon and SRWare don't contain a PDF viewer and don't package Flash. I can also assume that they don't patch Flash, which is something you get in Chrome... a patched and sandboxed Flash.

That's a big deal for me. Flash is a very big part of the average users attack surface unless they use Chrome, which greatly reduces the risks.

 

[illumination]

RE: Moose’s World

I figure if someone knows to download SRWare they should be able to change Under the Hood settings. Also the default config doesn't have crash reports enabled by default, only some of Google's web services. As the article I posted shows those web services don't give nearly as much information as people assume they do.

Good to know about Dragon's beta releases. But I find that Chrome Beta is exceptional.

I can also assume that Dragon and SRWare don't contain a PDF viewer and don't package Flash. I can also assume that they don't patch Flash, which is something you get in Chrome... a patched and sandboxed Flash.

That's a big deal for me. Flash is a very big part of the average users attack surface unless they use Chrome, which greatly reduces the risks.

You are correct, Dragon does not patch flash. You have to install and maintain the same plugin of flash that is used for firefox,ect. Dragon is however without the privacy issues of Chrome, as well as having other security features incorporated, such as, Domain Validation technology that identifies and segregates superior SSL certificates from inferior ones, the ability to block websites from knowing where you came from (suppress HTTP Referrer header), you can start the browser in incognito mode, which eliminates the cookie problem, and you have it's phishing and malware protection. Here recently, Site Inspector was implemented.
So personally, if i had to chose between Chrome and Dragon, my choice would be with Dragon.

 

[Hungry Man]

RE: Moose’s World

I figure if someone knows to download SRWare they should be able to change Under the Hood settings. Also the default config doesn't have crash reports enabled by default, only some of Google's web services. As the article I posted shows those web services don't give nearly as much information as people assume they do.

Good to know about Dragon's beta releases. But I find that Chrome Beta is exceptional.

I can also assume that Dragon and SRWare don't contain a PDF viewer and don't package Flash. I can also assume that they don't patch Flash, which is something you get in Chrome... a patched and sandboxed Flash.

That's a big deal for me. Flash is a very big part of the average users attack surface unless they use Chrome, which greatly reduces the risks.

You are correct, Dragon does not patch flash. You have to install and maintain the same plugin of flash that is used for firefox,ect. Dragon is however without the privacy issues of Chrome, as well as having other security features incorporated, such as, Domain Validation technology that identifies and segregates superior SSL certificates from inferior ones, the ability to block websites from knowing where you came from (suppress HTTP Referrer header), you can start the browser in incognito mode, which eliminates the cookie problem, and you have it's phishing and malware protection. Here recently, Site Inspector was implemented.
So personally, if i had to chose between Chrome and Dragon, my choice would be with Dragon.

What privacy issues with Chrome? Also, I believe Chrome 13 uses very similar techniques when it comes to SSL certificates.

You can read more about Chrome 13's security features here:
http://www.searchenginejournal.com/google-chrome-13s-sexy-new-security-features/30570/

In terms of segregating the "good" certificates from the bad we see

The CSP (Content Security Policy) is being added. First introduced in Firefox 4, this new standard is aimed at securing web applications.

and

Authoriziation is being re-worked for sub-resources. Images or other content on a domain that require authorization but originate from a domain other than the URL the user is currently visiting will no longer be able to get authorization; the HTTP basic auth for the subresource is simply blocked.

And I've posted a link explaining the "privacy issues" of Chrome earlier in the topic. While Google's other services may have privacy issues (gmail, adsense, doubleclick) Chrome should not be lumped in with that group.

Dragon may provide slight security improvements over Chrome... however you do lose the incremental speed, feature, and stability updates. You also lose out on being able to install the beta, which often has many security features implemented.

 

[HeffeD]

RE: Moose’s World

I can also assume that Dragon and SRWare don't contain a PDF viewer and don't package Flash. I can also assume that they don't patch Flash, which is something you get in Chrome... a patched and sandboxed Flash.

No, Dragon doesn't come with Flash or a PDF viewer since these aren't part of Chromium. Not sure what you mean by patched and sandboxed Flash. All plugins are sandboxed in Chromium.

 

[Hungry Man]

The Flash version in Chrome is patched by Google. That's why the Flash version in Chrome often has a slightly higher version number than other plugins.

I wasn't aware that all plugins are automatically sandboxed. Are the sandboxes for Chromium and Chrome's flash the same?

 

[HeffeD]

Oh that... No, that isn't Google patching Flash. Adobe has a deal with Google where they immediately send updated builds to the Chrome team for testing. If the developers like what they see, they can release an updated Chrome with the new version of Flash. Sometimes it can be several days before the new version is hosted on Adobe's site because Adobe still needs to test all of their compatible platforms, while the Chrome team is only testing it with Chrome.

Yes, any separate process is subject to the sandbox. I can't imagine that Chrome's sandbox is any different than Chromium's. I have yet to read anything that suggests differently.

 

[Hungry Man]

Oh, interesting. I haven't seen anything to indicate that they would be different.

The articles I've read about the Flash in Chrome seemed to indicate that it was Google doing the patching and not Adobe.

Like this:
http://www.theregister.co.uk/2011/03/18/google_chrome_update/

 

[HeffeD]

These articles mention the arrangement between Google and Adobe.

Google's Chrome now silently auto-updates Flash Player - Computerworld
Google first to patch Flash bug with Chrome update - Computerworld

 

[illumination]

RE: Moose’s World

Dragon may provide slight security improvements over Chrome... however you do lose the incremental speed, feature, and stability updates. You also lose out on being able to install the beta, which often has many security features implemented.

This is the part i am mainly addressing. It is the illusion that Dragon is not up to par with Chrome in speed,features,and stability. Not only does it have the security enhancements, but it is not lacking in speed,features,or stability. I have used Chrome,and now have Dragon as my default browser, i notice no difference in any of these issues. Everyone has their opinion here and or choice of browser, but with thoughts in mind of others outside this forum, reading these posts, it is essential to have accurate information for them to chose by.

 

[Hungry Man]

What is Dragon's release schedule?

I'm not saying Dragon is a poor browser choice.

@HeffeD

I don't see where it says that they're Adobe development builds. It just says that Google released a patched version. Either way the result is the same.

 

[HeffeD]

I don't see where it says that they're Adobe development builds. It just says that Google released a patched version. Either way the result is the same.

Relevant quotes from the articles.

Adobe will build customized binaries of Flash Player for Google to include with Chrome downloads; the browser will install the plug-ins as part of its own installation process. Adobe will also hand binaries of Flash updates -- major upgrades as well as the more frequent security updates to patch vulnerabilities -- to Google, which will feed them into its update mechanism.

"As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing," said Adobe spokeswoman Wiebke Lipps today. "Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism."

 

[Hungry Man]

Ah, that second quote explains it perfectly. Thank you.

edit: Oh, and thanks for splitting this. I was worried I was getting too off topic.

 

[illumination]

What is Dragon's release schedule?

I'm not saying Dragon is a poor browser choice.

@HeffeD

I don't see where it says that they're Adobe development builds. It just says that Google released a patched version. Either way the result is the same.

To my knowledge, there is not a set release schedule of Dragon.

 

[Hungry Man]

Well, typically how long is the wait?

 

[illumination]

Well, typically how long is the wait?

Well, as far as Beta's like you mentioned, from Feb 10,2011 to June 23rd, 2011 there have been 6 versions released. From March 17th to July 28th,2011 there have been 5 official releases.

 

[Hungry Man]

So about once a month it sounds like.

 

[Deleted member 178]

So what is the difference between the actual Dragon and Chrome?