Back

The only other browser we can currently recommend is Brave. It preserves most of the security of mobile Chromium while adding more state partitioning, anti-fingerprinting and the most advanced content filtering engine. Vanadium is more secure but needs to catch up in those areas.

@GrapheneOS Really, Brave?
Please comment something on Tor Browser and Cromite. I'm pretty sure they love feedback.

@lyyn Firefox doesn't even have a content sandbox on Android, let alone site isolation.

We don't agree with a lot of the changes in Cromite including integrating the very sketchy Eyeo filtering engine to provide content hiding. It's a huge amount of poorly audited/hardened C++ code exposed to sites. Eyeo is the company behind pay-for-play Acceptable Ads and purchased uBlock to continue duping people with a brand which should belong to the developer who created the project, not grifters.

@lyyn Brave has great work on state partitioning and anti-fingerprinting too, among other things. Brave's content filtering engine is written in Rust and is also much more advanced than the one made by Eyeo. It's similar to the uBlock Origin static filtering built into the browser in a very efficient, low-level way that's still memory safe. They use the same filters as uBlock Origin along with their own extensions including automated neutering of scripts. We'd like to have that, not Eyeo SDK.

@pewnack We'd prefer it if Vanadium had a better implementation of these features already but it doesn't yet. For users who want those features, it's the only option we can recommend. Other options have security problems.

We'll be working towards providing the features from Vanadium so that there's no need to recommend anything else for GrapheneOS users. The main thing it's still missing is state partitioning, which we could do better than Brave but we'll need to put significant work into it.

@GrapheneOS

What? You'd prefer if Vanadium had a better implementation of a cryptocurrency scam?

@pewnack More complete state partitioning, more anti-fingerprinting features, a more advanced content filtering engine with content hiding and extensions from uBlock Origin + AdGuard to support their filter sets, options for people who want to do backups/sync and so on.

@MediaActivist @pewnack We're talking about the technical aspects, not the people involved in the companies. If you rule out Brave then there's no mobile browser alternative to Chrome or Edge we can recommend due to lack of basic security.

Brave does add some attack surface for their extra features but it's not a huge problem especially since they wrote their content filtering engine in Rust so the main added attack surface is unlikely to be adding more remotely exploitable security bugs.

@dot_______166 It's not cleanly separated and we need to consider whether it's truly the right approach. We also need to consider licensing. Including patches from Brave will add more licenses to Vanadium and we need to make sure they're compatible with what we currently have.

@bartavi

-ftrivial-auto-var-init=zero for automatic variable initialization.

-fwrapv for well-defined signed overflow, but be careful with this because it can reduce security if -fsanitize=signed-integer-overflow or flags including it such as -fsanitize=undefined or -fsanitize=integer are passed because the signed-integer-overflow checker only applies to undefined signed overflows, unlike the unsigned-integer-overflow checks. Therefore, don't ever set -fwrapv without checking for those.

@bartavi It's better to use -fsanitize=signed-integer-overflow -fsanitize-trap=signed-integer-overflow if you control the code. For each intended signed overflow, mark it as intended with the __builtin_add_overflow, etc. intrinsics by simply using it to perform the operation without checking for overflow with it. That marks it as intended / well-defined. We may be able to switch to enabling overflow checks for Chromium since they test with UBSan but it likely still has too many issues left.