Hacker News: csagan5's comments

/e/ uses all of Bromite's patches as well; I asked them to mention this in the About section, since it is basically a rebranded Bromite that they are shipping.


ungoogled-chromium[1] and Bromite[2] have had a patch to disable this for a while now

[1] https://github.com/Eloston/ungoogled-chromium/blob/14fb2b0/p...

[2] https://github.com/bromite/bromite/blob/410fc50/build/patche...


Nobody can uncritically take his side, but what you are implying here is that we should consider him "less" because of an unrelated story.


Why can't you uncritically take his side? Because company good, developer mean? If you want to say kik has a right to the three letter package name so be it but absolutely no one has the right to continue using someone else's work for their own gain. Especially not a company that threatened him with lawyers within three emails.


In Chromium it might not be blocked just because of an oversight (or because there was no consensus), see my other comment (and its parent): https://news.ycombinator.com/item?id=23253264


Exactly, port scans on my public IP address are not an attack, but crossing the boundary to my localhost and private networks is malicious behavior.


Serves you right for browsing the web, you dumb dummy! /s


There is an open Chromium bug for this: https://bugs.chromium.org/p/chromium/issues/detail?id=378566

I hope they consider it still valid and not close it.

These are the blocked ports: https://github.com/chromium/chromium/blob/83.0.4103.53/net/b...

Accessing localhost and LAN addresses works perfectly fine, except for those ports.

I am going to patch Bromite so that it doesn't allow any access to localhost or private networks.


Interestingly enough they are already blocking these attacks for background requests, see https://github.com/chromium/chromium/blob/83.0.4103.53/third...

Perhaps they simply forgot to also cover the WebSockets case, or the discussion on the related bug did not allow for expanding the coverage.
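The two comments above draw the line that matters: a page loaded from the public internet reaching into localhost or a LAN address, whether over a plain fetch or a WebSocket, is the cross-boundary behaviour, while connections that stay within the same address space are ordinary. The following is an added example, not code from this thread, from Chromium or from Bromite, of how such a policy can be expressed so that it covers `ws://` and `wss://` targets as well as `http(s)://`. The `RESTRICTED_PORTS` set is a constructed illustrative subset, not Chromium's actual list (that lives in the `net/base` file linked above), and `address_space` and `decide` are hypothetical names chosen for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative subset of ports a browser refuses to connect to.
# The real list is in Chromium's net/base source linked in the thread.
RESTRICTED_PORTS = {21, 22, 23, 25, 110, 143, 6000}

# WebSocket schemes share the HTTP default ports, so a ws:// target must be
# classified exactly like an http:// one.
DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}

# Ordering of address spaces from least to most privileged.
RANK = {"public": 0, "unresolved": 0, "private": 1, "loopback": 2}


def address_space(host: str) -> str:
    """Classify a host literal as 'loopback', 'private', 'public' or 'unresolved'."""
    h = host.lower().rstrip(".")
    if h == "localhost" or h.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        # A DNS name, not an IP literal. The real decision has to be taken on
        # the resolved address after the lookup, otherwise a name that first
        # resolves publicly and later to 127.0.0.1 (DNS rebinding) slips past.
        return "unresolved"
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def effective_port(parts) -> int:
    """Explicit port if given, otherwise the scheme's default."""
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]


def decide(origin: str, target: str) -> str:
    """Policy for a request from page `origin` to `target`.

    Returns 'allow', or a 'block:<reason>' string. A page may not reach a
    more privileged address space than the one it was loaded from, and no
    page may reach a restricted port regardless of address space.
    """
    o, t = urlsplit(origin), urlsplit(target)
    if t.scheme not in DEFAULT_PORTS:
        return "block:unsupported-scheme"
    if effective_port(t) in RESTRICTED_PORTS:
        return "block:restricted-port"
    if RANK[address_space(t.hostname or "")] > RANK[address_space(o.hostname or "")]:
        return "block:private-network"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: a public page probing local services.
    for target in ("ws://127.0.0.1:5555/", "http://192.168.1.1/",
                   "http://[::1]:8080/", "http://8.8.8.8:22/",
                   "https://example.com/"):
        print(f"{target:28} -> {decide('https://example.org/', target)}")
```

The `unresolved` bucket is ranked with `public` on purpose: a check on the URL string alone cannot know where a DNS name points, so the same comparison has to run again once the socket is being opened to the resolved address. The port check is independent of address space, matching the behaviour described above where localhost and LAN access otherwise works fine except for the blocked ports.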


That's a good approach; the other alternative is to use the F-Droid client, but it comes with its own bugs.

https://www.bromite.org/fdroid


And you trust instead a closed-source browser which has not been updated in months? Aside from the trust component I suggest you use an up-to-date browser because of the security vulnerabilities which affect them.


What are you referring to, Firefox? If not, Kiwi is open source, and I trust Firefox a lot more than Brave.


Kiwi: it is severely outdated and you installed it before it was open source.


csagan5: I give all the code of a large project, for anyone to use, with detailed and functional build instructions.

I don't ask for anything in return, and you can do basically what you want with it.

Ok, you repeat on this thread that your own browser (Bromite) is better and so on, essentially spreading FUD, but for what result?

We both have something else to do than spending time on that.


I did not mention Bromite at all, what are you talking about?

There is no FUD here, let me write down some facts for you:

* users install Kiwi which does not contain all the security fixes of upstream stable Chromium (v81); this has been going on for several months now

* users do the same for Bromite and the Bromite SystemWebView

I warn everyone equally about this problem, nobody should run an outdated browser because of all the security issues, look at 2019 alone here: https://www.cvedetails.com/vulnerability-list/vendor_id-1224...

More facts:

* the current version of Kiwi, in Play Store and in source form, still is not up to date and covering the security issues fixed by upstream Chromium

* Kiwi was not open source until now and its repository was plain lying about it (https://web.archive.org/web/20190719191635/https://github.co...), making people think it was open source while you published only a few unusable patches

* even now there is no commit history making the source code unusable and unauditable

* you included trackers at some point in Kiwi and visits were going to some search server of yours

Did I miss anything? I am glad you decided to open source it but it does not change the above facts.


I thought it was you when seeing the Bromite posts (but apparently no).

There is some confusion about the notion of up-to-date; from a Kiwi perspective, we do not see the most recent version of Chromium as improvements.

We created Kiwi (with other users) because we disagreed with Chromium on functionalities like Duet, or API changes like with Manifest V2 and adblockers.

This is the reason to completely fork Chromium (or why Samsung diverged from Chromium 77 in 2019).

By definition it will always diverge from Chromium v81+.

It's a choice.

About security fixes, yes, between end of 2019 and today, new problems emerged in Chromium (not specific to Kiwi though), and there is some work to backport. Should it have been done earlier? Certainly.

About the last point, Kiwi makes money if you use Microsoft Bing or Yahoo, that's life, and that's how I pay for the build servers, some contributors, advertising Kiwi, logo designer, sometimes the programmers, etc.

Firefox does the same but with Google, Brave with DuckDuckGo, etc.

I see you have StartPage, DuckDuckGo, AdGuard, already in partners, and if they don't pay you, I encourage you to contact them, as they should.

Regarding the policy of Kiwi:

====

We do not collect the websites that you visit. What you do in the browser is your own freedom and responsibility.

We do not collect or sell location data. We do not collect telemetry data. We do not collect history data. We do not track users. We do not integrate third-party analytics SDKs.

We collect and store: how many installs are active, where the person has installed the browser from.

Our business model:

When you enter a search query, the query is sent to the Search Engine that you have selected (Microsoft Bing or Yahoo by default, Google, DuckDuckGo, or any provider of your choice).

If you choose to use the recommended search engine by Kiwi, Kiwi will process the request and will receive money for every search query it forwards to the partner search engine (example: Microsoft Bing).

====

and you know, with the release of Kiwi as free software (and not just open source), now there is no limitation. If you disagree with how the project is managed, then you can absolutely make your own product (or just use another search engine heh), or take the pieces you want (and over time, a better picture over commit history will build), and this is a very good thing.

Also, thanks for the kind words at the end, you really pushed onto open-sourcing Kiwi too. Though sometimes you are a bit extreme for me :)


> About security fixes, yes, between end of 2019 and today, new problems emerged in Chromium (not specific to Kiwi though), and there is some work to backport. Should it have been done earlier? Certainly.

I am talking about telling users that they should not use a browser which is potentially vulnerable. Clear communication about the current status is not the same as planning an update.

> I see you have StartPage, DuckDuckGo, AdGuard, already in partners, and if they don't pay you, I encourage you to contact them, as they should.

There is no partnership with anyone. DuckDuckGo is a search engine already in upstream Chromium. StartPage search engine was removed months ago and some filters from AdGuard are used in the combined Bromite filter.

There is no partnership and no payments of any kind because then there would be a conflict of interest to remove a search engine from the default choices while it is also a source of income.

> Also, thanks for the kind words at the end, you really pushed onto open-sourcing Kiwi too. Though sometimes you are a bit extreme for me :)

I am glad you are willing to be more open about these topics; these are, I believe, at the core of open source. I also wish you to make the project sustainable and fun to maintain.


You're right.

About security, you provided very useful technical elements, so I'll review each of them (publicly) and we'll find solutions.

Yes, conflicts of interests are always an issue. Finding the right balance between sustainability and freedom.

Some companies outright want to maximize revenue at the expense of the user. This is not the case here (that's the benefit of no investors, or just being independent, with all the caveats it has too).

Some browsers (Vivaldi, Cheetah Mobile) for example do affiliate links; I'm not too much in favor of that.

You make me nervous sometimes with your strong opinions, but I actually appreciate that someone skilled takes so much time and interest.

About DDG, maybe it's worth talking to them or Qwant (Qwant are friends of Kiwi, so you can say Hi to them from me).

It's in their interest to promote a privacy-focused browser, and yours to pair with the best ethical match (donations are fine too, just personally I think they create another type of pressure).


How is it outdated when the versions on the Play Store are automatically built with the open source version, which got an update 7 hours ago? Even if I had used a previous version, my current version is up to date by now.


He is referring to the fact that Kiwi is based on a mix of different Chromium versions of 2019. Chromium does a new release almost every month. It's difficult to keep track of Chromium modifications with such large forks (and Chromium had a lot of performance issues at the end of 2019 too, with stuttering and lags).

UCBrowser for example is an engine of 2017, Samsung Internet from 2019, etc.


You have not answered the user's concern about whether his browser is up to date with all the security fixes found in Chromium after v77.


Since there is no commit history I would also like to know which Chromium version this is based on, so that a diff can be made.


It had a GitHub repo (https://github.com/kiwibrowser/android) described as "source code used in Kiwi", but it was just a Chromium codebase thrown there without the actual patches.

Glad to see it's open source now; however, there is no commit history (thus no individual patches) and it's not possible to see which version of Chromium this was forked from.

