
Congrats on your accomplishment!

However, I will never use it because a browser is one of those really important information gateways that I want to be very sure is not compromised.



Your strong wording is interesting here, and I'm curious about what this is implying about how you approach security.

The implication here is "not compromised by independent actors that wouldn't already be capable", right? You're delegating trust to closed source megacorp products or open-but-insanely-complex megacorp dependents (firefox/chromium babies?), all of which will naturally create a strong incentive to find or hide exploits, once they have some traction. Discussion on HN makes me think it's impossible to really trust a browser to be secure atm. The alternative is to hope there are no wide-sweeping exploits, and to try to remain anonymous.

I guess the real additional issue added by something like this is the introduction of another actor which you need to be inherently suspicious of, since they're attempting to funnel you towards their system, which they have some control over. Just like other corps, but you've given them your trust already. It's not crazy, I don't know if it's even wrong.

But I'd say maybe we can reframe your issues with adopting something like this. Would it be something you would trust to use daily if the following become true?

- The team at Impervious develops a sufficient reputation for being stewards of open software with healthy communities over the coming years. (I'm implying that's a good approach to get security researchers giving time to your project; maybe it'd be sufficient to have a really good bug bounty program, or just develop a sufficient security team)

- A large audience adopts this browser, so you're not one of the hundred beacon users that's easily picked out throughout the web (I assume fingerprinting techniques make this an issue though I admit I've little knowledge on the topic)

I'd love to hear what I'm missing, and if this conflicts with your approach to assessing security maybe you can help me see your perspective :)


For me to consider using it, the company would need to have millions of users, a large team of highly credentialed security engineers working on ensuring it is not vulnerable, and 6-figure bug bounties. If your unproven company can't be on the hook for a $250,000 bug, why should anyone trust it with their banking info?

Basically there are not enough signals here for me to believe they are life-or-death serious about it. I know it sounds dramatic, but people's finances, careers, lives, etc can be destroyed by mishandling the information that flows through the browser. They need to take it that seriously, and signal that to everyone.


[flagged]


Unfortunately, the number of people qualified and with the time to do a source code review of something as complex as a browser, is very small.

For the vast majority of users that's not a realistic prospect...


Not only that, but review every single commit forever. It's just not realistic.


So you're saying that either way he has to trust someone. Then why not trust a company which at least open sources their code so anyone who has an interest in auditing the software can do so? (or have experts audit it for them,[who they also need to trust])

Yet people seem to trust google without batting an eye? "Google fired dozens of employees from 2018 to 2020 for accessing users' personal data."

https://www.businessinsider.com/google-fired-employees-abusi...


So (like everything in security) it depends on your threat model. Open source has significant advantages over closed source, from the perspective of allowing the possibility of review (although that can be a false sense of security as we've seen several bugs in high profile projects live for decades)

Where closed source might work better is where you are a large company with a smaller supplier. There you can use contractual controls to require a level of review to be done alongside other controls and have meaningful financial penalties if those requirements are not met.

At the moment honestly the idea of fully trusting any large project seems like a tricky one as most projects/products are comprised of large quantities of 3rd party open source libraries, which are trusted. Whilst there's work to address that (e.g. the OpenSSF) there's a looong way to go.

That's why defence-in-depth/segregation/detective controls are so important, relying on any one control is likely not to end well :)

As to trusting Google, again threat model. I have a gmail account, could a google staff member access that? yep they could. Do I think I'm likely to be a target for that, not really :)


> either way he has to trust someone. Then why not trust a company which at least open sources their code

Because the alternative is to trust a company which open sources their code _and_ a lot of security researchers regularly verify the code.

> Yet people seem to trust google without batting an eye

There are always people who believe in wrong things.


Trust in the original authors' code is only half of the attack surface. The other half is trust that no future contributors are malicious. Is the project more capable than Google in ensuring that malicious code can't land in the code base? I think the answer is clearly no.


I'm not sure what you expect Google to do? Permission to access personal data was limited to a small number of Google employees and when they abused their power they were fired. Do you want them to have some sort of AI that guesses the intent of looking at personal data?


You are downvoted, because what you suggest is impractical.

So you either don't realize that or are being disingenuous with your suggestion.

And that's without considering the need for verified builds, which is a separate issue.


As someone else already pointed out, you either put in the work or you have to delegate to people who you need to put your trust in.

Google has violated that trust many times, yet people just shrug it off and are like "well just accept your corporate overlords, everything else is just impractical".

Some people in this forum are just obnoxious, and every time I read the comments it reminds me why people call Hacker News toxic.



