The title is err, not correct because the top 2 alternatives Opera and Arc are based on Chromium engine. I have seen tons of people swear by Arc, but I am seriously asking (since as a Linux user I can’t use it), how much good can a browser be in this day and age if ultimately it’s ad blocking breaks and it will since Manifest v2 will go soon(unless Arc folks have a solution for it)
The rest alternatives are Firefox, Zen (FF fork but honestly Atleast this was something new I learned from this article) and Tor (which is weird since it is not meant for normal web browsing and using it will not only be slow but put additional strain on the nodes, correct me if I am wrong).
I agree, it also has some serious security issues: https://github.com/zen-browser/desktop/pull/927
The developer’s comment reveals that it has been there since the inception of the project. And there are even more privacy / security issues mentioned in the comments.
Unfortunately Zen browser gets a big fat no from me. 🫤
It’s not a backdoor, it just enabled Firefox’s remote debugging tool by default, which is necessary if you want to modify the chrome of the browser on your own computer.
At the time it was in one of its first alpha, sure it was naive to ship a browser with it enabled because it was convenient for development, but it was fixed 1 week after the issue was raised, and has been for months.
They use the release candidate to test upcoming Firefox releases and see if it breaks anything, to be able to ship the update on the same day as FF (just like the majority of other forks do). None of the patches they make require extra telemetry except for their “mod” system. Most of the criticism Zen gets about “security” applies to every browser except librewolf and tor. Zen is as secure as firefox is.
All this is coming from someone who doesn’t use Zen, as my workflow is constantly broken by their UI changes and bugs (which is the main problem with the browser).
Most browsers don’t claim to be more privacy conscious than all the others and leave all the telemetry enabled when they do.
Imo they are more privacy conscious than Firefox and most Chromium based browsers, and on par with Floorp/Waterfox with their provided defaults.
If someone wants a good looking browser with vertical tab, while not having to debug privacy settings breaking site or having to write custom css to have the UI they like. Zen is my recommendation.
The only telemetry they leave is the ones that provide features to their users. For example, they need to ping mozilla for addons update, firefox sync, update the tracker block list, …
Although I agree with you that the privacy part of
Zen the most beautiful, productive, and privacy-focused browser out thereis clickbaity.Have you read the PR linked above? The submitter points out (when the maintainer starts getting defensive) that Zen has more social trackers whitelisted than Firefox (not even Librewolf). Which going only by that metric would put Zen as the least privacy-focused browser among the other forks, contradicting their own tagline.
Just? I’m sorry but that’s just a terrible mistake to make, especially for a browser that people use to surf the world wild web. I don’t know if you’ve ever used a remote debugger (I do), but depending on the debugger, it can be a very powerful tool, you can do a lot of things with it. I don’t think calling it a backdoor is a massive exaggeration. I don’t doubt the developer’s good intention, but this issue shouldn’t be dismissed as an insignificant issue.
To add insult to the injury, it didn’t even prompt the user for it.
Unless you tweak the default Firefox settings in the code base, e.g. https://github.com/zen-browser/desktop/blob/dev/src/browser/app/profile/zen-browser.js#L258 (allow unsigned extensions by default).
xpinstall.signature.required was set back to true, seems like complaining works well
It was enabled due that zen was still a toy project and we needed people to easily open the debugger for easier bug fixing. This was due because zen was not in a daily drivable state and didn't gain any sort of popularity yetAs the dev says in the PR almost nobody was using the browser at that point. To be able to interact with the debugging server you would need to have a port open on your firewall and router. And you would need to manually start the dev server. The problem in the PR is it was not prompting the user when launching the debug server and user could turn on the debugger without touching about:config flags.The second part is more questioning, though not exploitable without the user clicking 2 times on a security warnings. I just checked their github to see if there is an issue/pr on the subject and there is none. Might be worth making one.