phc-winner-argon2 VS uBlock

Argon2, and it's derivations, are all memory hard. Beyond that, why change from 2i to 2id?

''Even though https://github.com/p-h-c/phc-winner-argon2 was standardized only somewhat recently, it is the result of the https://password-hashing.net/ and was a late re-design of Argon which also picked up ideas from a few other finalists. Since then there have been attacks on it, which caused the scheme to be tweaked to counter them better, this is why we have Argon2 v1.3 as the most current version, you may want to note that most of these attacks mostly weakened Argon2i and not Argon2d. Now during the competition results came up that your defense against time-memory trade-off attacks will suffer if you make sure that your scheme is immune to the various kinds of side-channel attacks that people have come up with (which also includes more "crazy" stuff like leaked intermediate state). Because of this, it was decided that there should be two versions: Argon2i and Argon2d. One offering the best possible protection while trying its best to be immune against side-channel attacks (by using data- and password-independent memory access patterns) and the other dropping these requirements and all-out optimizing against such attacks (by using data- and possibly password-dependent memory access patterns). Argon2d offers better protection than Argon2i at the expense of being more vulnerable to side-channel attacks. Now you have to ask yourself: Do these apply? No, not really. You said that you are on Android, which is not exactly known for high platform security, so if you have an attacker in such a privileged position to execute something like cache-timing attacks or similar attacks that try to exploit memory access patterns, your user has already much bigger problems anyways. It's a similar logic as with AES: https://en.wikipedia.org/wiki/Advanced\_Encryption\_Standard#Side-channel\_attacks, but these have never been observed in the wild, probably because other options are much easier, more reliable and equally as effective. So the conclusion is: You want to use Argon2d. So for whom is Argon2i? People who need to run applications on shared hardware or where timing attacks are a real thread. For example if you run a webserver in a public cloud on shared hardware. Then you have to be worried about who else is on the same CPU. And with webservers it's also easier to measure the timing of reactions and trying to deduce information from that."

And if you don't like my code you should take a look at the reference implementation.

AFAIK, Argon2 is the algorithm that's currently recommended for this. OpenSSL doesn't have support for it, so I'd recommend using the Argon2 reference implementation instead.

Which one should I use in terms of performance/standards? How about their performances comparing to the c implementation, https://github.com/P-H-C/phc-winner-argon2?

Did you try the Argon2 test vectors on each? They should all come out the same for both implementations, any implementation that doesn't match the test vectors is buggy.

> Is there anything stronger than blowfish?

I think you mean bcrypt..

Both Argon2 and scrypt win over that:

https://github.com/P-H-C/phc-winner-argon2

Here is the documentation for Argon2 to see why and how it's different, also why it won an award: https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf

Check out uBlock Origin's per site switches [1]

[1]: https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-...

If ads, in particular on YouTube, are the problem, anything Chromium-based is probably only going to get worse and worse (see [1] and [2]). So that basically leaves you with Firefox and Safari.

I work for Mozilla (speaking for myself, of course), so I'll leave you to guess which I'd recommend :P

[1] https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...

[2] https://arstechnica.com/gadgets/2023/09/googles-widely-oppos...

https://github.com/gorhill/uBlock

Or if on mobile, it is well worth it to look up adblock options for the browser you use.

What are the compelling advantages of Chrome nowadays?

Chrome is working to limit the capabilities of ad blockers:

https://www.malwarebytes.com/blog/news/2023/11/chrome-pushes...

Whereas a compelling advantage of Firefox is that uBlock Origin works best in Firefox:

https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...

Advertising networks have often been vectors for malware. Using an ad blocker is an important security measure. Even the FBI recommends ad blockers:

https://www.malwarebytes.com/malvertising

https://theconversation.com/spyware-can-infect-your-phone-or...

https://www.ic3.gov/Media/Y2022/PSA221221?=8324278624

> It allows for 30,000 dynamic rules

That is not what we mean by dynamic filters. From https://developer.chrome.com/blog/improvements-to-content-fi...

> However, to support more frequent updates and user-defined rules, extensions can add rules dynamically too, without their developers having to upload a new version of the extension to the Chrome Web Store.

What Chrome is talking about is the ability to specify rules at runtime. What critics of Manifest V3 are talking about is not the ability to dynamically add rules (although that can be an issue), it is the ability to add dynamic rules -- ie rules that analyze and rewrite requests in the style of the blockingWebRequest permission.

It's a little deceptive to claim that the concerns here are outdated and to point to vague terminology that sounds like it's correcting the problem, but on actual inspection turns out to be entirely separate functionality from what the GP was talking about.

> Giving this ability to extensions can slow down the browser for the user. These ads can still be blocked through other means.

This is the debate; most of the adblocking community disagrees with this assertion. uBO maintains a list of some common features that are already not possible to support in Chrome ( https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b... ) and has written about features that are not able to be supported via Chrome's current V3 API ( https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as... ). Of particular note are filtering for large media elements (I use this a lot on mobile Firefox, it's great for reducing page size), and top-level filtering of domains/fonts.

> "Its happened before"

> That's not an argument

It's a subheading to "2. Browser engine monopoly". The subsection's purpose is describing how bad things were during the IE monopoly to reinforce that it's something to be avoided.

> in fact you could counter-argue that IE left a lot of technical debt

That would be agreeing with the article, unless I understand what you mean.

> On top of that, the internet was very different back then.

In a way that now makes it harder for truly new competing engines to pop up due to increased complexity of the web.

> I'm still not convinced, why would I change my browser?

The points made in the article are:

* Increased privacy, opposed to willingly giving your data to an ad-tech company

* Helps avoid a browser engine monopoly which would effectively let Google dictate web standards

* It’s fast and has a nice user interface

Onto which I'd add:

* Content blockers work best on Firefox (https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...), doubly so when Manifest V3 rolls out

* Allows more customization of interface and home page

* UX improvements, like the clutter-free reader mode, aren't vetoed to protect search revenue as with Chrome (https://news.ycombinator.com/item?id=37675467)

Advertising networks are vectors for malware:

https://www.cisecurity.org/insights/blog/malvertising

https://www.malwarebytes.com/malvertising

https://theconversation.com/spyware-can-infect-your-phone-or...

So if you're concerned about security then you want the browser with the best ad blocker.

uBlock Origin works best in Firefox:

https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b...