A Review of ungoogled-chromium Patches

In the present day, having a secure browser is more important than ever. Being the most used application in the system, the browser represents a large attack surface because it processes untrusted input combined with being a written in an unsafe language while having a codebase whose size can rival some operating systems. However, many browsers come out of the box with weak privacy. ungoogled-chromium is an oft recommended browser because of its Chromium base and degoogled properties. However, I have a couple of concerns with this recommendation, namely:

Security issues aside, they must be doing unique and great work in privacy, right?

No. Most of the functionality of the patches are either in the best case minimally beneficial or can be reproduced with either a setting, a flag, or a switch, and using a browser specifically for these patches is not worth the tradeoff in security.

This article aims to detail the patches in the order they apply in, their functions, and how they can be reproduced in Chrome.

0001-fix-building-without-safebrowsing.patch, unrar.patch, safe_browsing-disable-incident-reporting.patch, safe_browsing-disable-reporting-of-safebrowsing-over.patch, remove-unused-preferences-fields.patch

These patches disable safe browsing. Related prefs are removed in remove-unused-preferences-fields.

— Safe browsing can be turned off in chrome://settings.

0003-disable-autofill-download-manager.patch

This patch disables form Autofill data transmission to Google.

— Autofill can be turned off in chrome://settings.

0005-disable-default-extensions.patch

This patch disables:

0007-disable-web-resource-service.patch

This patch disables Chrome's WebResourceService, which periodically fetches JSON data from a Google server to dynamically configure the browser.

0009-disable-google-ipv6-probes.patch

This patch uses RIPE NCC servers instead of Google servers for IPv6 probes.

0015-disable-update-pings.patch

This patch disables pings to clients2.google.com/ for component updates.

— Component updates can be disabled with switch --disable-component-update.

0017-disable-new-avatar-menu.patch

This cosmetic patch disables the new avatar menu.

0021-disable-rlz.patch

This patch disables RLZ, a promotional tag only found in Chrome.

This non-unique tag sent is sent with Google searches and crash reports

— RLZ can be disabled by defining "rlz_disabled":true in the preferences file.

disable-crash-reporter.patch

This patch disables the uploading of crash reports to Google. Chromium does not report crashes.

— Disable the crash reporter with switch --disable-crash-reporter.

disable-google-host-detection.patch

This patch disables Google specific features and restrictions applied to Google domains.

replace-google-search-engine-with-nosearch.patch

This patch replaces Google with "No Search" (disables search from omnibox).

— Use another search engine.

disable-signin.patch, fix-building-without-one-click-signin.patch, disable-gaia.patch

This patch disables browser management of sign-in of Google Accounts. Requires API keys found only in Chrome.

— Disabled with switches --disable-gaia-services, --disable-sync, --allow-browser-signin=false

toggle-translation-via-switch.patch

This patch disables translation and removes the "Translate to" context menu when --translate-script-url flag is not set.

— Define a non-existent --translate-script-url.

all-add-trk-prefixes-to-possibly-evil-connection.patch, disable-untraceable-urls.patch, block-trk-and-subdomains.patch, disable-webstore-urls.patch, fix-learn-doubleclick-hsts.patch, block-requests.patch

These patches disable all connections hard-coded into the browser using domain substitution. A lot of these connections are only made on user interaction and not transparently made in the background.

Connections patched out include

@lynn-stephenson — you can even change the URLs of "Google URLs" with some switches

--google-apis-url

--google-base-url

--google-url

--autofill-assistant-url

--autofill-server-url

--cloud-print-url

--connectivity-check-url

--crash-server-url

--cryptauth-http-host

--cryptauth-v2-devicesync-http-host

--cryptauth-v2-enrollment-http-host

--data-reduction-proxy-config-url

--data-reduction-proxy-pingback-url

--data-reduction-proxy-secure-proxy-check-url

--device-management-url

--disable-sync

--disable-sync-types

disable-profile-avatar-downloading.patch

This patch disables the downloading of profile avatars from Google.

disable-gcm.patch

Disables the Google Cloud Messaging component. Extensions can use the chrome.gcm API to send messages through Firebase Cloud Messaging.

disable-domain-reliability.patch

The domain reliability monitor sends info to Google whenever an error occurs while visiting a Google domain.

— Disable domain reliability with switch --disable-domain-reliability.

disable-fonts-googleapis-references.patch

This patch disables references to fonts.googleapis.com hardcoded in the browser.

disable-webrtc-log-uploader.patch

This patch disables the uploading of WebRTC logs for the Hangouts extension.

— Disable reporting additional diagnostics in Hangouts settings.

use-local-devtools-files.patch

This patch always uses local DevTools files instead of fetching remote files from Google.

disable-network-time-tracker.patch

This patch disables connections to Google to check if the system time is correct when a website certificate date seems incorrect.

— Disable the network time tracker with switch --disable-features=NetworkTimeServiceQuerying

disable-mei-preload.patch

This patch disables downloading of a list of sites with a high Media Engagement Index, used to determine whether or not a site autoplays.

— Disable MEI preload with switch --disable-features=PreloadMediaEngagementData, MediaEngagementBypassAutoplayPolicies

fix-building-without-enabling-reporting.patch

This patch disables reporting violations such as COEP.

disable-fetching-field-trials.patch

This patch disables the downloading of field trials (Google’s A/B testing).

— Field trials can be disabled with switch --disable-field-trial-config.

With the relative ease that these settings can be changed, there is no reason to use ungoogled-chromium as a main browser when Chrome can be configured similarly.