> A reminder that Tor Browser might be one of the least safe browsers you can run: it's a fork of Firefox, meaning that its maintainers have to coordinate and port patches from the mainline project.

Tor Browser ships updates as soon as new ESR versions come out.

> Firefox is already not one of the most hardened browser engines.

That might've been true in the past; it's hard to argue for it now.

> Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.

The overwhelming majority of exit traffic now is using HTTPS and Tor Browser ships with HTTPS Everywhere to avoid SSL Stripping attacks (in fact the next version of the Tor Browser will have the HTTPS-Only mode enabled by default; it's already being tested in the alpha release), so how will those evil exit nodes burn those exploits?

> I'm ambivalent about Tor, but if you're using Tor, don't use the Browser Bundle.

First off, the "Tor Browser Bundle" is a deprecated name. If you're not using the Tor Browser you're making yourself both insecure (it ships with a smaller attack surface, no WebGL for example) and fingerprintable, thus defeating the full privacy advantages of the Tor Browser. There is simply no other alternative.
You can read the Tor Browser design documentation (though old) to get a rough sketch of what it's trying--and what it's not trying--to achieve: https://2019.www.torproject.org/projects/torbrowser/design/
Further reading in case you think VPNs are the solution: https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browse...