Counter measures In response to a report that a tracker was using CNAMEs to circumvent privacyblocklists4, uBlock Origin released an update for its Firefox version that thwarts CNAME cloaking . The extension blocks requests to CNAME trackers by resolving the domain names using the browser.dns.resolve API method to obtain the last CNAME record (if there is any) before each request is sent. Subsequently, the extension checks whether the domain name matches any of the rules in its block lists, and blocks requests with matching domains while adding the outcome to a local cache. Although uBlock Origin also has a version for Chromium-based browsers, the same defense cannot be applied because Chromium-based browser extensions do not have access to an API to performDNS queries. As such, at the time of this writing, it is technically impossible for these extensions to block requests to trackers that leverage CNAME records to avoid detection
It sounds right in theory but all the security mitigation in Chromium didn’t help to avoid this vulnerability being exploited in the wild. We should prioritize security in the real world over theoretic considerations. Despite all security innovations in Chrome / Chromium, that didn’t actually help users in the real world if Chromium maintenance (new releases with security fixes) lags behind Chrome. Maintenance is unfortunately something that cannot be excluded from the security comparison.
Now for more than 2 weeks Kicksecure would have had the choice to either install by default:
Firefox: No security vulnerabilities reported being exploited in the wild.
Chromium: At least 1 vulnerability reported being exploited in the wild.
More theoretic considerations…
Additionally, users on the Linux platform  had to choice:
Kicksecure Freedom Software doesn’t have the chance to install Chrome by default because it would then become non-freedom software. Even when mixing Freedom Software with non-freedom software, I wouldn’t know if Chrome could be legally re-distributed. I haven’t found license agreement for Chrome yet.
The question of the Kicksecure default browser, Debian’s Firefox ESR (or from any other Firefox from alternative sources) versus any Chromium unfortunately now got less clear to me.
 Leaving out Windows from considerations since this is about what to do in Kicksecure, Freedom Software, Linux based.
I find too many unresolved vulnerabilities in Debian’s Chromium security tracker. For now, is it better to use Firefox instead?
I don’t think Chromium from Debian will get any better soon, is it better to switch to a decent Chromium stable upstream? (I’m not aware of any stable upstream though) Maybe use Brave?
Firefox isn’t much better. Even assuming that Debian’s packaging of Firefox is flawless (it almost certainly is not), it’s still using an ESR build which inherently has many public, unfixed vulnerabilities upstream that can’t be patched even if Debian were to keep the package updated.
You only added to dummy-dependency.
For such changes, you need to search the whole file for chromium, better the whole source code, best all source code. In this case, whole file would have been enough.
Meta package kicksecure-desktop-applications-recommended wasn’t changed.
I don’t know if the situation has improved or not since 2021, but alternative packaging systems that have fresh versions of FF and even thunderbird are perhaps the best option. I don’t know if this gets around opengl dependency woes though (which is the main reason holding newer releases from being published in deb repos).