[liberationtech] Standalone JS apps vs. browser extensions, which is better?
Francisco Ruiz
ruiz at iit.edu
Sat Aug 24 14:13:34 PDT 2013
My encryption app, PassLok, is currently in the shape of a standalone,
static web page with two text boxes where users copy and paste plain or
encrypted messages. I am considering the possibility of making a browser
extension version out of it, probably along the lines of myMail-crypt or
Mailvelope for Chrome, to provide a tighter integration with email programs
(or at least with Gmail, which is very popular these days).
But let me frame this as a general issue, since I am sure there are other
developers who are wondering if browser extensions are the way to go. They
tend to make things easier for the user, but at some cost. I’d like to know
more exactly what the trade-off is.
There is a lot going for making an extension that ties with a web mail
service. For instance:
1. Users would be able to store their contacts’ public keys within
the app, so the extension would fetch them automatically once recipients’
emails are typed.
2. Extensions, I am told, can be better protected from tampering by
an enemy than a simple web page, even if that page travels by TLS/SSL.
On the other hand:
1. Users would be forced to trust me, the developer, concerning the
security of the extension, while right now they can look at the code and
decide for themselves if they want to use it.
2. The extension could be broken by Google changing things in
Chrome or Gmail, which would force me to be constantly updating it.
3. In the examples I mentioned above, public keys are stored
locally in the computer, which would break the principle of perfect
portability that PassLok is based on. This would not be so much of a
problem if the keys could be stored in the Cloud, but I haven’t seen an
example that does it satisfactorily.
4. There’s also the issue that Google no longer has a clean
nose concerning cooperation with spy agencies (with or without judicial
warrants), so they could change my code and weaken the extension without my
knowledge.
5. Browser extensions don’t yet run on mobile devices, again
against one of PassLok’s design principles.
What do you think? Given the state of affairs these days, with some secure
mail services compromised and others shutting down because of the threat of
government interference, is it still worthwhile to invest the effort in
developing an extension in order to streamline user experience?
Thanks!
--
Francisco Ruiz
Associate Professor
MMAE department
Illinois Institute of Technology
PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
get the PassLok privacy app at: http://passlok.com