[liberationtech] Whiteout OpenPGP.js encrypted mail client (Chrome HML5 App)
Tony Arcieri
bascule at gmail.com
Tue Jan 21 20:23:48 PST 2014
On Tue, Jan 21, 2014 at 6:53 PM, Fabio Pietrosanti (naif) <
lists at infosecurity.ch> wrote:
> I just would like to argue that the delivery (download, installation,
> upgrade) of an Chrome App is far more secure than an native application
> with an executable installer, due to the trust model of application store
> and the reduced risks of being hijacked/infected during the download.
>
Yes and no.
It's true that Chrome extensions distributed through Google's walled garden
are more secure than typing an address into your URL bar.
It's true that native applications have wide-ranging capabilities that
browser extensions don't.
But it's important to keep in mind that browser extensions are fraught with
their own problems, and that browsers are complex beasts with even more
complex potential interactions between components, the possibilities of
which are extremely hard to understand, even by the browser authors
themselves.
Where browser extensions can fall down is unexpected interactions with web
pages and JavaScript running on them. This is a problem that native apps
don't have because the browser is attempting to act as a sandbox, so
escalating privilege from a JavaScript to access to native code execution
is much more difficult than escalating privileges to interact with browser
extensions unexpectedly. In this regard, native apps are superior, because
the browser is trying to prevent that interaction from happening. Native
apps are "airgapped" from web pages in a way browser extensions are not.
This is a good talk on the matter, specifically in regard to Chrome:
http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff-attacking-with-google-chrome-extensions
Don't get me wrong, things are getting better, but we're not completely
there yet.
--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140121/2562513b/attachment.html>
More information about the liberationtech
mailing list