[messaging] Electron and Desktop Secure Messaging

Nadim Kobeissi nadim at nadim.computer
Mon Nov 13 03:32:05 PST 2017

Hello everyone,

Skype was recently rewritten entirely. It is now based on Electron. This new Skype has been rolled on all desktop platforms worldwide.

When Cryptocat and Signal switched to Electron, the security of Electron itself became somewhat more important (more-so when Signal switched, since, as everyone knows, Cryptocat is used exclusively by myself, my poodle and exactly one random person on Twitter.)

But now that Skype has switched too, Electron is a much bigger deal: busting Electron = busting Skype, and getting a bunch of comparatively less important apps (including Signal, Cryptocat) for free.

Guides exist that outline best-practice guidelines for writing Electron apps [0,1]. However, as of today and to the best of my knowledge, no real study exists in order to correctly understand the security that Electron can offer all these messaging apps we’ve used it to build.

This is unsustainable.

I propose that we assemble and create a task force, similar to the TrueCrypt Audit Project [2] that centers on Electron:

	1. What security properties are we assuming?
	2. How much code coverage do we have in order to verify that we’re getting these properties?
	3. What is the status of our source code review?
	4. What is the status of our black box review, including fuzzing and similar?
	5. You get the drift. I think I’m being pretty predictable here.

If there is interest, I’d be happy to work on putting together a team and combine our efforts [3] to set a work plan, get funding, etc. and get this done. Aside from Signal, I’d like to see Wire, Microsoft and others participate as well, based on skill level, ability to contribute and stake in better understanding Electron. Let’s:

	1. Establish who’s doing what.
	2. Set the hours we’re willing to commit to this. I’ll see if I can determine compensation, based on whether we can funnel a small pot to pay for the effort.
	3. Establish work packages and deadlines.
	4. Finalize findings in a report.

The Open Crypto Audit Project [2], again, has already followed this approach to great success.

Finally, a flourish of sincerity:
In the past, the Signal team has reacted, always, towards anything I’ve ever proposed in what can accurately be termed “high-school shunning.” I’ve gotten really bored with this and I hope Moxie, Trevor and co. can find the time to formulate a response to this, at the very least, even if they can’t find the time to meaningfully participate.

[0] https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
[1] https://github.com/electron/electron/blob/master/docs/tutorial/security.md
[2] https://opencryptoaudit.org/
[3] https://www.youtube.com/watch?v=GyOMYC6mlsY

Sent from my computer

More information about the Messaging mailing list