[messaging] Electron and Desktop Secure Messaging

Jeff Burdges burdges at gnunet.org
Mon Nov 13 08:42:06 PST 2017

If I understand, Skype traditionally turns over all messaging content to
any authority figure who asks, no?  If they improved the crpyto great,
but they cannot be trusted, so auditing their code sounds challenging
and might yield only temporary results.

Signal matters of course.

On Mon, 2017-11-13 at 12:32 +0100, Nadim Kobeissi wrote:
> This is unsustainable.

Rewrite it in Rust!    Rust Evangelism Strikeforce, Yey!

I'm actually not joking:  

Electron must contain the usual 0-day herd, via Chromium, etc.
Mozilla's Servo project otoh provides a largely memory safe browser
engine, with greater attention paid to security throughout, although
they never rewrote SpiderMonkey.  

If you want to write a secure Electron app, then maybe your first step
should figure out if you could do it under Servo plus whatever instead.
In fact, Mozilla has done exactly this before since their Browser.html
experiment runs under Servo, Gecko, and Chromium:

Also, I suspect the Servo team will be happier to consider issues you
raise and take your patches than Google or GitHub.  


p.s.  More links:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20171113/8c7dfb3c/attachment.sig>

More information about the Messaging mailing list