[messaging] Electron and Desktop Secure Messaging
nadim at nadim.computer
Mon Nov 13 10:18:43 PST 2017
> On Nov 13, 2017, at 5:42 PM, Jeff Burdges <burdges at gnunet.org> wrote:
> If I understand, Skype traditionally turns over all messaging content to
> any authority figure who asks, no?
So did WhatsApp, until they implemented Signal :-)
> If they improved the crypto great,
> but they cannot be trusted, so auditing their code sounds challenging
> and might yield only temporary results.
> Signal matters of course.
> On Mon, 2017-11-13 at 12:32 +0100, Nadim Kobeissi wrote:
>> This is unsustainable.
> Rewrite it in Rust! Rust Evangelism Strikeforce, Yey!
> I'm actually not joking:
> Electron must contain the usual 0-day herd, via Chromium, etc.
> Mozilla's Servo project otoh provides a largely memory safe browser
> engine, with greater attention paid to security throughout, although
> they never rewrote SpiderMonkey.
You could check if Electron is modular enough to support isolating everything away from Chromium and wiring Servo in instead.
But you won’t have much luck convincing Skype and everyone else to do the same thing.
> If you want to write a secure Electron app, then maybe your first step
> should be to figure out if you could do it under Servo plus whatever instead.
> In fact, Mozilla has done exactly this before since their Browser.html
> experiment runs under Servo, Gecko, and Chromium:
> Also, I suspect the Servo team will be happier to consider issues you
> raise and take your patches than Google or GitHub.
> p.s. More links: