[messaging] Electron and Desktop Secure Messaging
joe at celo.io
Sat Dec 23 06:45:06 PST 2017
On 11/13/2017 03:11 PM, Nadim Kobeissi wrote:
>> On Nov 13, 2017, at 3:09 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
>> Nadim Kobeissi:
>>> Hello everyone,
>>> Skype was recently rewritten entirely. It is now based on Electron. This new Skype has been rolled out on all desktop platforms worldwide.
>>> When Cryptocat and Signal switched to Electron, the security of Electron itself became somewhat more important (more so when Signal switched, since, as everyone knows, Cryptocat is used exclusively by myself, my poodle and exactly one random person on Twitter.)
>>> But now that Skype has switched too, Electron is a much bigger deal: busting Electron = busting Skype, and getting a bunch of comparatively less important apps (including Signal, Cryptocat) for free.
>>> Guides exist that outline best-practice guidelines for writing Electron apps [0,1]. However, as of today and to the best of my knowledge, no real study exists in order to correctly understand the security that Electron can offer all these messaging apps we’ve used it to build.
>>> This is unsustainable.
>> I agree but I don't think any criticism is going to stick at this point. Best to just ignore it and watch it burn in 10 years, like Windows XP programs and IE 5 websites back in the day. Make something else better?
> Please, let’s cut off this possibility from the start. The whole point of this proposal is not to wait a decade and then have to sell an alternative to Skype and company. They’re all already on Electron. The Electron team is receptive to feedback and regularly fix security issues. The framework is established.
> Watching anything burn is not an option. Realistic and productive mindset only, please.
Another option is to turn your back to the snakeoil security (so you
won't have to watch it burn).