1. KingMa+(OP) 2020-05-31 23:47:49
True, but it's only safe if you do that. You have to either inspect the code every time you use the site or run it locally. Until subresource integrity [1] becomes widely used, along with the capability to 'pin' a given script to a specific version, web applications cannot be used without at least trusting the owner of the domain.

A better example is Protonmail, a secure email service. It has a nice web client, and there is a 3rd-party desktop/Electron version of the same site called Electronmail. While both essentially run identical code, the Electron version is more secure because even if Protonmail inserted a backdoor for a single user or a number of users, they would have to at least publish the backdoor in the vanilla code, at which point the maintainers of Electronmail would probably raise the alarm.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

replies(2): >>rkager+D1 >>t-writ+R2
2. rkager+D1 2020-06-01 00:00:44
>>KingMa+(OP)
Write a little piece of open-source client software to take a hash of the source code. Check the hash every time you use it. Spread the tool around to a community of people who review every time the hash changes and publish (separately) a history of attested hashes.
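As an added illustration (not code from any commenter, nor from Protonmail or Electronmail) of the two approaches raised above: computing and verifying an SRI `integrity` token for a fetched script, and the "attested hash history" check from the previous comment. The script bodies and the history are constructed sample data.

```python
import base64
import hashlib
import re

# Strength ranking used when an integrity attribute lists several algorithms.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64>' for a resource body."""
    if algo not in _STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Match a body against an integrity attribute: only tokens of the strongest
    listed algorithm count, and any one of them matching is a pass. Unlike a
    browser, which skips the check when no token parses, this fails closed."""
    tokens = [t for t in integrity.split()
              if re.fullmatch(r"sha(256|384|512)-[A-Za-z0-9+/]+=*", t)]
    if not tokens:
        return False
    strongest = max(_STRENGTH[t.split("-", 1)[0]] for t in tokens)
    candidates = {t for t in tokens if _STRENGTH[t.split("-", 1)[0]] == strongest}
    actual = {sri_digest(body, a) for a in _STRENGTH if _STRENGTH[a] == strongest}
    return bool(candidates & actual)


def check_pinned(body: bytes, attested_history: list[str]) -> str:
    """The tool the comment describes: hash the served code and compare it with a
    separately published, community-attested history. Returns 'current' for the
    newest attested hash, 'rollback' for an older one, 'unreviewed' otherwise."""
    current = sri_digest(body)
    if attested_history and current == attested_history[-1]:
        return "current"
    if current in attested_history[:-1]:
        return "rollback"
    return "unreviewed"


# Constructed stand-ins for successive builds of a web client's JS bundle.
ATTESTED_V1 = b"(function(){console.log('mail client v1');})();\n"
ATTESTED_V2 = b"(function(){console.log('mail client v2');})();\n"
UNREVIEWED = b"(function(){console.log('mail client v2');/*hotfix*/})();\n"
# Constructed attested-hash history, oldest first.
HISTORY = [sri_digest(ATTESTED_V1), sri_digest(ATTESTED_V2)]

if __name__ == "__main__":
    for name, body in (("v1", ATTESTED_V1), ("v2", ATTESTED_V2), ("hotfix", UNREVIEWED)):
        print(name, sri_digest(body), check_pinned(body, HISTORY))
```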
3. t-writ+R2 2020-06-01 00:12:04
>>KingMa+(OP)
Or, you could download the repository, validate it once for yourself and then use it repeatedly. It is open source, after all.