
Comment by AlBugdy

4 hours ago

It's obvious what GP meant - we can verify that the apps we download are the apps everyone else downloads.

We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

> That isn't what "sandboxed" means, it has nothing to do with checking hashes. And no, mobile apps are not really sandboxed

Apps ARE somewhat sandboxed and GP didn't mean that sandboxing == checking hashes. It was 2 sentences appearing one after the other.

You cannot. An app can update just like a browser tab. In fact, very many apps are just frickin' webviews.

  • Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

    Now if it contains webviews, it brings the security issue of... the webapps, of course.

    Personally, I want an open source app. You can audit an open source app and even compile it yourself. You can't really do that with a website. And I don't mean just mobile apps, that applies to desktop apps, too. I wouldn't run a web-based terminal, for instance (do people actually do that?).

• > Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

      Not impossible to do with websites, if the need to do it was there. It would take about 15 minutes to create a browser extension that could make a hash of all the files loaded, to compare with other users with the extension installed - but honestly that's just not needed because if you're connecting via HTTPS, then you're getting the files that are intended to be served, presumably not malicious if you trust the source. And if you don't trust the source, then why are you loading it to begin with??

> Now if it contains webviews, it brings the security issue of... the webapps, of course.

      Web applications are sandboxed in the web browser. Very little issue with that, outside of browser bugs/exploits, but bugs and exploits are found in every system ever.

> I wouldn't run a web-based terminal, for instance (do people actually do that?).

      AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.


> We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

That isn't a problem with how the web works vs how apps work, that's a problem with you trusting Protonmail.

If you really wanted to be secure sending an email or any communication, you wouldn't trust any third party, be it an app or a website - you would encrypt your message on an air-gapped system, preferably a minimal known safe Linux installation, move the encrypted file to a USB, then insert the USB into a system with network access, and then send the encrypted file to your destination through any service out there. Even plain old unencrypted http would work at that point, because your message is already encrypted.

The second you give your unencrypted message to any third party on any device with an input box and a network connection is the moment you made it public. If I had to be extremely sure that my message isn't read by anyone else, typing it into a mobile app or a web browser isn't the place I'd start - it would only be done as a last resort.

  • That is a problem with you not understanding how security works.

    > If you really wanted to be secure

    There is no such thing as "being really secure". There are threat models, and implementations that defend you against them. Because you can't prevent a bulldozer from destroying your front door does not mean that it is useless to ever lock it.

    Even your air-gapped example is wrong, because it means that you have to trust that system (unless you are capable of building a computer from scratch in your garage, which I doubt).

Sending an encrypted message over the Signal app is a lot more secure than sending an email over the ProtonMail website, which itself is more secure than sending it in a non-secret Telegram channel. It's a gradient, it can be "more" or "less" secure, it doesn't have to be "all or nothing" as you seem to believe.