Comment by palata
7 hours ago
Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.
Now if it contains webviews, it brings the security issue of... the webapps, of course.
Personally, I want an open source app. You can audit an open source app and even compile it yourself. You can't really do that with a website. And I don't mean just mobile apps, that applies to desktop apps, too. I wouldn't run a web-based terminal, for instance (do people actually do that?).
> Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.
Not impossible to do with websites, if the need to do it was there. It would take about 15 minutes to create a browser extension that could make a hash of all the files loaded, to compare with other users with the extension installed - but honestly that's just not needed because if you're connecting via HTTPS, then you're getting the files that are intended to be served, presumably not malicious if you trust the source. And if you don't trust the source, then why are you loading it to begin with??
> Now if it contains webviews, it brings the security issue of... the webapps, of course.
Web applications are sandboxed in the web browser. Very little issue with that, outside of browser bugs/exploits, but bugs and exploits are found in every system ever.
> I wouldn't run a web-based terminal, for instance (do people actually do that?).
AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.
> It would take about 15 minutes to create a browser extension that could make a hash of all the files loaded, to compare with other users with the extension installed
You completely underestimate it. I am absolutely certain that you cannot create a browser extension that meaningfully solves this problem in 15 minutes.
> Web applications are sandboxed in the web browser. Very little issue with that
Except that when we are talking about end-to-end encryption, the sandbox has nothing to do with it. The sandbox defends against something else, not the server serving you an end-to-end encryption program abusing it.
> AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.
I genuinely can't see if you just don't understand the point being discussed at all, or if you keep saying off-topic things as a way to divert the discussion.