This post specifically says that browser crypto can be great to protect the interest of the website owner… well if you self-host your own Element or e2ee encrypted xmpp webclient you are the owner of the website.
The entire argument against javascript and webapps is always severely distorted by all sorts of false assumptions and compared to random binary only apps downloaded and run on MS Windows, I would take a modern browser and webapp in most cases.
if you self-host your own Element or e2ee encrypted xmpp webclient you are the owner of the website
That’s 0.01% of the general population, and even here, I guess very few people self-host their email or Matrix or XMPP. And it still doesn’t protect you against someone breaking the TLS connection between you and your server. This is a serious security concern, there have been multiple cases of certificate authorities issuing bad certificates.
The entire argument against javascript and webapps is always severely distorted by all sorts of false assumptions and compared to random binary only apps downloaded and run on MS Windows, I would take a modern browser and webapp in most cases
I mostly agree, but because proprietary, Windows-only apps are not generally designed with security as the number 1 concern. For FLOSS apps that do highly value security (like Matrix), this is not an acceptable compromise to me. Signal doesn’t have a web client for this exact reason. As I said in another comment, even password managers don’t care about this issue, which is really disappointing.
I guess very few people self-host their email or Matrix or XMPP.
You don’t need to self-host email, Matrix or XMPP to use E2EE. I meant self-hosting the web clients.
And it still doesn’t protect you against someone breaking the TLS connection between you and your server.
HSTS, Certificate Pinning, …
Every communication method suffers from this, it’s not exclusive to web-based communication.
proprietary, Windows-only apps are not generally designed with security as the number 1 concern
Yeah, Open Source software down to the OS itself is important for security. But even then, who audits their own software? It’s probably 0.01% of the 0.01% of the general population you mentioned.
You don’t need to self-host email, Matrix or XMPP to use E2EE. I meant self-hosting the web clients.
Nobody does that
HSTS, Certificate Pinning, …
HSTS is great but doesn’t protect you against maliciously issued certificates, and Certificate pinning is deprecated on the Web.
Yeah, Open Source software down to the OS itself is important for security. But even then, who audits their own software? It’s probably 0.01% of the 0.01% of the general population you mentioned.
That’s why you stick to software under high scrutiny and highly visible for security-sensitive stuff, and avoid using software with a broken security model for sensitive stuff.
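As an added illustration of the HSTS and pinning points made above (example code written for this page, not posted by anyone in the thread): an HSTS header parser with an audit check, next to the SPKI pin computation that HPKP used and that native clients still do. The two functions together make the distinction concrete: HSTS only decides *whether* the connection must be TLS, a pin decides *which key* the server must present. The header strings and the SPKI bytes below are constructed sample inputs, not taken from any real site.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 directive syntax)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # RFC 6797 says unknown directives are ignored, so anything else falls through.
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header_value: Optional[str]) -> List[str]:
    """Audit an HSTS header; an empty list means it meets the preload-list bar.

    Note what is NOT checked here: nothing in HSTS says which CA or which key
    may vouch for the host, so a mis-issued certificate still passes.
    """
    if header_value is None:
        return ["no Strict-Transport-Security header: first visit can be downgraded"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 removes the policy from the browser")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay downgradable")
    if not policy.preload:
        findings.append("preload missing: cannot be shipped in the browser preload list")
    return findings


def spki_pin(spki_der: bytes) -> str:
    """Pin format HPKP used: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(spki_der: bytes, pinned: Set[str]) -> bool:
    """A native client compares the presented key against its pin set, not the CA chain."""
    return spki_pin(spki_der) in pinned


# Constructed sample headers, chosen to exercise each finding.
SAMPLE_HEADERS = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "short-lived": "max-age=300",
    "broken": "max-age=abc",
    "absent": None,
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, hsts_findings(header) or "ok")
    # Constructed stand-in for a DER SPKI blob; a real one comes from the leaf certificate.
    fake_spki = b"\x30\x03\x02\x01\x01"
    print("pin:", spki_pin(fake_spki), "matches:", pin_matches(fake_spki, {spki_pin(fake_spki)}))
```

The audit function is the part you would actually run against response headers; the pin functions are there to show what a pin check looks like when a client (outside the browser) still does one.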
So, like Element? scnr
More like Signal