by leni536 2765 days ago
I think it's worth comparing this to the deployment of the phone apps and the threat model there. AFAIK the phone apps are not open source, so what if I don't trust the developers? OK, let's assume I trust the developers, but their build server gets compromised (probably much less attack surface than their web interface, but still)?

But if it were open source, available on F-Droid and reproducibly buildable, then it could potentially be more secure than a web application. But even then the users either have to audit the source themselves (unlikely), or trust the developers, or trust one or more third-party auditors and make sure they run the same code as audited.

For a web application, auditing the client code every time you log in is impractical, and you can never be sure you run the same code as a third-party auditor.

1 comment

In fact, due to the browser execution model, it's not impractical, it's impossible: it can mutate at any moment.