Hacker News new | ask | show | jobs
by oskarsv 2016 days ago
there are different levels of security for ElectronJS, some, like in this case are not enough.

I think it will take a long time before we can call ElectronJS secure. there are regular sandbox escapes and that is from what we know publicly
1 comments
untog 2016 days ago
The OP is asking for more detail than “not enough”, though:

“Can it escape the Chromium renderer sandbox? Or is that sandbox disabled?”

link
oskarsv 2016 days ago
to simplify - no it’s not enabled

the real answer is more complicated as it is not necessarily a global setting and depends on what you call a “sandbox”

link
mwcampbell 2016 days ago
Thanks. I'd pay (moderately) for the more complicated answer. An ebook on Electron security might be a good idea.
link
oskarsv 2016 days ago
I'm not an expert on Electron security!

But if not addressed to me, there is no need to pay, you can start here: - https://www.electronjs.org/docs/tutorial/security - https://github.com/electron/electron/security/advisories

As you can see there are plenty of considerations and pitfalls to take into account. Best option is to enable contextIsolation for everything.

Further, Electron security is closely tied to Chrome security so that is one deep rabbit hole

link
pjmlp 2016 days ago
Best Electron security is not using it in first place.
link
coldtea 2016 days ago
Yeah, let's stick with raw C/C++, that would be much safer...

Or maybe let's use some research language made by Wirth, and get access to all 10 of packages and 5 devs worldwide using it :-)

link
pjmlp 2016 days ago
For starters, leave it on the browser.

I didn't mention any programming language.

link
gitweb 2016 days ago
Telegram Desktop is a cross-platform C++ app. What similar remote code execution exploit has existed in the wild for it?
link
MaxBarraclough 2016 days ago
Rather just keep it in the browser? ;-P
link
kevingadd 2016 days ago
This is safer to a significant degree.
link