[mwcampbell]

Thanks. I'd pay (moderately) for the more complicated answer. An ebook on Electron security might be a good idea.

[oskarsv]

I'm not an expert on Electron security!

But if not addressed to me, there is no need to pay, you can start here: - https://www.electronjs.org/docs/tutorial/security - https://github.com/electron/electron/security/advisories

As you can see there are plenty of considerations and pitfalls to take into account. Best option is to enable contextIsolation for everything.

Further, Electron security is closely tied to Chrome security so that is one deep rabbit hole

[pjmlp]

Best Electron security is not using it in first place.

[coldtea]

Yeah, let's stick with raw C/C++, that would be much safer...

Or maybe let's use some research language made by Wirth, and get access to all 10 of packages and 5 devs worldwide using it :-)

[pjmlp]

For starters, leave it on the browser.

I didn't mention any programming language.

[gitweb]

Telegram Desktop is a cross-platform C++ app. What similar remote code execution exploit has existed in the wild for it?

[coldtea]

The exact same kind of RCE?

https://securelist.com/zero-day-vulnerability-in-telegram/83...

and others...

https://www.notebookcheck.net/Researchers-at-Symantec-discov...

[gitweb]

One of them requires the user to click run on a file, much like running an EXE. The other, simply saves potentially malicious data to external storage which would then have to be run by a separate malicious third-party app. This are far from RCE exploits that execute immediately without poor user decision making, and Rust is not impervious to security exploits similar to these.

[untog]

C'mon. Just because there is one C++ app without remote exploits doesn't mean all C++ apps are immune.

[valand]

FYI it's not just PL that factors into security. The engineers, for example.

[MaxBarraclough]

Rather just keep it in the browser? ;-P

[kevingadd]

This is safer to a significant degree.