Hacker News new | ask | show | jobs
by chrismorgan 1487 days ago
Only if it was built and distributed by an independent third party. Otherwise, why would you trust that what you are being given is unmodified?

(But in this context, said independent third party is now a target, so that e.g. a government that wants to get your decryption key may talk to them.)

This is where reproducible builds are good stuff, because they make it possible to confirm that what you got is actually correct and unaltered. Sadly, that stuff only really works on desktop platforms, because mobile software distribution has kinda undermined it and the web never supported anything of this sort. (In ProtonMail’s defence, some years ago they did try to help with that for the web; but I believe all of that work stalled due to lack of implementer interest.)
2 comments
als0 1487 days ago
Reproducible builds aren't really that powerful if nobody audits what is being reproduced. And manual auditing is hard and tiring. You'd have to limit the number of updates to how many you can securely review over time. Or "pin" the code manually to specific versions so that it can't change without your permission.

My hot take on the subject of encrypted webmail is that the protocol to retrieve and decrypt mail should be a standard implemented by the browsers themselves. Not dependent on third party code, and you already trust the browsers not to leak information about what you're reading.

link
chrismorgan 1487 days ago
Reproducible builds make it possible. As an associated practical benefit, they also aid in making it possible to confirm that at least you’re getting the same version as everyone else, which is not something that can practically be done on mainstream mobile platforms, or at all on the web, yet which is probably the most likely form of attack (e.g. serving key-stealing code only to a subpoenaed customer, or only to one person as a rogue employee, to reduce the probability of being noticed).
link
kube-system 1487 days ago
And then you also need to audit all of the code yourself. Unless again, you want to trust someone else to do it. And then do the same with your OS and all of your hardware.

Computing without trusting others is damn near impossible.

link
vel0city 1487 days ago
Even when you get to the point of fabbing your own chips, how do you know your layout software isn't compromised? How do you know your pattern etcher isn't compromised? Are you inspecting the microscope and validating the billions of connections?

The only way to properly secure your web mail is to etch your own silicon by hand. Everything else is just useless security theater obviously.

link