Hacker News new | ask | show | jobs
by em-bee 561 days ago
i can remove network access capabilities from a desktop app after it is installed. i can't easily do that with an app running in a browser.

likewise monitoring and detecting network access per application is easy. tracking down which browser tab is making which network connection is a lot harder.
2 comments
mardifoufs 561 days ago
Go to the network tab of your browser's dev tools. It's literally easier than with a desktop app.
link
em-bee 561 days ago
i am using that already. at least in firefox the network tab only shows which destinations generate traffic. it does not show which tab the traffic comes from. since any page can connect to multiple destinations, not just the one where the page is loaded from, this is not enough to identify the culprit.
link
cxr 561 days ago
You are either confused about something, or you're simply refusing to engage with reality.

> Any nefarious thing a browser-based app can do, a local program can do, too, [or worse!]

link
em-bee 560 days ago
you are not wrong on the comparison but you miss the tools available to contain a desktop application that are not available for a browser application. by default a browser application is more limited than a desktop application, but those limitations also reduce the possible functionality of a browser application, and they are locked in place as far as i am aware of.

for a desktop application, at least on linux there are tools available to further constrain its access to the system by monitoring its activity, removing capabilities or placing the app in a container or even a VM. (VM are available on windows and mac too, but i don't know about other features)

to contain a browser app in this way i would have to run a contained copy of the browser as a whole, and i still can't easily limit network access.

further, almost all desktop applications on linux come from a trusted source or a trusted intermediary and have undergone at least some kind of review, whereas browser applications can be reviewed but it is non-trivial to ascertain that i am running the exact same version that was reviewed.

it is possible, and it is my hope for all this to change. i actually believe browser applications are a good idea, but the ability to audit, and constrain browser applications needs to improve a lot for that to happen.

link