by ranger_danger
439 days ago
I think one of the growing threats lately in the community has been over malicious client-side JavaScript, especially when the client handles end-to-end encrypted content (used on sites like Proton, MEGA etc.), so requiring users to trust Google with the contents of these client pages, and by extension the emails themselves, seems (in my opinion) to defeat the entire point of this feature.

Some work in this area has been done in the form of browser extensions that are used to verify signed assets delivered to the client:

https://github.com/freedomofpress/webcat
https://github.com/tasn/webext-signed-pages
https://github.com/jahed/webverify
https://github.com/facebookincubator/meta-code-verify

But unfortunately for now, none of these are seeing wide adoption and this remains an unsolved issue. It also does not require anyone to use known-good, audited and verified open-source components, meaning even if the client code is signed, it can still be malicious... there must be a greater reason to trust the code than just "trust me bro".