Hacker News new | ask | show | jobs
by smcgregor 4455 days ago
I don't think CryptoCat has been distributed as a traditional web app for at least a year (probably more). The browser code is distributed as an extension, which does not have the properties you describe.

edit for sub-comment: A traditional web app updates every time you hit the URL. In a browser extension your code is not necessarily tied to any remote origin, including the Chrome/Firefox stores. It is a user's choice to automatically receive updates from the vendor and this is the same choice that you make if you use apt-get vs manual download/checksum/sig check/audit.
1 comments
teacup50 4455 days ago
> The browser code is distributed as an extension, which does not have the properties you describe.

Actually, browser extensions have the exact same properties except for being code signed. That's not enough: http://arstechnica.com/security/2014/01/malware-vendors-buy-...

> I don't think CryptoCat has been distributed as a traditional web app for at least a year (probably more).

That they ever shipped in-browser crypto demonstrates that they shouldn't be shipping crypto.

link
pilif 4455 days ago
Malicious people buying extensions and then malwareing it is as likely or not as malicious people buying the vendor of whatever tool you are using on the desktop once its auto-updating feature is good enough (that would actually be slightly worse, because in the case if the extension you at least get to read what's actually executed).

What you are saying is that you don't trust any kind of application to do crypto unless you have previously audited it. That's a reasonable stance to take but it's irrelevant whether you distrust a third-party browser extension or a third-party native app.

The main argument against crypto in JS extensions is that getting crypto correct in regards to timing based side-channel attacks is very hard to impossible.

But if you are dealing with a specific browser in an extension context, this might be somewhat mitigated which would bring us back to the trust issue, which, again, IMHO is not dependent on the platform you use

link
teacup50 4455 days ago
> ... once its auto-updating feature is good enough ...

This is why it's a very bad idea to implement silent automatic updates, and why they're the wrong thing to copy from the web.

link