Desktop app as insecure, as a web page. Serve code from local files, especially crypto. #17

Closed
3n-mb opened this Issue Aug 23, 2016 · 7 comments

3n-mb commented Aug 23, 2016

Context

The whole of the app code, together with the crypto parts, is loaded via electron/main.js:

```js
ipcMain.once('load-webapp', function(event, online) {
  enteredWebapp = true;
  if (baseURL.includes('?')) {
    baseURL += '&hl=' + locale.getCurrent();
  } else {
    baseURL += '?hl=' + locale.getCurrent();
  }
  main.loadURL(baseURL);
});
```

where baseURL points to Wire's server, from which everything is loaded. All UI parts, all of the crypto, everything.

This way, all security aspects are totally equivalent to those of a web page.
For example, when Wire's server is compromised and starts to serve JS files that also steal keys/passes, all desktop applications are compromised immediately, because they rely for key functionality on code served from a web server.

This is a security problem.

Possible solution

Keep all web assets in a local directory.
Do not load it every time from a browser.

It can be as simple as modifying the build/pack process.
For example, require the wire-webapp folder to be nearby, trigger a build in it, then copy the assets into the electron folder here, and trigger the existing build process here.

In time, you may leverage this by injecting native-code backed crypto functions, speeding things up, turning a security benefit into a usability one.

Member

raphaelrobert commented Aug 25, 2016

Our web app has a high frequency for updates. We would have to change our strategy considerably if we were to package static files in the AppStore/Windows version every time.
Even if we were to do that, it would not completely solve the problem: users still have to trust the files from the AppStore/Windows package.
The best remedy is still to use the open source apps if you don't want to trust packages.

3n-mb commented Aug 25, 2016

@raphaelrobert there is an updater for electron.

My steps as a user:

0. go to Wire site
1. click to Get the (Windows) App
2. it is a 40-something MB download, thus, I assume it to be a complete Electron app
   No Windows app store noticed. Therefore, Electron may have an updater in it, making updates as needed, provided the user agrees to do an update.

Update server does not need to know user's identity.

When auto-ops push webapp, they push static assets to an update server, as a parallel branch. Parallel deployment into your own server shouldn't require, quoting you, "to change our strategy considerably", end of quote.

Here is another positive UX side for this security-minded solution. Faster startup! Potential for offline work!

Rant:

> The best remedy is still to use the open source apps if you don't want to trust packages.

This translates to a common theme: if we cannot give 100% security, we give none.

I, personally, thought that desktop users are those professionals (example from issue #12), to whom your company plans to sell premium services. Correct me if I am wrong. Wire's site promises privacy and security as the first point. Instead, the desktop version has lesser security than the mobile apps.

Member

raphaelrobert commented Aug 25, 2016

Let's be very clear: we care deeply about security and privacy and we are happy about suggestions and questions from the community.

The point you raised is an important one. We would certainly like to improve security where we can, but we also have to ask the questions: How good is the improvement? And if it is good enough, how will it affect the user experience (because ruining the user experience is ultimately also detrimental to security).

We use an updater for Electron (on Windows), and yes, we could package the files, but they would still come from a server. In addition we would also waste some bandwidth, because unfortunately Electron is not exactly small.
It might be a way forward to just package the web app and essentially cache it until the next update instead of downloading it every time the desktop app is started. But in reality the Wire desktop app is not started very often but rather kept in the background, and the web app updates are often just days apart.

Contributor

ConorIA commented Aug 25, 2016

Raphael, building on your last point (and from a lay perspective) would it be possible to have a small script that scrapes the version number from the web and only updates the cache if there have been changes?
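
Added example, not part of the thread and not Wire's code: one way the cached web app discussed in the comments above could be refreshed without trusting the asset server alone. The client accepts a new bundle only if its manifest is signed by a release key pinned in the desktop package, is newer than the cache, and matches every file hash; the manifest format, key handling and function names are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a release signing key kept off the web server;
// only the public half would be pinned inside the desktop package.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Release side (hypothetical): hash every asset and sign the manifest.
function signRelease(version, files, key) {
  const hashes = {};
  for (const name of Object.keys(files).sort()) hashes[name] = sha256(files[name]);
  const manifest = JSON.stringify({ version, hashes });
  const signature = crypto.sign(null, Buffer.from(manifest), key).toString('base64');
  return { manifest, signature };
}

// Client side: returns the version to cache, or throws and keeps the old cache.
function verifyUpdate(update, files, pinnedKey, cachedVersion) {
  const sig = Buffer.from(update.signature, 'base64');
  if (!crypto.verify(null, Buffer.from(update.manifest), pinnedKey, sig)) {
    throw new Error('manifest signature invalid');
  }
  // Parse only after the signature check, so unsigned input is never trusted.
  const { version, hashes } = JSON.parse(update.manifest);
  if (!Number.isInteger(version) || version <= cachedVersion) {
    throw new Error('not newer than cache (rollback refused)');
  }
  const names = Object.keys(files);
  if (names.length !== Object.keys(hashes).length) throw new Error('unexpected file set');
  for (const name of names) {
    if (hashes[name] !== sha256(files[name])) throw new Error('hash mismatch: ' + name);
  }
  return version;
}

// Constructed sample assets: a good release, then the same release with one
// file altered after signing (what a compromised asset server could deliver).
const assets = { 'index.html': Buffer.from('<script src="app.js"></script>'),
                 'app.js': Buffer.from('startWebapp();') };
const release = signRelease(2, assets, privateKey);
const tampered = { ...assets, 'app.js': Buffer.from('startWebapp(); /* altered */') };
function demo() {
  const accepted = verifyUpdate(release, assets, publicKey, 1);
  let rejected = null;
  try { verifyUpdate(release, tampered, publicKey, 1); } catch (e) { rejected = e.message; }
  return { accepted, rejected };
}
console.log(demo());
```

The version comparison also refuses a correctly signed but older bundle, so a server cannot push clients back to a release with known flaws.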

tmikaeld commented Aug 25, 2016

I would prefer this, a button that when clicked upon shows the version, changelog and link directly to the committed changes. It should show every time something changes and you haven't clicked it (Always in view). This would make it informative for those who want to see it and want to investigate the changes - while still keeping it out of view for those that don't care.

tmikaeld commented Aug 25, 2016

I'd rather review the code of a few scripts rather than a +40MB binary on every update.


Member

raphaelrobert commented Aug 26, 2016

@ConorIA sounds like the way to do it once there is a cache.

@tmikaeld Thanks for the suggestion, we'll keep it in mind.
