There are other attacks on even Chrome apps, such as the recent sales of legit extensions to shady groups who use them for malware/adware distribution, because Google allows transfers of ownership and allows the new owners to update the extensions with anything they want.
On a related note, for someone who is more familiar with how Chrome handles extensions and sandboxing: can an app cross boundaries and then modify even JS for apps like openpgp.js or cryptocat?

-Andrew

On Jan 21, 2014 9:53 PM, "Fabio Pietrosanti (naif)" <li...@infosecurity.ch> wrote:

> On 1/22/14, 8:06 AM, Paul Ferguson wrote:
> >
> > While I do not disagree with you here, per se, I would like to point
> > out that any client that gratuitously trusts JavaScript *or* HTML5 is
> > also a client which allows the end user to be victimized by the most
> > casual daily criminal campaigns.
>
> I just would like to argue that the delivery (download, installation,
> upgrade) of a Chrome App is far more secure than a native application
> with an executable installer, due to the trust model of application store
> and the reduced risks of being hijacked/infected during the download.
>
> That's not a website delivering you javascript code.
>
> That's an *application* that is built using Javascript/HTML5 like if it
> was built using Objective-C/C++ for iOS.
>
> No substantial difference.
>
> I'm really bored about the continuous criticism against use of Javascript
> for encryption purposes.
>
> HTML5/JS is in the future of any application development, it's the
> only heterogeneous application development environment, the browser is the
> home of the end-user.
>
> That's what we just need to accept, it already happened, it's always that
> way. We just need to deal with that.
>
> --
> Fabio Pietrosanti (naif)
> HERMES - Center for Transparency and Digital Human Rights
> http://logioshermes.org - http://globaleaks.org - http://tor2web.org
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> compa...@stanford.edu.