-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 1/21/2014 8:52 PM, Andrés Leopoldo Pacheco Sanfuentes wrote:
> What is the "value proposition" of changing email client from > Gmail? > Please don't feed the troll. Thank you. - - ferg > On Jan 21, 2014 10:24 PM, "Tony Arcieri" <[email protected] > <mailto:[email protected]>> wrote: > > On Tue, Jan 21, 2014 at 6:53 PM, Fabio Pietrosanti (naif) > <[email protected] <mailto:[email protected]>> wrote: > > I just would like to argue that the delivery (download, > installation, upgrade) of an Chrome App is far more secure than an > native application with an executable installer, due to the trust > model of application store and the reduced risks of being > hijacked/infected during the download. > > > Yes and no. > > It's true that Chrome extensions distributed through Google's > walled garden are more secure than typing an address into your URL > bar. > > It's true that native applications have wide-ranging capabilities > that browser extensions don't. > > But it's important to keep in mind that browser extensions are > fraught with their own problems, and that browsers are complex > beasts with even more complex potential interactions between > components, the possibilities of which are extremely hard to > understand, even by the browser authors themselves. > > Where browser extensions can fall down is unexpected interactions > with web pages and JavaScript running on them. This is a problem > that native apps don't have because the browser is attempting to > act as a sandbox, so escalating privilege from a JavaScript to > access to native code execution is much more difficult than > escalating privileges to interact with browser extensions > unexpectedly. In this regard, native apps are superior, because the > browser is trying to prevent that interaction from happening. > Native apps are "airgapped" from web pages in a way browser > extensions are not. > > This is a good talk on the matter, specifically in regard to > Chrome: > > http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff-attacking-with-google-chrome-extensions > > Don't get me wrong, things are getting better, but we're not > completely there yet. > > -- Tony Arcieri > - -- Paul Ferguson PGP Public Key ID: 0x54DC85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlLfUwsACgkQKJasdVTchbKpwQD5ARHMTMUwUnt3r3FeeCWvzzB1 W+jWmAk/pIvZPOltOf8BAMAiTOu8wbzawNSP8I+svj+TlrlEM13FNJ2ALRamFGqB =5BXU -----END PGP SIGNATURE----- -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
