Hello everyone,

Skype was recently rewritten entirely. It is now based on Electron. This new 
Skype has been rolled out on all desktop platforms worldwide.

When Cryptocat and Signal switched to Electron, the security of Electron itself 
became somewhat more important (more so when Signal switched, since, as 
everyone knows, Cryptocat is used exclusively by myself, my poodle and exactly 
one random person on Twitter).

But now that Skype has switched too, Electron is a much bigger deal: busting 
Electron = busting Skype, and getting a bunch of comparatively less important 
apps (including Signal, Cryptocat) for free.

Guides exist that outline best-practice guidelines for writing Electron apps 
[0,1]. However, as of today and to the best of my knowledge, no real study 
exists in order to correctly understand the security that Electron can offer 
all these messaging apps we’ve used it to build.

This is unsustainable.

I propose that we assemble and create a task force, similar to the TrueCrypt 
Audit Project [2] that centers on Electron:

        1. What security properties are we assuming?
        2. How much code coverage do we have in order to verify that we're getting these properties?
        3. What is the status of our source code review?
        4. What is the status of our black box review, including fuzzing and similar?
        5. You get the drift. I think I'm being pretty predictable here.

If there is interest, I’d be happy to work on putting together a team and 
combine our efforts [3] to set a work plan, get funding, etc. and get this 
done. Aside from Signal, I’d like to see Wire, Microsoft and others participate 
as well, based on skill level, ability to contribute and stake in better 
understanding Electron. Let’s:

        1. Establish who's doing what.
        2. Set the hours we're willing to commit to this. I'll see if I can determine compensation, based on whether we can funnel a small pot to pay for the effort.
        3. Establish work packages and deadlines.
        4. Finalize findings in a report.

The Open Crypto Audit Project [2], again, has already followed this approach to 
great success.

Finally, a flourish of sincerity:
In the past, the Signal team has reacted, always, towards anything I’ve ever 
proposed in what can accurately be termed “high-school shunning.” I’ve gotten 
really bored with this and I hope Moxie, Trevor and co. can find the time to 
formulate a response to this, at the very least, even if they can’t find the 
time to meaningfully participate.

References:
[0] https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
[1] https://github.com/electron/electron/blob/master/docs/tutorial/security.md
[2] https://opencryptoaudit.org/
[3] https://www.youtube.com/watch?v=GyOMYC6mlsY

Nadim
Sent from my computer

_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging