undefined | Better HN

0 pointsbagacrap6y ago0 comments

Your browser sends and receives tons of packets to addresses owned by the browser vendor and third party sites. After all that's its main function. Your open source browser is millions of lines of code. You think it would not be possible to exfiltrate passwords without your notice? It seems a much more practical approach to assume your browser vendor is a "good guy", as the alternative model is that you choose to do all your most sensitive computing via an adversary.

0 comments

benburleson6y ago

I think the premise is we would know if it already did that, and incremental code changes can be inspected to see it isn't added. So yeah, it's pretty safe to say open source makes it trustable.

dancek6y ago

That's pretty reasonable, but if I were a malicious actor looking to do something like this, I'd try to introduce different bugs at different times that combine to leak passwords. That would give plausible deniability, too. Not saying it's an easy scheme to engineer.

UncleMeat6y ago

People inspect chrome diffs for weird changes too. Closed source software does not prevent people from noticing malware, especially in some of the most heavily scrutinized software in the world.

j / k navigate · click thread line to collapse