undefined | Better HN

0 pointsleptons1mo ago0 comments

>That the server can send you a backdoor every single time, made just for you, and nobody else will ever know?

There is no "backdoor" when the browser is sandboxed. "backdoor" is a specific thing, I think you need to read up on it before you keep using it incorrectly:

https://en.wikipedia.org/wiki/Backdoor_(computing)

>On the other hand, an app is sandboxed, too (on mobile OSes like Android and iOS). When you download it, you can check a hash that you can (if you want to) compare with a friend to see if they got the same app.

That isn't what "sandboxed" means, it has nothing to do with checking hashes. And no, mobile apps are not really sandboxed, they have full access to your mobile device once you install it and give it access - and let's be real, most people are just going to blindly click "allow" for anything the app requests after installing an app.

>With an app, there is intermediary (the "app store") that would need to collude with the developers to send a backdoor just for you, and even then you would still have the app binary as proof.

You keep referring to "backdoor", and I don't think you really know what that means.

>That's always a question I have with "secure" web services: if you use ProtonMail, you trust that Proton doesn't send you a web page that leaks your key. But if you trust Proton for that, what's the point of the end-to-end encryption? When you use the Signal app, the whole idea is that you don't have to trust Signal for the end-to-end encryption, at all.

That isn't how any of this works. The main value proposition of Signal is that we do trust its end-to-end encryption. Protonmail sending a "web page" that "leaks your key"? WTF?

0 comments

AlBugdy1mo ago

It's obvious what GP meant - we can verify that the apps we download are the apps everyone else downloads.

We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

> That isn't what "sandboxed" means, it has nothing to do with checking hashes. And no, mobile apps are not really sandboxed

Apps ARE somewhat sandboxes and GP didn't mean than sandboxing == checking hashes. It was 2 sentences appearing one after the other.

leptonsOP1mo ago

>We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

That isn't a problem with how the web works vs how apps work, that's a problem with you trusting Protonmail.

If you really wanted to be secure sending an email or any communication, you wouldn't trust any third party, be it an app or a website - you would encrypt your message on an air-gapped system, preferably a minimal known safe linux installation, and move the encrypted file to a USB, and then insert the USB into a system with network access, and then send the encrypted file to your destination through any service out there, even plain old unencrypted http would work at that point, because your message is already encrypted.

The second you give your unencrypted message to any third-party on any device with an input box and a network connection, is the moment you made it public. If I had to be extremely sure that my message isn't read by anyone else, typing it into a mobile app or a web browser isn't the place I'd start - it would only be done as a last resort.

palata1mo ago

That is a problem with you not understanding how security works.

> If you really wanted to be secure

There is no such thing as "being really secure". There are threat models, and implementations that defend you against them. Because you can't prevent a bulldozer from destroying your front door does not mean that it is useless to ever lock it.

Even your air-gapped example is wrong, because it means that you have to trust that system (unless you are capable of building a computer from scratch in your garage, which I doubt).

Sending an encrypted over the Signal app is a lot more secure than sending an email over the ProtonMail website, which itself is more secure than sending it in a non-secret Telegram channel. It's a gradient, it can be "more" or "less" secure, it doesn't have to be "all or nothing" as you seem to believe.

leptonsOP1mo ago

>That is a problem with you not understanding how security works.

That's hilariously wrong.

>There is no such thing as "being really secure".

Sure there is. "Being really secure" isn't what I said at all, and it's a vague statement to make. You're reaching to create an internet argument, and I'm frankly bored of this, you're out of your depth.

>Even your air-gapped example is wrong, because it means that you have to trust that system

I'd trust a system that I set up. I'm not going to do it on a system that you set up, that much is for certain.

> (unless you are capable of building a computer from scratch in your garage, which I doubt).

I still have an EPROM burner, so yes, I could, and I have.

>Sending an encrypted over the Signal app is a lot more secure than sending an email over the ProtonMail website

If you really think that, then nobody should be taking security advice from you.

I'm really tired of this pointless internet interaction. Goodbye.

1 more reply

asadotzler1mo ago

You cannot. An app can update just like a browser tab. In fact, a very many apps are just frickin' webviews.

palata1mo ago

Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

Now if it contains webviews, it brings the security issue of... the webapps, of course.

Personally, I want an open source app. You can audit an open source app and even compile it yourself. You can't really do that with a website. And I don't mean just mobile apps, that applies to desktop apps, too. I wouldn't run a web-based terminal, for instance (do people actually do that?).

leptonsOP1mo ago

>Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

Not impossible to do with websites, if the need to do it was there. It would take about 15 minutes to create a browser extension that could make a hash of all the files loaded, to compare with other users with the extension installed - but honestly that's just not needed because if you're connecting via HTTPS, then you're getting the files that are intended to be served, presumably not malicious if you trust the source. And if you don't trust the source, then why are you loading it to begin with??

>Now if it contains webviews, it brings the security issue of... the webapps, of course.

Web applications are sandboxed in the web browser. Very little issue with that, outside of browser bugs/exploits, but bugs and exploits are found in every system ever.

>I wouldn't run a web-based terminal, for instance (do people actually do that?).

AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.

2 more replies

armadyl1mo ago

AlBugdy and the person you are replying to are literally right re: server delivered backdoors. Using E2EE applications in a browser moves the trust back from the client to the server.

https://news.ycombinator.com/item?id=47664103

> That isn't how any of this works. The main value proposition of Signal is that we do trust its end-to-end encryption. Protonmail sending a "web page" that "leaks your key"? WTF?

Yes and it's that you also trust the client, with a server that dynamically delivers code you have no way of knowing fully what payload it's sending you. An example of this vulnerability was discussed when it was pointed out that 1P, Bitwarden and others were susceptible to server side backdoors if used from the web in that research study that came out last month that was posted here.

> And no, mobile apps are not really sandboxed, they have full access to your mobile device once you install it and give it access - and let's be real, most people are just going to blindly click "allow" for anything the app requests after installing an app.

This is genuinely just not true, even if you click allow for all permissions on Android and iOS. An application on a non-rooted device doesn't have "full access."

leptonsOP1mo ago

>This is genuinely just not true, even if you click allow for all permissions on Android and iOS. An application on a non-rooted device doesn't have "full access."

You're wrong.

Facebook has been repeatedly accused and caught using unallowed, hidden, or deprecated APIs to bypass user privacy settings and platform restrictions, particularly on iOS and Android.

palata1mo ago

Dude, I was here to talk about security, not to be judged on the quality of my English. What I get from your take is that your English is better than mine, but not your security knowledge.

> That isn't what "sandboxed" means, it has nothing to do with checking hashes.

I didn't say it had anything to do with it. I meant that NOT ONLY it is sandboxed, but ON TOP OF THAT you can check that you received the same code.

> You keep referring to "backdoor", and I don't think you really know what that means.

The only explanation I see for you not understanding what I mean by "backdoor" for the end-to-end encryption is that you have no idea how it works. If you're just being condescending about my language, go for it. Tell me I can't speak your language. But don't tell me I don't understand security, you have absolutely no idea what I know.

> Protonmail sending a "web page" that "leaks your key"? WTF?

You obviously don't understand how it works if this surprises you. I would gladly elaborate with anyone who is not a jerk, but that does not seem to be the case here.

leptonsOP1mo ago

>not to be judged on the quality of my English.

"backdoor" isn't really an English thing, it's a tech thing. If you want to talk about tech, you need to know the terminology. This is not something like the difference between "there" and "their" and "they're". I did not correct your English grammar, I corrected your tech terminology.

>I would gladly elaborate with anyone who is not a jerk, but that does not seem to be the case here.

I was not "a jerk". You didn't seem to understand what a "backdoor" is in terms of tech, and I still don't think you do.

This pointless internet interaction is over. Gooodbye.

j / k navigate · click thread line to collapse

0 comments

AlBugdy1mo ago

It's obvious what GP meant - we can verify that the apps we download are the apps everyone else downloads.

We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

> That isn't what "sandboxed" means, it has nothing to do with checking hashes. And no, mobile apps are not really sandboxed

Apps ARE somewhat sandboxes and GP didn't mean than sandboxing == checking hashes. It was 2 sentences appearing one after the other.

leptonsOP1mo ago

>We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

That isn't a problem with how the web works vs how apps work, that's a problem with you trusting Protonmail.

palata1mo ago

That is a problem with you not understanding how security works.

> If you really wanted to be secure

Even your air-gapped example is wrong, because it means that you have to trust that system (unless you are capable of building a computer from scratch in your garage, which I doubt).

leptonsOP1mo ago

>That is a problem with you not understanding how security works.

That's hilariously wrong.

>There is no such thing as "being really secure".

>Even your air-gapped example is wrong, because it means that you have to trust that system

I'd trust a system that I set up. I'm not going to do it on a system that you set up, that much is for certain.

> (unless you are capable of building a computer from scratch in your garage, which I doubt).

I still have an EPROM burner, so yes, I could, and I have.

>Sending an encrypted over the Signal app is a lot more secure than sending an email over the ProtonMail website

If you really think that, then nobody should be taking security advice from you.

I'm really tired of this pointless internet interaction. Goodbye.

1 more reply

asadotzler1mo ago

You cannot. An app can update just like a browser tab. In fact, a very many apps are just frickin' webviews.

palata1mo ago

Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

Now if it contains webviews, it brings the security issue of... the webapps, of course.

leptonsOP1mo ago

>Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

>Now if it contains webviews, it brings the security issue of... the webapps, of course.

Web applications are sandboxed in the web browser. Very little issue with that, outside of browser bugs/exploits, but bugs and exploits are found in every system ever.

>I wouldn't run a web-based terminal, for instance (do people actually do that?).

AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.

2 more replies

armadyl1mo ago

AlBugdy and the person you are replying to are literally right re: server delivered backdoors. Using E2EE applications in a browser moves the trust back from the client to the server.

https://news.ycombinator.com/item?id=47664103

> That isn't how any of this works. The main value proposition of Signal is that we do trust its end-to-end encryption. Protonmail sending a "web page" that "leaks your key"? WTF?

This is genuinely just not true, even if you click allow for all permissions on Android and iOS. An application on a non-rooted device doesn't have "full access."

leptonsOP1mo ago

>This is genuinely just not true, even if you click allow for all permissions on Android and iOS. An application on a non-rooted device doesn't have "full access."

You're wrong.

Facebook has been repeatedly accused and caught using unallowed, hidden, or deprecated APIs to bypass user privacy settings and platform restrictions, particularly on iOS and Android.

palata1mo ago

Dude, I was here to talk about security, not to be judged on the quality of my English. What I get from your take is that your English is better than mine, but not your security knowledge.

> That isn't what "sandboxed" means, it has nothing to do with checking hashes.

I didn't say it had anything to do with it. I meant that NOT ONLY it is sandboxed, but ON TOP OF THAT you can check that you received the same code.

> You keep referring to "backdoor", and I don't think you really know what that means.

> Protonmail sending a "web page" that "leaks your key"? WTF?

You obviously don't understand how it works if this surprises you. I would gladly elaborate with anyone who is not a jerk, but that does not seem to be the case here.

leptonsOP1mo ago

>not to be judged on the quality of my English.

>I would gladly elaborate with anyone who is not a jerk, but that does not seem to be the case here.

I was not "a jerk". You didn't seem to understand what a "backdoor" is in terms of tech, and I still don't think you do.

This pointless internet interaction is over. Gooodbye.

j / k navigate · click thread line to collapse