Re: [GNU/consensus] [SocialSwarm-D] Secure communication tools and the o


From: carlo von lynX
Subject: Re: [GNU/consensus] [SocialSwarm-D] Secure communication tools and the obligation to use them
Date: Fri, 30 Oct 2015 23:34:16 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

On Fri, Oct 30, 2015 at 08:00:37PM +0100, Per Guth wrote:
> Since many of those tools get rebuilt using web technology[1], it

Hmm.. instead of finally starting to use safe compiler languages
for real applications we should use a complex multilayered platform
of historically grown inefficient things like HTML and Javascript,
a great stack of vulnerabilities like Canvas and WebRTC, a notion
of surveillance bugs deep in the HTTP stack and the ability to
introduce third party dependencies wherever there is a SRC= or
LINK HREF=?

I understand that all those Javascript coders need a job also in
a future world of distributed apps, but is that reason enough?
I'm a little skeptical.

> seems plausible to me to add something like "trustability (of the
> source code)". Meaning eg: Is there a reliable way to check the
> integrity of the source code? Any kind of warrantor? Is there a
> reliable history of all changes?
> 
> That is a field we can work on and I see some innovation:
> 
> *For websites*
> https://github.com/substack/hyperboot
> https://www.youtube.com/watch?v=J9_VaU4N3Rg

Alright, some movement in the area of permanently saved web-apps.
Still, it depends on the good-will of the website that the app
is indeed permanently installed. Later when he shows the example
of browser crypto, it all fails open if the user does not pay
attention and generates her private key on some actual website
because she didn't know she has to be sure the browser location
is actually saying "http://localhost:xxx..."

> *For browser extensions*
> Search for "auditable static versions" in:
> https://whiteout.io/security.html

Huh, browser extensions.. after a decade they still have a status
of neither fish nor flesh. You can't safely install them over the
web unless they are hosted by the browser vendor, which isn't
safe either... and you frequently can't decently install them via 
your operating system either, because it only knows a few if at all.

A "sandboxed iframe" sounds like a catastrophe waiting to happen.

"The app is deployed as a signed Chrome Packaged App with auditable static 
versions in order to prevent problems with host-based security."

And who owns the keys for checking the hashes of the app? Google?
Isn't it madness to entrust anything to any of the Google browsers
(that includes Firefox) after the recent Chromium malware scandal?

> [1]: Eg. with small tech explorations like mine:
> https://github.com/pguth/peertransfer

Looks like good stuff (within the parameters of WebRTC)

> https://github.com/pguth/peermesh

"Swarms can be joined by opening the mesh URL."
How does that work.. is it a URL on a server?

> Or with professional solutions like Firefox Hello.

Tokbox?

Either I'm getting old or you Javascript hipsters are
all betting on the inability of humanity to get rid of
suboptimal technology once it is too pop to fail.  :)

Still, the Tor router and the Linux kernel are still in C.


-- 
  E-mail is public! Talk to me in private using encryption:
         http://loupsycedyglgamf.onion/LynX/
          irc://loupsycedyglgamf.onion:67/lynX
         https://psyced.org:34443/LynX/


