mirror of
https://github.com/privacyguides/privacyguides.org
synced 2024-11-27 13:33:30 +01:00
wording
Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com> Signed-off-by: fria <138676274+friadev@users.noreply.github.com>
This commit is contained in:
fria
GitHub
parent
6278a66ae8
commit
1b3c35cc1d
@ -19,7 +19,7 @@ The concept of a [progressive web app](https://developer.mozilla.org/en-US/docs/
|
|||||||
|
|
||||||
Attempts at similar things have been made before, the most infamous of which is [Electron](https://www.electronjs.org). Electron is a software framework that allows developers to easily create cross-platform apps by essentially bundling an entire Chromium browser in with the app. This approach has its [drawbacks](https://usa.kaspersky.com/blog/electron-framework-security-issues/28952/?srsltid=AfmBOor_UcYY-84soHz5K2ULTmhlX44-DsIfJp_StotBrusD63MweSGO), though. Browsers have huge attack surface so it's important to keep them updated with the latest security fixes, but many Electron apps ship outdated versions, leaving those apps vulnerable. Each Electron app has its own version of Chromium with its own attack surface, amounting to a performance and security nightmare. In contrast, PWAs use the browser that you already have installed, so as long as you keep it updated, all your apps will have the latest security fixes.
|
Attempts at similar things have been made before, the most infamous of which is [Electron](https://www.electronjs.org). Electron is a software framework that allows developers to easily create cross-platform apps by essentially bundling an entire Chromium browser in with the app. This approach has its [drawbacks](https://usa.kaspersky.com/blog/electron-framework-security-issues/28952/?srsltid=AfmBOor_UcYY-84soHz5K2ULTmhlX44-DsIfJp_StotBrusD63MweSGO), though. Browsers have huge attack surface so it's important to keep them updated with the latest security fixes, but many Electron apps ship outdated versions, leaving those apps vulnerable. Each Electron app has its own version of Chromium with its own attack surface, amounting to a performance and security nightmare. In contrast, PWAs use the browser that you already have installed, so as long as you keep it updated, all your apps will have the latest security fixes.
|
||||||
|
|
||||||
So why isn't every Electron app shipping as a PWA? The answer is an age old problem with web content: the fact that you have to trust the server fully. You make an HTML GET request and you're served the content, but if the server is compromised, you'll be served a compromised website. You also need to rely on the security of DNS name resolution and the [certificate authority](https://www.digicert.com/blog/what-is-a-certificate-authority) system. This is a huge problem for security-sensitive applications like messengers. An attacker that gains access to their server even just temporarily, could distribute compromised clients to millions of people, potentially breaking E2EE or any other number of malicious actions.
|
So why isn't every Electron app shipping as a PWA? The answer is an age-old problem with web content: the fact that you have to trust the server fully. You make an HTML GET request and you're served the content (i.e., the site's HTML, CSS, and JavaScript), but if the server is compromised, you'll be served a compromised website. You also need to rely on the security of DNS name resolution and the [certificate authority](https://www.digicert.com/blog/what-is-a-certificate-authority) system. This is a huge problem for security-sensitive applications like messengers. An attacker that gains access to their server—even just temporarily—could distribute compromised clients to millions of people, potentially breaking E2EE or executing a host of other malicious actions.
|
||||||
|
|
||||||
## Improving Web Apps
|
## Improving Web Apps
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user