What is the "value proposition" of changing email client from Gmail?

On Jan 21, 2014 10:24 PM, "Tony Arcieri" <basc...@gmail.com> wrote:
> On Tue, Jan 21, 2014 at 6:53 PM, Fabio Pietrosanti (naif) <li...@infosecurity.ch> wrote:
>
>> I just would like to argue that the delivery (download, installation,
>> upgrade) of a Chrome App is far more secure than a native application
>> with an executable installer, due to the trust model of application store
>> and the reduced risks of being hijacked/infected during the download.
>
> Yes and no.
>
> It's true that Chrome extensions distributed through Google's walled
> garden are more secure than typing an address into your URL bar.
>
> It's true that native applications have wide-ranging capabilities that
> browser extensions don't.
>
> But it's important to keep in mind that browser extensions are fraught
> with their own problems, and that browsers are complex beasts with even
> more complex potential interactions between components, the possibilities
> of which are extremely hard to understand, even by the browser authors
> themselves.
>
> Where browser extensions can fall down is unexpected interactions with web
> pages and JavaScript running on them. This is a problem that native apps
> don't have because the browser is attempting to act as a sandbox, so
> escalating privilege from a JavaScript to access to native code execution
> is much more difficult than escalating privileges to interact with browser
> extensions unexpectedly. In this regard, native apps are superior, because
> the browser is trying to prevent that interaction from happening. Native
> apps are "airgapped" from web pages in a way browser extensions are not.
>
> This is a good talk on the matter, specifically in regard to Chrome:
>
> http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff-attacking-with-google-chrome-extensions
>
> Don't get me wrong, things are getting better, but we're not completely
> there yet.
>
> --
> Tony Arcieri
>
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> compa...@stanford.edu.