You've linked that thread a couple of times here, never really elaborating on the nature of your concerns, nor do you elaborate on the specific nature of your concerns in the ticket. Have you considered elaborating on the nature of your concerns? Is there a specific vulnerability in chromium you feel could be exploited here?
Electron makes things worse: it is not secure. Electron has many security vulnerabilities. The latest version is still based on old Chromium (58 & 59) so it inherits many of the security vulnerabilities published in Chromium 60, 61 and 62
As long as you don't load untrusted code or content... I guess many of the issues are moot if untrusted code can't get access to javascript and is only exposed to HTML parser (DOMParser).
The way I'm using electron for my pet projects is only passing untrusted HTML to DOMParser and then sanitizing with strict whitelist of attributes/html elements. Only then will any HTML code get interpreted by the browser engine.
Feels somewhat safe, but I haven't read the bug list. :)
Image format decoding and HTTP/TLS/request processing layer bugs may be other source of issues in any case. But hopefully that runs in some restricted environment.
If the developer uses Electron only to open the application's own html files and doesn't render user-provided HTML anywhere, then there won't be any XSS vulnerabilities.
This doesn't make it safe -- consider a lower level library inside Chromium can be exploited when processing input data. Your chat app can be exploited by receiving a crafted image. This actually happened in image processing library and network library in Chromium.
Sure, but the same can happen to whatever libraries you use on your native app. If anything Chromium is more likely to be patched, since there's a large entity interested in keeping it secure enough for accessing untrusted content.
Using Electron is a bad idea: it's not secure. Electron has many security vulnerabilities. The latest version is still based on old Chromium (58 & 59) so it inherits many of the security vulnerabilities published in Chromium 60, 61 and 62
Sure, but it doesn't pull HTML or Javascript from servers, it is all packaged along with the native Electron runtime. Exploiting a Javascript vulnerability is an absurd waste of time when you could just add a backdoor or whatever to the native code.
It's not as simple as you thought. Consider a bug in the image decoding library Chromium used that can be exploited by simply sending a crafted image in the chat.
Most major browsers, including Edge and Chrome, do this and are really good at it.
> closely monitor your deps for vulnerabilities and ship patches as quickly as possible
Most major browsers do this too, and they have well-established update pipelines that can patch vulnerabilities in short order.
> choose deps with a better security track record, when possible
Most major browsers do this (e.g., "boringssl").
> independently scan, test, and validate the deps you bring in
Most major browsers do this as part of QA and vulnerability scanning.
> things you can do in an electron app:
> * pray
* leverage all of the work that thousands at Microsoft, Google, Mozilla, etc., put into deploying what I suspect are the most heavily-attacked, heavily-scrutinized, and heavily-audited software platforms in existence.
Not that I'm specifically advocating web apps over native apps, but I don't think your list does a good job outlining their advantages.
That's likely to get fixed quickly and I can just apt-get upgrade. With electron we have to wait for google to fix it in chrome, wait for electron to update the chrome version or backport the patch, wait for the app developer to update their version of electron and then update it on your machine.
browser security vulnerabilities are expensive and heavily scrutinized. Just because they are on top of it for reporting vulnerabilities and fixes so that you become aware of it doesn’t make the alternatives more secure. You just wouldn’t be aware of them which is more dangerous.
They could use NW.js instead, which stays up-to-date with the latest Chromium version, including security updates. They usually release on the same day as Chromium. https://nwjs.io/blog/
This is interesting, I feel like NW.js has lost the war against Electron, but I haven't closely been following the topic. Can anyone summarize the latest common opinion on the subject?
There was a period in late 2014-early 2015 where NW.js stagnated, but since then it's been very actively developed. I found this 2016 comparison pretty even-handed and comprehensive; it'd be nice to see an updated version for 2017. http://tangiblejs.com/posts/nw-js-and-electron-compared-2016...
So you are suggesting they drop a battle-tested, production ready solution currently powering hundreds of apps (https://electron.atom.io/apps/) for one in beta that the developers warn in large capital letters "use at your own risk, still under development"?!
