Emily StarkFeb 10, 2024
More on E2EE apps for the web: is the web really that bad for E2EE compared to mobile/native? And some (IMO) unappreciated challenges in bridging the gaps https://emilymstark.com/2024/02/09/e2ee-on-the-web-is-the-web-really-that-bad.html
E2EE on the web: is the web really that bad?

In my last blog post, I discussed why people often view the web as a uniquely unsuited platform for implementing end-to-end encryption (E2EE). This view is that the web doesn’t offer a long-term trustable notion of what the application is. In that earlier post, I explored the idea of treating the application as untrustworthy and isolating sensitive data from it. In this post, I’m going to pontificate on whether web applications are truly less trustworthy than native applications, especially in an E2EE setting, and if so, how we should bridge the gap. The gap is narrower than it appears at first glance, especially with desktop applications. To close it, though, the devil is in the (UX- and deployment-related) details.

Emily M. Stark
Show threadRoyce Williams

@estark Thoughtful and needed - still reading, but have already learned a few things!

Hot-take observation: one thing I've seen pushback about, that you haven't explicitly called out, is the attack surface of Electron itself - claims of it being a proliferation of patch-lagged browsers with browser security features explicitly disabled. Grappling with that head-on for this topic seems high-leverage.

Feb 10, 2024 at 4:46pmWeb