So wait building all these "secure" chat apps on a browser engine packaged in a thin layer of UI, with its insane number of dependencies and the gigantic, immense attack surface that this entails, was somehow a bad idea?
Who knew! Who could have foreseen this! Shocking, really.
@selfisekai@rysiek isnt all this docker, flatpacks and snaps stuff the same issue that each one comes with their own copy of the library needing a dedicated patch?
Srsly though, the Matasano blog is long gone and I don't feel like dredging up things from the Wayback Machine right now either, but I swear @tqbf has harped upon similarly themed perils for an awfully long time now?
To abstract away even further: it's not just apps that bundle themselves as browsers (e.g. yuck at Signal Electron BS) that succumb to similar pitfalls.
VMs that have outdated toolchains with vulnerabilities, "containers" with similar challenges, etc.
Of course, there are also the software preservationists among others who may have valid reasons for keeping old (vulnerable) toolchains going, but as one colleague phrased it with regards to such precarious things which may occasionally be necessitated: "Not on a publicly routable network, behind at least three layers of firewalls."
@rysiek The one saving grace is that some of them at least designed and implemented a protocol, allowing them to stop pretending a web age is an application and actually write something native when they come to their senses.
@rysiek God, I used to yell at people like a raving lunatic about the dangers of using this kind of garbage masqueraded as software. I really don't like it when I end up being right about this, because everyone loses.
Add comment