Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
palata 2 hours ago

I think the argument is that when you load a webpage, you download the code everytime you want to run it, from servers owned by the company building the service. So they can choose to serve you different software (e.g. with a backdoor), just this one time and just for you, and you won't know (not that it would be impossible, but it is generally impossible in practice).

When you download a program on Linux through the distro package manager, you download it once and run this, every time. You know very well when it gets updated. You can compare the hash of your program/package with the one distributed by the distro, and the distro is not the developer of the program (so there is another layer there). You can audit that code (if open source), and at the very least you can compare with others to see if they receive the same code. And again, the program is served by the distro, not by the developer. The backdoor situation would require asking the developer to implement a backdoor, and then asking the distro to server you a different executable, and then hoping that you never, ever check the hash of that program that you own offline. It's a lot harder.

In a way, for ProtonMail (in your browser) to be "end-to-end encrypted", you have to trust Proton. But that kind of defeats the purpose of end-to-end encryption.

Same applies to e.g. WhatsApp Web, which is an interesting example because there exists a browser extension allowing you to "validate" that you run the code Meta expects you to run. Though you still have to trust Meta: the extension only helps making sure that nobody other than Meta is abusing you. The WhatsApp mobile app doesn't have that problem, as it is distributed as an archive by a third party (Play Store).

IAmBroom an hour ago | parent [-]

> In a way, for ProtonMail (in your browser) to be "end-to-end encrypted", you have to trust Proton. But that kind of defeats the purpose of end-to-end encryption.

Yes, and every VPN in the world (that isn't self-hosted) relies on trust that they won't share your info, not even your fingerprint - which defeats the purpose of VPNs. It's very hard to have perfect security. OK, impossible.