Hey, you can also say that about many others.
You should always weigh the risk before executing foreign code.
If you want to protect yourself 100%, then you had better shut down your PC.
History teaches us that popular technologies are always the target of attacks, whether Android, Windows, Outlook, Gmail or something else.
Avoiding software because of that is, I think, the wrong way.
It would be better to find a solution to handle these problems. A better update strategy for Electron can do a lot.
Currently, in 2018 alone, there are about 40 code execution CVEs for Microsoft Office. But nobody says you should avoid it.
I do not see a difference in risk here, do you?
I do. Would you run arbitrary JS code in a browser which is not sandboxed? Considering all the problems with infected JS/Node packages after recent events? There is no perfect security, but at least you can avoid common attack vectors.
You know, in this discussion, we should not fall into whataboutism. All SW which is not regularly & properly audited by security professionals/community is potentially dangerous. But Electron offers a perfect attack vector by itself, so I have no reason to use it (even in a sandboxed environment).
OK, I think all software should run in something like a sandbox. But the edge of the sandbox does not have to be your computer. In an enterprise environment, you can easily deploy an Electron application safely. Even without security professionals / community.
Yes, the Electron exploits are easy to use.
I think it will be irrelevant to use Electron in the future.
Electron will have the same fate as Crosswalk and will be killed by the Chrome browser.
Until then, try to live as stably with Electron as possible. I'm not sure which role Microsoft is playing here, but they also have an interest in Electron (VS Code, Microsoft Teams, etc.).
But I think the problem is the WebApp.
If Telegram supports an XSS in Electron, why not in Safari or Chrome?
You have to trust the vendor, not only the technology.
As you pointed out in another thread, this discussion would be good to transfer somewhere else on this forum (maybe a security meta-topic)? I'll try to answer you as comprehensively as I can tomorrow, because I have some work to do. Btw, I do offensive security on a regular basis, so I think I understand the issue of (not only) Electron in different contexts. I do not want to argue with you about usability. The web will simply defeat native apps, (mainly) because of the pain of creating native UI libraries for each ecosystem and so on... but I still do think that in a common context Electron is very insecure by itself.