
Tari R. Alfaro

Clients and Servers

I think that we should be trusting clients more than servers to handle our data for us.

Servers should try to focus more on performance and availability than on individuals' security. This does not mean disregarding security altogether! It just means servers should focus on securing themselves and the communications between clients and other servers.

Clients should provide confidentiality, authentication and integrity with cryptography for the individual. The clients themselves could be cryptographically signed, free open-source software with reproducible binaries. Anyone with the technical skill can audit the source code themselves. And if it's community-based, they can also contribute!

Most importantly, clients are local while servers are remote, meaning it is typically a lot harder to directly attack clients than servers, especially if individuals protect themselves adequately. Some might be easy targets. It all depends. This makes it harder to attack a whole audience if there is no easy way for attackers to distribute their attacks to everyone.

If that doesn't make any sense, think of it like this. The attacker would need to create malware for a specific operating system. Some of the audience might be using Android, iOS, Linux, macOS, Windows, FreeBSD, etc. That is only one variable; there are many more. I am sure there are ways to distribute malware to multiple OSs.

So again, this allows client developers to focus on individuals' security, such as automatic secure updates, hashing their passphrases and encrypting confidential data before it leaves the device, while servers focus more on storing and structuring data, performance and availability rather than individuals' security.
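
The passphrase hashing and encrypt-before-upload steps named above, sketched as an added example that is not the author's code. It assumes Node.js and its built-in `crypto` module; the function names, labels and sample values are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Stretch the passphrase on the device, then split the result into two
// unrelated values: a login token the server may see, and an encryption
// key that never leaves the client.
function deriveKeys(passphrase, salt) {
  const master = crypto.scryptSync(passphrase.normalize("NFKC"), salt, 32, {
    N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024,
  });
  const split = (label) =>
    crypto.createHmac("sha256", master).update(label).digest();
  return { authToken: split("auth"), encKey: split("enc") };
}

// Encrypt before upload (AES-256-GCM). The returned record is everything
// the server gets to store.
function sealForUpload(encKey, plaintext, recordId) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv("aes-256-gcm", encKey, iv);
  cipher.setAAD(Buffer.from(recordId)); // ties the ciphertext to its slot
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { recordId, iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt after download. Throws if the record was modified or moved to
// another slot while it was stored remotely.
function openFromDownload(encKey, record) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", encKey, record.iv);
  decipher.setAAD(Buffer.from(record.recordId));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ct), decipher.final()])
    .toString("utf8");
}

// Round trip with constructed sample values.
function demo() {
  const salt = Buffer.from("constructed-per-user-salt");
  const { authToken, encKey } = deriveKeys("correct horse battery staple", salt);
  const stored = sealForUpload(encKey, "my private note", "note-1");
  // The server would hold only authToken and `stored`, never encKey.
  return { tokenHex: authToken.toString("hex"), text: openFromDownload(encKey, stored) };
}

console.log(demo().text);
```

In a real client the salt would be random per account and stored alongside it, since it is not secret.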

No, this does not mean client developers should overlook performance or availability either. But you should trust clients more than servers with your data.

This does make the client developers a much larger target, along with wherever their client source code is stored. But that is why they should be cryptographically signing their software.

So what are your thoughts on this?
