Someone ought to put together a public model of an E2EE WebRTC client just so we can demonstrate how straightforward the intercept attack is here.
Replying to @tqbf @durumcrustulum and
Why isn't backdooring a desktop client as straightforward? One can argue, well, users have to install the update, but desktop clients are required by the same security people to have auto updates :)
2 replies 0 retweets 1 like -
Replying to @XorNinja @durumcrustulum and
Because installing updates is harder than intercepting a browser WebRTC app, in ways I seriously think we just need a public model to show.
4 replies 0 retweets 1 like -
Replying to @tqbf @durumcrustulum and
Chrome, Firefox, etc. can push updates to my machine without me doing anything. What you're saying is if I have RCE on a machine, it's hard for me to control that machine. We all know that it's nonsense.
1 reply 0 retweets 1 like -
Replying to @XorNinja @durumcrustulum and
That’s not at all what I’m saying. I am very aware that Google has RCE on my device by dint of me running Chrome. I do not assume that of _every website I interact with_.
1 reply 0 retweets 2 likes -
(i’ll trim the cc list from this point, sorry)
1 reply 0 retweets 0 likes -
Replying to @tqbf @durumcrustulum and
We're talking about a single website, that is Zoom. We're comparing Zoom desktop client vs Zoom browser client. You're saying that the latter is easier to compromise. I'm saying that it is as easy or as hard as the former.
1 reply 0 retweets 1 like -
I don’t think you really believe this, because if you did: no E2EE app is meaningfully E2E secure. Browser E2EE is trivially, transparently intercepted.
2 replies 0 retweets 1 like -
You mean it's easier for the provider to secretly disable E2E in a browser app? Not sure about trivial, but I think I agree, easier to target who gets the broken bits and unheard of to compare integrity, etc, etc. However, it seems moot because of bugdoors!
2 replies 0 retweets 2 likes -
I wonder how much of this is due to my model being “iOS app versus browser app” and Thai’s being “Electron desktop app vs browser app”. I won’t run desktop Signal, by way of example.
2 replies 0 retweets 2 likes
I agree it would be easier to do it the way you're envisioning, or more importantly, harder to get caught. I really think it would be crazy to not use a bugdoor though, so seems irrelevant. I like to use the Signal bug that could enable the microphone on any device as an example.
I agree that bugs complicate this story on all platforms.
0 replies 0 retweets 1 like