Signal and Electron hacked
why people continue to use anything but IRC is beyond me
it's ugly as shit
>the absolute state of nu-Jow Forums
proof of concept or fuck off
this: there is no PoC here... just a generic claim, "the Signal desktop app is vulnerable [because of Electron]!"
Nothing burger.
>electron is based on Chrome therefore it's insecure
WOW.
I wouldn't use that crap for thousands of reasons, but lack of security isn't one of them.
why people think _anything_ is secure is beyond me
your virginity is secure :^)
The issue is that it is based on old unpatched chrome.
Web """""""""""""developers"""""""""""" at it again
>desktop app
Who cares.
>using the smiley face with the caret nose
>electron
just write a webapp that fucking launches the user's web browser. how fucking hard is this shit? electron is fucking retarded like all these chromium enslaving retard frameworks.
>signal not wire
heh
Wire's desktop client also uses electron
This is not meant as a gotcha for you, because I use Wire too and I'm concerned about it also.
>electron
such a bad feeling when some service gets a desktop app and you see that huge filesize and then realize exactly why
>vulnerability discovered == hacked
Dumb quasi-journo pseud.
>javascript meme hipster frameworks insecure
News at 11
>not using the smiley face with the caret nose
>Spelling carrot wrong
You spelled it wrong too faggot en.wikipedia.org
The absolute state of neo-Jow Forums
>being this new
Whoosh
>carrot nose
>says the newfag who doesn't know the proper spelling of caret
Why not just use IRC? It's so simple that you can run it on anything that can connect to the internet so your attack surface can be ridiculously tiny. Seriously, there have been IRC clients written for old 8 bit computers that don't have the processing power to handle modern encryption to secure your connection, and having enough RAM for the IP stack is more of an issue than having enough RAM for the IRC client on those machines.
i'm a real GAMER so i use DISCORD
If you read the link in OP you would see that a 0day RCE was discovered in Signal today.
>encrypted messaging app
>uses phone numbers to identify users
>b-b-but they're hashed desu
Moxie fanboys are the worst.
>Considering how well-versed Moxie is alone in security, it's possible that not only has this been addressed and considered, but resulted in design changes that mitigate risk from using Signal.
God, that's a fucking stupid reason to dismiss an issue. What a cult of personality.
>Needing a desktop app for a mobile messenger
Kinda defeats the purpose
But it is. WebKit and Blink are insecure as fuck. They're these huge ass programs with over a million lines of code and no auditions whatsoever (which is why people shouldn't use Bromite or Iridium, but that's another thing entirely.) Hell, the 3DS and PS Vita got hacked thanks to web browser exploits.
I told you faggots a million fucking times: never trust kikes.
Moxie is so fucking full of himself that he probably forgot to double check the code committed to his shitty app.
And this is all due to the idea that active content should be embedded in webpages. Java was rightly shit on for being impossible to secure, as was Flash after it, but somehow people think that Javascript is somehow different. It isn't.
The web is for displaying static content. If you need to run code, you should write a local application. A web browser is not the right tool for this.
But in Electron the page content is static. All code is local.
For better or worse, that's what we're stuck with. At least now we have compatibility across operating systems, browsers (mostly) and devices; unlike Flash, XHTML and Java plugins.
nou
The problem is that a web browser has become a huge massively-complex... thing... that's being used here as an application framework. Not only is this ugly but it's also impossible to secure. If you want to write a local application, write a local application, and dump the whole web browser in the bin. Along with the JS interpreter and VM that's the source of so much of its complexity and security vulnerabilities.
That was the goal of Flash and Java too, it was insecure with those and it's insecure here. I'm reminded of that guy who said that saying Java is nice because it works on all OSes is like saying anal sex is nice because it works on all genders. The fact that that's even your priority shows that something has gone badly wrong.
> There are quite a few identically implemented chat clients. I wonder if this is also exploitable on those: whatsapp messengerfordesktop slack...
> Discord :^)
Holy crap Discord 0day when
Link Embeds (such as YouTube and Soundcloud) in discord are not sandboxed. That could be a possible vector of attack
>Connect to IRC
>Nobody to talk to
I see why it's considered secure
Fix already published: twitter.com
>recommended by Snowden and the Guardian Project
>it's an insecure piece of shit
Really thinks your noggin.
Thanks for the chuckle.
Best girl
>Let's just regex the string instead of fixing the actual cause
Bravo.
Oh wow, another time a handful of webfaggots can't handle the unreliable, giant clusterfuck made by google for google.
/thread
She'd be qt if it wasn't for the glasses
How dare you
wait...what? signal's desktop application is in fucking electron? what fucking timeline is this??? why??? i thought this project had a security guru on it. is he really a fucking hack?
>security guru
If they claim that using those exact words: run.
The regex does not recognize non-latin TLDs, like тpaeктopия.oнлaйн
Does this mean it's still vulnerable?
>тpaeктopия.oнлaйн
Also, seems like Jow Forums fucked up the link, but it does work in its original form
probably not a shitty ass version of it, though
>is like saying anal sex is nice because it works on all genders.
WTF I love anal now!
I unironically like Atom.
There, I said it.
how much ram your rig has?
16, but I wish it didn't use more ram idling than my browser with 15 tabs open.
this is why you find atom nice
>not using riot im
>running your own server
>exposing ur ip and probably ur pleb router
Unless u host with a company but then that's a security risk.
Signal is a botnet, use riot or jabber
If signal wants to be a chat app for everything, why don't they simply decouple the front end and make themselves into a super robust chat API?
Shouldn't the goal be:
-i want a secure chat for my service
-npm install signal-core
-i'll bind it in Vue for my front-end
-hey look it has bindings and is easy to use wow just like 2018 should be
nice