DEV Community

Discussion on: A science fiction terminal emulator 🚀

Ondrej

People & devs should really get rid of Electron everywhere if possible. For the sake of security.

Ricardo Rivera

Hey, you can also say that about many others.
You should always weigh the risk before executing foreign code.
If you want to protect yourself 100%, then you'd better shut down your PC.

History teaches us that popular technologies are always the target of attacks. Whether Android, Windows, Outlook, GMail or something else.

Avoiding software because of that is, I think, the wrong way.
It would be better to find a solution to handle these problems. A better update strategy for Electron can do a lot.

In 2018 alone there are currently about 40 code execution CVEs for Microsoft Office. But nobody says you should avoid it.

I do not see a difference in risk here, do you?

Ondrej

I do. Would you run arbitrary JS code in a browser which is not sandboxed? Considering all the problems with infected JS/Node packages after recent events? There is no perfect security, but at least you can avoid common attack vectors.

Ondrej

You know, in this discussion, we should not fall into whataboutism. All SW which is not regularly & properly audited by security professionals/community is potentially dangerous. But Electron offers a perfect attack vector by itself, so I have no reason to use it (even in a sandboxed environment).

Ricardo Rivera

Ok, I think every software should run in something like a sandbox. But the edge of the sandbox does not have to be your computer. In an enterprise environment, you can easily deploy an Electron application safely. Even without security professionals / community.

Yes, the Electron exploits are easy to use.
I think it will be irrelevant to use Electron in the future.
Electron has the same fate as Crosswalk and gets killed by the Chrome browser.

Until then, try to live as stably with Electron as possible. I'm not sure which role Microsoft is playing here, but they also have an interest in Electron. (VSCode, Microsoft Teams, etc ...)

But I think the problem is the WebApp.
If Telegram supports an XSS in Electron, why not in Safari or Chrome?

You have to trust a vendor, not only the technology.
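Added illustration of the XSS point above, not part of either poster's comments: a small audit of Electron `webPreferences` settings, written in plain Node so it runs without Electron installed, with the legacy and hardened configurations side by side. The option names are real Electron keys; the defaults are assumed to match Electron 20 and later.

```javascript
// Added example, not code from either poster: audits Electron BrowserWindow
// webPreferences so the "XSS becomes code execution" concern can be checked
// per configuration. Defaults below are assumed to match Electron 20+
// (nodeIntegration off, contextIsolation and sandbox on).
const DEFAULTS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Each rule: option name, its safe value, and the risk when set the other way.
const RULES = [
  ['nodeIntegration', false, 'page scripts can call require() and reach the OS'],
  ['contextIsolation', true, 'page scripts share globals with the preload script'],
  ['sandbox', true, 'renderer runs outside the Chromium OS sandbox'],
  ['webSecurity', true, 'same-origin policy is switched off'],
  ['allowRunningInsecureContent', false, 'an https page may load http scripts'],
];

// Returns the risky settings plus whether an XSS in the loaded page would get
// direct access to Node (the clear-cut escalation case: Node integration on
// and no context isolation). Unspecified keys take the assumed defaults.
function auditWebPreferences(prefs = {}) {
  const effective = { ...DEFAULTS, ...prefs };
  const findings = RULES
    .filter(([key, safe]) => effective[key] !== safe)
    .map(([key, , why]) => `${key}=${effective[key]}: ${why}`);
  const nodeExposedToPage =
    effective.nodeIntegration === true && effective.contextIsolation === false;
  return { findings, nodeExposedToPage };
}

// The weak configuration many older Electron apps shipped with, and the
// hardened one; either is what you would pass as { webPreferences: ... }
// to new BrowserWindow() in the main process.
const LEGACY = { nodeIntegration: true, contextIsolation: false };
const HARDENED = { nodeIntegration: false, contextIsolation: true, sandbox: true };

for (const [name, prefs] of [['legacy', LEGACY], ['hardened', HARDENED]]) {
  const { findings, nodeExposedToPage } = auditWebPreferences(prefs);
  console.log(name, nodeExposedToPage ? 'XSS reaches Node' : 'XSS stays in the page', findings);
}
```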

Ondrej

As you pointed out in another thread, this discussion would be good to transfer somewhere else on this forum (maybe a security meta-topic)? I'll try to answer you as comprehensively as I can tomorrow, because I have some work to do. Btw I do offensive security on a regular basis, so I think I understand the issue of (not only) Electron in different contexts. I do not want to argue with you about usability. Web will simply defeat native apps (mainly) because of the pain with creating native UI libraries for each ecosystem and so on... but I still do think that in a common context Electron is very insecure by itself.