Also, a browser could have cross-site attacks that would not be possible in Signal Desktop, as there are no other pages, so it would have to be an attack from within Signal's code. The desktop app can just hardcode the authentication certificates of the update routine to detect if someone tries to sneak in a malicious update, in a Browser this is not really possible. Things like this have been pulled off even for TLS-encrypted websites, although rarely and typically not by your neighbor. A web app gets served anew every time you open it, and as a consequence has a way larger attack surface, as someone could try to man-in-the-middle the website that's delivered.
It only occasionally pulls an update from a trusted source and works standalone. The technology behind it is the same with which you can build a web-client, that is true, but there is one significant difference, because of which there is no web client: The desktop app is standalone and always serves this very application.
I think Signal's desktop app is web based anyways.
0 kommentar(er)
