Safe Launcher Security


It’s quite clear to me: with the PAC they provide a (quick and easy) entry point to the *.safenet for browsing. I mean without it, there wouldn’t be any way to browse the network at the moment at all (the Firefox plugin essentially loads that PAC file, too, so…). So, considering time constraints, this is a very feasible solution to provide access to a broader audience.

And sure, there should be a dedicated safe-browser – no one questions that. But it is also a big piece of work and the network isn’t nearly in a state to provide that yet. If you want that, just go ahead and configure your browser like @Powersign explained to you. But be aware that this will make the browser completely unusable for any other internet activity. Considering the limited size of the network at the moment, and that most people use one browser, this is a considerable problem and would slow adoption.

Either way, the described “problems” caused by that – like still having Facebook or Google Analytics tracking – are privacy issues, not security issues. I want to have that clear because the mixing of these terms isn’t helping. And these issues are caused by the way browsers operate nowadays and not by safenet. Sure, a safenet browser should prevent that from happening, but as anyone can access the network from anywhere at any time (even browsers that aren’t the official browser) and anyone can still put this content into the pages they host, there is no way to prevent that from sometimes happening by the network but only through the tooling around it.

And to answer @cretz’s questions from before:

No, you did not. I am using a dedicated browser (Firefox profile instance) exclusively for the safenetwork worker and browser, where I never log into Facebook, GitHub and the other social thingies. It further blocks that request using the uBlock Origin addon, and even if you’d do some simple IP tracking, my VPN tunnel will probably make that useless to you.

And nothing of that has to do with webapps or my app in particular (where this discussion originated – why I am not sure). Sure any (web)app can publish any content on the network and if your browser (environment) acts as they classically do, then you may fall into these privacy traps – not security, but I’ll get to that later.

I want to respond inline to some other broad claims made here:

Why? Browsing isn’t a problem, they can read any public content from anywhere without any problems. Heck, you could throw ‘crust’ into asm.js and run it inside your browser and don’t even need the launcher to access the network at all.

The only thing the launcher provides more than access to the public content is access to private content – but only through an oauth-access-loop that the user has to authorize. The same loop, may I remind you, that any local app also would have to go through. This is and shouldn’t be any different between web and local apps. Of course this doesn’t protect the user from bad actors – any app that has been authorized can then abuse the data as it pleases.

Which brings up the actual point of security, which I believe to be the reverse of what you describe, as it is much worse with locally running apps compared to webapps. While a browser sandboxes the app and – in a hardened environment where neither non-*.safenet-requests nor websockets are allowed – protects your data to stay in this app/session, any locally running app has all system resources at its disposal to do with the data as it pleases: store locally, send via network to any other system, print it out, encrypt on the filesystem for later usage, whatever it likes.

A webapp does not have these capabilities, or at least they are all under control from the browser and the user can just clear their session to prevent them from staying on the system.

While I agree there should also be a separate web-proxy-app, which doesn’t require a UI, there is no harm in having it in the launcher, too. It makes distributing the setup much easier, as people only have to start one app. And as you can use the web-proxy without ever having to sign in or up, there is literally no harm in bundling them. What is your presumption based on? I’d rather argue that it is clever to put them together because it allows for an easy transition from being a mere observer (using only the proxy feature) to become an active participant in the system. All you have to do is sign up in the launcher and then you can use that ghost in the safe webapp you just started to host your own blog. Awesome – publishing hasn’t ever been easier!

What XSS issue? Across-Domain-Scripts should be prevented by your browser (standard feature, even opera mobile does it). And that is really not a problem that providing a proxy causes…

What? Where? How does it encourage? It makes it possible for the moment, agreed. But the few people who are actually building things now are distribution and privacy hardliners. Have we even had one case of someone adding Facebook tracking or Google Analytics to their maidsafe site? While I agree that the PAC file should – in due time – prevent non-*.safenet URLs from working – and a statement that this will happen from the core team might be a good signal here – there is certainly no encouraging happening by having this open at the moment.

You are not making any point why the system should be stopped. It can easily be updated to prevent said problems.

However, I now finally see where your idea came from to bring this up on the webapp-thread. Many Ghost themes come with these things built in – although you can’t actually configure them within my App at the moment.

Again: why?

You make these broad claims, that somehow, local apps are supposed to be more secure and better than webapps when they’d be loaded from said web and executed in your browsers sandbox. I already explained the reasoning why I believe the opposite to be the case before, so there is little point in repeating it, but there is another great case:

If you have a (hypothetical) document-leaking-programme you had to install on your system when the police confiscate it, that would be enough in many (not so democratic – including the US) countries to keep you in custody for a very long time. While on the other hand if you were running it solely from that maidsafe web, in a privacy-mode Firefox window, after closing your launcher and Firefox all traces will be gone. And those can be executed in any internet café, school, library or at work, where you don’t have the possibility to install programmes locally.

If anything, I am excited about the possibility to provide all apps from within the network and give anyone the possibility to run them anywhere and without a trace (which will greatly improve once WebAssembly arrives). This protects their privacy more than anything we’ve ever done as humankind.

What? Why. If anything, safenet can and should leverage the ease of software development as webapps. You’ve still not given one actual reason or security concern against them. I also don’t see that “absence of a foundation”. I’ve built ghost in the safe in 10 days, part-time. And it doesn’t do any of the sketchy things you claim webapps do. I agree that in the future all this should be hardened for privacy but that has nothing to do with webapps. If they rely on google-analytics, then they will break soon – seriously, if just enough people browse safenet with uBlock Origin for now, there is little point in even trying to use these sketchy techniques.

Which “bad practices”? Doing web-development? Or doing the sketchy things within that? Again, still waiting for actual proofs of those being implemented – and being more abused by web than locally. Otherwise calling them “practices” is quite a stretch of meaning and “hypothetical possibilities” is a better one …

Who says that? And what proof/data is that statement based on? As a Software Developer on and off the Web I can attest that you can do way more harm on the system itself than from within the web-browser-sandbox.

Idea: While writing this, I came up with an idea. Maybe for the time being a fork of uBlock Origin which blocks any non-*.safenet-URLs on all *.safenet-websites would be sufficient. You could still browse the web as before but can be sure to not leak any safenet info outside of it. And secondly, maybe offer an official global proxy (network) that people could use for browsing without a local launcher. Hmm, the first might be a thing I could investigate …
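
The filter proposed at the end of the post (block non-*.safenet URLs on *.safenet pages, leave ordinary browsing alone) reduces to a per-request decision on the page host and the request host. The following is an added example, not code from the post, the launcher or uBlock Origin; the function names are hypothetical and it assumes `safenet` is matched as the final host label.

```javascript
// Added example: decision logic for a "safenet-only" request filter.
// SAFENET_SUFFIX, isSafenetHost and decide are hypothetical names.
const SAFENET_SUFFIX = "safenet";

// True only when the last DNS label is exactly "safenet", so that
// "safenet.example.com" or "evilsafenet" do not pass a naive substring check.
function isSafenetHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  if (host === "") return false;
  const labels = host.split(".");
  return labels[labels.length - 1] === SAFENET_SUFFIX;
}

// Schemes that have no network destination to leak to.
const LOCAL_SCHEMES = new Set(["data:", "blob:", "about:"]);

// Returns "allow" or "block" for a subresource request made by a page.
function decide(pageUrl, requestUrl) {
  let page, req;
  try {
    page = new URL(pageUrl);
    req = new URL(requestUrl, pageUrl); // resolve relative and //host URLs
  } catch (e) {
    return "block"; // fail closed on anything unparseable
  }
  if (!isSafenetHost(page.hostname)) return "allow"; // normal web untouched
  if (LOCAL_SCHEMES.has(req.protocol)) return "allow";
  // The hardened environment described in the post also disallows websockets.
  if (req.protocol === "ws:" || req.protocol === "wss:") return "block";
  if (req.protocol !== "http:" && req.protocol !== "https:") return "block";
  return isSafenetHost(req.hostname) ? "allow" : "block";
}

// Constructed sample requests from a constructed *.safenet page.
const PAGE = "http://blog.alice.safenet/post/1";
const samples = [
  "/assets/style.css",
  "http://cdn.bob.safenet./theme.js",
  "//www.google-analytics.com/analytics.js",
  "http://safenet.example.com/pixel.gif",
  "ws://chat.alice.safenet/socket",
];
for (const url of samples) {
  console.log(decide(PAGE, url).padEnd(6), url);
}
```

A real content blocker would express this as its own filter rules; the point here is the host comparison and the fail-closed handling of odd URLs.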