Wrap the web application with Electron #52
Comments
|
Note that you can already use npm nativfier for a local desktop-client: #33 |
|
Someone already attempted something like this (with nativefier) and succeeded:
Why would that be the case? Electron is just a wrapper around webkit, as far as I know. Main advantages in my opinion are the absence of browser plugins that interfere with WebRTC as well as no things like local storage clearing on close. |
Well, one can download the app the first time and check the signature and everything is ok. With https://web.threema.ch one has to check the certificate each time to prevent (possible) MitM attacks. |
Good question. But I think he means you could serve the files locally, so the JS /HTML files are all included in the Electron app. |
Exactly. I've just tried Threema Web with nativefier and, yes, it works more or less! :) So perhaps Threema can release a native version someday. There are advantages! |
|
Fork it, customise it, make a PR. It will get you there a lot faster than waiting for Threema to do it themselves. ;) |
|
Well, lacking JavaScript and Electron knowledge keeps me away from doing Threema's job here. 😉 |
We deployed HSTS and HPKP, so MitM attacks should be very improbable (hopefully impossible) if you've visited the site before. Note that you can also use Threema Web from Rambox if your main goal is simply having a native app. |
|
Well, HSTS does not prevent MitM attacks, but it's of course a good thing to use. :) However, one should know:
|
which are both not compatible with Threema Web at this time…
Which is done by few people. Anyway, it's not useful to discuss how/whether MITM is possible/realistic. Threema does a far good job to prevent it… |
|
I also agree that it would be nice if Threema themselves distribute an Electron-based application. |
|
@dbrgn: Seems to be a reasonable choice too -> https://github.com/brave/muon |
|
Hi! I have made a desktop client with nativefier and added some features to it (tray, notifications, notification sounds). For all who are interessted, take a look here: https://github.com/EinsteinXXL/Threema-Desktop-Client |
|
A desktop client would be very useful. Optionally published and updated via Windows Store and Apple OSX AppStore. |
|
Chrome will stop supporting HPKP and Threema Web security relies on it. |
Google suggests certificate transparency as an alternative to HPKP in their deprecation notice. The threema.ch-Domain already uses CAA headers on DNS level (see People that are worried about the chance of a MITM attack should self-host. It's always a tradeoff between security and convenience. A wrapper for Threema Web is still on our radar, but Electron has its own share of security and performance problems. See signalapp/Signal-Desktop#1635 for example. Maybe we can also find a different solution, e.g. a simple embedded webserver for the self-hosted download. |
|
An alternative way may be to make a smaller native wrapper application as a localhost server, which serves the files from localhost. There, an update-mechanism could also be included. Another advantage would be that you can open it with any (supported) browser. It would also help against these "server-hosted/MITM" problems (so it would fix these security issues), but of course the disadvantage would be that it feels less "native" for the user as a browser widnow has to be open... |
|
I agree that Electron is not a perfect solution because of the mentioned reasons (especially overhead and security). The perfect solution would be an additional native client using Qt5/Gtk3/etc., but I know it's not realistic at the moment, unfortunately. Please be aware that the update process should be automatic/secure by default, i.e. using package manager for Linux and an updater for Windows with cryptographically signed releases. |
|
That hasn't stopped me and I have started on a very hacked together electron wrapper for Threema Web. It currently allows to either load web.threema.ch or to have Threema Web served from a local server included in the wrapper or to just serve the files locally without a server. |
|
@joelfischerr: Note that since Threema Web only consists of static files, you can entirely include those in the build, so that no external website is loaded. |
|
Oh right. That makes things easier. Should I include this repository as a submodule and then copy the threema-web.tar.gz into my application folder in electron or is there a better way to do this? |
|
Probably you'll only want the tagged/signed releases: https://github.com/threema-ch/threema-web/releases I don't know Electron well enough though to know which approach is the best 🙂 |
|
I think including it as a submodule and then building it before including it in the electron-wrapper is easier. And as I have basically started looking at electron last night, going with easier might be a good idea for now. |
|
Do I need to put my project under the GNU Affero General Public License if it includes Threema-Web as submodule? |
|
BTW that trust problem can also (partially) be solved by a browser extension, see #427. |
|
Mh, I no longer think it's a good idea to use Electron: |
|
Here also a nice post by a person who extensively deals with Electron: |
|
BTW I've been thinking about a way to do it for a personal app, and I was wondering why a lot of security-sensitive apps don't do this instead: a daemon (made with Go maybe, like that it's easy to do multi-platform) that runs a localhost webapp. When you run the daemon it can open the link in your browser with an auth token in a GET param. If the app is a single-page js app then it could store the auth token and refresh the page to remove the GET param. What's wrong with that approach? |
|
I'm not sure what this approach is trying to resolve and why there is a need for an auth token. Maybe you can elaborate. However, I don't think this issue here is mainly about security. This is more about having a separate application for the purpose of running the web client in a native manner with all its potential advantages. |
|
The idea is that you delegate a lot of security elements to the browser, allowing you to avoid complete RCE in some cases. The auth token is to avoid dns rebinding attacks. What are the advantages of having the web client look like a native app? The "Security does not depend on TLS anymore" and "Session reconnection much easier" points of this issue are taken care of by my approach. |
|
I think there are multiple reasons why people are looking for a standalone application:
Any others?
The best solution would probably be a fully native app that implements the webclient protocol (which we might document & publish soon), but that's a lot of work of course. @mimoo you're aware that threema web is just static HTML+JS and that it just needs a plain HTTP server to run, right? (In theory double-clicking index.html would suffice, but the browser does not offer access to all APIs from file:// URIs) |
|
Well, in the start post I mentioned the following advantages. I changed my mind concerning Electron, but here perhaps a small overview: Native look & feel of Threema and better integration (system tray, etc.) Security does not depend on TLS/server anymore (https://web.threema.ch) Session reconnection much easier (many people delete browser data on a regular basis -> reconnection is not possible) Perhaps performance boost |
|
@mimoo I guess I need an example for protection against DNS rebinding to understand the attack scenario. I'm aware of RCE due to some issues with Electron but haven't looked into it. |
|
Maybe the easiest way would be just a local webserver like https://www.mailpile.is/ e.g. does in a very userfriendly way. It can then access 127.0.0.1 and security stuff is covered. |
My approach is a daemon that serves the webserver locally, so no evil server or MITM there
I'd argue that security/sandboxing is better on chrome than on Electron. I would agree with that point for a native QT app though. But you end up having to write different apps for different platforms.
I'd argue that it's more convenient to have a webapp that you can access from your browser (we live in our browser nowadays) |
Yeah, I agree with that point. That's the main reason to have a native app imo, but the price to pay with Electron seems too high. The price to pay with QT is that you need to write different code for each platform, which seems high as well.
My approach solves that : o
Same, my approach solves that |
|
I've never exploited one myself so I'm definitely not the best person to explain that. Here's a post about it. Bottom-line is that browsers are somehow broken when it comes to localhost so you need to protect yourself otherwise malicious pages on the web will be able to read the content served by your localhost app (and for what matters, any app running on your machine, but that's usually less of a threat). By using an auth token, these tricks cannot access any relevant data from your localhost app without the knowledge of that auth token (which is only given by your running daemon) |
|
@mimoo: You mean that the data stored in the browser's local storage is then managed by the daemon?
Qt is cross-platform, so it will run on all major operating systems. |
|
@mimoo Thanks for the link. I don't think this is applicable to Threema Web since there is no session data that can be retrieved from a local server. Session data is stored using Web Storage which means it is stored inside of the browser/application and not on the server serving the files. Regarding local serving: You can already do all of this today by cloning the project and running it with |
|
(@dbrgn FWIW it seems |
|
@lgrahl yep regular serve is broken, but for debugging / development you use the live server anyways and for production you don't serve with npm. |
|
@lgrahl the attack allows you to see the page's response, so it could be private chats/texts |
Thumbs up for open-sourcing the web client protocol. 👍 |
|
@mimoo IIRC, DNS rebinding allows you to make a request to localhost from another page. That is a relevant attack for local applications that serve private data. However, Threema Web does not work that way. The server only exists to transfer a single page application that on itself reveals absolutely zero user data unless you... a) actively scan the QR code displayed on the web app with your smartphone, or Even if you could somehow access the session data, which is just the session key and a few settings, it is encrypted with a password chosen by the user. All other data exists temporary in RAM and is only accessible by the tab or window running the single page application. Hit F5 and everything is gone. |
|
The native client in the Qt sense would also have reduced system requirements / resource bloat as a major argument for it (in the assumption of it being far from Electron/Chromium), and reinventing the wheel against it. |
|
I don't think this is a good idea any more. Adding the required necessities to make Threema Web a Progressive Web App might be an alternative. |
Hint: #407 😉 |
|
Closing in favour of #407 |
Not sure about how many adjustments are needed for this, but definitely worth a try.
Advantages:
Edit: Electron has some major security problems.
The text was updated successfully, but these errors were encountered: