Desktop Client Electron Security Concerns

#1

Hi.

I’ve been using Delta Chat for quite a while and I love it.

I recently learned about the development of a Desktop Client and that it would use the Electron framework.

I’m wondering, are you aware of the following security concerns regarding Electron:

https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/

Are these issues still up to date?

Please don’t misunderstand me. I appreciate any effort to make Delta chat more accessible to a larger group of people as long as this doesn’t come at the cost of security and trust.

Personally I would love to see Delta chat integration for my email client of choice and trust: mutt.

Thank you all for this amazing project!

deltalover

:heart:

#2

Hey deltalover – what a name :wink:
Yes, we are aware of potential security issues with Electron.
However, all network connectivity and user input (incoming e-mail messages) is handled by the C-core, including stripping of html etc. so the actual Delta/Desktop UI code is in no direct contact with “the outside”. This provides a better basis than most other Electron apps who actually implement logic on the node/js side.

#3

Hey deltalover! thanks for bringing this up.
We are using the most stable version of electron at the moment, v2, and upgrading to v3 soon. The issue that you reference is valid for versions <2, which is quite old at this point.

We went through the appropriate security checklist when building the app, as you can see here: https://github.com/deltachat/deltachat-desktop/issues/198

We also do not execute or transform any client input or code for display in the JavaScript or Node context – it’s all sent to C and sanitized there, as @hpk correctly notes.

Upon the next big release for desktop (by new year) we plan to write a blog post addressing these security concerns.
Thanks again!

#4

The German IT security expert Felix von Leitner recommends to stay away from Electron. See https://blog.fefe.de/?ts=a406d87c