Desktop Client Electron Security Concerns

Hi.

I’ve been using Delta Chat for quite a while and I love it.

I recently learned about the development of a Desktop Client and that it would use the Electron framework.

I’m wondering, are you aware of the following security concerns regarding Electron:

Are these issues still up to date?

Please don’t misunderstand me. I appreciate any effort to make Delta Chat more accessible to a larger group of people as long as this doesn’t come at the cost of security and trust.

Personally I would love to see Delta Chat integration for my email client of choice and trust: mutt.

Thank you all for this amazing project!

deltalover

:heart:

Hey deltalover – what a name :wink:
Yes, we are aware of potential security issues with Electron.
However, all network connectivity and user input (incoming e-mail messages) is handled by the C-core, including stripping of HTML etc., so the actual Delta/Desktop UI code is in no direct contact with “the outside”. This provides a better basis than most other Electron apps that actually implement logic on the node/js side.

Hey deltalover! Thanks for bringing this up.
We are using the most stable version of Electron at the moment, v2, and upgrading to v3 soon. The issue that you reference is valid for versions <2, which is quite old at this point.

We went through the appropriate security checklist when building the app, as you can see here: https://github.com/deltachat/deltachat-desktop/issues/198

We also do not execute or transform any client input or code for display in the JavaScript or Node context – it’s all sent to C and sanitized there, as @hpk correctly notes.

Upon the next big release for desktop (by new year) we plan to write a blog post addressing these security concerns.
Thanks again!
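
An added example, not part of the original posts and not Delta Chat's code: one way to audit a `BrowserWindow` `webPreferences` object against options covered by Electron's security checklist. The function name, the rule that each option must be set explicitly (defaults differ between Electron releases), and the sample configs are assumptions made for illustration.

```javascript
'use strict';

// Option name -> value recommended by Electron's security checklist.
// Requiring each to be set explicitly is this example's own assumption.
const REQUIRED = {
  nodeIntegration: false,             // no Node APIs in the renderer
  contextIsolation: true,             // preload runs in a separate JS context
  sandbox: true,                      // Chromium OS-level sandbox for the renderer
  webSecurity: true,                  // keep same-origin policy enabled
  allowRunningInsecureContent: false, // no HTTP content on HTTPS pages
  experimentalFeatures: false,        // no experimental Chromium features
  webviewTag: false,                  // no <webview> embedding
};

// Returns one finding per option that is missing or set to an unsafe value.
function auditWebPreferences(prefs) {
  const p = prefs || {};
  const findings = [];
  for (const [key, want] of Object.entries(REQUIRED)) {
    if (!Object.prototype.hasOwnProperty.call(p, key)) {
      findings.push({ key, issue: 'unset', want });
    } else if (p[key] !== want) {
      findings.push({ key, issue: 'unsafe', got: p[key], want });
    }
  }
  return findings;
}

// Constructed sample configurations (not taken from any real app).
const risky = { nodeIntegration: true, webSecurity: false };
const hardened = { ...REQUIRED };

for (const [name, cfg] of [['risky', risky], ['hardened', hardened]]) {
  const findings = auditWebPreferences(cfg);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) {
    console.log(`  ${f.key}: ${f.issue}, expected ${f.want}`);
  }
}
```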

The German IT security expert Felix von Leitner recommends staying away from Electron. See https://blog.fefe.de/?ts=a406d87c

Is there awareness that Electron is inherently risky due to the use of a Google Chromium instance, no matter its age?

The reason is that Chromium is built with some unknown binaries from Google and uses unidentified Google web services. You can find more information in the ungoogled-chromium project.

If you want to keep using Electron despite these issues, there should be at least a clear warning for the users. Not many seem to be aware of it while Delta Chat is advertised as secure and privacy-friendly, so without a warning this can lead to bad surprises.

Edit:
As pointed out in another thread, Node.js uses Google Chrome’s JavaScript engine V8. So there’s an additional risk of Google’s influence on the backend side as well.

@Simon mentioned in that post that alternative desktop clients are planned, but I feel that in the meantime users should be informed about the risks with the current implementation.

1 Like

I have read from Purism devs here: https://tracker.pureos.net/T57#14719 that Chromium doesn’t have unknown binaries and licensing issues with them anymore.

Hm, I can’t say that this convinces me :thinking: There’s just a statement without sources. Anybody could simply claim that while the ongoing activity in the ungoogled-chromium project contradicts it somehow.

It also mentions “does not contain non-free code” which is vague. Does it refer to the prebuilt binaries or only the source code? And what about the web service calls?

Considering the history of Chrome specifically and Google in general regarding privacy and data collection, I’d say we need much more than a statement by an unknown internet person to cast away the doubts.

In addition, the link shared by @Keridoo mentions that Electron doesn’t use the current versions of Chrome. So even if the issues were solved now, it would take time until they’re reflected in Electron. And of course not updating in a timely manner implies a constant risk of security issues which is not great for a security-focused app like Delta Chat either :wink:

I didn’t pay much attention to that, but they were discussing Chromium a lot and that notice was to include Chromium by default on PureOS, one of the Free Distros listed on the GNU website. Then, it is true about the sources and I am going to ask him, but it should be reliable.

I have edited my post to include concerns about Electron using outdated versions of Chromium. These won’t be fixed even if everything’s fine regarding the unknown parts.

Thanks for requesting, though. Can you also ask if they’re aware of the ungoogled-chromium project and if they can confirm that the problems mentioned there are solved in the standard Chromium now?

On top of security concerns there are performance and resource usage concerns as well. I’m really over Electron apps at this point. There are a lot of us that value resource efficiency and use computers that have less than 16GB of RAM.

2 Likes

Just to reference this and take it into account. I got it from the LibrePlanet webpage referenced in the issue https://tracker.pureos.net/T57: http://code.google.com/p/chromium/issues/detail?id=28291