webext-signed-pages
frame
webext-signed-pages | frame | |
---|---|---|
16 | 23 | |
190 | 1,102 | |
- | 1.0% | |
0.0 | 1.5 | |
about 2 years ago | 4 days ago | |
JavaScript | JavaScript | |
BSD 3-clause "New" or "Revised" License | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
webext-signed-pages
-
E2EE on the web: is the web that bad?
There is "Signed Pages" by the debeloper of EteSync. It is a browser extension, that checks webapps based on signatures in the html file. The addon then warns the user if the signature is not correct or - if I remember correctly - the source changed. This allows you to be sure what webapp code was delivered. But it seems like it did not really get used outside of his own projects. https://github.com/tasn/webext-signed-pages
-
Cloudflare and CDNs - call for community opinions
EteSync has implemented something called Signed Pages, this might be worth looking closer at. This uses PGP keys which is preloaded into the browser; but I suspect that will be a barrier too high for most non-tech users.
- Is there any tool to verify client-side website code you get served is the same as the open source version?
-
Truly safe?
There are also projects like signed web pages which can also help increasing the trust level to some degree. But that requires that you can download the source code and regenerate the verification hash locally - or have other trusted methods to verify the hash value hasn't been modified as well. The current concept is reasonably sane, but it requires too much from users currently to make it widely used.
- A browser that verifies Javascript
-
Security experts declare all Proton apps secure after security audit
> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
[0] https://coins.github.io/secure-bookmark/
[1] https://github.com/tasn/webext-signed-pages
[2] https://github.com/facebookincubator/meta-code-verify
-
ProtonMail Is Inherently Insecure, Your Emails Are Likely Compromised
Something like a browser extension for this does already exist, fortunately:
https://github.com/tasn/webext-signed-pages
-
"Were you able to subpoena ProtonMail?"
In regards to untrusted webapp, yes, that is a reasonable attack vector. That said, I've heard from ProtonMail they have been considering to implement Signed Pages to help mitigate (at least some of the) issues with this attack vector.
-
Proton’s priorities
Which is why it is important to get proper E2E encryption on e-mail, where the source is open source and can be audited. And then that there are verify mechanisms to verify that the source code has not been manipulated. For web services there are signed-pages which is quite interesting.
frame
-
Daily General Discussion - June 21, 2023
Regarding your earlier comments on Frame, did you try the AppImage? At least on the x86 side of things, the AppImage just works, and I don't think I've ever seen an AppImage that didn't "just work". The arm64 version can be seen on their releases page here: https://github.com/floating/frame/releases/tag/v0.6.6
-
Multichain UX is… Kind of Bad [Rant]
Using frame.sh instead of metamask helps. It isn't connected to a single chain at a time, but all of the chains you've added. For example you can use dapps on multiple chains at the same time but never go through the step of switching networks. Also sounds like what you're really complaining about is delay period for fraud proofs, that should not be abstracted away because bridging without waiting is likely costing you more than you're making in returns if you bridge too often.
- Daily General Discussion - May 16, 2023
-
Is Ethereum's network traffic fully centralized, or am I wrong?
MetaMask provides an extension to add a wallet feature to your browser so that you can interact with dapps. This was the first project to provide this feature back in the day, but it's now quite outdated; A much better alternative would be Frame. A wallet needs an RPC node to talk to, and a new user doesn't want to have to worry about this, so MetaMask uses Infura as their default. But you can go into settings and change it, either to your own node or to a node hosted by someone else.
-
Did I lose my ETH?
As your next step, I'd suggest trying alternative apps for accessing and managing your account(s). I'd personally suggest Frame (https://frame.sh/), but most use MetaMask (which is available as a browser extension).
-
Best Wallet For USDC?
gotcha, maybe check out frame (https://frame.sh) — you can import any wallets, hardware, seeds, private keys, etc. If you want to use it with any defi, there’s a companion browser extension.
-
MEW keystore v4 export
I work on Frame (frame.sh) and used MEW to get a keystore file for testing our import keystore flow. The file I got was a different version (v4) and format from the expected v3, and our import flow does not support it at all. Digging deeper, we use `ethereumjs-wallet` to parse the keystore files - this library does not have a fromV4 method, and the existing fromV3 does not work at all with the MEW file.
-
Daily General Discussion - April 2, 2023
Just wanted to install frame.sh as a new web3 wallet. It tells me to add "frame companion" to Edge, it warns me about:
-
Ledger seed phrase doesn't include Ethereum?
So try MetaMask, or my personal favourite for stuff like this is: http://frame.sh and play around with derivation paths.
-
What tools do you use in crypto?
Frame Wallet does a few things Rabby doesn't and also supports hardware wallets but lacks the contact security check.
What are some alternatives?
photos-app - ➡️ Moved to https://github.com/ente-io/ente
eth-crypto - Cryptographic javascript-functions for ethereum and tutorials to use them with web3js and solidity
pacman-bintrans - Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)
eth-sdk - Type-safe, lightweight SDKs for Ethereum smart contracts
ios-mail - Secure email that protects your privacy
stingle-photos-android - Stingle Photos is an open-source, end-to-end encrypted media gallery application that provides backup, sharing and cross-platform sync functionality without sacrificing convenience.
mailvelope - Browser extension for OpenPGP encryption with Webmail
chainlist
termpair - View and control terminals from your browser with end-to-end encryption 🔒
photos-desktop - 📦 Binary releases of the Ente Photos desktop app
leCrypt-web-extension - leCrypt is a decentralised password manager which is cross-platform, free and secure.
disco3-react - disco3 - well typed and performant web3 react library