webext-signed-pages
proton-mail
webext-signed-pages | proton-mail | |
---|---|---|
16 | 73 | |
190 | 171 | |
- | - | |
0.0 | 9.8 | |
about 2 years ago | over 3 years ago | |
JavaScript | TypeScript | |
BSD 3-clause "New" or "Revised" License | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
webext-signed-pages
-
E2EE on the web: is the web that bad?
There is "Signed Pages" by the debeloper of EteSync. It is a browser extension, that checks webapps based on signatures in the html file. The addon then warns the user if the signature is not correct or - if I remember correctly - the source changed. This allows you to be sure what webapp code was delivered. But it seems like it did not really get used outside of his own projects. https://github.com/tasn/webext-signed-pages
-
Cloudflare and CDNs - call for community opinions
EteSync has implemented something called Signed Pages, this might be worth looking closer at. This uses PGP keys which is preloaded into the browser; but I suspect that will be a barrier too high for most non-tech users.
- Is there any tool to verify client-side website code you get served is the same as the open source version?
-
Truly safe?
There are also projects like signed web pages which can also help increasing the trust level to some degree. But that requires that you can download the source code and regenerate the verification hash locally - or have other trusted methods to verify the hash value hasn't been modified as well. The current concept is reasonably sane, but it requires too much from users currently to make it widely used.
- A browser that verifies Javascript
-
Security experts declare all Proton apps secure after security audit
> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
[0] https://coins.github.io/secure-bookmark/
[1] https://github.com/tasn/webext-signed-pages
[2] https://github.com/facebookincubator/meta-code-verify
-
ProtonMail Is Inherently Insecure, Your Emails Are Likely Compromised
Something like a browser extension for this does already exist, fortunately:
https://github.com/tasn/webext-signed-pages
-
"Were you able to subpoena ProtonMail?"
In regards to untrusted webapp, yes, that is a reasonable attack vector. That said, I've heard from ProtonMail they have been considering to implement Signed Pages to help mitigate (at least some of the) issues with this attack vector.
-
Proton’s priorities
Which is why it is important to get proper E2E encryption on e-mail, where the source is open source and can be audited. And then that there are verify mechanisms to verify that the source code has not been manipulated. For web services there are signed-pages which is quite interesting.
proton-mail
- Protonmail archived on github?
-
The new ProtonMail has passed its independent security audit
The linked site is very low on info high on outrageous claims. It is not the same as gmail and protons response to that paper are accurate imo. The fact is web clients are inherently insecure but you can run your own client entirely afaik (https://github.com/ProtonMail/proton-mail). I don't think anybody has evidence of wrong doing but the service is proprietary so...
- Ask HN: What's a good TS codebase to learn from?
-
ProtonMail - New release - 4.0.0 — June 8, 2021
I was switched from beta to stable release but saw another update and when I clicked on it, I was reverted back to the old design and couldn't find a switch to go the beta again. I had to use beta.protonmail.com address to go back to the beta. The information you have written in comments below is inaccurate. I'm a bit disappointed by this.
-
A new ProtonMail in coming!
The new web app has been open source for a while already and can be found here: https://github.com/ProtonMail/proton-mail
-
Calendar?
Well, to log to beta you can simply go to beta.protonmail.com when needed.
-
Outlook vs Protonmail for a main email
If you want it to, you check check out the beta version (beta.protonmail.com) - that offers the ability to stay logged in on the web.
-
Adding sites to Containers without visiting sties
For example, if I wanted to add beta.protonmail.com to a container, I am running into the issue where I cannot add beta.protonmail.com to always open in a container because as soon as visiting the site, it would redirect to https://account.protonmail.com/login. So the beta.protonmail.com would never open in a container tab, but then it would open the login page by opening a brand new tab.
-
Adding another protonmail
You've been pointed at https://beta.protonmail.com/ already.
-
Anyone else thinks the clear background makes the white text annoying to read? Trying to find a typo makes my eyes hurt. Seems like a weird design choice.
Hi! Have you checked out beta.protonmail.com? It has a sleek new interface, and we think the login page will be more to your liking :)
What are some alternatives?
photos-app - ➡️ Moved to https://github.com/ente-io/ente
ProtonMail Web Client - Monorepo hosting the proton web clients
pacman-bintrans - Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)
ElectronMail - Unofficial ProtonMail Desktop App
ios-mail - Secure email that protects your privacy
AnonAddy - Anonymous email forwarding
mailvelope - Browser extension for OpenPGP encryption with Webmail
Tutanota makes encryption easy - Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.
termpair - View and control terminals from your browser with end-to-end encryption 🔒
webclient - The mega.nz web client
frame - System-wide Web3 for macOS, Windows and Linux
stylus - Stylus - Userstyles Manager