Signed pages #427

Open
@rugk

Maybe you could consider adding support for this signed pages browser add-on.

The idea is simple:

  • Devs sign the page with PGP and use Subresource Integrity (SRI) in order to assure all resources loaded from that site are valid (thus indirectly also signed).
  • Browser extension verifies this.

That can protect against the "server trust" problem you still have with Threema Web – actually, with every web application (as discussed in #52). At least it would protect against a server compromise, not against you (dev/Threema) acting evil, of course. So it's a bit of a limited threat model here, but it is certainly better than without that verification.

And BTW as another advantage, it would also allow anybody to verify third-party self-hosted instances of Threema Web.
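
The "indirectly also signed" property described above holds only if every external script and stylesheet referenced by the signed HTML carries an SRI `integrity` value that matches what the server actually delivers. The following is an added example (not code from Threema Web or from the add-on) that audits this in Node.js; the function names, page and resource bodies are constructed for illustration, and the PGP signature over the HTML itself is assumed to be verified separately.

```javascript
// Added example: SRI coverage audit for a signed page; names and sample data are constructed.
const { createHash } = require('crypto');

const ALGS = ['sha256', 'sha384', 'sha512']; // SRI algorithms, weakest first
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Collect external scripts and stylesheets with their integrity attribute.
function listSubresources(html) {
  const found = [];
  for (const [, tag, rawAttrs] of html.matchAll(/<(script|link)\b([^>]*)>/gi)) {
    const attrs = {};
    for (const [, k, v] of rawAttrs.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) attrs[k.toLowerCase()] = v;
    const isScript = tag.toLowerCase() === 'script';
    const url = isScript ? attrs.src : attrs.href;
    if (!url) continue; // inline code is covered by the HTML signature itself
    if (!isScript && !/\bstylesheet\b/i.test(attrs.rel || '')) continue;
    found.push({ url, integrity: attrs.integrity || null });
  }
  return found;
}

// Like a browser, only the strongest algorithm listed is considered.
function integrityMatches(integrity, body) {
  const tokens = integrity.trim().split(/\s+/).filter(t => ALGS.includes(t.split('-')[0]));
  if (tokens.length === 0) return false; // nothing usable: fail closed in an audit
  const best = ALGS[Math.max(...tokens.map(t => ALGS.indexOf(t.split('-')[0])))];
  return tokens.some(t => t === sriHash(body, best));
}

// fetched: map of URL -> body as actually delivered by the server.
function auditPage(html, fetched) {
  const findings = [];
  for (const { url, integrity } of listSubresources(html)) {
    if (!integrity) findings.push({ url, problem: 'missing integrity' });
    else if (!(url in fetched)) findings.push({ url, problem: 'not fetched' });
    else if (!integrityMatches(integrity, fetched[url])) findings.push({ url, problem: 'hash mismatch' });
  }
  return findings;
}

// Constructed sample: one unpinned stylesheet, one script changed after signing.
const appJs = 'console.log("app");';
const delivered = { '/style.css': 'body{}', '/app.js': appJs, '/vendor.js': 'tampered()' };
const page = `<link rel="stylesheet" href="/style.css">
<script src="/app.js" integrity="${sriHash(appJs)}"></script>
<script src="/vendor.js" integrity="${sriHash('original()')}"></script>`;
console.log(auditPage(page, delivered));
```

A resource reported as `missing integrity` is the gap that matters for this scheme: a compromised server could replace it without invalidating the signature on the HTML.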
