
An end-to-end encrypted web app - DVassallo
https://github.com/encrypted-dev/proof-of-concept
======
theamk
That’s a pretty dangerous idea. It may seem to the user that they are safe from
server compromise or government investigation, but this is not the case. The
code is shipped every time, which means that hackers will modify the code to
exfiltrate users’ keys, and governments will make the developer do that.

See the story of Hushmail and the feds for an example.

~~~
DVassallo
There are ways to address that: One of them is to provide a downloadable copy
of the web app. Another is to offer a browser extension to verify integrity.
Here's an example from Cloudflare
([https://blog.cloudflare.com/e2e-integrity/](https://blog.cloudflare.com/e2e-integrity/)).

But even without code integrity checks, client-side encryption of user data
should still radically improve user data privacy compared to the status quo of
storing it in the clear in a database owned by the app developer.

