Beaker: Mist Browser and Beaker: security about Electron browsers

Created on 11 Feb 2020 · 4 Comments · Source: beakerbrowser/beaker

Mist Browser has discontinued their browser because of Electron security issues.
How does Beaker manage to be different? How does it compare to Brave's Muon?
@pfrazee

All 4 comments

Can you give me more information about Mist's decision?

From this article:

Electron is a great framework for webapps on the desktop, built for apps that use their own trusted JavaScript files. But when you are building a browser, you are, by definition, running random code from unknown people all around the world. This is tricky. Also, for most of our history together, Electron was not updated frequently and even when it was, it was still running several versions behind Chromium, which meant that often the latest version of Mist was running an engine several months out of date. Google tends to publish vulnerabilities it found six months after releasing a fix, and at that point we were still stuck with the one-hundred-day exploit open, leading to a situation where we were paying out of our bug bounty fund to people who simply took known vulnerabilities in Chrome and applied them to us. We had a professional audit of Mist and they were able to discover multiple vulnerabilities that were fixed, none very dangerous, but late last year we received notice of a few very serious bugs: ones that would allow an attacker to take control of your computer (and your crypto keys) by simply visiting an untrusted website. This is very bad.

So, in recent years, Electron has restored Chromium's process-level sandbox for the webContents and it has moved to a faster release schedule that keeps it closer to Chromium. The most recent release of Electron is on Chromium 80.

It's true there's a greater delay than we want - you want to be able to update Chromium immediately after they release a security fix, and a direct fork (like Brave) can do that but we rely on Electron. In the past, I've seen Electron respond quickly to CVEs, but in the long run having more direct response-time control is important.

It'd be useful to see the security issues that led Mist to give up entirely (mentioned at the end). I'm not familiar with any issue of that nature which uniquely affects Electron.

As this project gains more resources we'll consider moving to a direct Chromium fork, for security reasons and also for more direct control over the codebase. At this point, however, I'm not aware of a security issue which is untenable. Please share any if you know of them!
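What "process-level sandbox for the webContents" means in practice, as an added example that is not part of this thread or of Beaker's code: the webPreferences an Electron-based browser should give a window that loads untrusted pages, and an audit that refuses to open the window when any of them is missing or weakened. Only the Electron BrowserWindow option names are real; the helper names are assumptions.

```javascript
// Added example, not Beaker's code: webPreferences for a window that loads
// untrusted pages, plus an audit that flags settings such a browser must never
// ship with. Assumes only Electron's BrowserWindow option names (sandbox,
// contextIsolation, nodeIntegration, webSecurity, allowRunningInsecureContent,
// webviewTag); the helper names are hypothetical.

// Settings for a renderer that shows pages we do not trust.
function hardenedWebPreferences() {
  return {
    sandbox: true,                      // Chromium OS-level renderer sandbox
    contextIsolation: true,             // preload script gets its own JS world
    nodeIntegration: false,             // no require()/process in page JS
    webSecurity: true,                  // keep the same-origin policy enforced
    allowRunningInsecureContent: false, // no http subresources on https pages
    webviewTag: false,                  // pages cannot embed further guests
  };
}

// The failure mode the Mist article describes: page JS that can reach Node is a
// full machine compromise once any renderer-side bug is exploited.
const UNSAFE_FOR_UNTRUSTED = {
  sandbox: [false, 'renderer runs outside the Chromium sandbox'],
  contextIsolation: [false, 'page JS shares a world with the preload script'],
  nodeIntegration: [true, 'page JS can reach Node APIs such as fs and child_process'],
  webSecurity: [false, 'same-origin policy disabled'],
  allowRunningInsecureContent: [true, 'mixed content allowed'],
  webviewTag: [true, 'pages may embed further guests'],
};

// Returns the findings; empty means acceptably locked down. An unset key counts
// as unsafe because Electron's defaults have shifted between releases.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, [bad, why]] of Object.entries(UNSAFE_FOR_UNTRUSTED)) {
    const value = prefs[key] === undefined ? bad : prefs[key];
    if (value === bad) findings.push(`${key}: ${why}`);
  }
  return findings;
}

// Creates the window only when the audit is clean. BrowserWindow is passed in so
// this file also runs outside Electron (a test can pass a stub class).
function openUntrustedPage(BrowserWindow, url, prefs = hardenedWebPreferences()) {
  const findings = auditWebPreferences(prefs);
  if (findings.length) throw new Error('refusing to load: ' + findings.join('; '));
  const win = new BrowserWindow({ webPreferences: prefs });
  win.loadURL(url); // real Electron: navigates the sandboxed renderer to url
  return win;
}
```

In a real Electron main process you would pass the imported `BrowserWindow` class; the audit is the part worth keeping in CI so a later refactor cannot silently turn `nodeIntegration` back on for untrusted content.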

As this project gains more resources we'll consider moving to a direct Chromium fork, for security reasons and also for more direct control over the codebase

https://github.com/beakerbrowser/beaker/issues/1310

At this point, however, I'm not aware of a security issue which is untenable. Please share any if you know of them!

https://github.com/beakerbrowser/beaker/issues/1422
