40 megs downloaded just to present a login screen (possible security issue revealed as well) #7785

Open
bruceleerabbit opened this issue Apr 19, 2024 · 0 comments

bruceleerabbit commented Apr 19, 2024

Wire version: 3.29.x

What steps will reproduce the problem?

  1. run a network monitoring app (built-in to some SOHO routers) and nothing else, note the bandwidth meter
  2. run wire-desktop --startup
  3. wait for login screen (due to bug Login fails with "Unexpected error" #7764, we now get a login screen); this takes a long time
  4. check the bandwidth meter, notice a consumption of 40mb just to launch wire-desktop

What is the expected result?

Nearly zero consumption. The app should have its own login screen. Electron likely does not; I still would not expect the download bulk to exceed 1k.

What is the actual result?

40 mb is consumed. This is a crazy amount of data to fetch before logging in. It seems as if the entire application is being fetched for every conversation, and then disposed of, which would totally defeat the purpose of using a dedicated app instead of the webapp.

security issue
If JavaScript is being fetched, there is a security problem because dynamically loaded JS can be malicious and users can be targeted.

Electronmail is an Electron-based app for accessing Protonmail. I have not used it in a while but I think it fetches almost nothing prior to login because static JavaScript is bundled in, which enables users to control the code they run. If software must be deployed on Electron, Electronmail probably sets a good example of what users expect.

cost issue
Not everyone is on an unlimited internet connection. 40 mb takes a huge toll on measured rate subscriptions. In my area it’s 10-50¢/mb depending on the ISP.

Before bug 7764 manifested, I always suspected (without confirming) the consumption was high possibly due to refetching the conversation (as I did not know at what point the autologin happened). But refetching the chat history should not happen either. It should be stored locally. I’ve told my correspondents to only send text, not binary content, to try to get the bandwidth problem under control. In any case, it’s now clear that makes no difference, so this is a show stopper for me.

@bruceleerabbit bruceleerabbit changed the title 40 megs downloaded just to present a login screen 40 megs downloaded just to present a login screen (possible security issue revealed as well) Apr 19, 2024
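
One way to check the two claims in the report above (how many bytes are pulled before login, and whether any of them are remotely served JavaScript) is to audit a HAR capture of the startup traffic. This is an added example, not part of the original issue and not Wire code; it assumes such a capture is available, and the sample capture, host name and file path in it are constructed.

```javascript
// Added example, not Wire code. HAR 1.2 field names; the capture below is constructed.
const SCRIPT_MIME = new Set([
  'application/javascript', 'text/javascript',
  'application/x-javascript', 'application/ecmascript', 'text/ecmascript',
]);

// Constructed sample: one bundled page plus three remote fetches before login.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'file:///opt/app/index.html' },
    response: { bodySize: 2048, content: { mimeType: 'text/html', size: 2048 } } },
  { request: { url: 'https://app.example.invalid/main.js' },
    response: { bodySize: 1500000,
                content: { mimeType: 'application/javascript; charset=utf-8', size: 1500000 } } },
  { request: { url: 'https://app.example.invalid/vendor.js' },
    response: { bodySize: -1, content: { mimeType: 'text/javascript', size: 500000 } } },
  { request: { url: 'https://app.example.invalid/style.css' },
    response: { bodySize: 4096, content: { mimeType: 'text/css', size: 4096 } } },
] } };

function auditHar(har) {
  const report = { totalBytes: 0, remoteBytes: 0, scriptBytes: 0, byType: {}, remoteScripts: [] };
  for (const { request, response } of har.log.entries) {
    const content = response.content || {};
    const mime = (content.mimeType || 'unknown').split(';')[0].trim().toLowerCase();
    // bodySize is -1 when the recorder could not measure it; fall back to the
    // decoded content size, which is an upper bound on the bytes on the wire.
    const bytes = response.bodySize >= 0 ? response.bodySize : (content.size || 0);
    const { protocol, pathname } = new URL(request.url);
    const remote = protocol === 'http:' || protocol === 'https:';
    report.totalBytes += bytes;
    report.byType[mime] = (report.byType[mime] || 0) + bytes;
    if (!remote) continue; // file:// and similar are resources bundled with the app
    report.remoteBytes += bytes;
    // Treat a .js/.mjs path as script even if the server mislabels the type.
    if (SCRIPT_MIME.has(mime) || /\.m?js$/i.test(pathname)) {
      report.scriptBytes += bytes;
      report.remoteScripts.push({ url: request.url, bytes, cleartext: protocol === 'http:' });
    }
  }
  return report;
}

const report = auditHar(SAMPLE_HAR);
console.log(`${report.remoteBytes} bytes fetched remotely, ${report.scriptBytes} of them script`);
for (const s of report.remoteScripts) console.log(`  ${s.bytes}\t${s.url}`);
```

An empty `remoteScripts` list on a real capture would indicate that the code shown before login comes from the installed package rather than from the network.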