
205 points ColinWright | 2 comments
mzajc ◴[] No.45074619[source]
> The first is that a user has no right to run anyone else's code, if the code owner doesn't want to make it available to them. Consider a bank which has an app. /../ I think the bank has the right to say "your machine is too risky - we don't want our code to run on it."

But should they? Should we also accept Google's browser signing and ban all browsers the bank doesn't like? Am I allowed to accept calls from people they haven't vetted, or is it too much of a risk to the bank's bottom line that they might talk me into a scam?

I suppose we should also write off the inevitable privacy and freedom violations in the name of "security".[0] I don't have anything to hide after all.

[0]: https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...

replies(3): >>45075816 #>>45080831 #>>45081011 #
1. edent ◴[] No.45081011[source]
Plenty of banks will say "only available in Chrome" or "you must be running version xyz of your browser".

There are also banks which are app-only.

You'll also notice that modern phones have a "spam caller" feature. It either gets data from the phone network or from another source. Should your phone block the most obvious spam calls? Your email client already blocks spam.

At a network level, STIR/SHAKEN is also trying to block you from answering fraudulent calls.

These things are happening right now. I expect most people think a reduction in phone spam is worth the occasional false positive.

You may have a different opinion.

replies(1): >>45083664 #
2. mzajc ◴[] No.45083664[source]
> Plenty of banks will say "only available in Chrome" or "you must be running version xyz of your browser".

Despite bogus requirements like these, websites have to rely on hacks to figure out what browser you're using, usually making it trivial to spoof (especially between browsers using the same engine). More importantly, websites can't prevent extensions from running, which I believe was one of WEI's goals.

> You'll also notice that modern phones have a "spam caller" feature.

I have yet to see a smartphone that enforces such a feature and does not allow the user to disable or configure it.

> At a network level, STIR/SHAKEN is also trying to block you from answering fraudulent calls.

I am unfamiliar with STIR/SHAKEN, but Wikipedia describes it as "a suite of protocols and procedures intended to combat caller ID spoofing". This is fraudulent in the sense of "the caller is not who they claim to be," and not "this caller is on our blacklist" or even "is not on our whitelist". YMMV as some countries require GSM subscribers to ID themselves, but it's still far from a central entity deciding who is allowed to call you.