
You cannot solve social problems ("how do I know I can trust X") with technology.

meta-code-verify is itself vulnerable to the trust chain. You trust Mozilla/Chrome not to alter the version you install from their store. You trust that GitHub isn't going to pull a swifty on you, or Facebook. You trust that the server hosting the append-only log hasn't been unknowingly compromised, or the interpreter, or your machine, etc. ad nauseam.

Indeed, you trust in your computer to display the right hash, and to compare them correctly.

What's more, this browser extension is useless in the context of this thread, because, as the grandparent post points out:

> A significant % of Twitter usage is through the website (either twitter.com or tweetdeck), which means the decryption would all have to happen in javascript in an effectively untrusted context - it doesn't even have the moderate protections offered by a chrome app/extension, and there's no clean way to securely store encryption keys for a webpage (afaik) without the aid of something like a Yubikey or Windows Hello. Secure cryptography in the browser is still (generally speaking) adjacent to a joke, and the idea of doing it in Twitter.com - a very complex website with a huge attack surface that gets loaded into iframes/popups and targeted by various extensions - is probably exciting to people looking for easy ways to claim Twitter's bug bounties.

> You cannot solve social problems ("how do I know I can trust X") with technology. ... Indeed, you trust in your computer to display the right hash, and to compare them correctly.

Are you saying "No one should ever use a computer or phone because it might be spying on you"? Every time someone uses Twitter they are using technology to solve a social problem (e.g. "I want to know what people I care about are talking about").

You're right that ultimately some unavoidable trust decisions have to be made, but with open source software (and multiple reviewers with hard-earned long-standing reputations) those trust decisions become even easier to make than "Do I trust my government not to illegally wiretap my phone call?".

> Secure cryptography in the browser is still (generally speaking) adjacent to a joke ... probably exciting to people looking for easy ways to claim Twitter's bug bounties.

If you think that secure cryptography in the browser is a joke then feel free to earn $10,000 by hacking ProtonMail.[0] You'll be laughing all the way to the bank, and actually helping to improve the security of millions of people.

[0] https://protonmail.com/blog/protonmail-bug-bounty-program/


> If you think that secure cryptography in the browser is a joke then feel free to earn $10,000 by hacking ProtonMail.[0] You'll be laughing all the way to the bank, and actually helping to improve the security of millions of people.

Direct this to OP, not me.
