Hi, the cryptpad instance I'm currently using was recently breached. This got me thinking.
As I saw on the github repo in issue number 288 there has been some discussion in the past regarding using browser extensions to do code integrity checking. There was even a code integrity branch but it hasn't been updated in 7 years.
Currently if I understood correctly even though the data is only decrypted on the browser it also means that if only once, a malicious version of the code that sends the decrypted data remotely gets served by the instance, then we can lose all accumulated private data.
In a sense, this means there is no forward secrecy in case of a breach.
It doesn't have to be this way because there are now, compared to 2018 when this GitHub issue was first raised, more ways to check code integrity.
Hence, I was wondering if you were considering somewhere implementing ways to check the integrity of the code served.
Actually, to be honest, I think CryptPad is already so nice, working so well, with so little bugs, and with already so many features, that I'm surprised this isn't asked more often. It could jeopardize the entire rest of the project.
Thank you for your attention and thank you for making crytpad.
