.net Framework vs. Open Source


#1

I downloaded Brave for my Win7 Ultimate 64-bit laptop.
I went to install it.
My laptop informed me that it would have to first install the Microsoft .net framework v.4.5

I do not like that story. So I deleted Brave.

How can you say you use open source software if you are using the .net framework?


#2

A big red flag for me on the question of installing the Microsoft .net framework v. 4.5 is its multiple security vulnerabilities, which are listed out at

https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-2002/version_id-124628/Microsoft-.net-Framework-4.5.html

I don’t know why I would want to introduce so many problems to my laptop just to use Brave.

Why do you have to use the .net framework?


#3

ccing @sriram, @suguru or @kamil for answer. :slight_smile:


#4

Agree with this sentiment 100%. After successfully using Brave on my Mac and Linux laptops, I was shocked to see that .NET 4.5 would be required in order to install on one of my Windows machines. I go to great lengths to minimize the attack surface and patch download bandwidth on my machines, which is why .NET doesn’t come near any of them unless absolutely positively required. Surely there’s just a minimal dependency here that our fearless Brave developers can overcome.

Pretty Please???


#5

Compared to applications written in plain C++, applications written on top of software frameworks like .Net or Java should generally comprise fewer vulnerabilities.

It is well known that it is difficult to write secure software in C++. A common problem which occurs over and over in C++ applications is, for example, buffer overflows. This is because the developers have to manage memory in every part of the application by themselves, which is difficult to master.

Frameworks like Java or .Net implement secure memory management which is used by all applications built on top of them. So in this respect there is less attack surface.

Java and .Net provide even more common functionality which is security relevant, like cryptography, parsers etc. Applications implemented in C++ generally employ a wider variety of libraries, which leads to a more heterogeneous and larger attack surface.

Because of the modular structure of the frameworks I do not think that components of the framework which are not used in an application have a negative impact on security. It has however a negative impact on download bandwidth—in my opinion this is bearable.


#6

I read through the CVE list and only see a few vulnerabilities which could apply to a browser.

For many CVEs in the list it is necessary for the attacker to place special software on the victim's computer (e.g. by downloading and running an app from the internet or an XAML browser application, probably not supported by Brave). As long as the source code of Brave is not controlled by an attacker, these vulnerabilities should not apply.

Some of the other CVEs apply to vulnerabilities in libraries which are used by .Net. However, these libraries could also be used by other applications not implemented with .Net (e.g. some of the font parsing vulnerabilities).

Other vulnerabilities apply to features of .Net which are rather used in server applications, not a browser (e.g. .Net remoting, XML signature verification).
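
The triage described in post #6 can be made repeatable with a small script. This is an added example, not part of the original post and not Brave's code; the bucket names, keyword patterns and sample summaries are assumptions constructed for illustration and are not entries from the linked CVE list.

```python
import re

# Buckets mirror the reasoning in post #6. The patterns are assumptions of this
# example, kept deliberately narrow to the features that post names.
RULES = [
    ("needs-attacker-code-on-host",
     re.compile(r"xaml browser application|xbap|crafted \.net application", re.I)),
    ("server-side-feature",
     re.compile(r"\.net remoting|xml (?:digital )?signature", re.I)),
    ("shared-library-not-dotnet-specific",
     re.compile(r"\bfont\b|truetype|opentype", re.I)),
]
# Anything no rule explains is kept for manual review instead of being dismissed.
UNMATCHED = "review-for-browser-exposure"


def classify(summary):
    """Return (bucket, matched_text); matched_text shows why the bucket was chosen."""
    for bucket, pattern in RULES:
        hit = pattern.search(summary)
        if hit:
            return bucket, hit.group(0)
    return UNMATCHED, None


def triage(entries):
    """Group (entry_id, summary) pairs by bucket, keeping the matched text for audit."""
    report = {}
    for entry_id, summary in entries:
        bucket, matched = classify(summary)
        report.setdefault(bucket, []).append((entry_id, matched))
    return report


# Constructed sample summaries with placeholder ids, NOT copied from the CVE list.
SAMPLE = [
    ("SAMPLE-01", "Code execution via a crafted XAML browser application (XBAP)."),
    ("SAMPLE-02", "Improper parsing of TrueType font files allows code execution."),
    ("SAMPLE-03", "Privilege escalation through exposed .NET Remoting endpoints."),
    ("SAMPLE-04", "XML digital signature verification can be bypassed."),
    ("SAMPLE-05", "Denial of service when processing a crafted certificate chain."),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(f"{bucket}: {items}")
```

Keyword matching only sorts the list for a human reader; the matched text is returned so each bucket assignment can be checked against the full advisory.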


#7

That’s exactly how I feel and I think you put it better than I did. Thanks for replying.

Tina Rock


#8

Totally agree about the security benefits of coding in CLR-based languages. What’s surprising from the end-user perspective is that the Brave browser, which appears to be cross platform from the same code base (such as Chromium and Firefox), is actually apparently a different code base for the Windows implementation. It’s simply a question of end-user expectations. For the huge chunk of Windows users out there, .NET 4.5+ will already have been pushed onto those systems by Microsoft and it’s a non-issue. However, for security-conscious persons such as myself and many others, it’s a tough pill to swallow to agree to open up that whole new avenue of potential attack and patch vectors…especially when no such requirement exists for other cross-platform browsers.

I have wonderful hopes for Brave’s desire to “reinvent the web”. Maybe riding on .NET on Windows is an acceptable way to accomplish that for most people. Unfortunately for this security-conscious individual, that’s the wrong path to head down.

At this point I also have to chuckle and acknowledge that most hard-core security conscious individuals that I am following are currently abandoning both their Windows and their Mac OS platforms in favor of Linux, so perhaps we’ll all be happy in the end game when we arrive at that reinvented web together :slight_smile:


#9

Thanks for bringing this to our attention. The .net framework is used for the Brave installer, which is the default that Electron (https://electronjs.org/) uses. So this security issue affects virtually all Electron apps.

We are moving away from Electron in 2018, at which point .net will no longer be needed.


#10

Actually I just noticed that the ‘Install .net 4.5’ error message is hard-coded and hasn’t been updated in a long time: https://github.com/electron/windows-installer/blob/4070e7d3fa7175971aaed838d3f4311916cc51d1/vendor/template.wxs#L9. It might just work if you install a later version of .net instead of 4.5.


#11

@yan, thanks for the suggestion to use a later version of .net; however, that does not address the security issues I have with installing .net at all.

I would like to be notified when you have completed moving away from Electron in 2018 and no longer needing .net to install Brave.

Thank you

