Browser security

The browser environment is used for the primary user application because of its unparalleled support on all platforms.

The web application is served directly from the Clarabot servers. Its programs and resources are protected in transit by standard, widely supported TLS. The user’s account is managed by the web application received from the Clarabot servers, which means those servers need to be trusted to provide authentic and secure executable files. This is the most convenient way to use Nano, as it requires no installation on the user’s side.

Future improvements we’re considering investigating:
  • allow hosting some files on external CDNs securely by utilizing SRI: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

  • concerned users shall be able to automatically verify that the received application files are authentic using browser extensions; they will need to perform a review at each update for this to be effective

  • adept users may even build their own version of the web application and run a self-hosted trusted-root-proxy for their localhost and the Clarabot API servers
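
To illustrate the SRI item in the list above, here is an added example (not Clarabot's own code) of a Node.js build step that generates the `integrity` value for a CDN-hosted file and re-checks a downloaded copy using the browser's "strongest algorithm wins" rule. The function names, the `cdn.example` URL and the sample bundle are assumptions made for this example.

```javascript
// Added example: SRI metadata generation and browser-style verification (Node.js).
const crypto = require("node:crypto");

// Hash algorithms SRI allows, ordered weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build one integrity token: "<algo>-<base64 digest>".
function sriDigest(bytes, algo = "sha384") {
  if (!STRENGTH.includes(algo)) throw new Error(`unsupported algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(bytes).digest("base64")}`;
}

// Split an integrity attribute into {algo, digest}; unknown tokens are ignored.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).flatMap((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? [{ algo: m[1], digest: m[2] }] : [];
  });
}

// Browser rule: only hashes of the strongest listed algorithm are considered.
function verifyIntegrity(bytes, attr) {
  const entries = parseIntegrity(attr);
  // Assumption: a build/deploy check should fail closed. Browsers instead load
  // the resource unchecked when no usable integrity metadata is present.
  if (entries.length === 0) return false;
  const strongest = entries.reduce((best, e) =>
    STRENGTH.indexOf(e.algo) > STRENGTH.indexOf(best) ? e.algo : best, entries[0].algo);
  const actual = crypto.createHash(strongest).update(bytes).digest("base64");
  return entries.some((e) => e.algo === strongest && e.digest === actual);
}

// Emit the tag for a CDN-hosted file; cross-origin SRI needs a CORS-enabled fetch.
function scriptTag(url, bytes) {
  return `<script src="${url}" integrity="${sriDigest(bytes)}" crossorigin="anonymous"></script>`;
}

// Constructed sample input standing in for a built application bundle.
const bundle = Buffer.from("console.log('constructed sample bundle');\n");
const tampered = Buffer.from("console.log('constructed sample bundle');//x\n");

console.log(scriptTag("https://cdn.example/app.js", bundle));
console.log("original verifies:", verifyIntegrity(bundle, sriDigest(bundle)));
console.log("tampered verifies:", verifyIntegrity(tampered, sriDigest(bundle)));
```

Because a weaker hash listed beside a stronger one is ignored, a stale or wrong `sha512` value blocks the file even when its `sha256` value matches, so regenerate every listed hash at each release.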