Comment by John Richard@lemmy.world on Proton launches privacy-focused Google Docs alternative: Docs in Proton Drive is an open-source, end-to-end encrypted collaborative document editor

A SaaS solution that claims to be private but won’t provide the backend code to prove it. You don’t find it at all suspicious that they claim releasing backend code would make it less secure? What kind of security product is not open for inspection? The same kind of “security” you get from Microsoft.

I imagine it probably is inspected, just not by the public. They probably do it themselves.

And they may have contracts with certain companies specializing in this sort of security that also inspect it.

And there’s also the cybersecurity companies that test it whether they’re contracted or not. At some companies, their entire job revolves around finding bugs (especially security bugs) in other companies’ software.

Just because it’s not on GitHub doesn’t mean it’s not a good product that hasn’t been thoroughly tested.

Surely we’re not gullible enough to accept “we inspected ourselves and determined we are secure and you should use our services”?

That’s where the second and third paragraphs come in. Because other companies likely test it themselves, too.

They’ll typically report security bugs privately and then, after X amount of months, publicly announce the bug. Doing it this way will, ideally, force the other company to patch the bug prior to the announcement. If not, they’ll end up with a publicly known security bug that bad actors can now exploit. The announcement will also let the public (including companies) know to update their software.

Yes, and those other paragraphs are the same thing other proprietary companies do. Your opening paragraph is just absurd on the face of it because “inspected” does not mean “by themselves”.

The second paragraph is literally speculation about something that might happen.

The third paragraph is about bug bounties, which every major software company does and which does not involve code inspection.

You just smokescreened and talked around the fact that your opening statement “it probably is inspected” is entirely unverifiable and non-credible even if true. I guess since you started that sentence with “I imagine” then it is technically true. You did imagine that.

I admittedly should’ve done more research before my first comment, but it does actually turn out that everything I said is true. Proton’s technology was previously audited by Mozilla and is currently audited by SEC Consult and other companies regularly, and the audits are available for everyone to view. Additionally, they do have a bug bounty program. Also (and this is something I didn’t mention), the ProtonVPN and Proton Mail apps are all open source.

Is that the backend code? It seems like they’re talking about the apps, not backend code. The thing being discussed here is backend code.

You realize that Microsoft code is inspected as well, even more heavily and regulated… and yet they still end up with major breaches. Security evolves through open source collaboration and inspection by experts that aren’t being paid to say you’re doing a good job.

You are making a lot good points… But is there any other practical solution?

Seems this is the best a normie on budget can get

They’re not actually good points at all… Proton’s open sourcing of the clients is for the purpose of trust in terms of security and privacy. The backend doesn’t matter because the point is that the data is encrypted before it ever gets to the backend. The goal with Proton’s open sourcing is not the ability to make it self-hostable. Sure, a lot of concerns are valid, but this isn’t like Microsoft or Google. Nearly all of Proton is verifiably and provably secure. Well, at least as long as you trust the web clients being served are the ones whose code is publicly available. But again… You can’t verify that with any SaaS. Such a risk is even present with self-hosting tbh. But that’s another discussion.

You don’t find it at all suspicious that they claim releasing backend code would make it less secure? What kind of security product is not open for inspection?

No, because Proton has 3rd party audits all the time and they share the results openly.

Microsoft has third party audits all the time and say they’re secure, and then you learn of new backdoors every 6 months. Audit companies are unreliable and paid to give good feedback while doing the least work possible.

Yeah because enterprises primarily use a ton of open source security tools…

ಠ_ಠ

Enterprises are using a plethora of open source tools at this point. They may still utilize closed source solutions, but they definitely have quite a bit of open source solutions tied in.

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Proton launches privacy-focused Google Docs alternative: Docs in Proton Drive is an open-source, end-to-end encrypted collaborative document editor(proton.me)

Technology

!technology@lemmy.world

Our Rules

Approved Bots

Community stats

Community moderators