• Gestrid@lemmy.ca
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    2
    ·
    4 months ago

    I imagine it probably is inspected, just not by the public. They probably do it themselves.

    And they may have contracts with certain companies specializing in this sort of security that also inspect it.

    And there’s also the cybersecurity companies that test it whether they’re contracted or not. At some companies, their entire job revolves around finding bugs (especially security bugs) in other companies’ software.

    Just because it’s not on GitHub doesn’t mean it’s not a good product that hasn’t been thoroughly tested.

    • Excrubulent@slrpnk.net
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      2
      ·
      4 months ago

      Surely we’re not gullible enough to accept “we inspected ourselves and determined we are secure and you should use our services”?

      • Gestrid@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        That’s where the second and third paragraphs come in. Because other companies likely test it themselves, too.

        They’ll typically report security bugs privately and then, after X amount of months, publicly announce the bug. Doing it this way will, ideally, force the other company to patch the bug prior to the announcement. If not, they’ll end up with a publicly known security bug that bad actors can now exploit. The announcement will also let the public (including companies) know to update their software.

        • Excrubulent@slrpnk.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 months ago

          Yes, and those other paragraphs are the same thing other proprietary companies do. Your opening paragraph is just absurd on the face of it because “inspected” does not mean “by themselves”.

          The second paragraph is literally speculation about something that might happen.

          The third paragraph is about bug bounties, which every major software company does and which does not involve code inspection.

          You just smokescreened and talked around the fact that your opening statement “it probably is inspected” is entirely unverifiable and non-credible even if true. I guess since you started that sentence with “I imagine” then it is technically true. You did imagine that.

          • Gestrid@lemmy.ca
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            4 months ago

            I admittedly should’ve done more research before my first comment, but it does actually turn out that everything I said is true. Proton’s technology was previously audited by Mozilla and is currently audited by SEC Consult and other companies regularly, and the audits are available for everyone to view. Additionally, they do have a bug bounty program. Also (and this is something I didn’t mention), the ProtonVPN and Proton Mail apps are all open source.

            • Excrubulent@slrpnk.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              4 months ago

              Is that the backend code? It seems like they’re talking about the apps, not backend code. The thing being discussed here is backend code.

              • Gestrid@lemmy.ca
                link
                fedilink
                English
                arrow-up
                1
                ·
                4 months ago

                The way I read it, they already (in the third paragraph of the blog post) had companies auditing their backend technology and (in the fourth paragraph) were starting to have companies audit their apps, too.

              • lastweakness@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                4 months ago

                Nearly all of Proton’s stuff uses publicly verifiable client side encryption, so idk what all this is about

                • Excrubulent@slrpnk.net
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  4 months ago

                  It’s about the server-side code. If that’s not an issue then someone needs to make the argument, not throw up smokescreens about the apps and frontend code.

                  You’re right that the encryption needs to be verifiable on the client side, but then why not share the server side code?

                  I mean if they did, anyone could theoretically spin up an instance, which would be good, actually.

                  • lastweakness@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    4 months ago

                    would be good, actually.

                    Good for us. Bad for business. I explained this in another comment too but Proton’s idea of “open source” is simply to build trust in the security and privacy offered by the service. At least, as much as you can trust any SaaS.

                    but then why not share the server side code?

                    And to answer this… Well, business and practicality… One more than the other ofc unfortunately… Why would they take on the additional burden of making it self-hostable, make the backend fully open source, etc just to make competition for themselves? And that maintenance burden is huge btw, especially when the backend was probably never intended for self-hosting in the first place.

                    If Proton, as a company or foundation, didn’t keep making the right decisions in terms of privacy and security, we might have had a reason to doubt their backend. But so far, there’s been nothing. And steps like turning to a foundation-based model just inspires more trust. By using client-side encryption, even within the browser, they’re trying to eliminate the need for trusting the closed source backend. Open sourcing the backend wouldn’t improve trust in the service itself anyway since you can’t verify that the code running in the backend is the same as the open sourced code. If you’re concerned about data, they also offer exports in open formats for every service they offer.

                    Why wouldn’t you trust them just because their backend is closed source? Ideologically, yeah I’d like them to open source absolutely everything. But as a service, whose income source is exclusively the service itself, how can it make sense for them to open source the backend when it cannot tangibly benefit their model of trust?

                    My other comment regarding proton and trust: https://lemmy.world/comment/11003650

    • John Richard@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      9
      ·
      4 months ago

      You realize that Microsoft code is inspected as well, even more heavily and regulated… and yet they still end up with major breaches. Security evolves through open source collaboration and inspection by experts that aren’t being paid to say you’re doing a good job.

      • sunzu@kbin.run
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        You are making a lot good points… But is there any other practical solution?

        Seems this is the best a normie on budget can get

        • lastweakness@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          4 months ago

          They’re not actually good points at all… Proton’s open sourcing of the clients is for the purpose of trust in terms of security and privacy. The backend doesn’t matter because the point is that the data is encrypted before it ever gets to the backend. The goal with Proton’s open sourcing is not the ability to make it self-hostable. Sure, a lot of concerns are valid, but this isn’t like Microsoft or Google. Nearly all of Proton is verifiably and provably secure. Well, at least as long as you trust the web clients being served are the ones whose code is publicly available. But again… You can’t verify that with any SaaS. Such a risk is even present with self-hosting tbh. But that’s another discussion.