this post was submitted on 03 Jul 2024
1041 points (100.0% liked)
Technology
67987 readers
3187 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
ooooh I love this. Proton is just winning constantly these days.
No they're not. They can't even finish a single solution, let alone actually make anything functional when you're not using their proprietary servers. They're becoming Microsoft.
Gee, it's almost as if that's the whole point of an ever-evolving SaaS platform.
Releasing unfinished products and expect users to just make do while they launch the next product can't be the solution either.
Then it's a good thing all of their products are fully functional and working as advertised, I guess.
Sure, whatever you want to belief :)
Which bits are not functional? I'm using their email and calendar.. they aren't completely polished, but they're very usable.
Drive has no Linux client, Photos is extremely barebones and locks you basically in, as there is no export function.
Pass still has no proper SimpleLogin integration, no credit card support and UX wise is the browser extension pretty bad. Funny enough, years after launch you still can't auto fill on Reddit.
The only thing I don't like about Mail is that you still have to create reverse aliases through SimpleLogin. Better integration would be great.
Contacts still don't sync to you local mobile contacts. Which means you either do it manually or you have to keep two sets updated.
Calendar is good too, I've heard it has no offline support though. Although I haven't verified that.
Last thing I would like to see is notification support without Play Services.
Some of those things might be super unimportant to some, but for me it makes the use of their stuff unnecessary cumbersome. Especially if you consider that those are all Proton products and should work together well.
My by far biggest problem is their communication and general development speed though. Stuff like contact sync has been requested for 5(?) years now but there hasn't been so much as a "we're working on it".
It feels to me they come out with new products all the time, like the document editor now, without addressing the little things that would make their ecosystem great.
Anyway, long ramble. But I appreciate that you asked for more details without insulting me.
Community has been begging for contacts for years...
It is getting tiring
~~I'm actually pretty sure they have one. I was doing a lot of exploring the last 2 days to make sure it was worth it to me to spend money on. And I landed on a downloads page on my Linux desktop that had a download link for drive for fedora, or debian. I can't find it on mobile (where I am now), but I'll look later on my PC and see if I can link it.~~
Was wrong, not sure what I found. Must have been the vpn or mail app.
Interesting, thanks for the heads up. Hopefully it gets better later on, but for the moment I'm glad I made my own solution using a NAS, and a sync client.
This was one of my first concerns, I'm also annoyed by it.
Additionally, I was hoping their big "docs update" would also include spreadsheets, but hopefully soon.
That's a good list. Certainly a public feature/bug tracker would be nice. But those are pretty rare for corporate software..
Whatever, dude. They're most probably not a native English speaker, and even if they are, a spelling error doesn't make them an "idiot". You're being a complete dick.
if it were spelled correctly it would still be a useless comment
❤️
A SaaS solution that claims to be private but won't provide the backend code to prove it. You don't find it at all suspicious that they claim releasing backend code would make it less secure? What kind of security product is not open for inspection? The same kind of "security" you get from Microsoft.
I imagine it probably is inspected, just not by the public. They probably do it themselves.
And they may have contracts with certain companies specializing in this sort of security that also inspect it.
And there's also the cybersecurity companies that test it whether they're contracted or not. At some companies, their entire job revolves around finding bugs (especially security bugs) in other companies' software.
Just because it's not on GitHub doesn't mean it's not a good product that hasn't been thoroughly tested.
That's where the second and third paragraphs come in. Because other companies likely test it themselves, too.
They'll typically report security bugs privately and then, after X amount of months, publicly announce the bug. Doing it this way will, ideally, force the other company to patch the bug prior to the announcement. If not, they'll end up with a publicly known security bug that bad actors can now exploit. The announcement will also let the public (including companies) know to update their software.
I admittedly should've done more research before my first comment, but it does actually turn out that everything I said is true. Proton's technology was previously audited by Mozilla and is currently audited by SEC Consult and other companies regularly, and the audits are available for everyone to view. Additionally, they do have a bug bounty program. Also (and this is something I didn't mention), the ProtonVPN and Proton Mail apps are all open source.
The way I read it, they already (in the third paragraph of the blog post) had companies auditing their backend technology and (in the fourth paragraph) were starting to have companies audit their apps, too.
Nearly all of Proton's stuff uses publicly verifiable client side encryption, so idk what all this is about
Good for us. Bad for business. I explained this in another comment too but Proton's idea of "open source" is simply to build trust in the security and privacy offered by the service. At least, as much as you can trust any SaaS.
And to answer this... Well, business and practicality... One more than the other ofc unfortunately... Why would they take on the additional burden of making it self-hostable, make the backend fully open source, etc just to make competition for themselves? And that maintenance burden is huge btw, especially when the backend was probably never intended for self-hosting in the first place.
If Proton, as a company or foundation, didn't keep making the right decisions in terms of privacy and security, we might have had a reason to doubt their backend. But so far, there's been nothing. And steps like turning to a foundation-based model just inspires more trust. By using client-side encryption, even within the browser, they're trying to eliminate the need for trusting the closed source backend. Open sourcing the backend wouldn't improve trust in the service itself anyway since you can't verify that the code running in the backend is the same as the open sourced code. If you're concerned about data, they also offer exports in open formats for every service they offer.
Why wouldn't you trust them just because their backend is closed source? Ideologically, yeah I'd like them to open source absolutely everything. But as a service, whose income source is exclusively the service itself, how can it make sense for them to open source the backend when it cannot tangibly benefit their model of trust?
My other comment regarding proton and trust: https://lemmy.world/comment/11003650
In general, I agree with you. I would very much prefer if they did more open sourcing too. Just want to address some additional stuff.
Unfortunately, this isn't really true anymore because of the necessity of minification. It introduces obscurity but is necessary for performance. But yes, the rest is correct, which is why I specified "web clients". You can verify the native clients, which is why native clients are so important imo. The concern of a hacked server serving a keylogging web client is unfortunately very real. Kind of makes it impossible to fully trust any SaaS at all.
The thing is, they already do public third party audits already. You can view their audit reports on their site. This is unlike companies like Google and Microsoft who conduct audits and keep the reports private. If you end up having to trust third party audits anyway, it doesn't help their model of trust since they do already do that in a transparent manner.
But yeah... stuff like the monopoly is kind of intentional. The exports are a mitigation, a huge one at that. Proton Mail exports are supported by services like FastMail, Proton Pass exports are supported by Bitwarden, etc. But in the end, the best case scenario would be some level of open sourcing. It's just that this "monopoly" is by design. For better or for worse, the fact that there is only one Proton is also good for Proton's model of trust tbh since the user doesn't have to wonder if the "instance" they're using is a good one for example. The fediverse model will not work for something that is so heavily based on trust. Proton wants to appeal to the general user, more than us folks... for better or for worse...
I hope they succeed too. I don't trust many companies. Proton has been one of the exceptions and I hope it stays that way...
You realize that Microsoft code is inspected as well, even more heavily and regulated... and yet they still end up with major breaches. Security evolves through open source collaboration and inspection by experts that aren't being paid to say you're doing a good job.
You are making a lot good points... But is there any other practical solution?
Seems this is the best a normie on budget can get
They're not actually good points at all... Proton's open sourcing of the clients is for the purpose of trust in terms of security and privacy. The backend doesn't matter because the point is that the data is encrypted before it ever gets to the backend. The goal with Proton's open sourcing is not the ability to make it self-hostable. Sure, a lot of concerns are valid, but this isn't like Microsoft or Google. Nearly all of Proton is verifiably and provably secure. Well, at least as long as you trust the web clients being served are the ones whose code is publicly available. But again... You can't verify that with any SaaS. Such a risk is even present with self-hosting tbh. But that's another discussion.
No, because Proton has 3rd party audits all the time and they share the results openly.
Microsoft has third party audits all the time and say they're secure, and then you learn of new backdoors every 6 months. Audit companies are unreliable and paid to give good feedback while doing the least work possible.
Yeah because enterprises primarily use a ton of open source security tools...
ಠ_ಠ
Enterprises are using a plethora of open source tools at this point. They may still utilize closed source solutions, but they definitely have quite a bit of open source solutions tied in.
All Their services are online based right? I don't understand why using their proprietary servers is an argument here.
Because their primary audience is those gullible enough to believe they somehow can't read your messages, yet they can easily capture your private password.
So, if you want to have any sense of a service respecting you, it should be hosted on a server you can control?
No difference at all between the server of the world's biggest advertiser and a server by a company that opens itself for audits and is in a country whole laws require no bullshit? Are you sure those two are the same? All or nothing?
Was that reply for me?