I admittedly should’ve done more research before my first comment, but it does actually turn out that everything I said is true. Proton’s technology was previously audited by Mozilla and is currently audited by SEC Consult regularly, and the audits are available for everyone to view. Additionally, they do have a bug bounty program. Also (and this is something I didn’t mention), the ProtonVPN and Proton Mail apps are all open source.
Excrubulent@slrpnk.net 4 months ago
Is that the backend code? It seems like they’re talking about the apps, not backend code. The thing being discussed here is backend code.
Gestrid@lemmy.ca 4 months ago
The way I read it, they already (in the third paragraph of the blog post) had companies auditing their backend technology and (in the fourth paragraph) were starting to have companies audit their apps, too.
lastweakness@lemmy.world 4 months ago
Nearly all of Proton’s stuff uses publicly verifiable client side encryption, so idk what all this is about
Excrubulent@slrpnk.net 4 months ago
It’s about the server-side code. If that’s not an issue then someone needs to make the argument, not throw up smokescreens about the apps and frontend code.
You’re right that the encryption needs to be verifiable on the client side, but then why not share the server side code?
I mean if they did, anyone could theoretically spin up an instance, which would be good, actually.
lastweakness@lemmy.world 4 months ago
Good for us. Bad for business. I explained this in another comment too but Proton’s idea of “open source” is simply to build trust in the security and privacy offered by the service. At least, as much as you can trust any SaaS.
And to answer this… Well, business and practicality… One more than the other ofc unfortunately… Why would they take on the additional burden of making it self-hostable, make the backend fully open source, etc just to make competition for themselves? And that maintenance burden is huge btw, especially when the backend was probably never intended for self-hosting in the first place.
If Proton, as a company or foundation, didn’t keep making the right decisions in terms of privacy and security, we might have had a reason to doubt their backend. But so far, there’s been nothing. And steps like turning to a foundation-based model just inspires more trust. By using client-side encryption, even within the browser, they’re trying to eliminate the need for trusting the closed source backend. Open sourcing the backend wouldn’t improve trust in the service itself anyway since you can’t verify that the code running in the backend is the same as the open sourced code. If you’re concerned about data, they also offer exports in open formats for every service they offer.
Why wouldn’t you trust them just because their backend is closed source? Ideologically, yeah I’d like them to open source absolutely everything. But as a service, whose income source is exclusively the service itself, how can it make sense for them to open source the backend when it cannot tangibly benefit their model of trust?
My other comment regarding proton and trust: lemmy.world/comment/11003650