Proton Pass is #opensource and has now passed an independent #security audit: https://proton.me/blog/pass-open-source-security-audit.

All fields and metadata in Pass are secured by #e2e encryption, so you can rest assured that no one, not even Proton, can access your information.

Proton Pass is open source and audited for security | Proton

Proton Pass’s code has been made open source and passed an audit carried out by the security experts at Cure53.

@protonmail Hmm. The repos are available to the public for viewing but contributions are not taken. Interesting!
@protonmail Which does bring up an interesting debate about open source. The originating author's branch is generally used en masse rather than any forks. Many a time decisions are made which the majority disagree with, but moving away from the originator has lots of friction.
@tobeygoodwin @protonmail
You could fork, but I expect that digging into user-supplied pulls to vet them would probably be a bigger lift than they could reasonably do.
@Netux It's free code, like having another dev on the team. All PRs should be reviewed anyhow. Now discrepancies on design decisions are another thing.
@tobeygoodwin
I don't trust my ability to spot malicious code by state actors in anything much more complex than hello world.
Having the devs being people you trust vs having to look for that level of malevolence seems like a reasonable precaution.
@Netux Eh, I think it is quite doable. Many projects do this already. Although it is an important weight to consider.