Proton Pass is #opensource and has now passed an independent #security audit: https://proton.me/blog/pass-open-source-security-audit.

All fields and metadata in Pass are secured by #e2e encryption, so you can rest assured that no one, not even Proton, can access your information.

Proton Pass’s code has been made open source and passed an audit carried out by the security experts at Cure53.

@protonmail can you have individual vaults sync to specific devices or is it an all or nothing?
@breadandwater Vaults sync between all of your devices where you have Proton Pass installed.
@protonmail can I configure it not to sync personal vaults to my work laptop? (Device specific/control)
@breadandwater Hi! This is not possible at this time, however, we'll share your feedback internally so our team can consider implementing such functionality.
@protonmail and with that I may start testing to migrate from @keepassxc as I’ve been debating a hosted solution and yes I know there is @bitwarden too but I’ve already used it and am familiar
@chiefgyk3d @protonmail @keepassxc @bitwarden have you tried Passbolt?
@vSwingy I'm going to have to play with that
@chiefgyk3d just looked a bit into it and seems like the guys at proton have no short term plans to propose a self hosted solution. I have a passbolt server running for my own needs, and I can recommend it, has all the autofill/iOS/browser extensions and you control your security :) Anyway, still remarkable job by the guys at proton and hope this can bring opensource trusted and reliable vault and identity management solutions to the masses! Better security for everyone! 👏
@vSwingy that's not really an issue for me, I was wanting to find a managed host for myself. I'm at the point right now I am so busy it's hard to maintain my own infrastructure so I pay for convenience when possible. So it was either @bitwarden or similar for myself since they have hosted options. I just am already so familiar with Bitwarden I wanted to see what else is out there. I will work on my new password vault when I audit my accounts and rotate the keys again quite soon
@protonmail Congrats on the launch and audit! One thing that is keeping me from switching is the lack of CLI. When can we expect one? When a desktop app becomes available, will we be able to expect good system integration like 1Password has?

@tristan957 What do you have in mind by 'good system integration'?

We'll also share your feedback about a CLI with the team, but we don't have a timeline for this feature at the moment.

@protonmail https://developer.1password.com/docs/cli/app-integration/#turn-on-the-app-integration-and-sign-in-to-your-account is what I'm talking about. I use my password manager for storing app passwords for my email accounts for use in my terminal email client. I couldn't make the switch without the CLI.
With the 1Password app integration turned on, you can sign in to 1Password CLI with the accounts you've added to the 1Password desktop app. Then you can authenticate your accounts in the same way you unlock your device, like with your fingerprint, face, Apple Watch, Windows Hello PIN, or device user password.

@gutocarvalho I'm a bit wary of these Proton things that are "open source". I opened the link here and there are only the mobile apps, where's the backend?
@protonmail Hmm. The repos are available to the public for viewing but contributions are not taken. Interesting!
@protonmail Which does bring up an interesting debate about open source. The originating author's branch is generally used en masse rather than any forks. Many times decisions are made which the majority disagree with, but moving away from the originator has lots of friction.
@tobeygoodwin @protonmail
You could fork, but I expect that digging in to user supplied pulls to vet them would probably be a bigger lift than they could reasonably do.
@Netux It's free code, like having another dev on the team. All PRs should be reviewed anyhow. Now discrepancies on design decisions are another thing.
@tobeygoodwin
I don't trust my ability to spot malicious code by state actors in anything much more complex than hello world.
Having the devs being people you trust vs having to look for that level of malevolence seems like a reasonable precaution.
@Netux Eh, I think it is quite doable. Many projects do this already. Although it is an important weight to consider.
@protonmail will you be offering API support at least through the Proton Bridge? I'd love to maybe some day make a native #gnome client for proton pass

@protonmail Awesome, and great protocol to also publish the report by @cure53 , I know they're awesome people! :)

This makes you a serious contender to 1Password IMHO who also publish their reports but don't publish the source code. There's also Bitwarden which is also audited and open source of course.

This leads me to the questions:

1. Do you plan on open sourcing the server and supporting self-hosting?
2. What's the support of passkeys?
3. Is in-depth integration into the OS planned, e.g., through Linux SecretService API and/or Wayland protocols (input-methods and text-input AFAIK)?

@ljrk @cure53 Hi!
1. This is something we may consider later, but right now it's not on the roadmap. We'd like to focus first on bringing privacy & security to users who are less tech savvy & therefore need more help to stay safe online.
2. Passkey is indeed something that is on our roadmap, but not prioritized because it will take some time before it gains widespread adoption, so passwords will stay around for some time.
3. This is not currently on our roadmap.

@protonmail @cure53 Thank you for taking the time and answering my questions! W.r.t. (1) I do hope that this can be solved soon-ish, as it should IMHO be mostly a legal thing which shouldn't eat the development resources. It just helps build trust and hopefully even improves the product for less technical people!

Passkeys are definitely in the same vein something that hopefully helps a lot of non-tech users but it's crucial for adoption that everyone is pulling on the same rope. Apple is there, Google is coming and 1P and Bitwarden already have it in the pipeline as well, it'd be a bummer if it would be held back for Proton users!

Linux universal autofill is quite complicated (similar to Windows autofill) unfortunately but it hopefully is getting better with some Wayland protocols being in the works... but there's a lot of questions that need to be resolved :'-)

@ljrk @cure53 Thank you very much for your feedback! We'll pass it on internally.
@protonmail do you have any plan to come up with a desktop app like bitwarden?
@tasinone Hi! Yes, desktop apps are planned for this year. However, we cannot share a specific date at this time.

@protonmail Hi! Could you please help me by clarifying exactly how this Proton Pass differs from e.g. KeePassXC synced over Syncthing, apart from the additional cost for Proton Pass?
From what I can see, it seems to only be the e-mail address auto-generation, but since I have a private DNS-domain, with catch-all e-mail, that does not apply for me.

I have several times now gone through the details of Proton Pass thinking you must have launched it for some good reason because that's my experience with your projects so far, but I don't see it for this one.
Thank you!

@b9AcE There are multiple differences. For example, Proton Pass allows you to easily create unique alias email addresses upon signups, and it has an integrated 2FA authenticator: https://proton.me/pass.

However, at the end of the day, it all depends on your use case. We recommend that you check out our Reddit community (r/ProtonPass) to read other users' experiences and see whether Proton Pass fits your particular needs.

@protonmail
KeePassXC also has integrated 2FA and as I described the e-mail address auto-generation does not benefit me, so it seems to me the answer is none, in my use case.
Everything can't be for everyone. ;-)

Thanks for the reply and clarification!