• John Richard@lemmy.world
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    123
    ·
    6 months ago

    No they’re not. They can’t even finish a single solution, let alone actually make anything functional when you’re not using their proprietary servers. They’re becoming Microsoft.

    • micka190@lemmy.world
      link
      fedilink
      English
      arrow-up
      60
      arrow-down
      8
      ·
      6 months ago

      They can’t finish a single solution

      Gee, it’s almost as if that’s the whole point of an ever-evolving SaaS platform.

      • John Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        30
        ·
        6 months ago

        A SaaS solution that claims to be private but won’t provide the backend code to prove it. You don’t find it at all suspicious that they claim releasing backend code would make it less secure? What kind of security product is not open for inspection? The same kind of “security” you get from Microsoft.

        • Gestrid@lemmy.ca
          link
          fedilink
          English
          arrow-up
          13
          arrow-down
          2
          ·
          6 months ago

          I imagine it probably is inspected, just not by the public. They probably do it themselves.

          And they may have contracts with certain companies specializing in this sort of security that also inspect it.

          And there’s also the cybersecurity companies that test it whether they’re contracted or not. At some companies, their entire job revolves around finding bugs (especially security bugs) in other companies’ software.

          Just because it’s not on GitHub doesn’t mean it’s not a good product that hasn’t been thoroughly tested.

          • Excrubulent@slrpnk.net
            link
            fedilink
            English
            arrow-up
            14
            arrow-down
            2
            ·
            6 months ago

            Surely we’re not gullible enough to accept “we inspected ourselves and determined we are secure and you should use our services”?

            • Gestrid@lemmy.ca
              link
              fedilink
              English
              arrow-up
              3
              ·
              6 months ago

              That’s where the second and third paragraphs come in. Because other companies likely test it themselves, too.

              They’ll typically report security bugs privately and then, after X amount of months, publicly announce the bug. Doing it this way will, ideally, force the other company to patch the bug prior to the announcement. If not, they’ll end up with a publicly known security bug that bad actors can now exploit. The announcement will also let the public (including companies) know to update their software.

              • Excrubulent@slrpnk.net
                link
                fedilink
                English
                arrow-up
                1
                ·
                6 months ago

                Yes, and those other paragraphs are the same thing other proprietary companies do. Your opening paragraph is just absurd on the face of it because “inspected” does not mean “by themselves”.

                The second paragraph is literally speculation about something that might happen.

                The third paragraph is about bug bounties, which every major software company does and which does not involve code inspection.

                You just smokescreened and talked around the fact that your opening statement “it probably is inspected” is entirely unverifiable and non-credible even if true. I guess since you started that sentence with “I imagine” then it is technically true. You did imagine that.

                • Gestrid@lemmy.ca
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  edit-2
                  6 months ago

                  I admittedly should’ve done more research before my first comment, but it does actually turn out that everything I said is true. Proton’s technology was previously audited by Mozilla and is currently audited by SEC Consult and other companies regularly, and the audits are available for everyone to view. Additionally, they do have a bug bounty program. Also (and this is something I didn’t mention), the ProtonVPN and Proton Mail apps are all open source.

                  • Excrubulent@slrpnk.net
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    6 months ago

                    Is that the backend code? It seems like they’re talking about the apps, not backend code. The thing being discussed here is backend code.

          • John Richard@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            9
            ·
            6 months ago

            You realize that Microsoft code is inspected as well, even more heavily and regulated… and yet they still end up with major breaches. Security evolves through open source collaboration and inspection by experts that aren’t being paid to say you’re doing a good job.

            • sunzu@kbin.run
              link
              fedilink
              arrow-up
              1
              ·
              6 months ago

              You are making a lot good points… But is there any other practical solution?

              Seems this is the best a normie on budget can get

              • lastweakness@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                ·
                6 months ago

                They’re not actually good points at all… Proton’s open sourcing of the clients is for the purpose of trust in terms of security and privacy. The backend doesn’t matter because the point is that the data is encrypted before it ever gets to the backend. The goal with Proton’s open sourcing is not the ability to make it self-hostable. Sure, a lot of concerns are valid, but this isn’t like Microsoft or Google. Nearly all of Proton is verifiably and provably secure. Well, at least as long as you trust the web clients being served are the ones whose code is publicly available. But again… You can’t verify that with any SaaS. Such a risk is even present with self-hosting tbh. But that’s another discussion.

        • micka190@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          6 months ago

          You don’t find it at all suspicious that they claim releasing backend code would make it less secure? What kind of security product is not open for inspection?

          No, because Proton has 3rd party audits all the time and they share the results openly.

          • John Richard@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            4
            ·
            6 months ago

            Microsoft has third party audits all the time and say they’re secure, and then you learn of new backdoors every 6 months. Audit companies are unreliable and paid to give good feedback while doing the least work possible.

        • deezbutts@lemm.ee
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          3
          ·
          6 months ago

          Yeah because enterprises primarily use a ton of open source security tools…

          ಠ_ಠ

          • John Richard@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            arrow-down
            3
            ·
            6 months ago

            Enterprises are using a plethora of open source tools at this point. They may still utilize closed source solutions, but they definitely have quite a bit of open source solutions tied in.

      • slooopy_potatoe@lemm.ee
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        38
        ·
        6 months ago

        Releasing unfinished products and expect users to just make do while they launch the next product can’t be the solution either.

        • micka190@lemmy.world
          link
          fedilink
          English
          arrow-up
          44
          arrow-down
          3
          ·
          6 months ago

          Then it’s a good thing all of their products are fully functional and working as advertised, I guess.

            • naught101@lemmy.world
              link
              fedilink
              English
              arrow-up
              20
              arrow-down
              1
              ·
              6 months ago

              Which bits are not functional? I’m using their email and calendar… they aren’t completely polished, but they’re very usable.

              • slooopy_potatoe@lemm.ee
                link
                fedilink
                English
                arrow-up
                17
                arrow-down
                2
                ·
                6 months ago

                Drive has no Linux client, Photos is extremely barebones and locks you basically in, as there is no export function.

                Pass still has no proper SimpleLogin integration, no credit card support and UX wise is the browser extension pretty bad. Funny enough, years after launch you still can’t auto fill on Reddit.

                The only thing I don’t like about Mail is that you still have to create reverse aliases through SimpleLogin. Better integration would be great.

                Contacts still don’t sync to you local mobile contacts. Which means you either do it manually or you have to keep two sets updated.

                Calendar is good too, I’ve heard it has no offline support though. Although I haven’t verified that.

                Last thing I would like to see is notification support without Play Services.

                Some of those things might be super unimportant to some, but for me it makes the use of their stuff unnecessary cumbersome. Especially if you consider that those are all Proton products and should work together well.

                My by far biggest problem is their communication and general development speed though. Stuff like contact sync has been requested for 5(?) years now but there hasn’t been so much as a “we’re working on it”.

                It feels to me they come out with new products all the time, like the document editor now, without addressing the little things that would make their ecosystem great.

                Anyway, long ramble. But I appreciate that you asked for more details without insulting me.

                • matt1126@feddit.uk
                  link
                  fedilink
                  English
                  arrow-up
                  8
                  ·
                  6 months ago

                  These are some excellent points, thank you for sharing rather than just giving a blanket “they bad” statement.

                  I believe Pass has integrated SimpleMail now, you can create aliases which forward to your email without setting up reverse aliases.

                  You can also add credit cards to Pass now, this was actually one of the things keeping me on Bitwarden for ages.

                  Can’t say that their communication has improved though, all I can find on contact sync is that “Soon you’ll be able to sync the contacts in your proton mail app to the default contact app on your mobile device” so if poor communication is your biggest problem then I can’t fault you for avoiding them.

                • nieminen@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  edit-2
                  6 months ago

                  Drive has no Linux client,

                  I’m actually pretty sure they have one. I was doing a lot of exploring the last 2 days to make sure it was worth it to me to spend money on. And I landed on a downloads page on my Linux desktop that had a download link for drive for fedora, or debian. I can’t find it on mobile (where I am now), but I’ll look later on my PC and see if I can link it.

                  Was wrong, not sure what I found. Must have been the vpn or mail app.

                  Photos is extremely barebones and locks you basically in, as there is no export function

                  Interesting, thanks for the heads up. Hopefully it gets better later on, but for the moment I’m glad I made my own solution using a NAS, and a sync client.

                  Contacts still don’t sync

                  This was one of my first concerns, I’m also annoyed by it.

                  Additionally, I was hoping their big “docs update” would also include spreadsheets, but hopefully soon.

                • sunzu@kbin.run
                  link
                  fedilink
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  6 months ago

                  Community has been begging for contacts for years…

                  It is getting tiring

                • naught101@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  6 months ago

                  That’s a good list. Certainly a public feature/bug tracker would be nice. But those are pretty rare for corporate software…

              • The Liver@lemm.ee
                link
                fedilink
                English
                arrow-up
                10
                ·
                6 months ago

                Whatever, dude. They’re most probably not a native English speaker, and even if they are, a spelling error doesn’t make them an “idiot”. You’re being a complete dick.

    • Jin@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      6 months ago

      All Their services are online based right? I don’t understand why using their proprietary servers is an argument here.

      • claudiop@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        5
        ·
        6 months ago

        So, if you want to have any sense of a service respecting you, it should be hosted on a server you can control?

        No difference at all between the server of the world’s biggest advertiser and a server by a company that opens itself for audits and is in a country whole laws require no bullshit? Are you sure those two are the same? All or nothing?

      • John Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        17
        ·
        6 months ago

        Because their primary audience is those gullible enough to believe they somehow can’t read your messages, yet they can easily capture your private password.

        • Excrubulent@slrpnk.net
          link
          fedilink
          English
          arrow-up
          12
          ·
          edit-2
          6 months ago

          It is entirely possible to keep secure data on a server that only someone else with the password can access. They don’t store your password in plaintext, they don’t test whether what you typed is the same thing they keep on their servers. If the password works to decrypt your data then your client can read the emails. If not, your client gets gibberish and knows your password was wrong. With a secure system your password should never be sent to the server at all.

          Now, that doesn’t mean it’s trustworthy. There could be holes in the security, and I certainly would feel better controlling my own server, but it’s not automatically insecure just because it’s hosted by them.