Yes, except that you are making assumptions. Officially it is a bug and a misinterpretation by the community; there is no loss of confidence to have, nothing changes, and they clarified the situation very quickly, without tongue in cheek.
This is a helpful narrative here …
Perhaps it is wishful thinking that the whole open source model can sustain itself and progress, as is pointed out here …
Agree.
I was just thinking the same thing, just stick with Bitwarden or choose something different.
Yes, life can be that simple, in a broader perspective.
I mean, it's not like there is one password manager, one woman, one job, etc.
A post was split to a new topic: Password manager (aside from Bitwarden) compatible with SimpleLogin API?
Sorry, may I ask what you mean by "sharing passwords"?
I'm trying to understand this vulnerability and how it may affect Proton Drive and Pass.
KeePassX has been unmaintained for nearly three years, so you should move to KeePassXC if you're considering proceeding with that route.
Except it's not E2EE anymore if you're sharing, genius.
If you have a file on Proton Drive, Tresorit, Mega, etc., and you create a sharing link without a password, you're basically sending the decrypted file to the server. Forget E2E, it's not even E anymore.
Well, password managers often allow you to share passwords, or even whole vaults, with family members. So you and your wife/husband/kids/etc. don't have to create multiple Netflix entries, one in each person's password manager.
If you're sharing a file with a password (from a file hosting cloud such as Proton Drive, Tresorit, Mega, etc.) it may just re-encrypt using a new private key, so I guess you can still keep it E2EE.
If you're sharing between accounts, as password managers do, you need a way to communicate keys between accounts, which seemingly involves some server mediation (see the link I posted; that's exactly the issue they found with Tresorit). That's why having an open-source app alone doesn't suffice when there's sharing involved; ideally you'll want the server code to be open source as well.
Ah, I see what you mean.
Well, from Proton's website:
If you're the vault administrator, you can share your vault key and Proton Pass will encrypt it with your recipient's address key, ensuring only they can access it.
After your intended recipient receives your encrypted vault key, they will validate its signature using your address key. This step verifies that the invitation legitimately came from you. Once the signature has been validated, Proton Pass will encrypt the vault key using your recipient's user key and store it securely.
However, I do understand what you mean; there is no way to actually verify it's doing what it says because the backend is not open source.
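The flow the quoted Proton text describes has two client-side steps: the administrator wraps the vault key to the recipient's address key and signs it, and the recipient verifies that signature before unwrapping the key and re-encrypting it under their own user key for storage. Below is an added Go sketch of that exchange, written for this thread; it is not Proton's code and does not claim to match their key formats. It assumes a simplified key model (X25519 for encryption and Ed25519 for signatures as the "address key", SHA-256 in place of a proper KDF, a 32-byte AES-GCM "user key"), and the names ShareVaultKey, AcceptInvitation and OpenStoredVaultKey are invented here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// AddressKeys stands in for one account's "address key" in this example:
// an X25519 key for encryption plus an Ed25519 key for signatures (constructed here).
type AddressKeys struct {
	enc  *ecdh.PrivateKey
	sign ed25519.PrivateKey
}

func NewAddressKeys() (*AddressKeys, error) {
	enc, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	_, sign, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &AddressKeys{enc: enc, sign: sign}, nil
}

// Public returns the halves other accounts may see: encryption and signing public keys.
func (a *AddressKeys) Public() (*ecdh.PublicKey, ed25519.PublicKey) {
	return a.enc.PublicKey(), a.sign.Public().(ed25519.PublicKey)
}

// Invitation is what a server would relay: the vault key only appears wrapped to the
// recipient, and the sender signs the whole wrapped object. EphemeralPub and Nonce have
// fixed lengths, so plain concatenation is unambiguous to sign.
type Invitation struct {
	EphemeralPub, Nonce, Ciphertext, Signature []byte
}

func (inv *Invitation) signedBytes() []byte {
	return bytes.Join([][]byte{inv.EphemeralPub, inv.Nonce, inv.Ciphertext}, nil)
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// deriveWrapKey turns the X25519 shared secret into a 256-bit AES key bound to both
// public keys. SHA-256 keeps the example stdlib-only; production code would use HKDF.
func deriveWrapKey(shared, ephPub, recipientPub []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte("example-vault-key-wrap"), shared, ephPub, recipientPub}, nil))
	return sum[:]
}

// ShareVaultKey is the administrator side: wrap vaultKey to the recipient's
// address (encryption) key and sign the result with the administrator's address key.
func ShareVaultKey(admin *AddressKeys, toEnc *ecdh.PublicKey, vaultKey []byte) (*Invitation, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(toEnc)
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	aead, err := aeadFor(deriveWrapKey(shared, ephPub, toEnc.Bytes()))
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	inv := &Invitation{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, vaultKey, ephPub)}
	inv.Signature = ed25519.Sign(admin.sign, inv.signedBytes())
	return inv, nil
}

// AcceptInvitation is the recipient side: check the sender's signature first, and only
// then unwrap the vault key and re-encrypt it under the recipient's own user key for
// storage. The returned blob is nonce || AES-GCM ciphertext; userKey must be 32 bytes.
func AcceptInvitation(me *AddressKeys, fromSign ed25519.PublicKey, inv *Invitation, userKey []byte) ([]byte, error) {
	if !ed25519.Verify(fromSign, inv.signedBytes(), inv.Signature) {
		return nil, errors.New("invitation is not signed by the claimed sender")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(inv.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := me.enc.ECDH(ephPub)
	if err != nil { return nil, err }
	aead, err := aeadFor(deriveWrapKey(shared, inv.EphemeralPub, me.enc.PublicKey().Bytes()))
	if err != nil { return nil, err }
	vaultKey, err := aead.Open(nil, inv.Nonce, inv.Ciphertext, inv.EphemeralPub)
	if err != nil { return nil, errors.New("vault key unwrap failed") }
	local, err := aeadFor(userKey)
	if err != nil { return nil, err }
	nonce := make([]byte, local.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return local.Seal(nonce, nonce, vaultKey, nil), nil
}

// OpenStoredVaultKey recovers the vault key from the blob AcceptInvitation stored.
func OpenStoredVaultKey(userKey, stored []byte) ([]byte, error) {
	local, err := aeadFor(userKey)
	if err != nil { return nil, err }
	ns := local.NonceSize()
	if len(stored) < ns { return nil, errors.New("stored blob too short") }
	return local.Open(nil, stored[:ns], stored[ns:], nil)
}
```

In this model the relaying server only ever sees the wrapped key and the signature, never the vault key itself. What a reviewer of the client source (or an auditor) would look for is exactly the ordering in AcceptInvitation: the signature is checked against the sender's address key before the wrapped key is touched, an invitation signed by anyone else or altered in transit is rejected, and the unwrapped vault key is re-encrypted locally rather than handed back to the server.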
That's interesting. By that description it might actually be possible for it all to be done in the clients. It would be cool if someone could go through the code and pay special attention to that part.
I'm pretty sure that's not how it works. The file is still encrypted on the server. But the sharing link you create contains a key to decrypt the file. As long as you share the link in a secure manner, then nothing is exposed.
I believe that's what security audits are for, which Proton Pass has had.
Tell PG to drop all their "open source" requirement for recommendations, then, since audits are all we need.