Ente completes CERN sponsored audit

Ente, specifically the server side - both code, and infrastructure on which it runs - was audited by a team of 5 researchers from the German cybersecurity firm Cure53 over a period of 2 weeks as part of a CERN sponsored audit. No data integrity issues were found, and 12 of the 15 security related issues were fixed by the Ente team during the audit itself.

The audit covered all the apps - Photos, Auth, and the upcoming Locker - since the same code and infrastructure powers the entire platform. You can read Cure53’s summary here (and the full report here). All changes are already in the latest Docker image.

14 Likes

Fantastic news!

1 Like

What exactly is Ente Locker and when will it be available?

From what I’ve seen from the code, it’s basically an Ente Drive. Correct me if I’m wrong though.

Locker will be a simple app, separate from Photos, that will let you store and organize your files.[1]

Not a fully-fledged Drive, but something that is fine tuned for the few important documents in your life.[1:1]

(The comment is 2 years old, though.)


  1. Ente Locker : enteio

2 Likes

This is great. Ente is one of the apps I wanted to self host but don’t because I want to keep giving them money.

1 Like

Apps were out of scope, which is a pity.

I would still advise against using Ente Auth (at least on Linux) until there is a proper audit of their flatpak / AppImage.

There were some fairly major vulnerabilities found. Most of them are fixed, but I hope they will learn from this and engage a security expert to review things in the future. Any system has vulnerabilities, but taking preemptive steps is the best.

This is exactly what they did. You can’t find out about security problems without a thorough code audit, best even from security researchers.

One could say “do the audit before production”, but that is not as effective, since a good portion of the code and logic can only be figured out when live testing / in production.

Some things like the cloudflare-based IP detection in their open-source stack read like they didn’t do enough thinking to potential attack vectors. For the future, they might want to draw a security model for their architecture.

It sounds like you are quite knowledgeable on this topic and that the audit discovered Vs that could have easily been discovered at first. Might be the case; I’m just stating that security audits are in fact part of profilaxis.

Also, it’s not the first one they did.

I really am not, I just read the Cure report.

profilaxis?


Ente just sent out a mass email about this, and isn’t it pretty disingenuous?

“CERN has been a heavy user of Ente, and they volunteered to sponsor an audit of Ente. The audit was conducted by 5 researchers from the German cybersecurity firm Cure53 over a period of two weeks. Ente passed with flying colors”

How are 15 security incidents considered passing with flying colors? Maybe I’m looking too much into it.

4 Likes

You are also misrepresenting all facts (by omission). The blog post linked in the email also said:

12 of the 15 security related issues were fixed by the Ente team during the audit itself.

And

All changes are already in the latest Docker image.

The Cure53 report also stated:

This security evaluation of the Ente platform resulted in the identification of fifteen total security pitfalls, comprising ten confirmed vulnerabilities and five general weaknesses. The scope of the findings ranged from substantial flaws such as SSRF and XSS, to lower impact implementation concerns within authentication mechanisms. The Ente team exhibited a high degree of security awareness and responsive remediation capabilities, successfully fixing twelve of the fifteen issues, including all Critical- and High-severity issues prior to the finalization of this report.

–

How do you not evaluate the aforementioned info a success? Perhaps you should revisit your thresholds for evaluating security related info. It may be objectively skewed.

5 Likes