• John Richard@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    4 months ago

    A SaaS solution that claims to be private but won’t provide the backend code to prove it. You don’t find it at all suspicious that they claim releasing backend code would make it less secure? What kind of security product is not open for inspection? The same kind of “security” you get from Microsoft.

    • Gestrid@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      4 months ago

      I imagine it probably is inspected, just not by the public. They probably do it themselves.

      And they may have contracts with certain companies specializing in this sort of security that also inspect it.

      And there’s also the cybersecurity companies that test it whether they’re contracted or not. At some companies, their entire job revolves around finding bugs (especially security bugs) in other companies’ software.

      Just because it’s not on GitHub doesn’t mean it’s not a good product that hasn’t been thoroughly tested.

      • Excrubulent@slrpnk.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        Surely we’re not gullible enough to accept “we inspected ourselves and determined we are secure and you should use our services”?

      • John Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        You realize that Microsoft code is inspected as well, even more heavily and regulated… and yet they still end up with major breaches. Security evolves through open source collaboration and inspection by experts that aren’t being paid to say you’re doing a good job.

        • sunzu@kbin.run
          link
          fedilink
          arrow-up
          0
          ·
          4 months ago

          You are making a lot good points… But is there any other practical solution?

          Seems this is the best a normie on budget can get

          • lastweakness@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            They’re not actually good points at all… Proton’s open sourcing of the clients is for the purpose of trust in terms of security and privacy. The backend doesn’t matter because the point is that the data is encrypted before it ever gets to the backend. The goal with Proton’s open sourcing is not the ability to make it self-hostable. Sure, a lot of concerns are valid, but this isn’t like Microsoft or Google. Nearly all of Proton is verifiably and provably secure. Well, at least as long as you trust the web clients being served are the ones whose code is publicly available. But again… You can’t verify that with any SaaS. Such a risk is even present with self-hosting tbh. But that’s another discussion.

    • deezbutts@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      4 months ago

      Yeah because enterprises primarily use a ton of open source security tools…

      ಠ_ಠ

      • John Richard@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        Enterprises are using a plethora of open source tools at this point. They may still utilize closed source solutions, but they definitely have quite a bit of open source solutions tied in.