
Every time I read about Proton I remember about that time CIA/BND created a fake crypto company in Switzerland because the country was perceived as neutral and used it to sell backdoored crypto equipment.

https://en.wikipedia.org/wiki/Crypto_AG

As a rule, never depend on only one company for all your opsec. Use different companies for your mail/VPN/password manager/antivirus/...



Crypto AG wasn't a fake crypto company; it was a real crypto company selling a product with a CIA/BND backdoor.

Proton makes open-source alternatives to big tech spyware and provides the service with a freemium model. Not sure what the comparison you're trying to make here is; they're both headquartered in Switzerland?


> Proton makes open-source alternatives to big tech spyware

Can you link to the open-source repository for this password manager?


>Like all Proton services, Proton Pass will be open source upon release.

https://proton.me/blog/proton-pass-security-model

So the beta isn't free software, but the release will be? I don't understand why you'd do that; surely the beta is when you most want people to try and break things. But the rest of their products do seem to be in their repos, so it doesn't seem like a completely bullshit claim. https://github.com/ProtonMail


Unless something has changed, Proton's "open source" doesn't include the servers themselves, only the clients.

Whereas if you really wanted an open source server-based password manager, you could use VaultWarden with BitWarden clients, or one of countless other options. At this point, people are spoiled for choice.


I don't understand.

How does releasing an open-source version prove their production code doesn't have a backdoor in it?


It depends on what kind of software you need to assess. In the case of client side encryption, which is the market in which Proton positions itself, you can verify the security of the implementation by just looking at the client-side code.

If for some reason you end up needing to read the server-side code, then it would technically mean that client-side encryption has failed and does not deliver the necessary assurance.

If you think about it in terms of threat model, we are operating on the assumption that the provider may be malicious, or compromised. There is no context in which reviewing the source code of the server-side component would help us, because the provider would always be able to modify the source code, whether we read it or not.

On the other hand, if Proton reveals the server-side part of the service, it would likely reveal nothing in terms of your security as a customer, but it would reveal a lot of proprietary information that could help wannabe competitors.


There is not much you can do on the client-side either unless everybody is prepared to do a code-audit on every device after every update.
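The two comments above (the threat-model argument that only the client code matters under client-side encryption, and the reply that a client update can still betray you) can be shown concretely. The following is an added example and not code from Proton or from any password manager; the cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 so it runs with the standard library alone (a real client would use AES-GCM or XChaCha20-Poly1305), and the "diagnostics" field, the salt, the PBKDF2 iteration count and the sample vault entry are all invented for the demonstration.

```python
"""Added example: why, under client-side encryption, the client source is the
thing to audit and the server source tells you nothing about your security.

Toy authenticated cipher built from HMAC-SHA256 only (stdlib, runs offline);
not a production construction."""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000  # assumption: PBKDF2 cost chosen for the demo


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """The vault key is derived locally and is never meant to leave the client."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for the keystream and for the tag, both derived from the vault key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The server only ever receives nonce, ciphertext and tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with (tag mismatch)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def honest_client_upload(passphrase: bytes, salt: bytes, entry: dict) -> dict:
    """What an audited, honest client sends: the public salt and the encrypted vault."""
    key = derive_key(passphrase, salt)
    return {"salt": salt.hex(), "vault": encrypt(key, json.dumps(entry).encode())}


def backdoored_client_upload(passphrase: bytes, salt: bytes, entry: dict) -> dict:
    """Same wire format, but a hypothetical 'diagnostics' field smuggles out the key.

    Nothing on the server has to change for this to work, which is the point:
    only a review of the client source, or of the build you actually run,
    would catch it."""
    upload = honest_client_upload(passphrase, salt, entry)
    upload["diagnostics"] = derive_key(passphrase, salt).hex()
    return upload


def server_recover(upload: dict):
    """A malicious or compromised server tries to read the vault from what it
    actually received. Returns the plaintext entry, or None if it cannot."""
    leaked = upload.get("diagnostics")
    if leaked is None:
        return None  # salt, nonce, ciphertext, tag: nothing to decrypt with
    return json.loads(decrypt(bytes.fromhex(leaked), upload["vault"]))


if __name__ == "__main__":
    # Constructed sample input for the demo.
    salt = bytes(range(16))
    entry = {"site": "example.com", "password": "correct horse"}
    print("honest client  ->", server_recover(honest_client_upload(b"hunter2", salt, entry)))
    print("backdoored one ->", server_recover(backdoored_client_upload(b"hunter2", salt, entry)))
```

Run against the honest upload, `server_recover` gets nothing back no matter what the server's own code does; run against the backdoored client's upload, the same server reads the vault. The server implementation never appears in the example because it is irrelevant to the outcome, whereas a one-line change in the client is decisive, which is also why the reply above is right that an audit of the source is only worth something if the build on your device is the one that was audited.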


That's the thing, it doesn't. It's lip service, as is so much in the industry. It's a buzzword on the marketing materials.

Unless you compile it yourself, which in the case of the VaultWarden server (a Rust implementation of a BitWarden server) you absolutely can, you cannot be sure you can trust it.


I didn't search for the password manager, here's the full list: https://github.com/orgs/ProtonMail/repositories


Huh, I frequently see advice online that says to use VPNs based in countries that are not one of the "fourteen eyes"/"five eyes".


Switzerland is strongly associated with the EU/Western world.

The famous/traditional Swiss bank privacy was severely weakened under US pressure.


Oh yeah, I agree with you. It just raises the question, is it even possible to find security related companies that won't cave to US pressure?


Proton caves to Swiss pressure by handing over the IP of a French climate activist, so American pressure is really neither here nor there.



