
>model prevents any attacker who gains access to one of our servers from...

If an attacker gains access to your server, they can just inject JavaScript to gain access to whatever they want on the client's browser. I'm a big fan of Proton* products, and pay for a variety of their services.

However, I can't really get behind this method of data storage. But, it is the best option I've seen for centralized file storage. Syncthing is what I currently use for distributed storage, and I share encrypted files over that. Anyone have a better idea?




Keybase has KBFS, which is incredibly well thought through, but sadly their acquisition by Zoom spells bad things for the platform...


I'm already suffering withdrawal even with no shutdown announcement by Keybase. There just isn't anything as easy and comprehensive out there.

I don't use all Keybase features actively (wallet, looking at you) but the small use I make of everything else warrants me saying I wished they had a paying tier before they sold themselves.


ProtonDrive, like other Proton products, will also have native apps, which don't use JS at all.


How many people are going to be using data storage through a web browser and not as a phone app or desktop background service?


ProtonDrive will launch as a web app first, but desktop and mobile apps will follow.


What if the phone app or the desktop uses JavaScript or a web view with JavaScript (and in the case of a desktop, it could even be an Electron app)?


> If an attacker gains access to your server, they can just inject JavaScript to gain access to whatever they want on the client's browser.

That's a little complicated, right, and out of the threat model of normal users, no?

They mean to say if someone hacks into the server and just copies the data, they will just have random nonsense.

For the JavaScript thing to work, you need to log in after the server is compromised. And if they haven't realised their server is compromised by then, you shouldn't use them.


A few things: I think the "average" proton user is super technical and cares about this thing, or they wouldn't use it in the first place.

The threat model is likely law enforcement - they can "compromise" a server legally and restrict owners from notifying people, and have done so many times in the past.



