This is great because it stops giving users to services which don't respect privacy. If you don't know CryptPad, which provides forms but also many editors including Office with end-to-end encryption, try it at https://cryptpad.fr
True. Now for "first value" we have "create a pad in one click to work with your friends", also 1gb data for free.
There is Google Takeout + Folder import to do mass imports.
There is work possible to improve but also through the browser it's tricky to make large volume imports reliable. Best path is an API which would also allow backup tools and down the line local syncing.
We never pretended the drive has local syncing. The drive is extremely useful for people to organize their documents inside CryptPad.
It is possible to create folders with any file types in it. Shared folders can also be created.
The workflow you describe with Syncthing involves local syncing.
We are not saying that syncing locally is not interesting. It's just a lot more work on top of the editor work, the online sharing, the e2ee, etc. We work with the capacity we have. Also as I said, syncing opens the door to version compatibility issues, risks of mistakenly deleting data of your drive and high volume just for storage. This means for our hosting service (cryptpad.fr) management of much higher volumes. We are not even sure the 1gb free storage policy is sustainable for that use case. But we are working on a path towards this as we have plans for a CryptPad API.
Your last paragraph is quite insulting to the work we do, suggesting intention to trap people? Did I read this right?
I'm not really sure I want to continue the conversation unless you retract this. Our team is working hard on many fronts and does not deserve to be treated like that.
If you believe it's critical that the "link situation" be resolved, where is the pull request, or even the specification of the necessary change?
I think the work you've done with Cryptpad, while impressive on many levels and, I'm assuming, motivated by a desire to make secure document collaboration more accessible, is actually putting people at increased risk due to how bad this issue with the share URLs is.
I attempted to disclose the issue responsibly (in other words, not as a GitHub issue), and urged you to make passwords mandatory for documents, or at least default with a prominent warning displayed for users foregoing the password. The response I received indicated that Cryptpad didn't consider this to be a vulnerability, but that you'd welcome changes to improve documentation.
You asked where my PR was: I gladly would submit one if I didn't expect it to be closed based on the response I had received prior, but I don't think documentation changes would cut it.
I wasn't intending to make this personal and I definitely wasn't saying that you (or your team's) motivations were unambiguously malicious or deceptive. My last paragraph was perhaps overly dramatic, but my impression is that Cryptpad positions itself as a general-purpose e2ee document collaboration suite, and one of the use cases I associate with that positioning, one of the less strict ones if I'm honest, would be something like:
> empower laypeople to collaborate on documents with reasonable confidence that nation-state actors won't be able to passively surveil those documents.
which is a much softer use case to satisfy than, say, providing halfway-decent protection from active, targeted surveillance (the space I believe Signal to be in, and also the space I'd love Cryptpad to be in)
So if those aren't among the kinds of things y'all think about when designing Cryptpad, then I'd appreciate if you made your overall project goals and use cases more explicit. Of course there are other valid reasons to desire document security, they're just not ones I tend to spend as much time thinking about.
Disclaimer: I'm the CEO of the company doing CryptPad.
The problem I have is that you say the word "vulnerability" for CryptPad when we never promised to protect you from a badly configured computer.
If there is a vulnerability, it's unsecured browser syncing which would be exposing your browsing history to Google. Google Docs has anonymous links which are in that history too.
BTW I could not find any info about browser companies exposing the synced browser history. As far as I know it's encrypted on Chrome and Firefox. But maybe I'm wrong as I believe if people want to be sure why would they use browser sync?
Note that in addition to passwords there are also Access configs where the server can block access to documents to specific users. This is an additional security which mitigates the issue of links that would be opened on a bad browser. Sharing links through CryptPad is also the recommended way to never have URLs opened by your browser.
When I mentioned PR, you could also fork and run your server with higher security settings.
If a team does not respond to your vision, you can indeed bitch about that team, or you can come and give more proof of your vision. Documentation also helps? Why not document that browser syncing would be risky for activists?
So take this as a call to be constructive. Make a GitHub issue and propose something that helps. Maybe indeed add a message and a link to more documentation about good and bad ways to use shared links.
About "> empower laypeople to collaborate on documents with reasonable confidence that nation-state actors won't be able to passively surveil those documents", did you read our white paper?
Seems like Microsoft and Google employees have joined the room.
They might as well complain that CryptPad isn't secure because it is connected to electricity all the time. They'll never be satisfied, fortunately they are also relatively easy to spot.
Unfortunately, most users don't know how to set up the tools you are talking about. Additionally they end up having to share some document at some point or another. They end up with browser based tools and a shared server. Google most of the time for individuals. Most users want their data in one place for all use cases.
Network effects make it so that only tools that allow you to invite anybody to your document (guests without accounts included) end up gaining traction. Desktop apps might be able to achieve this using some web proxy so who knows, it might change in the future.
Our goal at CryptPad is to make it familiar for them to move from Google while having e2ee here to protect their privacy, which also gives them a reason to switch.
The more people can get out, to any open alternative, the more alternatives can then decide to fight each other.
In the meantime, we should not try too much to get the rest of the world on our own workflow, just let all the different approaches strive.
BTW maybe CryptPad's API ( https://github.com/cryptpad/cryptpad-api-examples ) could help you solve the case where you do need to edit a document collaboratively from your computer. Would you be interested in a tool allowing to create a session for editing with CryptPad allowing to sync back changes or save the end result back to your computer ?
Thanks. Isn't vouching for other online instances a bit risky? Wouldn't you have to constantly verify the source is unmodified in an automated fashion for those instances you don't control?
We hope to be able to give an API in the future but there are a few concerns to allow sync tools to operate:
- server load and volume of data when syncing large volumes of data, especially for our flagship instance. CryptPad is currently used for realtime editing not for large data sync. We already host 6TB of data and it's unclear where that would lead us.
- version compatibility with apps not upgraded to the latest version of the API
These are similar reasons that kept us away from federation.
Our team is small and already has a lot of work. Hiring is limited by our funding.
I feel you, but Drive is borderline useless and I can't sell any potential users on "you put all your data here but documents go there (but it still looks like you could put other stuff here but that's an illusion) unless you manually export them and then everything gets weird" - I'll count myself lucky if I can finish the sentence before they renew their existing cloud service.
Drive might be 'useless' to you in its form because you want more from CryptPad (more features in it, more local sync, more anything), but it is very useful to organize your docs that you work on in CryptPad. It also allows shared folders and so on.
What's interesting is that surveying our users did not show local sync as hugely demanded. Mobile access comes up the highest.
Just sharing in case it's helpful to you. For someone like me, a feature rich API that can do nearly anything the UI can do is a major selling point and something that gets me to open my wallet. I am no doubt a niche case, but figured I'd share for what it's worth.
We do believe having an API is valuable and a good selling point. It's also a great way to get an ecosystem to help us extend the product. Now it's also more responsibility to maintain compatibility. We want to be able to continue to upgrade services (in particular cryptpad.fr). Apps using the API would need to continue to function or by security be locked out. This is a lot more work for the small team.