
> That's not end-to-end encryption. What do I have wrong here?

Apparently, email may not be their main E2EE use case. The CEO at Skiff wrote this on the PrivacyGuides forums:

  Our solution for external sharing was not intended for email. It is much more powerful to share E2EE real-time collaborative docs/files with subpages, embedded E2EE files, and so much more.

Curiously, in the same thread, there is a mention of Trail of Bits auditing their codebase twice.

https://discuss.privacyguides.net/t/skiff-mail-email-provide...




See https://skiff.com/transparency, Trail of Bits has performed 2 audits, Cure53 1 audit, and we had an additional audit 2.5 years ago.


You haven't published the reports, scope, and full findings. We don't even know what Trail was testing. I don't think the security audit stuff matters at all, and Trail is a fine firm, but you can't use the mere existence of a pentest project this way.


Any security engineer would have a heart attack if any employee, friend, or colleague said "security audit stuff [doesn't] matter." I wouldn't use software that doesn't undergo security audits.

Also, pentest ≠ audit. Completely different!


I am a security engineer. You can go reach out to whoever managed your assessment at Trail and ask them about me by name if you like. What you're saying doesn't make sense. Maybe you could make it make sense! But you'd need to start by disclosing what the actual project scopes for each of these projects was.


It is misleading to talk about audits in this context.

Your transparency statement clearly says "Security audits". This is different from privacy audits. You cannot audit privacy, since you can intentionally change the functionality of your software right after the audit.

For the same reason, you cannot share an open-source version of your software and say that it respects privacy. That can only be said if you use reproducible builds, and for client software only.

Both security audits and sharing your software as open source are about security, not privacy. Open-source software and security audits help to reduce unintentional issues. And in this context it means a lot.


Actually, that's completely false. Security audits are a standard, reputable process for software. Trail of Bits is probably the best (or one of very few top) firms in this category. Check out: https://github.com/trailofbits


Is Trail of Bits doing random checks on your running infrastructure to verify that you are not changing your software against your users?

No. That is not what security audits are. Security audits ensure that the software does safely what you, as the service orderer, claim, at a single moment in time. Usually including a checklist.

But they cannot guarantee that you don’t change software between audits.

That is why E2EE exists, as then it does not matter and we don't need to trust.

An open-source, security-audited client for E2EE communication with reproducible builds is the magical, correct combination to ensure both security and privacy.
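
The comment above argues that a point-in-time audit says nothing about the binary a user is actually running, and that only a reproducible build lets a third party close that gap by rebuilding from the audited source and comparing digests. The following is an added illustration of that check, not code from Skiff, Trail of Bits, or anyone in this thread. The "source tree" and the archive-packing routine are constructed stand-ins for a real client build; what matters is that the reproducible variant pins every non-source input (timestamps, ownership, file order) and therefore yields a byte-identical artifact, while the default-style variant embeds a build time and a unique build id and cannot be verified by anyone else:

```python
import hashlib
import io
import secrets
import tarfile
import time

# Constructed sample "source tree" standing in for a client's build inputs.
# Path -> file contents. Not a real project.
SOURCE_TREE = {
    "app/main.js": b"console.log('hello');\n",
    "app/crypto.js": b"export const ALG = 'xchacha20-poly1305';\n",
    "README": b"sample client\n",
}


def build_archive(files, reproducible):
    """Pack files into an in-memory tar artifact.

    reproducible=True: pinned mtime/uid/gid/mode, sorted member order, and no
    build-specific metadata, so the output is byte-identical on every run and
    on every machine that has the same inputs.
    reproducible=False: mimics a default toolchain that records the build time
    and a unique build id in the artifact (hypothetical BUILD_INFO member).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        names = sorted(files) if reproducible else list(files)
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0 if reproducible else int(time.time())
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
        if not reproducible:
            stamp = f"built {time.time_ns()} id {secrets.token_hex(8)}\n".encode()
            info = tarfile.TarInfo("BUILD_INFO")
            info.size = len(stamp)
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(stamp))
    return buf.getvalue()


def digest(artifact):
    """SHA-256 of the artifact bytes, the value a vendor would publish."""
    return hashlib.sha256(artifact).hexdigest()


def verify_release(published_digest, files):
    """Independent verifier: rebuild from the (audited) source and compare.

    Returns True only if the rebuild is byte-identical to what was published.
    A vendor that silently ships a modified client, or whose build is not
    reproducible, fails this check.
    """
    return digest(build_archive(files, reproducible=True)) == published_digest


if __name__ == "__main__":
    published = digest(build_archive(SOURCE_TREE, reproducible=True))
    print("reproducible build verifies:", verify_release(published, SOURCE_TREE))

    tampered = dict(SOURCE_TREE)
    tampered["app/crypto.js"] = b"export const ALG = 'none';\n"
    print("tampered client verifies:", verify_release(published, tampered))

    unrepro = digest(build_archive(SOURCE_TREE, reproducible=False))
    print("non-reproducible build verifies:", verify_release(unrepro, SOURCE_TREE))
```

The same source tree yields the same digest every time in reproducible mode, so a user can rebuild and confirm that the artifact they downloaded is exactly what the audited source produces; any silent change to the shipped client, such as the altered crypto module above, breaks the match. In non-reproducible mode two builds of identical source never agree, so a published digest cannot be checked by anyone but the vendor, which is the situation an audit alone leaves you in.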


That's why Skiff has had 4 security audits, not just one 3 years ago. And with multiple of the best auditors.


What exactly got tested in each of these assessments, and what conclusions did those assessments draw? I asked this upthread and I'm asking here again, because "we've had 4 audits" doesn't mean anything without that detail.



