The inner circle so to speak

  • Hot Saucerman@lemmy.ml
    ·
    1 year ago

    The thing is, ownership of any of these can change at any time. Bitwarden, Mullvad, and Tutanota could be sold to very different owners.

    That is up to and including something like uBlock Origin, which only has one developer, and would suddenly be very different if that developer died and the project had to be forked.

    You can never trust that the person who takes on the reins has the same ideals as the people running them now.

    Hell, Mullvad was abused to the point they removed access to Port Forwarding on their VPN service, which has led to many people needing to switch to crummier, shadier VPNs that still offer port forwarding access. That's not Mullvad's fault, but it is an example of them having to change their philosophy and what they offer because of abuse.

    Trust should only go so far, and loss of trust should be very easy. There's not a good reason to keep "trusting" something when it has fundamentally changed from its initial ideals.

    • Galli [comrade/them]
      ·
      1 year ago

      This is true and people should always be mindful of this. Additionally you should consider not just the ownership of the companies but also the infrastructure they rely on such as their rented servers, payment processors, on-site staff etc. However commercial VPNs remain a convenient compromise for many use cases. These services are probably fine for your shitposting needs but should not be relied upon for activism for instance.

    • machiabelly [she/her]
      ·
      1 year ago

      I used to use proton until I saw them give info for a warrant. After that I gave up on the VPN thing. If I lived in a country with limited streaming options I might use them but shrug-outta-hecks

  • Qkall@lemmy.ml
    ·
    1 year ago

    bruh, i can't be the only one confused why state farm's drive safe app was being touted...

  • Fazoo@lemmy.ml
    ·
    1 year ago

    Why do you trust a Germany based secure email over something like Proton? At least Mullvad is Sweden based.

    • SmoothSurfer@lemm.ee
      ·
      1 year ago

      https://www.engadget.com/protonmail-climate-activist-ip-swiss-french-authorities-233004304.html

      Europol requested it. Even though you think your service is not under 14 eyes there still is gonna be many other problems.

      You can always find problems with the service itself.

      • Fazoo@lemmy.ml
        ·
        1 year ago

        And that proves what exactly? Swiss law required them to hand over an IP address. Swiss privacy is not absolute. They have laws. An IP address didn't grant them access to the encrypted emails. Proton openly admits they had no idea who the user was. The activist should have used a VPN, which Proton also offers as a service, and then whatever activity trail they linked to the IP would have died at Proton's VPN network.

    • palebluedot@discuss.tchncs.de
      ·
      1 year ago

      Five and eleven eyes doesn't matter if the service is encrypted and open sourced. Also, did you know that Switzerland has no superior privacy laws compared to Germany? It's all marketing bluff.

      • IzyaKatzmann [he/him]
        ·
        1 year ago

        I read some horror stories about folks who self-hosted for years and how they eventually quit and moved to an established email provider. It didn't seem like something I wanted to deal with.

        Do you think using one of those federated email networks where it's invite only and between people you know would have any appreciable use cases in conjunction with an established provider? I can think of having a small org use it maybe but not between friends or family.

  • GVasco@discuss.tchncs.de
    ·
    1 year ago

    I might swap bitwarden for passbolt as it uses a more recent programming stack, although vaultwarden looks to be a good alternative too.

    • fox [comrade/them]
      ·
      1 year ago

      Does a more recent stack translate to any real benefits?

      • apt_install_coffee@lemmy.ml
        ·
        1 year ago

        Not necessarily, plenty of good programs written in C89 for example.

        With something that is heavily library dependent, having a more recent development stack may mean better maintained libraries but definitely not a sure thing.

  • IzyaKatzmann [he/him]
    ·
    1 year ago

    Has anyone heard of or tried buttercup? Any thoughts?

    I was mulling around the idea of using KeePass but it seems to be too inconvenient. The pretty UI and cool name make me want to try buttercup.

    • Eufalconimorph@discuss.tchncs.de
      ·
      1 year ago

      KeePass + Syncthing is pretty convenient.

      Buttercup looks to be using AES-CBC with PBKDF2 and no authentication, but I only took a very brief look so I may have missed important details. That's not secure if an attacker can alter the vault file, and PBKDF2 isn't a great KDF to use. If you use this, you definitely need a 128-bit or higher entropy passphrase (10 Diceware words). You usually want that anyway, but using a weaker string for your master password will be less secure than you expect compared to something using a modern KDF.

      • IzyaKatzmann [he/him]
        ·
        1 year ago

        Thanks for the insightful response. I'm gonna spend some time searching for all those terms you mentioned because much of it is stuff I've only heard in passing or never heard of at all. I'll try to find what works well enough for me. Wish me luck!
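
The tampering concern in Eufalconimorph's comment above, as an added example that is not part of the thread and is not Buttercup's code or file format: a generic AES-256-CBC vault whose stored IV is edited without the key, first with no integrity check and then with encrypt-then-MAC. All function names, the record, the passphrase and the salt are constructed for illustration.

```javascript
const crypto = require('crypto');

// PBKDF2 as named in the comment; crypto.scryptSync is a memory-hard alternative.
function deriveKeys(passphrase, salt) {
  const k = crypto.pbkdf2Sync(passphrase, salt, 100000, 64, 'sha256');
  return { encKey: k.subarray(0, 32), macKey: k.subarray(32) };
}

// Unauthenticated layout: 16-byte IV followed by AES-256-CBC ciphertext.
function encryptCbc(encKey, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}
function decryptCbc(encKey, blob) {
  const d = crypto.createDecipheriv('aes-256-cbc', encKey, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]).toString('utf8');
}

// Encrypt-then-MAC: HMAC-SHA256 over IV and ciphertext, checked before decrypting.
function seal(keys, plaintext) {
  const body = encryptCbc(keys.encKey, plaintext);
  const tag = crypto.createHmac('sha256', keys.macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}
function openSealed(keys, sealed) {
  const body = sealed.subarray(0, -32), tag = sealed.subarray(-32);
  const want = crypto.createHmac('sha256', keys.macKey).update(body).digest();
  if (!crypto.timingSafeEqual(tag, want)) throw new Error('vault file was modified');
  return decryptCbc(keys.encKey, body);
}

// Models an edit to the stored file made without the key: XORing byte i of the
// IV changes byte i of the first plaintext block and nothing else.
function tamper(blob, i, oldCh, newCh) {
  const out = Buffer.from(blob);
  out[i] ^= oldCh.charCodeAt(0) ^ newCh.charCodeAt(0);
  return out;
}

function demo() {
  const keys = deriveKeys('constructed passphrase', Buffer.from('constructed-salt'));
  const record = 'url=https://bank.example/login;user=alice'; // constructed entry
  const unauth = decryptCbc(keys.encKey, tamper(encryptCbc(keys.encKey, record), 13, 'a', 'o'));
  let auth;
  try { auth = openSealed(keys, tamper(seal(keys, record), 13, 'a', 'o')); } catch (e) { auth = e.message; }
  return { unauth, auth };
}
console.log(demo());
```

Without the MAC the altered record decrypts cleanly with a different hostname; with it, the same edit is rejected before any decryption happens.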