Honestly i found that whole excerpt to be pretty nonsensical.

Don’t see how that relates to what i said and then you quoted but reworded (why?). Plus it all just circles back into “its bad cause the UX is slightly more inconvenient”.

If the author had any substance to his argument it wouldn’t require laying out a ridiculous scenario just to get the reader to understand what in hell he is trying to say.

He basically tldrs the whole article a few sentences later with " I want it to be easy to use." The author never seriously considers if that’s worth the cost.

Author seems to ignore that FOSS projects tend to be much smaller teams without budget to create the user experience that private VC funded projects can.

Ths whole accountability argument seems to be pretty disingenuous, allowing anyone who wants to evaluate the source code is about as accountable as it gets.

The not-so-subtle “you will be lazy about what your doing if someone is not paying you not to be” vibe throughout this article is off putting to say the least.

I also find prioritizing user experience over the sharing of source code to be misguided. Allowing folks to gate keep knowledge and hide what they are doing is a big price just for a better user experience.

The real issue with FOSS is the same as with P2P networks. Most people are leechers whose only contribution is lip service.

My problem with these lists is they never provide any sort of evidence as to why these suggestions should be trusted. No discernable criteria that a suggestion in a category has to meet, no evidence the site fact checks its suggestions.

For the majority of connections you can. Some connections bypass your VPN and there is nothing you can do about it. Its been reported to Google by multiple groups, including Mullvad but Google refuses to fix this.

This. There really is no point in installing something like tinywall, when there is a built in firewall that has more functionality (granted its much less user friendly).

Lol OK. Seems like its to much for you to consider you poorly communicated your point anyway.

deleted by creator

I think if people read that comment and think they are being called dumb, that’s completely on them and probably a good time to look themselves in the mirror.

Nothing wrong with the design. Its literally just making thing easier at no cost to the user.

deleted by creator

“Basically then it degrades to a very strong password that can’t easily be phished.”

I’m disagreeing with this, in that you are still (hopefully) using 2FA with your vault. Therefore whatever your accessing in that vault whether its a TOTP token or a password is still protected by MFA and not just a “very strong password”.

Putting a TOTP token inside a vault protected by a strong password and another form of authentication is no less secure then having it be separate from the vault.

Not really. You still should be using MFA to access the vault itself before you can even get to the Token.

Yes but you would still have 2FA.

You would still be using 2fa to access your vault. So in effect anything in that vault has more then 2 factors of authentication as it requires MFA just to get to the password.

Yes but you would still have 2FA.

You would still be using 2fa to access your vault. So in effect anything in that vault has more then 2 factors of authentication as it requires MFA just to get to the password.

This seems more like a user issue then a security issue. If you are avoiding this feature because you have to idiot proof your security against yourself, your probably going to be compromised at some point anyway.

As for your example, this seems easily avoidable by

1. just have the vault timeout be set low (1 minute) and to logout.
2. Not leaving your password manager unlocked and unattended (wtf are you thinking lol)

Seems a bit odd to roll this out without having the ability to import from other authenticators (at least on android). Feels like a pretty basic feature.

Why do you think its not safe? If you trust bitwarden to protect your passwords what exactly do you think is going to happen?

Even if bitwarden is compromised in someway in the future, all that data is still encrypted and would still be highly unlikely to actually be accessed in any usable form.

The only risk is if you use a bad master password. Which is the biggest risk of using a password manager regardless.

You seem to be avoiding the fact component, which is they have proven through audits, yearly, their security is what you would want in a service that holds your data and have decided to instead rely on one instance (in 10 years of that service being around), that has nothing to do with the issue and your own feeling of how companies operate (FUD).

My point is Proton did something every legit business would do.

If your threat model is such that governments are going after you, you should be aware enough to not create an email with an IP that identifies you. That email issue was bad opsec not some specific problem with Proton.

Not every concern is but ones where concern is based solely on fear and hypotheticals are. This all eggs in one basket line of reasoning is FUD and has no real bearing in reality.

Even this email issue, it really has nothing to do with if you should trust proton in terms of OPs post. If you really believe Proton is going to sell you out, you wouldn’t use them anyway and Proton following the laws is something every legit business is going to do, not something specific to Proton. If you have the threat model of an activist you need to careful about your opsec as i explained in a previous comment.

Proton can see my traffic. I already know that. Any vpn provider you use could. Its not that i trust proton implicitly its that i trust them more then my ISP that would be able to see it if i did not use a vpn. Couple that with their record of audits and im not sure what else you could expect from them.