SpiderOak / Encryptr

Encryptr is a zero-knowledge cloud-based password manager / e-wallet powered by Crypton
GNU General Public License v3.0

Add more documentation about where the data is sent #182

Open castarco opened 9 years ago

castarco commented 9 years ago

Currently there is no info about which server(s) the password data is sent to. I understand the data is encrypted, but for me this isn't enough; I can't be confident in software that doesn't clearly expose this sort of info to its users.

I don't want to be sniffing my own connections to discover it.

P.S.: It also would be nice if users had the possibility of setting their own storage servers. I haven't seen any related option (I'm not talking about the "offline access mode").

kamilko commented 9 years ago

As I understand the whole application, this is not part of Encryptr but of Crypton. But in the Crypton docs there is also not much about this; right now they are waiting for a security audit, after which they will provide diagrams and full documentation (more here: Crypton Audits).

daviddahl commented 9 years ago

Crypton uses SRP for authentication, so your password is never sent to the server. I will post a link to this code once I am back on my computer; the repo is here: https://github.com/SpiderOak/crypton

cceleri commented 9 years ago

For the Mac OS X app, I found the server hostname in /Applications/Encryptr.app/Contents/Resources/app.nw/js/Encryptr.js. Looks like it's defined as

window.crypton.host = "encryptrservice.crypton.io";

If you run this application yourself, it looks like you should be able to change window.crypton.host to whatever you want in Encryptr/src/app.js. I might work on a solution for myself where I store passwords on a server I own using this application.

Can we include the server url for Encryptr (encryptrservice.crypton.io) in the README?
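An added example, not from this thread and not Encryptr's or Crypton's code, showing how the host cceleri found could be driven by a user setting (the GUI option requested elsewhere in this thread) and surfaced on the unlock page: only DEFAULT_HOST comes from the thread; the function names, settings handling and validation rules are assumptions.

```javascript
// Added example, not Encryptr's own code: validate a user-supplied backend
// host before assigning it to window.crypton.host, and produce the notice a
// pre-login screen could show. DEFAULT_HOST is the value cceleri found in
// Encryptr.js; everything else (function names, rules) is an assumption.
const DEFAULT_HOST = "encryptrservice.crypton.io";

// Bare host[:port] only: RFC 1123 labels, no scheme, path or userinfo.
const HOST_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*(?::\d{1,5})?$/;

function resolveCryptonHost(userSetting) {
  // Missing/blank setting: fall back to the shipped default and say so.
  if (typeof userSetting !== "string" || userSetting.trim() === "") {
    return { host: DEFAULT_HOST, source: "default" };
  }
  const candidate = userSetting.trim().toLowerCase();
  // Refuse "https://host/..." etc. rather than stripping it: a silently
  // rewritten value would hide from the user where data actually goes.
  if (!HOST_RE.test(candidate)) {
    return { host: DEFAULT_HOST, source: "default", error: "not a bare host[:port]: " + userSetting };
  }
  const port = candidate.split(":")[1];
  if (port !== undefined && (Number(port) < 1 || Number(port) > 65535)) {
    return { host: DEFAULT_HOST, source: "default", error: "port out of range: " + port };
  }
  return { host: candidate, source: "user" };
}

// Sentence an unlock/registration page could show so users know where
// their (encrypted) data is synced before they log in.
function backendNotice(resolved) {
  const where = resolved.source === "user" ? "your configured server" : "the default Encryptr backend";
  return "Encrypted data is synced to " + where + " (" + resolved.host + ").";
}

// Apply the resolved host to the crypton global (window.crypton in the app;
// passed in here so the function also runs outside a browser).
function applyCryptonHost(userSetting, cryptonGlobal) {
  const resolved = resolveCryptonHost(userSetting);
  cryptonGlobal.host = resolved.host;
  return resolved;
}
```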

daviddahl commented 9 years ago

Yes, you can indeed run your own backend server if you want to. Is that the gist of what you would like in the readme?

castarco commented 9 years ago

Yep, but it would be even better to allow changing this setting with the GUI rather than having to modify the source code :p

fcheslack commented 8 years ago

There also does not appear to be any indication of this before logging in. Even adding the "By SpiderOak" to the unlock/registration pages would be an improvement. Even better would be to include a link to some short text about where information is being stored.

Without being told, I assume an app of this nature primarily stores things locally and does not require an internet connection. I understand the reasons it works the way it does, but using it for the first time knowing nothing other than "password manager" I'd find the behaviour and requirements suspicious.

FranciscoG commented 8 years ago

+1 on adding a setting to change the Crypton server if you want to roll your own. Maybe put it in an advanced settings area.

I'd also like to expand on this request for more documentation and more clarity. Here's what I mean:

And finally:

I use Encryptr all the time and love it. Great job! But I've also seen great free apps I've enjoyed using pivot for many reasons, a major one being financial, so pardon my skepticism. At least being open source is somewhat reassuring.

Klortho commented 8 years ago

Here are my 2 cents. I understand wanting to keep technical details out of the web pages that the prospective user first sees, but I've just been checking this out for the first time today, and I think what is sorely missing is something along the lines of, "Don't take our word for it, have a look at the source code ...".

IOW, I get a bad feeling when I read what sounds like a promotional brochure for a service that I'm considering placing a lot of trust in, and the tone is "We'll protect your data, just trust us ...". Others might have the exact opposite reaction, but for me, I am always reassured when there's an acknowledgement that it's prudent for the user to be skeptical.

devgeeks commented 8 years ago

I agree that the SpiderOak Encryptr page should mention that it's open source.

Up to the SpiderOak folks if they wanna add any more technical details of Crypton etc to the product site, I guess...

//cc @helveticade