Open castarco opened 9 years ago
As I understand the whole application, this is not part of Encryptr but of Crypton. But in the Crypton docs there is also not much about this; right now they are waiting for a security audit, and after that they will provide diagrams and full documentation (more here: Crypton Audits).
Crypton uses SRP for authentication, so your password is never sent to the server. I will post a link to this code once I am back on my computer; the repo is here: https://github.com/SpiderOak/crypton
For the Mac OS X app, I found the server hostname in /Applications/Encryptr.app/Contents/Resources/app.nw/js/Encryptr.js. Looks like it's defined as
window.crypton.host = "encryptrservice.crypton.io";
If you run this application yourself, it looks like you should be able to change window.crypton.host to whatever you want in Encryptr/src/app.js. I might work on a solution for myself where I store passwords on a server I own using this application.
Can we include the server url for Encryptr (encryptrservice.crypton.io) in the README?
Yes, you can indeed run your own backend server if you want to. Is that the gist of what you would like in the readme?
Yep, but it would be even better to allow changing this setting with the GUI rather than having to modify the source code :p
There also does not appear to be any indication of this before logging in. Even adding the "By SpiderOak" to the unlock/registration pages would be an improvement. Even better would be to include a link to some short text about where information is being stored.
Without being told, I assume an app of this nature primarily stores things locally and does not require an internet connection. I understand the reasons it works the way it does, but using it for the first time knowing nothing other than "password manager" I'd find the behaviour and requirements suspicious.
+1 on adding a setting to change the Crypton server if you want to roll your own. Maybe put it in an advanced settings area.
I'd also like to expand on this request for more documentation and more clarity. Here's what I mean:
And finally:
I use Encryptr all the time and love it. Great job! But I've also seen great free apps I've enjoyed using pivot for many reasons, a major one being financial, so pardon my skepticism. At least being open source is somewhat reassuring.
Here are my 2 cents. I understand wanting to keep technical details out of the web pages that the prospective user first sees, but I've just been checking this out for the first time today, and I think what is sorely missing is something along the lines of, "Don't take our word for it, have a look at the source code ...".
IOW, I get a bad feeling when I read what sounds like a promotional brochure for a service that I'm considering placing a lot of trust in, and the tone is "We'll protect your data, just trust us ...". Others might have the exact opposite reaction, but for me, I always am reassured when there's an acknowledgement that it's prudent for the user to be skeptical.
I agree that the SpiderOak Encryptr page should mention that it's open source.
Up to the SpiderOak folks if they wanna add any more technical details of Crypton etc to the product site, I guess...
//cc @helveticade
Currently there is no info about which server(s) the password data is sent to. I understand the data is encrypted, but for me this isn't enough; I can't be confident in software that doesn't clearly expose this sort of info to its users.
I don't want to be sniffing my own connections to discover it.
P.S.: It would also be nice if users had the possibility of setting their own storage servers. I haven't seen any related option (I'm not talking about the "offline access mode").