privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

🆕 Software Suggestion | Guardedbox #2420

Closed mercaderd closed 3 years ago

mercaderd commented 3 years ago

Basic Information

Name: Guardedbox
Category: Safe secret sharing
URL: https://github.com/guardedbox/guardedbox https://www.guardedbox.es/

Description

GuardedBox is an open-source online client-side manager for secure storage and secrets sharing.

It allows users to upload secrets to a centralized server and retrieve them at any time and from anywhere. It also allows users to share their secrets with other users, individually or via groups.

Secrets are stored encrypted server-side. The encryption is performed client-side by JavaScript code. It is based on ECC-Curve25519 asymmetric encryption and AES256-GCM symmetric encryption. The ECC key pair is generated from the user login credentials during the registration and login processes, by means of PBKDF2.

The server knows the public key of every user. Any user can retrieve the public key of any other user and encrypt a secret for her, in a way that only that user will be able to decrypt it, using his own private key generated from his credentials. This is all done client-side by JavaScript code, minimizing the trust on the server, and using End to End (E2E) encryption between users.

The server does not receive the user password during the login process. Instead, a crypto-challenge is involved using digital signatures based on ECC-EDDSA with ED25519. When a user wants to perform a login, the server sends him a challenge. The user must sign it with his private key and send it back to the server. Again, this is all done client-side by JavaScript code.

Why I am making the suggestion

I think it is a very useful open-source tool for safe secrets sharing that can be used as a public service or as a private service within an organisation.

My connection with the software

I am a privacy enthusiast and I have no connection with the software other than that the company is from Spain, as I am.
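The login flow described in this post (a key pair derived from the credentials with PBKDF2, then a server challenge signed with Ed25519) can be sketched in Node.js as below. This is an added example, not GuardedBox's code and not part of the original post; the salt construction, iteration count, hash and all function names are assumptions.

```javascript
// Added illustration, not GuardedBox's code. Salt choice, iteration count and
// hash below are assumptions; the page only names PBKDF2 and Ed25519.
const nodeCrypto = require("node:crypto");

// DER header that wraps a raw 32-byte Ed25519 seed as a PKCS#8 private key.
const PKCS8_ED25519_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");

// Client: stretch the credentials into a 32-byte seed, then into a signing key.
function deriveSigningKey(email, password) {
  const salt = Buffer.from("login-key:" + email.toLowerCase(), "utf8"); // assumed salt
  const seed = nodeCrypto.pbkdf2Sync(password, salt, 100000, 32, "sha512");
  return nodeCrypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, seed]),
    format: "der",
    type: "pkcs8",
  });
}

// Registration: only the public key reaches the server, never the password.
function register(server, email, password) {
  const pub = nodeCrypto.createPublicKey(deriveSigningKey(email, password));
  server.users.set(email, pub.export({ format: "der", type: "spki" }));
}

// Server: issue a fresh random challenge and remember it for one attempt.
function issueChallenge(server, email) {
  const challenge = nodeCrypto.randomBytes(32);
  server.pending.set(email, challenge);
  return challenge;
}

// Client: prove knowledge of the password by signing the challenge.
function signChallenge(email, password, challenge) {
  return nodeCrypto.sign(null, challenge, deriveSigningKey(email, password));
}

// Server: verify against the stored public key; the challenge is single-use.
function verifyLogin(server, email, signature) {
  const challenge = server.pending.get(email);
  const spki = server.users.get(email);
  server.pending.delete(email); // consumed whether or not verification succeeds
  if (!challenge || !spki) return false;
  const pub = nodeCrypto.createPublicKey({ key: spki, format: "der", type: "spki" });
  return nodeCrypto.verify(null, challenge, pub, signature);
}

function newServer() {
  return { users: new Map(), pending: new Map() };
}
```

Because the key pair is a deterministic function of the credentials, the stored public key acts as a password verifier: the PBKDF2 cost and the password's strength are what protect it if the server's user table leaks.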

gary-host-laptop commented 3 years ago

Please follow the issue template and add the name of the software in the issue name so that it makes it easier for the PT team to decide whether or not to list it, like this: "Software Suggestion | [Software Name]"

ghost commented 3 years ago

Hey,

This is my opinion, it's in no way an objective description of this software. I have reviewed GuardedBox and tried it on my own for a few days, and I have some feedback to give regarding it and its future integration into Privacytools. I avoid talking about the JAVA programming language here, which for me is extremely heavy and not suitable for this use.

Starting with the good points, the code is overall serious and pretty good. The team behind the project has no strange history, has a decent privacy policy and relatively important and interesting security degrees/certifications. The interface UI/UX is very basic, the security in the code and in the webhoster (GCP) is really good, it's a pleasure to see that there are competent security people behind it. This software can also have a real interest in the corporate world or in some projects, it is quite interesting.

There are unfortunately a lot of problems that I see. Many problems.

I have no particular problem with Spanish, but the code has little to no documentation, and if it is documented, it is in Spanish. This is quite a shame when an open source code depends mostly on the community. There is a crucial lack of translation (even in English!) and in my case I would say that it is a wrong direction to want to develop software outside of English as a base, to facilitate contributors and deployment.

The hosting is managed on Google GCP. On security, it is irreproachable, on privacy it's a aaaaaaaaaaaaa. Even if the information is encrypted in AES-9999999999, I'm not very happy to know that everything goes through Google for all that, it's a budgetary and practical choice above all, but in a software that defends privacy we try at least to place ourselves with a host that recognizes personal data a little.

There is no efficient sharing, through a link or a mail. Each user must have access to the site (need to register inside), and no temporary link system can be created, which is a real lack for this kind of software. It is after all a small team (3 guys?), almost no contributors (because the code is not really open source, see below), and only one company that has to take all responsibility for this software (dev & money). Like many projects, this is a very dangerous gamble and an application that can at any time be unmaintained and exposed to imported security risks.

The biggest problem in my opinion is the open source side. The code has not been available for more than a year in an official way, and you have to contact them directly to get a version of the software (?). What is the point of developing an Open Source software if it is not to display it publicly and accept contributors? So we can't analyze the security of the code, improve the features, check the quality of the code. It's really a bad development line taken by the team and that's why I don't recommend this software. Especially since even if it is still being developed at the moment, you have to trust them in any case. Besides the lack of specific security audit, if only their code was public.

I don't think it's a good idea to reference one more piece of software that is so incomplete and whose development is risky. But I maintain that the team seems very serious and competent about security, I'm looking forward to contributing in case the code will be fully available on github, in some time when other features will be integrated (it's not in beta but it should be, they say it themselves).

freddy-m commented 3 years ago

Code has not been publicly updated recently enough to be worth listing.