So I’ve been looking up VPN stuff, and in the process, I’ve stumbled on ProtonVPN, from the same people as ProtonMail. They’re now offering private cloud storage, and I’m wondering how private is it. e2e means I have to manage the keys on my device right? I don’t know how else it could realistically work, if they manage keys, they can access my keys etc?
I’m not sure about the specific service you’re talking about, but yes they’d provide you a client that manages keys and tokens on your devices. It’s possible that the client they gave you is malicious and broadcasts these keys or something, but if that client happens to be open source, you could read and vet the code.
If we were to really scrutinize it, technicall you need to do more than that and actually compile the code and run the code yourself. Suppose that you install an android app from their app store, they could actually just give you whatever package, not necessarily what is on their open source repository.
Coincidentally that’s why Signal does deterministic builds. You can validate the build process to make sure there’s not a compile-time injection.
Such attacks are not unheard of. Eventually it’s turtles all the way down.
While I was in college, I would debate with a classmate about whether or not to trust certain software (as a friendly exercise, we just it anyways) and I had brought up this particular hypothetical! At the time it was a joke, but now I have evidence that someone tried!
Not just someone, either. Ken Thompson.
That’s just one we know about because Ken is a friendly hacker. He never tried to spread it out into the world.
But what if he had? Or what if it leaked from the one host he tried it on?
Also, a lot of chips are now made in China. Have you physically inspected all the components in your computer?