HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ldubost

no profile record

Submissions

CryptPad Review: Replacing Google Docs

privacyguides.org
3 points·by ldubost·पिछला वर्ष·0 comments

comments

ldubost
·पिछला वर्ष·discuss
A good news as part of this is that the United Nations is gathering the endorsements using end to end encrypted software CryptPad Forms (https://cryptpad.fr/form/#/2/form/view/GvF3q-LsyL-OZgX4G0r2p...)

This is great because it stops giving users to services which don't respect privacy. If you don't know CryptPad which provides forms but also many editors including Office with end to encryption, try it at https://cryptpad.fr
ldubost
·पिछला वर्ष·discuss
True.. Now for "first value" we have "create a pad in one click to work with your friends", also 1gb data for free.

There is Google Takout + Folder import to do mass imports.

There is work possible to improve but also through the browser it's tricky to make large volume imports reliable. Best path is an API which would also allow backup tools and down the line local syncing.

Overall for people wanting more of CrytpPad, think about donating on OpenCollective https://OpenCollective.com/cryptpad

Ludovic from the CryptPad Team
ldubost
·पिछला वर्ष·discuss
I'm not sure which export you are talking about ? We have xlsx/docx/pptx import export (one by one).

What we don't have is local syncing with your computer.

Ludovic, from the CryptPad team
ldubost
·पिछला वर्ष·discuss
Thanks on behalf if the team.

Ludovic
ldubost
·पिछला वर्ष·discuss
Drive might be 'useless' to you in it's form because you want more from CryptPad (more features in it, more local sync, more anything), but it is very useful to organize your docs that you work on in CryptPad. It also allows shared folders and so on.

What's interesting is that surveying our users did not show local sync as hugely demanded. Mobile access comes up the highest.
ldubost
·पिछला वर्ष·discuss
We do believe having an API is valuable and a good selling point. It's also a great way to get an ecosystem to help us extend the product. Now it's also more responsibility to maintain compatibility. We want to be able to continue to upgrade services (in particularly cryptpad.fr). Apps using the API would need to continue to function or by security be locked out. This is a lot more work for the small team.

Ludovic from the CryptPad team
ldubost
·पिछला वर्ष·discuss
Interesting point. We should add some warnings about this.

Ludovic, from the CryptPad team.
ldubost
·पिछला वर्ष·discuss
We never pretended the drive has local syncing. The drive is extremely useful for people to organize their documents inside CryptPad.

It is possible to create folders with any file types in it. Shared folders can be also created.

The workflow you describe with syncthing involves local synching.

We are not saying that syncing locally is not interesting. It's just a lot more work on top of the editor work, the online sharing, the e2ee, etc.. We work with the capacity we have. Also as I said, syncing opens the door to version compatibility issues, risks of mistakenly deleting data of your drive and high volume just for storage. This means for our hosting service (cryptpad.fr) management of much higher volumes. We are not even sure the 1gb free storage policy is sustainable for that use case. But we are working on a path towards this as we have plans for a CryptPad API.

Ludovic, from the CryptPad team
ldubost
·पिछला वर्ष·discuss
Hi,

We have started work on this through sponsoring of openDesk: https://apps.nextcloud.com/apps/openincryptpad This allows editing of diagrams stores in Nextcloud using cryptpad. However the files are not e2ee in Nextcloud.

The API we build has now been extended to other file types and also support e2ee https://github.com/cryptpad/cryptpad-api-examples

Integration with the new web version of e2ee of Nextcloud could be possible now but we don't have capacity to develop this. Integration with other e2ee tools is also technically feasible.

What type of integration are you looking for ? We would be interested to understand the workflow you would find interesting.

Ludovic, from the CryptPad team
ldubost
·पिछला वर्ष·discuss
The choice depends of what you use and how you use Google Drive.

Nextcloud is great. It has the highest coverage towards the Google suite without e2ee.

I believe we at CryptPad have the highest with e2ee. If you go cloud e2ee is an important privacy and security factor.

If you self host it can also be depending on how you are able to protect your server.

CryptPad is more scoped around editing documents. I believe it's a simpler package around the pure google docs functionnality.

Nextcloud is better for storing many docs, photos etc.. And has file sync to your computer and a mobile app.

We don't have comparisons.. But maybe we should.

Here is an independent review of CryptPad: https://www.privacyguides.org/articles/2025/02/07/cryptpad-r...
ldubost
·पिछला वर्ष·discuss
"Signal has sacrificed ease of use in favour of security by refusing to release a web app for some time.. they're doing pretty OK in terms of number of users. I think it's also fine to choose a different balance and favour ease of use more, but concessions to security based on your team's priorities should at least be acknowledged."

Again you mention Signal, a org bootstrapoed with a promise of 100m$ and way more funding than us. They have apps for iOS, Android, Linux, Mac, Windows. Are you realizing the comparison you do ?

You say our concessions to security should be acknowledged. Check our white paper.. We do mention code hacking on the server. When did we say we protect you from your computer setup ?

You want us to warn users about links more visibly. Fine, make reasonable proposals ?

You want us to make desktop apps.. We want that too.. We tell you it does not fully solve the issues you mention.

You want us to drop web apps like Signal who does not do that. We tell you this would kill CryptPad.

Yes the way you overstate the issue instead of telling activist to run their own servers, with a browser they control on an OS they control, is indeed hurting. You mention users are not knowledgeable. This FUD reduces the trust in our work. Sure I understand you are trying awareness.. Which for us ends up being social pressure.

Open Source is simple.. Don't complain, code... Contribute...

Ludovic
ldubost
·पिछला वर्ष·discuss
Disclaimer: I'm the CEO of the company doing CryptPad.

The problem I have, is that you say the word "vulnerability" for CryptPad when we never promised to protect you from a badly configured computer.

If there is a vulnerability, it's unsecured browser syncing which would be exposing your browsing history to Google. Google Docs has anonymous links which are in that history too.

BTW I could not find any info about browser companies exposing the synced browser history. As far as I know It's encrypted on Chrome and Firefox. But maybe I'm wrong as I believe if people want to be sure why would they use browser sync ?

Note that in addition to passwords there are also Access configs where the server can block access to documents to specific users. This is an additional security which mitigates the issue of links that would be opened on a bad browser. Sharing links through CryptPad as also the recommended way to never have URLs opened by your browser.

When I mentioned PR, you could also fork and run your server with higher security settings.

If a team does not respond to your vision, you can indeed bitch about that team, or you can come and give more proof of your vision. Documentation also help ? Why not document that browser syncing would be risky for activists ?

So take this as a call to be constructive. Make a github issue and propose something that helps. Maybe indeed add a message and a link to more documentation about good and bad ways to use shared links.

About "> empower laypeople to collaborate on documents with reasonable confidence that nation-state actors won't be able to passively surveil those documents", did you read our white paper ?

Ludovic
ldubost
·पिछला वर्ष·discuss
I'm from the CryptPad Team.

We did not use this sentence. It's the person that posted this that wrote 'Google'

However we believe CryptPad can be part of the solution for both Google and Microsoft

Now the targets are different. Google has most of individuals and B2C. Microsoft is more the larger companies

At this point CryptPad seems to have more tracking on the individual market.

For companies, there are different approches like self-hosting. E2EE in companies is a niche market for which collaborative editing is new.

So 'Google' as an exit-target is probably yo the right goal
ldubost
·पिछला वर्ष·discuss
We have started working on that.

The load time currently depends on the size of your drive/share folders etc..

Public links are now bypassing some actions. We hope to bypass more in the future

Ludovic
ldubost
·पिछला वर्ष·discuss
Your last paragraph is quite insulting to the work we do, suggesting intention to trap people ? Did I read this right ?

I'm not really sure i want to continue the conversation unless you retract this. Our team is working hard on many fronts and does not deserve to be treated like that.

If you believe it's critical that the "link situation" be resolved, where is the pull request, or even the specification of the necessary change ?

Ludovic
ldubost
·पिछला वर्ष·discuss
It might have been a long time ago because we have invitation links in teams:

https://forum.cryptpad.org/d/5-improve-onboarding-for-teams

We even implemented links that can be used multiple times before an expiration date.

Concerning the privacy of emails, YOU had the emails, but the SERVER ADMIN does not.. To send an email from the server, the server would need to receive the emails in clear.

As a side note, when you invite somebody to a service by letting the service send the email, you are leaking their email to that service, so to be respectful of people's privacy, we should not send the invite without their consent receive first. I get that nobody does that and there is a sort of implicit consent and that the risks of misuse of the email ate low.. If we ever implement that feature we would have to show a warning.

Ludovic
ldubost
·पिछला वर्ष·discuss
I'm from the CryptPad team

This workflow works for you ! Great !

Unfortunately, most users don't know how to setup the tools you are talking about. Additionally they end up having to share some document at some point or another. They end up with browser based tools and a shared server. Google most of the time for individuals. Most users want their data in one place for all use cases.

Network effects make it so that only tools that allow you to invite anybody to your document (guests without accounts included) end up gaining traction. Desktop apps might be able to achieve this using some web proxy so who knows, it might change in the future.

Our goal at CryptPas is to make it familiar for them to move from Google while having e2ee here to protect their privacy, which also gives them a reason to switch

The more people can get out, to any open alternative, the more alternatives can then decide to fight each other.

In the mean time, we should not try too much to get the rest of the world on our own workflow, just let all the different approaches strive.

BTW maybe CryptPad's API ( https://github.com/cryptpad/cryptpad-api-examples ) could help you solve the case where you do need to edit a document collaboratively from your computer. Would you be interested in a tool allowing to create a session for editing with CryptPad allowing to sync back changes or save the end result back to your computer ?

Ludovic
ldubost
·पिछला वर्ष·discuss
I'm from the CryptPad team

There is our white paper on the security features of CryptPad: https://blog.cryptpad.org/2023/02/02/Whitepaper/

In terms of audits, we don't have the funding for formal audits but a couple years ago the European Community paid a bug bounty https://commission.europa.eu/news/european-commissions-open-...

We received some interesting reports but not as much on the cryptography than on web related issues

Ludovic
ldubost
·पिछला वर्ष·discuss
I'm from the CryptPad team.

We hope to be able to give an API in the future but there are a few concerns to allow sync tools to operate:

- server load and volume of data when syncing large volumes of data, especially for our flagship instance. CryptPad is currently used for realtime editing not for large data sync. We already host 6TB of data and it's unclear were that would lead us. - version compatibility with apps not upgraded to the latest version of the API

These are similar reasons that kept us away from federation.

Our team is small and already a lot of work. Hiring is limited by our funding.

Ludovic
ldubost
·पिछला वर्ष·discuss
I'm the CEO of the company developing CryptPad.

Our main promise to our users is that server operators cannot read the users data.

About code alteration attacks, we have mentioned them here in an article exposing ways to use CryptPad in secure ways https://blog.cryptpad.org/2024/03/14/Most-Secure-CryptPad-Us...

I won't respond in detail, at least today, to all your criticism of our work but I will say two things:

CryptPad might not be at the level of privacy or security you want (which one do you want BTW ?), but with such discourse you are sending users to stay handling their data on Google which seems to be the opposite of what you seem to want. We will of course consider on our end that CryptPad greatly enhances privacy and security compared to the situation where everybody's data is in clear at Google or Microsoft.

You mentioned " I did share all of the above with the CryptPad team, and was told they don't intend to address the above issues". If you can dig out our response it would be helpful ? At least my position as CEO is that we intend to solve the issues we can solve with the funding we have. As an example, we have always been interested in finding a solution to the "code attack". However the desktop app or code signing does not fully solve the issue as you still need to trust who builds the desktop app or signs the code, even when signed. Full trust requires audit of the code at every change. Can you name me one app that you can fully trust ? Have you audited it ?

I'm not saying improvements cannot be done and we'd love to do a desktop app but we have to choose our battles. We would still have to see if people install and use it ? Signal is a mobile app.. How many have it on their computer ? How many use slack instead ? (When a billionaire gives 100M$ to CrytpPad, we'll be happy to have our choices challenged compared to those of Signal). If one is listening our OpenCollective is here https://OpenCollective.com/cryptpad

We'd love to do more both for privacy and security and ease of use, but for that we need more funding.

Our belief is that privacy and security will be won again on the Internet step by step by getting users to any non BigTech tools including CryptPad and then improve them step by step. If we have the users, we have higher chances to have the funding to improve the tools.

Your vision seems to be more extreme and would likely fail to bring anybody to such a platform as it would lack ease of use (at least with the level of funding we have).

Until now, your criticism is not helping getting the users out of Google or Microsoft.

Ludovic, CEO of XWiki SAS