cutalion

Open source


I do not want to save all my passwords in the Enpass application because it's not open source.

I like that it looks great on Linux, Android and iOS. I'd be happy to pay for the apps.

But how can I be sure that it does everything right?

 


Hi @cutalion

Thanks for your question here on Enpass Forums. We are really happy to see your concerns about the security of your data. 

Yes, Enpass is not an open source software because of the nature of our business. 

First things first, it's the security of your data. Instead of our own proprietary code for cryptography, we have moved to SQLCipher, which is an open source cryptography engine and is being used worldwide. You can read more about security in Enpass here

Being an offline software, your data is never stored on our servers and never leaves your system in an unprotected way. You can verify this by using network sniffers on your device.

For more you can go through our Security FAQs here https://www.enpass.io/kb/mac-os-x/

Cheers!

On 6/14/2016 at 2:07 PM, Hemant Kumar said:

Enpass is not an open source software because of the nature of our business.

That you want to sell the software doesn't mean you cannot distribute the source code. Actually, the forum software you're using for this community does it like this. If you buy Invision Power Board, you'll get the source code. It doesn't have to be open source licensed.

On 6/14/2016 at 2:07 PM, Hemant Kumar said:

Being an offline software, your data is never stored on our servers and never leaves your system in an unprotected way. You can verify this by using network sniffers on your device.

The fact that Enpass isn't submitting all my passwords to enpass.io right now doesn't mean anything. I'm currently using iptables to restrict Enpass from doing so, but I don't know yet how to achieve the same thing on my unrooted Android :D

Edited by fnkr

@fnkr I agree that it would be really cool if Enpass were completely open source (or at the very least, the code for the password generator). As someone who tries to do everything using FOSS, I'm willing to use it because the core crypto part of it is open source/cryptographer-reviewed (SQLCipher), with some kind of awesome sauce on top to make it user-friendly/cross-platform (thanks to NW.js, I'm guessing?). I guess I also trust them because their business model is pretty transparent, and because they are ownCloud-friendly.

Have you tried looking at the Enpass app with Wireshark? ;)

Edited by 4oo4


@4oo4 No, I haven't yet because:

On 7/12/2016 at 10:31 AM, fnkr said:

The fact that Enpass isn't submitting all my passwords to enpass.io right now doesn't mean anything.

And I don't worry about it because:

On 7/12/2016 at 10:31 AM, fnkr said:

I'm currently using iptables to restrict Enpass from doing so

 

On 7/12/2016 at 4:31 AM, fnkr said:

That you want to sell the software doesn't mean you cannot distribute the source code. Actually, the forum software you're using for this community does it like this. If you buy Invision Power Board, you'll get the source code. It doesn't have to be open source licensed.

The fact that Enpass isn't submitting all my passwords to enpass.io right now doesn't mean anything. I'm currently using iptables to restrict Enpass from doing so, but I don't know yet how to achieve the same thing on my unrooted Android :D

Would a no-root firewall like NetGuard solve your problem on Android?

On 12/07/2016 at 5:31 AM, fnkr said:

I'm currently using iptables to restrict Enpass from doing so

Do you mean you launch Enpass as another user and block all connections from that username with iptables?

Edited by anewuser

On 8/12/2016 at 6:57 PM, lnh said:

Would a no-root firewall like NetGuard solve your problem on Android?

Basically yes, but I'm already using another app that provides a VPN service (Shadowsocks).

Quote

(2) Can I use another VPN application while using NetGuard

If the VPN application is using the VPN service, then no, because NetGuard needs to use this service. Android allows only one application at a time to use this service.

Source: https://github.com/M66B/NetGuard/blob/4ff9a2b/FAQ.md#FAQ2

 

On 8/12/2016 at 10:45 PM, anewuser said:

Do you mean you launch Enpass as another user and block all connections from that username with iptables?

Yes. The second user is necessary because iptables does not have the ability to filter packets by application. Another solution would be firejail with --net=none.

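The per-user block described in the post above, written out as an added example (not code from the thread or from Enpass). The account name `enpass-sandbox` and the launch path are assumptions, and the script goes slightly beyond the post by also covering IPv6 and leaving loopback open.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the account
# "enpass-sandbox" and the launch path shown at the bottom.

# Print the rules that cut one local account off from the network.
# iptables cannot match on the program, so the owner module matches the
# UID that owns the socket (valid in the OUTPUT chain only).
egress_block_rules() {
    user=$1
    # Accept plain account names only, so nothing else reaches the rule.
    case "$user" in
        ''|-*|*[!a-z0-9_-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    for fw in iptables ip6tables; do   # IPv6 needs its own copy
        # Loopback stays open for local IPC; delete this line to block it.
        echo "$fw -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
        echo "$fw -A OUTPUT -m owner --uid-owner $user -j REJECT"
    done
}

# Dry run unless APPLY=1 (which needs root). Stops at the first failure.
apply_rules() {
    _rules=$(egress_block_rules "$1") || return 1
    printf '%s\n' "$_rules" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || exit 1
        else
            echo "would run: $cmd"
        fi
    done
}

apply_rules "${SANDBOX_USER:-enpass-sandbox}"

# Afterwards, start the program under that account, for example:
#   sudo -u enpass-sandbox -- /path/to/Enpass     (placeholder path)
# On X11 the account must be allowed onto your display first:
#   xhost +SI:localuser:enpass-sandbox
```

The rules only apply to processes running as the sandbox account, so a copy of the program started under your normal login is not restricted.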
On 14/08/2016 at 8:06 AM, fnkr said:

Yes. The second user is necessary because iptables does not have the ability to filter packets by application. Another solution would be firejail with --net=none.

I actually know about firejail, but launching Enpass (and other programs) with it on startup will not hide their windows automatically in the system tray.


Even if it was open-source, I would still pay for Enpass (even the desktop app). I'll gladly help the devs of a great product. AFAIK, it is possible to make money and FOSS :) 

 

Or at least do a security audit!

Edited by Angristan

This topic is now closed to further replies.
