Since neither of them is open source, I haven't put energy into making sure either of them is secure. Not being a security researcher or having access to either product's code, I'm not sure how I could be expected to perform that level of evaluation, but I've built systems that have passed security reviews and, from a non-privileged access point of view, I see little difference between the two. Enpass does seem to handle security incidents in a pretty responsible fashion. They post blog updates on vulnerabilities (e.g.) after releasing fixes. It's great that you recommend 1Password based on some other criteria, but I'm not sure why your recommendation should mean anything to me unless you've been given some privileged access to their code that the rest of the world doesn't have, and if you have been given that type of access, it's irresponsible of you to denounce other products unless they've denied you similar access. What I can see is that 1Password is pushing users towards a model that's fundamentally insecure. Their web-based products require a level of trust in 1Password (the company) that none of us should be willing to place in any company. What we've learned from Snowden is that any cloud provider can be secretly made to bend to their governing body's will. Running closed-source software on our own computers involves a level of trust in the authors of that software. That's just a fact of life when software isn't open source. But when code is pushed out into the world, it can, at least, undergo some scrutiny/testing by people outside the company. This is not true of software running on the company's servers.