So I have used the E2EE chat app Signal, a password manager like LastPass, and the encrypted ProtonMail for a year.
At first, I trusted what I had been told: client-side, local encryption, etc.
While trying to get a better understanding of the term "open source", I found it a bit confusing, and I do not seem to be able to get an answer, and I have started to wonder whether my trust was offered too easily.
When one says an app or service is open source, I understand that the source code can be accessed by the public, and that the code is free to be used, modified, etc. One of my concerns lies in the first part: when the code is open to the public, everyone can audit it and find problems or vulnerabilities.
Of course that is good, but how can one be sure that the open source app, take Signal as an example, submits to the Apple App Store exactly the same software generated from the source code? Is there any way to confirm? Because I think one of the benefits of opening the code is that you do not need to trust the publisher at all; you can verify yourself. But if there is a part of the process where the publisher can cheat, it just ruins the whole magic.
And, say it runs on iOS or Windows: if the code of the OS is not fully disclosed, as it is for Linux, does that mean that however robust the security and encryption of the software is, the OS can still find a way to cheat, and there is still a link in the chain of "trust" resting on the OS itself? I just do not want to be paranoid, but suppose there is some hidden agenda in iOS or Windows; would they be able to undermine all the hard work done by these apps?
I understand there is a difference between source code and binary code. But for any proprietary software like LastPass or Dashlane (of course neither is open source, but I am not sure whether they have disclosed their code, especially on the front end), the software downloaded onto the computer is already the binary code.
At the same time, if I access those vaults with a browser, at least I can right-click and inspect the element, go through the source code, and since all encryption is done on the client side, there is no way for them to cheat (I am not sure). Does that mean that using the web to access them is more "cheat proof" than using an app, which you cannot verify unless they release the source code and leave you to compile it yourself?
I am a bit lost here. On one hand, those "zero knowledge", open source, and disclosed-source (via the webpage) services that do all the encryption on the front end are trying to tell the customer: you do not need to trust me, just go and check the code.
But it seems there is still so much trust that has to be placed in using those services, believing that they will uphold those claims and that no other party (like the OS) would try to interfere with them. I also find those concepts making me a bit dizzy.
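The "is there any way to confirm?" part of the question above has a concrete answer for platforms that support reproducible builds: you build the app yourself from the published source in the documented build environment, then compare your archive with the one the store distributed, entry by entry, ignoring only the publisher's signature files (which you cannot reproduce without their private key). The script below is an added example written for this post; it is not the original poster's code and not Signal's or any vendor's own tooling. Both "APKs" are constructed in memory here so the example runs offline, and the assumption that the publisher uses a JAR-style (v1) signature is what makes the META-INF exclusion list meaningful: APK v2+ signing blocks sit outside the zip entries and would not show up in an entry-level comparison at all.

```python
"""Compare a locally built archive with a published one, entry by entry.

Added example for the question above (not the poster's code, and not
Signal's or any vendor's own tooling). The two archives are constructed
in memory; a real check would read the store-distributed file and the
file you built from source in the documented build environment.
"""
import hashlib
import io
import zipfile

# Entries that legitimately differ: the publisher's JAR (v1) signature.
# Assumption: v1-style signing. APK v2+ signing blocks live outside the
# zip entries entirely, so this comparison never sees them.
SIGNATURE_PREFIXES = ("META-INF/",)
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith(SIGNATURE_PREFIXES) and name.endswith(SIGNATURE_SUFFIXES)


def entry_digests(archive: bytes) -> dict[str, str]:
    """Map each non-signature entry name to the SHA-256 of its content.

    Only content is hashed, so zip metadata (timestamps, ordering) does not
    count; a real reproducible build also needs a deterministic toolchain
    so that the content itself comes out byte-identical.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_archives(local: bytes, published: bytes) -> dict[str, list[str]]:
    """Report entries missing on either side and entries whose bytes differ."""
    a, b = entry_digests(local), entry_digests(published)
    return {
        "only_in_local": sorted(set(a) - set(b)),
        "only_in_published": sorted(set(b) - set(a)),
        "different": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def archives_match(local: bytes, published: bytes) -> bool:
    return not any(compare_archives(local, published).values())


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive with a fixed timestamp (deterministic metadata)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample data: what a from-source build might contain ...
SOURCE_BUILD_ENTRIES = {
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "resources.arsc": b"\x02\x00\x0c\x00" + b"R" * 32,
    "AndroidManifest.xml": b"<manifest package='org.example.chat'/>",
}
PUBLISHER_SIGNATURE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + b"S" * 40,
}
LOCAL_BUILD = build_zip(SOURCE_BUILD_ENTRIES)
# ... the publisher's copy: identical content plus their signature files ...
PUBLISHED_OK = build_zip({**SOURCE_BUILD_ENTRIES, **PUBLISHER_SIGNATURE})
# ... and a copy whose code is not what the published source produces.
PUBLISHED_TAMPERED = build_zip({
    **SOURCE_BUILD_ENTRIES,
    **PUBLISHER_SIGNATURE,
    "classes.dex": b"dex\n035\x00" + b"A" * 63 + b"B",
    "assets/extra.bin": b"not in the source tree",
})

if __name__ == "__main__":
    print("clean copy matches:", archives_match(LOCAL_BUILD, PUBLISHED_OK))
    print("tampered copy:", compare_archives(LOCAL_BUILD, PUBLISHED_TAMPERED))
```

Two caveats a practitioner would add. First, this only answers the narrow question of whether the shipped binary is what the published source produces; it says nothing about the operating system underneath, which the post also raises, and a reproducible build on a platform you cannot inspect still leaves that link in the chain. Second, the check is practical on Android, where you can obtain the distributed archive as a file; App Store binaries are encrypted and re-signed by Apple, so the iOS case the post asks about does not offer the same straightforward comparison.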