Homepage    |    GitHub    |    API    |    FAQ

Secure upload with E2EE - don't bet the farm on it (yet)

Joplin is open source, and it has been reviewed (at least once). That is good. But before you put these very personal data of yours into your notes and have them upload to the server you love, read this care fully and think again.
Bruce Schneier on open source

Why does this matter ? because reviewed, screened and virus-checked or not, every time the open source code is changed, this invalidates the last security review. And no review would anyway detect malware inside the code libraries used to build Joplin.
So don't bet the farm on E2EE. The next time you update your joplin app, the upload may go elsewhere than expected. Joplin is a great tool, but understand the limitations. It is certainly good for 95% of your private notes. The rest belongs somewhere else.

Open source doesn't mean it's more secure, it means it can be independently audited. And every time someone changes the code, it can be seen in the commits. That's the only promises that can be made.

Beyond that, security is achieved like in any project, commercial or not. We follow good security practices, we listen to security researchers who contact us and provide vulnerability PoC, we add test units to ensure there's no regressions, etc.

For having worked on both open source and commercial projects, I would argue that open source projects are generally more secure because their source code is more visible. In old ugly entreprise web services, you'll have stuff like MD5 to hash passwords, cache that hold private user data, logs with passwords, etc. No-one knows about it because it's closed source. Developers occasionally will look at all that with horror, but it will be low priority for management - as long as they don't get government mandated audits, they don't care much.

That won't happen in an open source project because any blatant security issue like this will result in a GitHub issue with thousands of comments, discussions about on Reddit, Hacker News and elsewhere. So the project will either have to fix it or pretty much die because no-one will use it.


I tend to say that what you say, what Schneier says, and what I say is all perfectly compatible with each other, no statement made seems to negate or relativize (significantly) what was said by the other.