April 2022 status: The public instance list goes live


We have been talking about our project site for a while. Its main purpose is to improve communication about CryptPad (the open-source project) and to differentiate it from Cryptpad.fr (the flagship instance we administer). Last week we added an important feature to the site: the list of public CryptPad instances.

Screenshot of the updated project site. Clicking "Try CryptPad" takes visitors to the public instance list

The purpose of this list is to make the meaning of "open-source" clearer, as most people don't otherwise know or care about it: CryptPad can be hosted by anyone who likes, and they are free to offer the service, even in a commercial capacity. For us the development team, this list is also a new way for instance administrators to contribute to the project. Cryptpad.fr exists to provide financial support for development through its paid plans. Administering this instance, for example responding to support tickets, is a significant part of our workload. When a third-party instance accepts to take care of "free" users and their associated support questions it effectively helps us to dedicate more time to improving CryptPad itself for everyone.

Publishing this list is not straightforward however, especially for a privacy-focused project like CryptPad. What if we inadvertently direct people to a careless or malicious instance that puts their data at risk? To address this we put in place a set of criteria that an instance has to meet in order to be listed:

  • It has to be up-to-date with the latest version, meaning the latest security fixes will be applied
  • It has to pass a comprehensive series of tests to ensure all recommended security settings are enabled
  • Some basic information has to be provided such as the location where encrypted data is hosted and a privacy policy

In addition to this the instance administrators have, of course, to opt-in for their instance to be listed.

As of today the list is still short, with only 2 instances aside from CryptPad.fr. However we expect to see this number rise as more of the ~20 administrators who have opted in bring their instance in line with the requirements.

In addition to the list requirements, we have released two versions this month that take a stronger stance on enforcing correct configuration for all CryptPad instances. We want to prevent CryptPad from providing a false sense of security to users while being misconfigured by administrators and actually putting user information at risk. This is why from version 4.14.0 and 4.14.1 CryptPad will not work unless the security guarantees we expect are actually implemented.

Over the coming weeks we plan to add more information to the project site. Some time ago we launched a survey in which we asked people to tell us what they love about CryptPad. Their responses will be displayed on the home-page. We will also be promoting hosted instances with "Your Own CryptPad" aimed at different sectors: education, NGOs, and enterprise. These will be installed and maintained by the development team for organizations who want the benefits of their own instance.