Hacker News new | ask | show | jobs
by huhtenberg 1869 days ago
Privacy-first finance app should really have a self-hosted option front and center. That's not even negotiable.

That's because otherwise the privacy property of the app hinges on a trust in vendor and the assumption that they won't serve some funny JS on the next page reload. The one and only way to address this is to provide a self-hosted, completely self-contained version. There's really no way around this. It's not a matter of encrypting things or storing them locally, it's a matter of divorcing yourself as a developer from users' data. Right now, it's a packaged deal.

PS. Looks very nice though. Clearly lots of thought went into the design and UX elements. This part is really well done!
2 comments
devinsit 1869 days ago
Yep, I agree. If you want perfect security and a 100% trust-less solution, then uFincs certainly isn't it.

But I like to think that, at least when put in contrast with other products on the market, choosing to do these privacy/security related things is better than not.

I elaborate on this further in our security doc (https://ufincs.com/policies/security#the-catch) and the FAQ (https://ufincs.com/faq#is-a-ufincs-a-trustless-system).

link
huhtenberg 1869 days ago
Well, the thing is that if you say "privacy-first", you are pitching to people who care about this sort of thing. For these people the fact that uFincs is not self-hosted is an instant no-go. And for people who don't see it as a problem, the privacy angle doesn't matter much either. See the disconnect? You have a good product, for sure, but the pitch needs a revision.
link
devinsit 1869 days ago
Oh I'm well aware of the disconnect. I just disagree that there are only people who care about privacy to the degree that they have to self-host everything. I believe there's room to ride the line between being 'privacy-first' (in that we care about privacy, first and foremost) and offering convenience (i.e. providing a web app).

I'm sure my customers who signed up with ProtonMail and Fastmail addresses can attest to that fact.

And for those who do fall all the way to the self-hosting side, well, there's plenty of other options on the market! Of course, there's nothing stopping us from being one of those options, it's just not our priority at this very moment.

link
fragileone 1868 days ago
Thing is anyone even passingly interested in privacy will start questioning it - is it open-source? Can it be self-hosted? Is it available as a desktop app? It's privacy theatre unless the privacy can be proven.
link
mathrando 1868 days ago
Why not team up with the ProtonMail people to build a browser extension that verifies and logs javascript sigs/hashes? Corporate clients may like it. Gives them an IOC for the next big supply chain issue.

I don't know enough about browsers or js to know if its difficult or not.

link
qshaman 1869 days ago
https://github.com/awesome-selfhosted/awesome-selfhosted#mon.... A bunch of self hosted alternatives, some of them with nice UI as well.
link
devinsit 1869 days ago
Firefly III (https://www.firefly-iii.org/) in particular is a pretty good self-hosted solution.
link