This month's status is a bit delayed, the team has been busy dealing with urgent issues (detailed below) or being off during May bank-holiday season.

⚠️ CryptPad.fr sandbox domain flagged as malicious by “Google Safe Browsing”

We received reports that Google Safe Browsing had flagged our sandbox domain as malicious. At first this only appeared when clicking a link inside a CryptPad document to an outside site. This is because we have a confirmation step when leaving CryptPad, a security measure to protect against phishing attemps which redirects users through our sandbox domain. The warning was displayed in Google Chrome but also in other browsers that rely on Google Safe Browsing as a source for security advisories, such as Firefox.

We submitted the “detection problem” form multiple times without any effect. We held off implementing other solutions at first (changing our sandbox domain) because we feared that it would make it harder to prove that our domain was flagged in error, entering into a cat and mouse game where we would have to keep changing domains.

However after 10 days and no action from Google, we received more worrying reports. Anti-virus software was blocking access to CryptPad.fr, this time affecting the whole service instead of only link redirection. The sandbox domain is used throughout CryptPad as a security measure so it is likely that the initial advisory spread to various lists and was generalised. We decided to change the sandbox domain as an immediate fix, as some users were locked out of their drives. We were also able to submit a new request via Google's “Search Console” which was reviewed in under 12 hours, clearing our domain of any flags.

Everything is now back to normal for CryptPad.fr users. We will be making changes to the link redirection process in order to prevent this type of error from happening again. This did highlight that security measures can sometimes backfire, and that as web-app providers we are at the mercy of powerful gatekeepers.

📦 Moving out of Fosstodon to our own instance

In 2022 we had chosen Fosstodon as our home on the Fediverse after an internal debate on whether or not to run our own Mastodon instance.

In the last couple of weeks people confronted the Fosstodon admins about some problematic positions taken by a member of their moderation team. Instead of acknowledging the issue the team doubled down leading to a wave of instance administrators either de-federating straight away or announcing their intention to do so after 7 days of notice period. The Fosstodon admins have since stepped down and announced a replacement indicating a possible change of course but too little too late to stop the de-federations.

Since the start of the project, CryptPad communication have been “Fediverse first”. Mastodon is the social media that is most aligned with our values, it's also where we have our biggest community so the prospect of loosing lots of followers was a scary one. This finally pushed us over the edge to reclaim control over our communications and set up our own instance. Social.xwiki.com is our new home on the Fediverse, managed by our parent company to host us at @CryptPad@xwiki.com as well as their other open-source projects.

📢 Journées du Logiciel Libre

In April, Fabrice will be present at Journées du Logiciel Libre in Lyon (JDLL) on May 24th and 25th. He will give a talk about CryptPad and more generally talk about data privacy on the 25th at 5PM CEST. The talk will be in French.

Contrary to what have been announced last month, there won’t be any CryptPad booth this year. However, Fabrice will be present during the whole week-end if you want to talk about CryptPad.

📰 CryptPad in use & in the news

We were delighted to see our product receiving press coverage and/or being used by journalists this month.

FOSS Force article

Following the news that the United Nations have been using CryptPad Forms, Larry Cafiero had an in-depth conversation with CEO Ludovic Dubost about CryptPad.

This article has been echoed by a couple of other outlets such as It's FOSS and Slashdot.

The Linux Experiment

We're very happy to see that Nick, the host of this popular show about Linux, has started using CryptPad Forms to gather feedback from his audience.

Radio CSIRT

Many thanks to this cyber-security podcast for mentioning our latest release in their 19th April episode (in French).

XDA Developers (again)

We're delighted to see another piece from XDA about CryptPad, this time highlighting 5 reasons to use CryptPad instead of Google Docs.

Le Monde

Finally we are very happy to see journalists at Le Monde using CryptPad (once again) to share their sources for an article about drone warfare in Ukraine (in French).

🔭 Next Up

• We are still hard at work on the upgrade to OnlyOffice 8. We have hit a few blocking bugs but hope to release 2025.3.1 in the coming weeks.