
(Archived) Is anyone worried about our data not being stored encrypted?



As I understand it, whatever we put into online notebooks in Evernote is stored unencrypted on the Evernote servers. I know Evernote says that their servers are very well protected, but our data is still available to a good hacker or thieves, should they decide to raid the data center. Not to mention, if you're a tin-foil-hat kinda guy, how the government is looking into your personal notes on a weekly basis :D

I'm only bringing this up because I've started to look at online backup services such as Mozy, Backblaze, iDrive etc. All of them of course store your data encrypted, but some of them also allow you to define your own private encryption key, meaning the key never leaves your head/source computer. It also means that if you forget the key, your backup data is lost. It's a risk (if you forget/lose the key) but it gives better security.

So that made me think about Evernote. The only thing between all my personal notes, invoices, top secret missile defense intelligence and to-do lists, and the outside world is my username and a password - a password which I think is not even needed if somebody has physical access to Evernote servers. I do encrypt notes that have sensitive information but it's too cumbersome having to encrypt everything that you'd rather not have 'out there'.

(I'm not paranoid - but I'm also not totally confident about putting everything 'out there' without encryption).

What do you think, do you worry about it or not?

Link to comment

Well (and I'm not wanting to trivialize anything) in my case the answer is 'no'; and I have a whole range of tin-foil bonnets, which get changed according to mood and season and the vagaries of fashion.

Link to comment

This has been already discussed at great length. Please read this thread:

viewtopic.php?f=30&t=9583&hilit=wide+open+databases#p37565

In a nutshell, EN is not a backup service, like the ones you mentioned.

In order for them to index your notes, they need to know what the notes say. That cannot be done if the data is encrypted & they don't have the password.

Per the thread linked above, if you have any notes that contain sensitive information, you should either encrypt the sensitive text on that note or not put it in a sync'd EN notebook.

Link to comment

In order for them to index your notes, they need to know what the notes say. That cannot be done if the data is encrypted & they don't have the password.

I would like to debunk this myth. I know that "we can't encrypt your data otherwise we couldn't search it" is the company line. But it's not true.

For instance, Mint.com and Yodlee both store millions of records of customer bank transactions. And they also store them in an encrypted fashion. Yet they allow me to log in and search my transactions. See, e.g. http://www.thetaoofmakingmoney.com/2006/10/04/51.html. (Note that Mint.com uses Yodlee as its backend, so Yodlee transaction storage is the same as Mint.com storage).

How is this possible? Well, I couldn't find it on their sites, but I can think of 2 possibilities:

1. they could decrypt your entire datastore at the time of your login, or at any time that the search index needs to be updated (i.e. when you add or change a record)

2. they could decrypt just the search index when you log in; and decrypt any accessed data as needed; and have a search scheme that allows them to update the search index when you change a record without needing to decrypt your entire data store first.

Those are just off the top of my head -- there could be other solutions. The point is that websites DO exist that provide both secure data storage AND searching -- so the two are not mutually exclusive.

Link to comment
The point is that websites DO exist that provide both secure data storage AND searching -- so the two are not mutually exclusive.

I can't speak to your examples. But I do know that my offsite backup option (Jungle Disk) does allow you to add an encryption key. It's not stored on their site anywhere & so they warn you, if you forget it, your data is G. O. N. E. gone.

Perhaps Yodlee's "multiple rotating keys" are a technology that is pretty much required for a financial institution (b/c computer noob customers are going to be plenty peeved if they can never recover their data?) but is too costly for other ventures such as Jungle Disk & Evernote.

Link to comment

No matter how secure a site is, there is always someone who wants more. For instance, a commenter said the following about Yodlee:

"I’d feel a little better if there was a security key (USB dongle that is unique and time-coded) that I must posess even to access my password-protected the Yodlee system (doesn’t American Express offer these?). This is called multi-factor authentication (am I really who I say I am?) Yodlee appears to use only a password to protect all my passwords. If it lacks any added security factor, Yodlee security falls way short of state of the art."

(http://www.thetaoofmakingmoney.com/2006/10/04/51.html)

On the latest Evernote podcast (#18) Andrew Sinkov, the Evernote VP of Marketing, said he stores his tax returns on Evernote. He said it could be kept local, but he prefers to keep it sync'd via the server.

Link to comment

Yes, "can't search encrypted content" is an intentionally abbreviated reply. The longer version would be:

If a server has access to encrypted data, and access to the keys required to decrypt that data (for searching, display on the web, etc.), then anyone who successfully attacks that server has access to your data. If someone can gain control of that server, then the encryption has absolutely no value (other than making things slightly inconvenient). The attacker can make the server decrypt the data and read whatever she wants.

Meaningless encryption offers the illusion of security, which is frequently more dangerous than intentionally and transparently omitting encryption.

The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys. This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc. If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key).

This is actually what we do for the "encryption" feature within Evernote ... if you select some text in a note and encrypt it, that is encrypted with your passphrase, and Evernote does not have any secret "back door" to read your encrypted data. This is why you can't search for the contents of encrypted regions from the web ...

I.e. you're talking about an opaque file storage service, like one of the secure backup services. Not "Evernote." While these sorts of services have their place, that's not what Evernote's consumer service aims to be.

Link to comment

Dave, thanks for the additional information. I've been adding your comments to my Evernote program.

In addition to what you said above, I have the following bullet points that help give some additional insight into the data control systems you are using.

* Evernote mitigates these risks through a layered set of security policies and technologies.

* Your login information is only transmitted to the servers in encrypted form over SSL, and your passwords are not directly stored on any of our systems.

* There's no uber-index of contents of accounts ... we maintain separate user search indices of each user on decentralized storage with no cross-access between individual servers.

* Like a secure banking site, we encrypt the connections via SSL so that someone on your network can't see your data go by. Your checking balance is not encrypted in your bank's databases, however, and your notes are not encrypted within Evernote.

* Our Privacy Policy and Terms of Service restrict what we can (and would) do with your data ... in particular, we have never (and will never) give your own data to other parties.

* When you add a note to the service, it is secured like your email would be at a high-end email provider. This means that your notes are stored in a private, locked cage at a guarded data center that can only be accessed by a small number of Evernote operations personnel.

* Physical access to all storage (online and offline-backup) requires multiple authentication factors in protected facilities, and is restricted to only the four full-time IT/Operations staff that maintain the servers.

* Even Phil, the CEO, doesn't have passcards and keys to the data center. Security policy says that the departure of any such staff will result in full rekey and change of all passwords, etc.

* Administrative maintenance on these servers can only be performed through secure, encrypted communications by the same set of people. All network access to these servers is similarly protected by a set of firewalls and hardened servers.

* If you have some notes that you only want to access from a single computer, you can place these into a "Local Notebook" on our Windows or Mac client. Notes in a Local Notebook are never transmitted to our service, so they aren't accessible from the web, or from your other computers.

And from Phil Liben:

Full HTTPS encryption is one of the benefits of an Evernote Premium account. Premium users have all of their data (logins and data transfer) automatically encrypted with HTTPS. Free users get HTTPS for logins but normal HTTP for other data. It's expensive for us to encrypt all data transfer (especially all the images), so we can only afford to do it for premium users.

Link to comment

The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys.

OK, except that of course you could store numerous small blobs, instead of one big one.

This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc.

Why? Why not just ask for the password when you get to the webpage? At that time, the server can decrypt a few of the small blobs that are needed for display (e.g. the note title list, the notebook list, and the search index).

This is the way it worked when I worked on a website that securely stored user records -- we just decrypted records as-needed using a customer-provided password. Of course, you cache the decryption key for the duration of the session so that you can decrypt more blobs of data without asking for a password over and over. That's why Bank of America's website times out -- because they have cached your key and want to know when to release it. (BofA also uses Yodlee).

If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key).

Right.

I.e. you're talking about an opaque file storage service, like one of the secure backup services. Not "Evernote." While these sorts of services have their place, that's not what Evernote's consumer service aims to be.

Nope. I'm talking about yodlee.com, mint.com, bankofamerica.com, etc: all websites that are (a) secure; (b) store your data in encrypted form; and (c) provide robust search capabilities.

Link to comment
No matter how secure a site is, there is always someone who wants more. For instance, a commenter said the following about Yodlee:

"I’d feel a little better if there was a security key (USB dongle that is unique and time-coded) that I must posess even to access my password-protected the Yodlee system (doesn’t American Express offer these?). This is called multi-factor authentication (am I really who I say I am?) Yodlee appears to use only a password to protect all my passwords. If it lacks any added security factor, Yodlee security falls way short of state of the art."

(http://www.thetaoofmakingmoney.com/2006/10/04/51.html)

On the latest Evernote podcast (#18) Andrew Sinkov, the Evernote VP of Marketing, said he stores his tax returns on Evernote. He said it could be kept local, but he prefers to keep it sync'd via the server.

The time coded USB dongle may be similar to a thingie we have at work for creating direct deposit entries. Everyone who is authorized to access this capability has a "token" that is issued by the bank. The token changes the key every few minutes. When you log in, you must not only provide your login & password, but the key that's currently displayed on the token. IOW, just because someone may have your login & password doesn't mean they can gain access b/c they also need the key from the token that changes every 2-3 minutes 24/7. AND...the token is tied to your login. So if I don't have my token, I can't use my login & my co-worker's token. That's tantamount to entering a valid login with an invalid password. Again, a technology that's viable for a financial institution.

FWIW, as much as I love & use EN, I would not, could not store my tax returns in an EN sync'd notebook. Sam I am.

I think password encrypted PDFs may be ok...but I've not explored that option, since I have been utilizing other methodologies that work for me. If I felt comfortable with password encrypted PDFs, I would not mind storing them in EN sync'd notebooks.

Link to comment
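The rotating-code token described in the post above is, in its now-standard form, a TOTP device (RFC 6238): an HMAC over a time counter, truncated to a short decimal code, with one secret per enrolled user. The following is an added example, not code from the post or from any bank's product. The user names, passwords, salts and the second token secret are constructed for the example; the first token secret is the RFC 6238 test-vector seed, and the `step` parameter stands in for the "changes every 2-3 minutes" interval (RFC default is 30 seconds).

```python
"""Two-factor login with a time-based one-time code (RFC 6238 TOTP).

The point of the last `login` check: the code is verified against the
secret enrolled for *this* user, so a valid password plus a colleague's
token is a failed login, exactly as the post describes."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side (clock drift),
    comparing in constant time so timing does not leak partial matches."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, c, len(code)), code)
               for c in range(counter - window, counter + window + 1))


def _enrol(password: str, salt: bytes, token_secret: bytes) -> dict:
    # Server-side record: salted password hash plus the token's shared secret.
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": token_secret}


# Constructed enrolment table (assumed names/passwords; not real accounts).
USERS = {
    "alice": _enrol("alice-pass", b"salt-alice", b"12345678901234567890"),  # RFC seed
    "bob": _enrol("bob-pass", b"salt-bob", b"abcdefghijklmnopqrst"),
}


def login(user: str, password: str, code: str, at: int, step: int = 30) -> bool:
    """Both factors must pass; the code is bound to the named user's secret."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 50_000)
    pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])
    return pw_ok and verify_totp(rec["totp_secret"], code, at, step)


if __name__ == "__main__":
    now = 1111111109                      # RFC 6238 test time, so the code is reproducible
    alice_code = totp(USERS["alice"]["totp_secret"], now)
    bob_code = totp(USERS["bob"]["totp_secret"], now)
    print("alice's token shows", alice_code)
    print("alice + her own token:", login("alice", "alice-pass", alice_code, now))
    print("alice + bob's token:  ", login("alice", "alice-pass", bob_code, now))
```

Two details matter in practice: the server must keep the token secrets as carefully as password hashes (they are symmetric, so a leaked table lets an attacker mint codes), and the acceptance window should be small and each code accepted only once, or a captured code can be replayed within the window.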
Well (and I'm not wanting to trivialize anything) in my case the answer is 'no'; and I have a whole range of tin-foil bonnets, which get changed according to mood and season and the vagaries of fashion.

I just caught that...

Link to comment

dan7000 - encrypting your data with your password means that if you forget your password, the data is permanently unrecoverable.

If a web service allows you to change your password once you've forgotten the old one (e.g. by supplying an email address), then they are absolutely not doing what you describe. For example, the Bank of America does have access to your banking, regardless whether you forget your password (or even if you never log in to their site). They use normal databases (non-encrypted) and then protect those databases carefully.

We've chosen to build a service for people that allows you to access your memories for years and years, rather than discarding all of those memories if you ever forget your password. There were 4575 requests to our "forgot password" page yesterday (a Sunday), and we don't plan to tell all of those people "sorry, your data is now lost forever."

You can, of course, just use Local notebooks and then back up your whole database with one of those "encrypted backup" services if that's really the way you want to use Evernote.

Link to comment
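The two posts from Dave Engberg above (the first on why server-held keys are "meaningless" encryption against an attacker who controls the server, the second on why a password-reset path proves the service can read the data) and dan7000's counter-proposal of decrypting with a session-cached key are really one design choice: who holds the key. The following added example, not code from Evernote, Yodlee or any poster, puts both models side by side in standard-library Python. The cipher is an assumption of the example: HMAC-SHA256 used as the PRF in counter mode with a separate HMAC tag (encrypt-then-MAC), a sound construction chosen only so the block needs no third-party package; production code would use AES-GCM. Note text, passphrase and key sizes are constructed.

```python
"""Model A: the service holds the key (can index, render on the web and
survive a forgotten password; anyone who controls the server reads it all).
Model B: the client derives the key from the passphrase (server stores
opaque blobs; no server-side search, no password recovery)."""
import hashlib
import hmac
import os
import secrets

NONCE_LEN, TAG_LEN = 16, 32

# Stand-in cipher (assumption of this example, stdlib only): HMAC-SHA256
# in counter mode plus an HMAC tag over nonce||ciphertext. Use AES-GCM in
# real code.


def _subkeys(key):
    return (hashlib.sha256(b"enc:" + key).digest(),
            hashlib.sha256(b"mac:" + key).digest())


def _keystream(enc_key, nonce, length):
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ServerKeyStore:
    """Model A: encrypted at rest, key held by the service."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # lives on the server
        self._notes = {}                      # note id -> ciphertext
        self._index = {}                      # word -> note ids (server saw the plaintext)

    def add_note(self, note_id, text):
        self._notes[note_id] = encrypt(self._key, text.encode())
        for word in set(text.lower().split()):
            self._index.setdefault(word, set()).add(note_id)

    def search(self, word):
        return sorted(self._index.get(word.lower(), set()))

    def read(self, note_id):
        return decrypt(self._key, self._notes[note_id]).decode()

    def reset_password(self):
        return True   # key is not tied to the password, so a reset loses nothing


def dump_as_server_attacker(store):
    """Control of the server is control of the key: at-rest encryption is
    no obstacle to this attacker, whatever index scheme sits on top."""
    return {nid: decrypt(store._key, ct).decode() for nid, ct in store._notes.items()}


class PassphraseStore:
    """Model B: key derived client-side; the server only sees (salt, blob)."""

    def __init__(self):
        self._blobs = {}

    @staticmethod
    def derive_key(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def client_put(self, note_id, passphrase, text):
        salt = os.urandom(16)
        self._blobs[note_id] = (salt, encrypt(self.derive_key(passphrase, salt), text.encode()))

    def client_get(self, note_id, passphrase):
        salt, blob = self._blobs[note_id]
        return decrypt(self.derive_key(passphrase, salt), blob).decode()

    def server_search(self, word):
        return []   # no key, no plaintext and no index on the server

    def reset_password(self):
        raise PermissionError("no key on the server: a forgotten passphrase means the data is gone")


def demo():
    note = "2008 tax return, account 4711"     # constructed sample note
    a = ServerKeyStore()
    a.add_note("n1", note)
    b = PassphraseStore()
    b.client_put("n1", "correct horse battery staple", note)
    try:
        b.client_get("n1", "wrong passphrase")
        recovered = "decrypted"
    except ValueError:
        recovered = "unrecoverable"
    return {"server_key_search": a.search("tax"),
            "server_key_leak": dump_as_server_attacker(a),
            "client_key_search": b.server_search("tax"),
            "client_key_read": b.client_get("n1", "correct horse battery staple"),
            "client_key_wrong_passphrase": recovered}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the trade-off in one table: Model A searches and survives a reset but `dump_as_server_attacker` returns every note in clear; Model B returns nothing to a server-side search, reads correctly with the right passphrase, and raises on the wrong one, which is also what a "forgot password" request would hit. Caching a passphrase-derived key in a server session (dan7000's proposal) sits in between: while the session is open the server is Model A, and once it ends the server is back to Model B with no reset path.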

I'm a brand new user of Evernote, and one of my concerns has been the lack of encryption.

However, I certainly do NOT need all my notes encrypted--far from it! Maybe only 1% to 5% would actually need real encryption.

But for those things that really do need to be encrypted, how do I do it? Is there a feature built into Evernote that will allow you to encrypt a note? I know Microsoft has that feature in their OneNote 2010 product (which I'm beta testing) and I really love being able to use encryption when needed.

And yes, I do have an online backup service I use that is 100% encrypted, but it's just a backup service.

Any help you can provide would be appreciated. Thank you.

Link to comment
I'm a brand new user of Evernote, and one of my concerns has been the lack of encryption.

However, I certainly do NOT need all my notes encrypted--far from it! Maybe only 1% to 5% would actually need real encryption.

But for those things that really do need to be encrypted, how do I do it? Is there a feature built into Evernote that will allow you to encrypt a note? I know Microsoft has that feature in their OneNote 2010 product (which I'm beta testing) and I really love being able to use encryption when needed.

And yes, I do have an online backup service I use that is 100% encrypted, but it's just a backup service.

Any help you can provide would be appreciated. Thank you.

The search function is your friend.

search.php?keywords=encrypt&terms=all&author=engberg&sc=1&sf=all&sr=posts&sk=t&sd=d&st=0&ch=300&t=0&submit=Search

Link to comment

G_a_c ... select text that you want to protect within any of your notes and then you can right-click to Encrypt Selected text.

I use this to encrypt passwords, social security numbers, etc.

Link to comment

This topic is now archived and is closed to further replies.