(Archived) 5.1.1 RC


dlu

Hello Folks!

 

We have a new RC that is largely bugfixes. Two improvements that are worth testing are encryption. To you guys, there shouldn't be any change. But on our side we're now using AES-128. We also have added in rich Contact Notes for those who scan in business cards from the ScanSnap Evernote Edition.

 

 

You can join the beta track by going to Tools >> Options and checking "Update to prerelease version when available"

 

You can also get the beta here: http://cdn1.evernote.com/win5/prerelease/Evernote_5.1.1.2304.exe

Link to comment
  1. Can you confirm that if it's desired to upgrade existing notes from RC2 to AES128 that Encryption needs to be turned off and then back on (for each encrypted instance)?

 

It'd be nice to think EN has replaced the worse-than-useless RC2 encryption, but I suspect dlu means the client to server encryption.

 

I'll be glad to be wrong though.

Link to comment
  • Can you confirm that if it's desired to upgrade existing notes from RC2 to AES128 that Encryption needs to be turned off and then back on (for each encrypted instance)?
 

It'd be nice to think EN has replaced the worse-than-useless RC2 encryption, but I suspect dlu means the client to server encryption.

 

I'll be glad to be wrong though.

Now that you mention it, it does read that way.

What would there be to test then on the client side?

And I remain perplexed on why limit the client to a specific SSL transport cipher?

On the Evernote server side they support (apart from ECDH for forward secrecy) a full range of ciphers.

Yes they prefer AES to RC4, but moreover the server side prefers AES256 not 128.

So to make the narrative fit, while the client side has the full OpenSSL library at its disposal, they would be limiting it to a single cipher, rather than the usual SSL negotiation of best available?

Link to comment

The AES-128 encryption is in the client. To update it, you should update the text you have encrypted. For example if you encrypted "1234" you can decrypt it and change it to "1234-" or something similar, and upon re-encrypting the client will use AES-128.

Link to comment
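
As an added example (not part of dlu's post and not Evernote's own code): because each encrypted span has to be re-encrypted individually, this script audits an exported `.enex` file for spans still on the old cipher. It assumes ENML's `<en-crypt>` element carries `cipher`/`length` attributes that default to RC2/64 when absent; the sample export and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample export (not real data). Assumption: encrypted spans are
# <en-crypt> elements whose cipher/length attributes default to RC2/64.
SAMPLE_ENEX = """<en-export>
  <note><title>Router login</title>
    <content><![CDATA[<en-note>admin <en-crypt hint="pet" cipher="RC2" length="64">AAAA</en-crypt></en-note>]]></content>
  </note>
  <note><title>Bank PIN</title>
    <content><![CDATA[<en-note><en-crypt cipher="AES" length="128">CCCC</en-crypt></en-note>]]></content>
  </note>
  <note><title>Old note</title>
    <content><![CDATA[<en-note><en-crypt>BBBB</en-crypt> and <en-crypt cipher="AES" length="128">DDDD</en-crypt></en-note>]]></content>
  </note>
  <note><title>Shopping</title>
    <content><![CDATA[<en-note>milk</en-note>]]></content>
  </note>
</en-export>"""

# Regexes are used on the note body so HTML entities in real ENML do not
# break an XML parser; only the outer export file is parsed as XML.
CRYPT_TAG = re.compile(r"<en-crypt\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def audit_enex(enex_text):
    """Return {title: [(cipher, bits), ...]} for notes with encrypted spans."""
    report = {}
    for note in ET.fromstring(enex_text).iter("note"):
        title = note.findtext("title", default="(untitled)")
        body = note.findtext("content", default="")
        spans = []
        for match in CRYPT_TAG.finditer(body):
            attrs = dict(ATTR.findall(match.group(1)))
            cipher = attrs.get("cipher", "RC2").upper()   # assumed default
            bits = int(attrs.get("length", "64"))         # assumed default
            spans.append((cipher, bits))
        if spans:
            report[title] = spans
    return report

def needs_reencryption(report):
    """Titles of notes with at least one span that is not AES with >= 128 bits."""
    return sorted(title for title, spans in report.items()
                  if any(c != "AES" or b < 128 for c, b in spans))

if __name__ == "__main__":
    print(needs_reencryption(audit_enex(SAMPLE_ENEX)))
```

A note with several encrypted spans is flagged until every span has been edited and re-encrypted.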

The AES-128 encryption is in the client. To update it, you should update the text you have encrypted. For example if you encrypted "1234" you can decrypt it and change it to "1234-" or something similar, and upon re-encrypting the client will use AES-128.

 

That's excellent news, thanks.

Link to comment

Hi dlu. This may be related to the latest release, can't tell what it's all about: http://discussion.evernote.com/topic/51953-whats-the-function-of-updated-from-social-search/. You get it by right-clicking on a note in the note list, but the last two entries don't appear to do anything.

Thanks! Just commented on that thread. You should only see those options for "Contact Notes"

Link to comment

The AES-128 encryption is in the client. To update it, you should update the text you have encrypted. For example if you encrypted "1234" you can decrypt it and change it to "1234-" or something similar, and upon re-encrypting the client will use AES-128.

 

Thanks.

 

There's an apparent security hole with the client-side encryption, in that sync may store an un-encrypted version in the history if it happens while the text is un-encrypted. (This is obviously also an issue when a note is created but not yet encrypted.)

 

How do you recommend to ensure this doesn't happen? Trigger a manual sync first?

 

Many thanks, Martin

Link to comment

 

There's an apparent security hole with the client-side encryption, in that sync may store an un-encrypted version in the history if it happens while the text is un-encrypted. (This is obviously also an issue when a note is created but not yet encrypted.)

 

How do you recommend to ensure this doesn't happen? Trigger a manual sync first?

 

EN can't know in advance that you intend to encrypt something. I could decide today to encrypt part of a note I created last week, so all those revisions of the note before I encrypt will be stored in the history unencrypted.

 

I guess by triggering a manual sync first, you're assuming that the auto-sync time counter resets so you've got at least 15 mins to enter and encrypt new text without the risk of it getting synchronised before encryption? (15 mins being the shortest period one can configure auto sync to occur.) If that's the case, this is a good idea. Can anyone tell us if the auto-sync timer resets like this?

Link to comment

Interesting problem. Does need to be resolved though otherwise it does make the encryption next to useless. They might not know what you want to encrypt ahead of time, but they do know after the fact. Encryption could flow backwards through the notes encrypting and decrypting as necessary. Is it CPU heavy? Sure, but security is meant to be thorough and history is a pro feature (so....)

 

Just thinking out loud, not providing a solution per se. 

Link to comment
Not possible to automate this, as far as I can tell; Evernote can't go back and convert old decrypted content because they don't have the decryption keys, right?

Link to comment

I never switch on the automatic sync option for several reasons:

  • encrypted text may be stored unencrypted before the encryption is performed
  • I want to sync only when all my notes are OK and verified. This way I prevent accidental note syncs with corrupted data.
  • if something goes very wrong with the data in one of my devices, I don't want my other devices to be infected with the corrupted data by auto sync.
Link to comment

Archived

This topic is now archived and is closed to further replies.
