burabil (16), posted March 14, 2019:
Following your advice on this post, I have changed my password. That wasn't enough, because I had to revoke access from my devices manually via your website. Maybe you should mention that in that post.
Moreover, in the Windows version, I could still access the notes. The Windows version (6.17.6.8292 (308292) Public (CE Build ce-62.1.7539)) asked me for my password to sync my notes, but I could still access the existing ones, the ones that were downloaded before changing the password and revoking access. This seems to be a security issue in that version, because I have tried with iOS and Android and on both devices, I couldn't access my already downloaded notes, which seems to be the correct behavior to me.
I recommend that:
1. You revoke all access from all devices as soon as someone changes their password.
2. You revoke access to the existing notes if someone cannot provide the new password.
DTLow (Level 5*, 5,749), posted March 14, 2019:
It's a good point; we should revoke access to unknown devices in addition to changing our password. I'm not usually concerned about my known devices.
My understanding is that revoking access will cause devices to log off when they go online. The new password is required to log on.
EdH (Level 5*, 1,670), posted March 14, 2019:
The problem is signing off of a Windows or Mac client does not revoke access to any notes stored locally. They are largely plain text on the hard drive in their respective databases. To really make Evernote secure, it would need to both log the user off and wipe local content, similar to the Wipe Device commands available in Office 365 for mobile devices.
DTLow (Level 5*, 5,749), posted March 14, 2019:
36 minutes ago, EdH said: "They are largely plain text on the hard drive in their respective databases."
Just wondered about Windows and the "in their respective databases". Are the note contents really plain text?
I'm using a Mac and the note contents are plain text. There's a content.enml text file for each note.
dconnet (529), posted March 14, 2019:
2 minutes ago, DTLow said: "Are the note contents really plain text?"
No. It's a sqlite database.
DTLow (Level 5*, 5,749), posted March 14, 2019:
1 hour ago, dconnet said: "No. It's a sqlite database."
Assuming we're using database software, what would we see for the note contents? I'm guessing a BLOB object but I'm unable to verify. I have no ideas on viewing that kind of object.
dconnet (529), posted March 14, 2019:
It's hidden in there in some weird way, sorry, I don't remember how (the structure pre-dates me and my work has just been through our access functions).
EdH (Level 5*, 1,670), posted March 14, 2019:
3 hours ago, dconnet said: "No. It's a sqlite database."
But it isn't encrypted, right? It is just plain text in the database. So there is no inherent protection of the .exb file, or is that not correct?
And on the Mac, it is plain text in its format. I've seen the note files.
dconnet (529), posted March 18, 2019:
On 3/14/2019 at 4:34 PM, EdH said: "But it isn't encrypted, right? It is just plain text in the database. So there is no inherent protection of the .exb file, or is that not correct?"
That's correct.
CalS (Level 5*, 5,311), posted March 18, 2019:
56 minutes ago, dconnet said: "That's correct."
That's correct that that is not correct?
dconnet (529), posted March 18, 2019:
31 minutes ago, CalS said: "That's correct that that is not correct?"
It's an unencrypted sqlite database.
EdH (Level 5*, 1,670), posted March 18, 2019:
2 hours ago, CalS said: "That's correct that that is not correct?"
Yes.
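Added example, not part of the original thread and not Evernote's code: a Python check of whether a local data file is an unencrypted SQLite database, the condition the posts above describe for the Windows .exb file. It reads only the file header and a leading sample; the function names, the constructed sample files and the 7.5 bits/byte threshold are assumptions made for illustration.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file
HIGH_ENTROPY = 7.5  # bits/byte; assumed threshold for "looks encrypted or compressed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify_store(path: str, sample_size: int = 65536) -> dict:
    """Classify a local data file from its header and a leading sample only."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    result = {"entropy": round(shannon_entropy(sample), 2), "page_size": None}
    if sample.startswith(SQLITE_MAGIC) and len(sample) >= 18:
        # Header bytes 16-17 hold the page size, big-endian; the value 1 means 65536.
        size = int.from_bytes(sample[16:18], "big")
        result["page_size"] = 65536 if size == 1 else size
        result["verdict"] = "plaintext-sqlite"
    elif result["entropy"] >= HIGH_ENTROPY:
        result["verdict"] = "high-entropy"  # consistent with encryption, not proof of it
    else:
        result["verdict"] = "unrecognised"
    return result


def demo() -> dict:  # builds two constructed files in a temp dir and classifies them
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "constructed_plain.db")
        conn = sqlite3.connect(plain)
        conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO notes (body) VALUES ('constructed sample note')")
        conn.commit()
        conn.close()
        opaque = os.path.join(tmp, "constructed_opaque.bin")
        with open(opaque, "wb") as fh:
            fh.write(os.urandom(65536))  # stand-in for an encrypted store
        return {"plain": classify_store(plain), "opaque": classify_store(opaque)}


if __name__ == "__main__":
    print(demo())
```

A `plaintext-sqlite` verdict means the file can be opened by anything that can read it, independent of the account password; disk encryption and OS account permissions are then the only protection for cached content.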
Archived
This topic is now archived and is closed to further replies.