Evernote attachment security?


Hi all, I am seeing a lot of discussion and concern expressed by some users of Craft and Amplenote regarding attachment storage. I don’t really understand it but it seems the nature of the storage is that attachments have a randomly generated link that would be accessible to people who knew it. Security by obscurity they are calling it. Now the chances of anyone finding the links is naturally very low but the possibility they could be found is concerning some.

How does Evernote handle attachments? Is it the same method? 

Asking out of curiosity to see how different services handle attachments. If I’m honest the idea they could be found isn’t one I’m thrilled by, how many things did we think couldn’t happen and somehow folks with bad motives find a way. 

Link to comment
  • Level 5

The following link was pointing to a note. I have changed it in 3 positions. You just need to convert these 3 characters back to make it work.

https://www.evernote.com/shard/s747/sh/78e30678-cbb5-4103-91ad-515da1a829b1/1s5xEVM7aj1HORR_YIETzMPEmuJKCOc63PfqLm-_wmfquVfzduNzQ20h0A

Just 3 positions exchanged, you got all the rest already working. Try to guess it!

OK, this is guessing 3 out of 95. If you want to do it randomly, you need to create 95 characters - and hope you got each one right.

 

Don't panic! Walk to the lifeboats calmly. Women and children first. Orchestra, please keep on playing!

Link to comment
  • Evernote Expert

To be honest, the weakest link in the storage of note attachments is likely to be the user's device. Anyone able to break into your device then has access to your data. Attachments are held locally as PDFs or whatever with a long random name.

Hacking into your data on the servers really isn't a likely weak point. More likely would be unauthorised access to your account via a phishing attack or similar.

Link to comment

I think the concern is Amplenote does not encrypt attachments at rest. As far as I am aware EN attachments are encrypted at rest i.e. on the server. This is different from zero knowledge as Evernote holds the encryption keys rather than the user. Amplenote encrypts note content at rest but not attachments. I couldn't possibly imagine using a service such as Amplenote that claims to focus on security but leaves out such a critical piece.

  • Like 1
Link to comment
11 hours ago, mackid1993 said:

I think the concern is Amplenote does not encrypt attachments at rest. As far as I am aware EN attachments are encrypted at rest i.e. on the server. This is different from zero knowledge as Evernote holds the encryption keys rather than the user. Amplenote encrypts note content at rest but not attachments. I couldn't possibly imagine using a service such as Amplenote that claims to focus on security but leaves out such a critical piece.

Thanks, that makes more sense! I was reading the concern and thinking what on earth, is this normal. I’m not sure about Craft's policy for attachments - there are similar questions and concerns being asked there, some of my attachments are quite private, PDFs of meetings or scans of medical letters (they are stored in Evernote tho), so I would want to know that people couldn’t be finding some odd back door into them.

Link to comment

I think there would also be an authorisation check as well so if anyone guessed a URL there would be a check to see if they had permission to view it... being logged into the correct account for example.

Link to comment
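The difference between a link that is the only secret and a link backed by the authorisation check described in the post above, as an added example (not part of the thread and not Evernote's, Craft's or Amplenote's code). The store, function names and user names are hypothetical and constructed for illustration.

```python
import secrets

# Constructed in-memory attachment store: token -> record. All names are hypothetical.
ATTACHMENTS = {}


def store_attachment(owner, data, shared_with=()):
    """Save an attachment under a 256-bit random, URL-safe token."""
    token = secrets.token_urlsafe(32)  # drawn from the OS CSPRNG, 43 characters
    ATTACHMENTS[token] = {
        "owner": owner,
        "shared_with": set(shared_with),
        "data": data,
    }
    return token


def fetch_link_only(token):
    """Model 1: the link is the only secret, so any holder of it gets the file."""
    record = ATTACHMENTS.get(token)
    return record["data"] if record else None


def fetch_with_authz(token, session_user):
    """Model 2: the link only locates the file; the signed-in user must be allowed."""
    record = ATTACHMENTS.get(token)
    if record is None or session_user is None:
        return None
    allowed = session_user == record["owner"] or session_user in record["shared_with"]
    # Denied requests get the same answer as unknown links, so a caller
    # cannot tell whether a guessed link exists.
    return record["data"] if allowed else None


if __name__ == "__main__":
    link = store_attachment("alice", b"medical-letter.pdf", shared_with={"bob"})
    # Constructed scenario: the link ends up somewhere it should not
    # (a forwarded e-mail, a shared screenshot, a proxy log).
    print("link only, no login:", fetch_link_only(link))
    print("authz, no login:    ", fetch_with_authz(link, None))
    print("authz, other user:  ", fetch_with_authz(link, "mallory"))
    print("authz, shared user: ", fetch_with_authz(link, "bob"))
```

Under the first model the random token has to stay secret forever; under the second, a leaked or guessed link is useless without a session that is permitted to read the attachment.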
14 hours ago, WilliamL said:

Thanks, that makes more sense! I was reading the concern and thinking what on earth, is this normal. I’m not sure about Craft's policy for attachments - there are similar questions and concerns being asked there, some of my attachments are quite private, PDFs of meetings or scans of medical letters (they are stored in Evernote tho), so I would want to know that people couldn’t be finding some odd back door into them.

I was misinformed. I spoke with Amplenote's developers. They host their attachments with AWS and they are encrypted at rest on the server much like Evernote uses Google Cloud.

Link to comment
