Jump to content

(Archived) Dropbox vs Evernote regarding security


Recommended Posts

Posted

Security exists in at least two places...sending data and the data as it resides on the "cloud" server.

This particular post is addressing how the data is stored on a cloud server...

People tend to think Dropbox is more secure that EN. Dropbox tends (IMO) to propogate this fallacy. I've seen their blurb on security.

"All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password"

Any time a cloud service can tell you your encryption password (click "forgot password') and/or can help you restore your data, your data is NOT secure from hackers. Do you think hackers are smart enough to be able to hack into a cloud server but not smart enough to figure out where the encryption passwords are located??? Although there is no 100% security from hackers, unless the data is encrypted using a password the "host" does not have access to, then your data is not very secure from hackers. IOW, if you do not provide a second, encryption password & you are warned that if you forget it, you will not be able to recover your data, then the "host" is storing the encryption password somewhere. And hackers can get to it. That's what they do.

Jungle Disk (a TRUE backup/encryption cloud) says, if you encrypt your "bucket" & forget your password, you are SOL. They cannot help you recover your data.

Truecrypt, another TRUE encryption app, also says, if you forget your encryption password, kiss that baby good by. They cannot help you.

Evernote states any text you encrypt in Evernote notes is not indexed...same reason as above. And if you forget the password, they cannot help you recover it.

So...if you feel comfortable putting something into Dropbox (without using a WINRAR'd file or Truecrypt container or some such), then you should feel equally comfortable putting that info into Evernote.

Posted
Let me give a quick explanation of how it works:

Every file is split down into 4 MB blocks, which is then transferred to the DB servers via SSL.

This is the data transmission part - EN has recently added that for the free users & that was a contribution to this week's problems.

Once the block reaches the server, it is subsequently encrypted with it's own unique SHA-256 key (IIRC). This key is stored in the database, alongside with the hash of the block. All blocks are associated to each accounts using said hash, and when downloaded via the client or web interface it's decrypted using the previous key.

Now, as I've understood it that database is only available to the server software, not the DB team. However, it stands to reason that the DB credentials needs to be stored in a readable manner, and as such those hashes and their accompanying keys are indeed available to the database administrator.

At the risk of repeatedly repeating myself ( :) ), you think someone is smart enough to hack into Dropbox but not figure out how to retrieve the encryption passwords???

Think of the encryption password as your key to your safe deposit box.

I have to admit, IME, Dropbox really likes to talk the talk & it's really deceptive, on their part.

FWIW, I use Dropbox myself...but I don't appreciate their stance on this particular topic. I think they are intentionally trying to mislead people.

For people who are overwhelmed by this info, all you have to do is ask a very simple question. "If I forget/lose my password, will my data be lost?" If they say "no", it's not very safe from hackers. If they say "yes", it's pretty safe from hackers, provided you use a good encryption password. And be sure you keep that password someplace so you won't lose it!

Posted

Thanks, B&F.

Just to give you a little bit of a real-world perspective on this: we've had a handful of people over the years contact us to attempt to retrieve their lost encryption passwords, and the reaction was overwhelmingly positive - in the end.

However, until it really sunk in that their notes were well and truly lost unless they, themselves, remember the passwords, and that we honestly have no way of retrieving them, at all, we have been ... well, not treated with the nicest of manners.

I believe that there is a certain type of security that some people wish to have, and that may not necessarily be what other people perceive to be secure.

Posted

Zero cloud services are unhackable, the question is which ones are harder to hack, in this case EN or DB? With sufficient time and computing resources any encryption can be broken (even if its a million years its less than infinity). Is EN better? Is it good enough? Again the model needs to be (for every one) encrypt on the client, store dumb on the cloud.

  • Level 5
Posted
Zero cloud services are unhackable, the question is which ones are harder to hack, in this case EN or DB? With sufficient time and computing resources any encryption can be broken (even if its a million years its less than infinity). Is EN better? Is it good enough? Again the model needs to be (for every one) encrypt on the client, store dumb on the cloud.

a million years?

I don't think there is a large demand for military grade encryption in Evernote. The company has identified a customer niche and Evernote seems to satisfy a lot of people. And they included enough flexibility to accommodate local non-sync'd notebooks that are as secure as you want them to be and encryption ranging from word/phrase/account #/password encryption all the way to incredibly strong 3rd party encryption such as Truecrypt.

Posted
Thanks, B&F.

Just to give you a little bit of a real-world perspective on this: we've had a handful of people over the years contact us to attempt to retrieve their lost encryption passwords, and the reaction was overwhelmingly positive - in the end.

However, until it really sunk in that their notes were well and truly lost unless they, themselves, remember the passwords, and that we honestly have no way of retrieving them, at all, we have been ... well, not treated with the nicest of manners.

I believe that there is a certain type of security that some people wish to have, and that may not necessarily be what other people perceive to be secure.

You're welcome, Heather. I can imagine that the users were less than kind...but I'm glad they turned out positive, in the end. You're right in that everyone has a different comfort level when it comes to security. But it's annoying when I see people ragging on Evernote about security & then throw Dropbox up as the poster child. :D

Zero cloud services are unhackable,

I don't believe anyone has made that claim - at least certainly not on this board.

the question is which ones are harder to hack, in this case EN or DB? With sufficient time and computing resources any encryption can be broken (even if its a million years its less than infinity). Is EN better? Is it good enough?

That's not something I can answer, nor can you. I'm convinced both services have made their servers as unhackable as possible.

Again the model needs to be (for every one) encrypt on the client, store dumb on the cloud.

Not sure what "dumb on the cloud" means. But as far as encrypted data, I keep a lot of stuff in Evernote. I have over 32,000 notes. If EN servers were to get hacked, I really don't care if someone knows I clipped a bunch of Lifehacker web pages, what songs I want to buy, what size underwear my husband wears, what changes I made at work last week or gets their hands on my contact prescription, a vi editor manual, my dishwasher manual, the reviews that helped me decide which pizzelle maker to get or the work orders for my air conditioning unit.

OTOH, I don't put anything with my SSN in Evernote. I know some people do & we even have Lifelock subscriptions (the tv/radio commercial where the owner gives out his SSN.) But I do keep those in the cloud with Jungle Disk, which does allow users to encrypt the data on the JD servers.

The difference between the two is EN makes it MUCH easier to find what I'm looking for and it's easy to access on my (new!) iPhone 4g or pretty much any computer with an internet connection. Jungle Disk, OTOH, is less accessible b/c I need my encryption password to access things and there's no search option. I'm pretty good at using accurate folder & file names, so that's less of an issue. But still not as easy or fast as using Evernote. But I tend to rely upon JD more as a cloud backup in the event of a total loss (IE house fire, theft of all computer equipment including my backup drives, etc.) It even saved my soy bacon a few months ago, when a drive crashed & my local backup drive had not been updated in a few months. (Jungle Disk runs every night.)

  • 4 months later...
Posted

Dave & Heather,

Can I ask you a question?

After the Sony farce, which luckily didn't effect me, I am taking a deeper look at all the cloud services I use. Particularly ones I pay for, like EN.

I think that it is brilliant that you guys have rolled out secure data transfer between all your clients and servers, but what happens to my data when it hits your servers? How is it secured, hosted and more importantly, is my personal data (password, billing, payment and address) kept and encrypted separately?

Thank you for you time and for the fab service so far.

Tim

Posted

Tim,

I've actually been getting notices for weeks about that little old Sony thing - but since I only ever use virtual credit cards to buy anything small like that online (Thanks Citibank!) this just means I get another free year of ID monitoring. Woo hoo!

In all seriousness, your data is transferred to our servers via SSL, but is not encrypted on our servers (except for the bits you've manually used our feature to encrypt, or attachments you've uploaded already encrypted.) The reason for this is we need to index the data within your account so that it is searchable, and cannot do that for any part that is encrypted. Your data is additionally protected by your keypair (username/password), and cannot be accessed by anyone who does not validate with that key.

As for your billing data, none of that is stored in our system at all. Depending on how you paid, it will be stored in either iTunes, Google, Paypal, or our direct payment vendor, CyberSource. When you go to the "Payment" page within Evernote, we're running an API call to their pages to display the information and populate the fields on a temporary basis for your session only. It does not reside with us at all.

Posted

Wow.

Thank you for such a quick clear response.

I don't use Evernote in a way that needs any form of server encryption but just wanted to understand what happens to the data.

Cheers

Tim

  • 3 weeks later...
Posted

And if you don't want to take my word for it (that Dropbox's encryption does not protect your sensitive data from prying eyes), have a look at this recent Lifehacker article. Note the part that says:

"if you thought Dropbox couldn't decrypt your data, you were wrong. "

The article goes on to explain how to use Truecrypt in conjuction with Dropbox to protect your sensitive data.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...