Jump to content

(Archived) SSL Sign-on


Recommended Posts

Posted

It's great that Evernote's Premium service offers secure log-in. SSL security is one of my top motivations to purchase the Premium account because often the Evernote browser page is persistently open. And for me, it's not merely to protect my notes.

As a rule of thumb I try to use SSL whenever offered as part of best-practice hygiene on the net. To ping through a dedicated pipe makes it a lot tougher for sniffer malware to pounce on a system, both my system .and. Evernote's.

But the log-in pages 'default' to Evernote's insecure http:// pages although I can easily add the extra .s. to get to Evernote's SSL pages for secure sign-on. And I've looked for a sign-on page that will loop sign-off and sign-on using https://, but all default sign-on pages seem to point only to http://....

Maybe this SSL issue can be put on the midnight to-do list??

Thanks,

Brian

Posted

Yes, this was a mistake in the last build. The login page is being served by http, but the web form itself submits your data via https:

This means that your password is not going in the clear, but the current setup doesn't make this obvious to the user. For various security best-practices reasons, the login page itself should also be SSL to mitigate against man-in-the-middle attacks and spoofing.

We'll address this in the next update.

Thanks

Posted

As if there's a coding team looking over our shoulders, among the short list that is helping Evernote gain attention in the wide wide web is the terrific response to customer issues. Tweaking SSL sign-on pages within 24 hours is just one example. :-)

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...