brianhayes
Posted June 24, 2008

It's great that Evernote's Premium service offers secure log-in. SSL security is one of my top motivations to purchase the Premium account because often the Evernote browser page is persistently open. And for me, it's not merely to protect my notes. As a rule of thumb I try to use SSL whenever offered as part of best-practice hygiene on the net. To ping through a dedicated pipe makes it a lot tougher for sniffer malware to pounce on a system, both my system .and. Evernote's.

But the log-in pages 'default' to Evernote's insecure http:// pages although I can easily add the extra .s. to get to Evernote's SSL pages for secure sign-on. And I've looked for a sign-on page that will loop sign-off and sign-on using https://, but all default sign-on pages seem to point only to http://....

Maybe this SSL issue can be put on the midnight to-do list??

Thanks,
Brian
engberg
Posted June 24, 2008

Yes, this was a mistake in the last build. The login page is being served by http, but the web form itself submits your data via https. This means that your password is not going in the clear, but the current setup doesn't make this obvious to the user. For various security best-practices reasons, the login page itself should also be SSL to mitigate against man-in-the-middle attacks and spoofing.

We'll address this in the next update.

Thanks
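The setup described in the reply above (login page served over http, form posting to https) can be checked mechanically. The following is an added example, not part of the thread and not Evernote's code; the example.com URL, the `/login` path and the verdict labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Collect each <form> action and whether the form has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "has_password": bool}
        self._open = None    # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_page(page_url, html):
    """Return (resolved_action, verdict) for every form with a password field."""
    collector = _FormCollector()
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    results = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        post_https = urlsplit(target).scheme == "https"
        if page_https and post_https:
            verdict = "ok"
        elif post_https:
            verdict = "page-not-https"        # the case described in the thread
        else:
            verdict = "password-in-clear"
        results.append((target, verdict))
    return results

# Constructed sample page; example.com is a placeholder host.
SAMPLE = ('<form action="https://www.example.com/login" method="post">'
          '<input name="username"><input type="password" name="password"></form>')
```

A `page-not-https` verdict means the password is encrypted in transit, but the page carrying the form arrived unauthenticated, so whoever sits between the user and the server could have altered the form before it was submitted.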
brianhayes
Posted June 25, 2008

As if there's a coding team looking over our shoulders, among the short list that is helping Evernote gain attention in the wide wide web is the terrific response to customer issues. Tweaking SSL sign-on pages within 24 hours is just one example. :-)