(Archived) A more secure way of sharing notes

[bluesgeek 12]

I just discovered a sharing feature of OfficeDrop which I feel is going to make me and some of my clients feel more comfortable with sharing of individual documents.

With OfficeDrop you can require the recipient of a shared document invitation to enter into a web form the email address at which they received the invitation in order to access it. This is in addition to the document URL being unique for each share.

So if the user shares the document with two recipients, each will access it at a different URL and using a different email address form entry.

Now, Evernote is not primarily a sharing app, but I thought to point this out, as I am looking at a workflow in which I will be copying some documents I'm storing in EN over to OD, in order to use their more secure sharing method.

[dlu 628]

You can require an evernote login to access a notebook. Does that solve the issue for you?

[BurgersNFries 2,407]

Honestly, I don't know why having to enter the email address makes sharing "more secure". Sounds like something someone dreamed up to make users feel better, while not increasing security at all. First, if the URL is unique, what are the chances someone will stumble upon it? Secondly, if someone you've shared with is going to pass the URL along to someone else, don't you think they will be smart enough to specify the additional info required (email address) to access the data???

[bluesgeek 12]

Haha, Burgers, you raise a good question.

In the case of the OfficeDrop URLs (which are made up of 33-character numeric/lower-case alpha strings), the chances would be 36 to the 33rd power. I have no idea how easy it would be for someone to hack that.

But, as you say, requiring some 2nd-level action in order to gain access to a web page may increase the perception of security, and in the end, with my clients' sensitive data, I have to consider their perceptions.

And of course, someone interested in passing along the data would be smart enough to include the email address, but they could just as easily pass along any credentials. So, that's not the issue.

I could point out that the unique URL provided by OfficeDrop is unique for each share. So, if you share the same page with two people, each gets their own unique URL.

It may help to know that in my case, I am trying to balance my desire to have some sort of credentialling with the desire to not inordinately inconvience my clients. So, dlu, requiring the creation of an Evernote account would be asking too much. (Which is also why I'm trying to avoid having to deal with encrypting the document.)

Thanks, both of you, for offering your help. Do you have any other thoughts on this?

[BurgersNFries 2,407]

There are different levels of security for various information we are sharing & each of us have to draw our own line. IMO, if having a unique URL isn't good enough for you in a particular situation, you should send the document in a password encrypted (not just password protected) document (IE PDF). Additionally, do not send the encryption password via email (b/c if the encrypted document and the email with the password were sitting on the recipient's ISP server for a while, potentially, a hacker could read both emails.) Rather, call the recipient & give them the password that way or use a code that the recipient already will know. This is how our accountant sends out tax returns, since he does it all electronically, now. The encryption password is the last X numbers of the first person's SSN/EIN number.

[bluesgeek 12]

Thanks, Burgers.

To your point, I am dealing with my clients' data on my accounting service, and they run the gamut from those who freak out over having their redacted check images in any online environment less secure than the 3-tier authentication provided by their financial institution, to those who can' be bothered logging in to my accounting service, instead demanding from me everything as a simple PDF attachment. I thought that the OfficeDrop solutilon would be an okay compromise.

Believe me, my workflow is primarily Evernote-centric, and I find it a PITA to have to go outside of Evernote to handle my documents. I would prefer being able to have some sort of credentialling of shared Notes and Notebooks, but short from my sharing recipients the creation of a an Evernote account.