
Evernote encryption details please?



1. What encryption does Evernote use?

2. Is it just for the local storage, or is it stored encrypted on the cloud as well?

3. Can the Evernote employees access it in any way?

4. Where is the encryption password stored and how?


1. What encryption does Evernote use?

2. Is it just for the local storage, or is it stored encrypted on the cloud as well?

3. Can the Evernote employees access it in any way?

4. Where is the encryption password stored and how?

Regarding #2, when you encrypt text with EN's encryption, it's encrypted across all devices as well as the server.

Regarding #3, no because...

Regarding #4, Evernote does not keep your encryption password. That would defeat the purpose of encryption. More info here:

http://discussion.evernote.com/topic/14989-dropbox-vs-evernote-regarding-security/

  • 1 month later...
  • 2 months later...

The Prism Surveillance program has certainly brought security to the forefront, but Evernote could have increased their encryption strength already. Other companies have.

Security experts have ridiculed Evernote's weak crypto. For instance, earlier this year:

March 2013 - Steve Gibson (GRC.com) was surprised to learn about Evernote's weak crypto. "... everybody's doing 256-bit AES, which blows away [Evernote's ancient] 64-bit RC2."

The next week, after doing more research in the Evernote docs, he came on even stronger.

Evernote says they don't have enough staff members to get the certificate for strong crypto, so they're sticking with the ancient 64-bit. He said, "It's really not the security you want."

More information from arstechnica's risk assessment about Evernote's substandard crypto can be found here:
http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/


Thank you for the link, jbenson2.

 

I think Evernote should really improve the encryption algorithms.

For a company with employees that have worked in the Internet security area, they must act. I hope that there will be some improvements this year, as mentioned in the article.

  • 1 month later...

1,2. Evernote doesn't encrypt your notes locally or in the cloud.

3. I believe that Evernote employees will never access our notes.

4. On Mac, Evernote stores everything as plain text in the ~/Library/Application/Evernote folder.

 

If you need Evernote encryption, you can try using MacFort to encrypt Evernote with a password; this software is great if you have the Mac version of Evernote.

See: http://www.madowsoft.com/how-to-encrypt-evernote-with-password-protection.html


1. What encryption does Evernote use?

2. Is it just for the local storage, or is it stored encrypted on the cloud as well?

3. Can the Evernote employees access it in any way?

4. Where is the encryption password stored and how?

1. I'd recommend encrypting attachments and then uploading (I use PDFs with 256-bit encryption). The Evernote encryption is not sufficient for anything sensitive, in my opinion.

2. The data is encrypted locally and on the cloud by Evernote, but again, it is insufficient for sensitive data.

3. Yes, Evernote employees can and do access your account in certain instances (http://evernote.com/legal/privacy.php). This is important to know if you are under any kinds of non-disclosure agreements or agreements to take security precautions. This kind of employee access to data is actually not uncommon on the cloud, so if you want something to be secure, then you need to encrypt it yourself in Evernote.

4. I don't know how the encryption password is stored, but again, the encryption Evernote provides is so weak that I think it is a moot point.

  • 4 weeks later...

The Prism Surveillance program has certainly brought security to the forefront, but Evernote could have increased their encryption strength already. Other companies have.

Security experts have ridiculed Evernote's weak crypto. For instance, earlier this year:

March 2013 - Steve Gibson (GRC.com) was surprised to learn about Evernote's weak crypto. "... everybody's doing 256-bit AES, which blows away [Evernote's ancient] 64-bit RC2."

The next week, after doing more research in the Evernote docs, he came on even stronger.

Evernote says they don't have enough staff members to get the certificate for strong crypto, so they're sticking with the ancient 64-bit. He said, "It's really not the security you want."

More information from arstechnica's risk assessment about Evernote's substandard crypto can be found here:

http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/


The same article also mentions the weak MD5 hash EN uses to store our passwords. Let's hope they upgrade to a more secure algorithm soon...

 

I have decided NOT to renew (this would be my 3rd year in several months) if these issues are not addressed.  

  • 1 month later...

EN made a really great step with two-factor authentication. The next step must be a better encryption algorithm.

 

I have been pondering subscribing to Premium and using Evernote to help us make an attempt at going paperless in the home, but I cannot get over how Evernote essentially has no encryption. I cannot in good conscience subscribe and then upload things like bank statements, utility bills and credit card statements to this service, knowing it's sitting there ripe for the picking by folks who manage to access their servers, or potentially being abused by rogue employees. Two-factor authentication, while nice, does nothing to eliminate the threat to your data that is stored on Evernote's servers.


EN made a really great step with two-factor authentication. The next step must be a better encryption algorithm.

 

I have been pondering subscribing to Premium and using Evernote to help us make an attempt at going paperless in the home, but I cannot get over how Evernote essentially has no encryption. I cannot in good conscience subscribe and then upload things like bank statements, utility bills and credit card statements to this service, knowing it's sitting there ripe for the picking by folks who manage to access their servers, or potentially being abused by rogue employees. Two-factor authentication, while nice, does nothing to eliminate the threat to your data that is stored on Evernote's servers.

Hi. Welcome to the forums. Please see my post above about encrypting PDFs before uploading them. I'd be happy if Evernote gives us the ability to encrypt a notebook with 256-bit zero knowledge (only users have their passwords), but anything short of that might as well not be encrypted at all (in my opinion). I hope we'll get this, but in the meantime, I'd encrypt it yourself. The good thing about Evernote is that you can throw anything into it.


Keep in mind that encrypted PDFs are not searchable while encrypted.

So in Evernote, that means strong well-written descriptive titles, more key words, and more tags.

  • 2 months later...

The bits aren't as significant as the method, though, Grumpy.

RC2 is broken. AES is not.

To be fair, what we don't know is _how_ AES128 is used. You can use the best and strongest encryption protocols, do it wrong, and be just as useless.

So hoping for another tech blog entry.

It's fascinating to follow a security researcher ripping through a list of products with good-sounding buzzwords in their release notes and picking them apart into useless disarray based on _how_ they implemented it.

And it's a shame even when they might try hard and then make the mistake of taking the defaults in the likes of RSA's BSafe and using the slow, broken random number generator that the NSA paid them $10 million to set as the default.

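The point made above, that _how_ AES is used matters as much as the key size, shown as an added example (not Evernote's code and not from anyone in this thread): the same AES-128 key in ECB mode leaks the structure of a repetitive plaintext, while AES-GCM with a fresh random nonce does not. The demo key, the plaintext and the function names are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt is the "done wrong" case: ECB encrypts each 16-byte block on its own, so identical plaintext blocks give identical ciphertext blocks.
func ecbEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	if len(pt)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", block.BlockSize())
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:], pt[i:i+block.BlockSize()])
	}
	return ct, nil
}

// gcmEncrypt is the same key used properly: AES-GCM with a fresh random nonce, returning nonce || ciphertext || tag (the tag also detects tampering).
func gcmEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// distinctBlocks counts distinct 16-byte blocks in ct; a low count on repetitive input means the mode leaks plaintext structure.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed 128-bit demo key, not a real secret
	pt := []byte("ACCT 1234 5678!!ACCT 1234 5678!!ACCT 1234 5678!!ACCT 1234 5678!!") // four identical 16-byte blocks (constructed)
	ecb, _ := ecbEncrypt(block, pt)
	gcm, _ := gcmEncrypt(block, pt)
	fmt.Println("distinct blocks, ECB vs GCM:", distinctBlocks(ecb), distinctBlocks(gcm[12:12+len(pt)])) // prints 1 4
}
```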
  • 10 months later...

I know it is fixed now, but for the reason why they did this in the first place, you have to remember that before 2010 the process for getting export approval was more difficult. The 64-bit limit was the limit set for "No License Required" (NLR) back in 2000 for mass market encryption, which came from the Wassenaar Arrangement (it still required a notification, but since October 2000 that was as simple as sending an email). You may remember this time as when strong encryption became exportable, and that was true, but there is even now still a process of getting export approval for doing so. In 2010 BXA made the process of getting export approval easier.


I know it is fixed now, but for the reason why they did this in the first place, you have to remember that before 2010 the process for getting export approval was more difficult. The 64-bit limit was the limit set for "No License Required" (NLR) back in 2000 for mass market encryption, which came from the Wassenaar Arrangement. You may remember this time as when strong encryption became exportable, and that was true, but there is even now still a process of getting export approval for doing so. In 2010 BXA made the process of getting export approval easier.

 

Thanks! But, I think the issue was more that they did not update the encryption after the process became easier, and it is only this year that it can finally be said to be at the industry-standard. As you said, though, it is fixed now, and that is a good thing. 


Archived

This topic is now archived and is closed to further replies.
