Other companies are using harder-to-crack code

  • Level 5
Posted

Other companies are fighting back against the NSA by using harder-to-crack code to shield their networks and online customer data from unauthorized U.S. spying.

Companies such as Google, Yahoo, Facebook, Microsoft, Apple.

It would be reassuring to see Evernote's name added to the list and increase their security from the rather archaic and easily broken 64-bit RC2 to a more robust 256-bit AES.

http://www.bloomberg.com/news/2013-11-15/silicon-valley-nerds-seek-revenge-on-nsa-spies-with-super-coding.html

  • 2 weeks later...
  • Level 5
Posted

But let's not stop there.

The internal encryption is one thing.

Evernote could/should re-order the cipher suites as the above companies are to enable Forward Secrecy on the Evernote properties.

Currently not the case:

https://www.ssllabs.com/ssltest/analyze.html?d=evernote.com&s=204.154.94.73

Or, in a clearer form, they could join this list at EFF.org:

https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what

This is in the context of the CTO's comment:

http://www.v3.co.uk/v3-uk/news/2259987/v3-hot-seat-evernote-cto-dave-engberg/page/2:

What keeps you awake at night?

Ensuring the integrity of Evernote customer data. I worry about ways that our users' data could get lost or compromised and how this can be prevented.

Evernote can expect to be compelled to hand over their expired or current SSL private keys. Forward Secrecy is the antidote to that.

crypto-survey-graphic.png

  • Level 5
Posted

CWB - that is an interesting chart and another indication of how Edward Snowden's leaks are forcing companies to tighten up their security.

I was pleased to see Dropbox was green bars completely across the columns.

They can do more, but they are ahead of almost all of the others.

  • Level 5*
Posted

CWB - that is an interesting chart and another indication of how Edward Snowden's leaks are forcing companies to tighten up their security.

 

I was pleased to see Dropbox was green bars completely across the columns.

They can do more, but they are ahead of almost all of the others.

 

Not exactly. The EFF has been doing their "Who Has Your Back?" survey since 2011, well before Snowden came on the international scene. In fact, the push for more security has been going on for some time.

https://www.eff.org/deeplinks/2011/04/who-has-your-back-depth-fighting-user-rights

Their attempt to measure encryption is a new outgrowth of their original program, but while it's a nice chart, it doesn't tell the whole story. Dropbox has encryption, yes. However, they hold the keys, and if they receive a government request then they un-encrypt your data and hand it over to the government. In addition, employees can also view your data, because they have the key. Dropbox used to lie about this.

http://www.wired.com/threatlevel/2011/05/dropbox-ftc/

2011 was a tough year for Dropbox, but it was a wake-up call for me. Nowadays, I prefer SpiderOak. Although it looks the same on the chart, it has a zero-knowledge policy, and I find that a lot more reassuring than Dropbox's, which, for all intents and purposes, is about the same as having an un-encrypted database (in my amateur opinion).

http://www.christopher-mayo.com/?p=1081

http://www.christopher-mayo.com/?p=288

Dropbox could do a lot more (so could Google, Microsoft, and others), and I really hope that they will. I am also hoping that Evernote will make some of the changes cwb has suggested. From my perspective, though, as long as it doesn't work with zero-knowledge, then there isn't any point. Curiously, if I understand the current encryption of text, it actually is zero-knowledge, though it is obviously not very strong encryption. A huge step forward would be to strengthen the encryption of what Evernote is already doing. Of course, the next step (I hope) would be to encrypt notebooks, multiple notes, etc. Encrypting each and every selection of text (like going through documents with a black marker redacting text) is unfeasible. 

  • Level 5
Posted

Yes, you need both. Not just one or the other.

And indeed, all of Dropbox's green checkmarks are for naught if they have a recurrence of their previous oops where, for periods of time after a software update, any password gives access rather than just the correct one.

  • 3 months later...
  • Level 5
Posted

Just a ping.

Unlike Dropbox, Facebook, Google, Microsoft, LinkedIn, Twitter, still no Forward Secrecy on the SSL.

https://www.ssllabs.com/ssltest/analyze.html?d=evernote.com&s=204.154.94.73

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

 

But we did get the swap out of RC2 to AES.

Looking forward to the "Sexy" encryption.

http://techcrunch.com/2013/08/07/foundation-evernotes-phil-libin-on-building-a-hundred-year-old-startup/
