Level 5 jbenson2 2,149 Posted November 15, 2013

Other companies are fighting back against the NSA by using harder-to-crack code to shield their networks and online customer data from unauthorized U.S. spying. Companies such as Google, Yahoo, Facebook, Microsoft, Apple.

It would be reassuring to see Evernote's name added to the list and increase their security from the rather archaic and easily broken 64-bit RC2 to a more robust 256-bit AES.

http://www.bloomberg.com/news/2013-11-15/silicon-valley-nerds-seek-revenge-on-nsa-spies-with-super-coding.html
Level 5 cwb 225 Posted November 28, 2013

But let's not stop there. The internal encryption is one thing. Evernote could/should re-order the cipher suites as the above companies are to enable Forward Secrecy on the Evernote properties. Currently not the case:

https://www.ssllabs.com/ssltest/analyze.html?d=evernote.com&s=204.154.94.73

Or in a more clear form they could join this list at EFF.org:

https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what

This in the context of the CTO's comment (http://www.v3.co.uk/v3-uk/news/2259987/v3-hot-seat-evernote-cto-dave-engberg/page/2):

What keeps you awake at night?

Ensuring the integrity of Evernote customer data. I worry about ways that our users' data could get lost or compromised and how this can be prevented.

Evernote can expect to be compelled to hand over their expired or current SSL private keys. Forward Secrecy is the antidote to that.
Level 5 jbenson2 2,149 Posted November 28, 2013

CWB - that is an interesting chart and another indication of how Edward Snowden's leaks are forcing companies to tighten up their security. I was pleased to see Dropbox was green bars completely across the columns. They can do more, but they are ahead of almost all of the others.
Level 5* GrumpyMonkey 4,320 Posted November 29, 2013

CWB - that is an interesting chart and another indication of how Edward Snowden's leaks are forcing companies to tighten up their security. I was pleased to see Dropbox was green bars completely across the columns. They can do more, but they are ahead of almost all of the others.

Not exactly. The EFF has been doing their "Who Has Your Back?" survey since 2011, well before Snowden came on the international scene. In fact, the push for more security has been going on for some time.

https://www.eff.org/deeplinks/2011/04/who-has-your-back-depth-fighting-user-rights

Their attempt to measure encryption is a new outgrowth of their original program, but while it's a nice chart, it doesn't tell the whole story. Dropbox has encryption, yes. However, they hold the keys, and if they receive a government request then they un-encrypt your data and hand it over to the government. In addition, employees can also view your data, because they have the key. Dropbox used to lie about this.

http://www.wired.com/threatlevel/2011/05/dropbox-ftc/

2011 was a tough year for Dropbox, but it was a wake-up call for me. Nowadays, I prefer SpiderOak. Although it looks the same on the chart, it has a zero-knowledge policy, and I find that a lot more reassuring than Dropbox's, which, for all intents and purposes, is about the same as having an un-encrypted database (in my amateur opinion).

http://www.christopher-mayo.com/?p=1081
http://www.christopher-mayo.com/?p=288

Dropbox could do a lot more (so could Google, Microsoft, and others), and I really hope that they will. I am also hoping that Evernote will make some of the changes cwb has suggested. From my perspective, though, as long as it doesn't work with zero-knowledge, then there isn't any point. Curiously, if I understand the current encryption of text, it actually is zero-knowledge, though it is obviously not very strong encryption.
A huge step forward would be to strengthen the encryption of what Evernote is already doing. Of course, the next step (I hope) would be to encrypt notebooks, multiple notes, etc. Encrypting each and every selection of text (like going through documents with a black marker redacting text) is unfeasible.
Level 5 cwb 225 Posted November 29, 2013

Yes, you need both. Not just one or the other. And indeed, all of Dropbox's green checkmarks are for naught if they have a recurrence of their previous oops where for periods of time after a software update, any password gives access rather than just the correct one.
Level 5 cwb 225 Posted March 20, 2014

Just a ping. Unlike Dropbox, Facebook, Google, Microsoft, LinkedIn, Twitter, still no Forward Secrecy on the SSL.

https://www.ssllabs.com/ssltest/analyze.html?d=evernote.com&s=204.154.94.73

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

But we did get the swap out of RC2 to AES. Looking forward to the "Sexy" encryption.

http://techcrunch.com/2013/08/07/foundation-evernotes-phil-libin-on-building-a-hundred-year-old-startup/
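
The following is an added example, not part of the original thread and not Evernote's or SSL Labs' code. It illustrates the two points raised above: re-ordering server cipher suites to enable Forward Secrecy, and checking whether given clients end up with a forward-secret suite. The suite lists and client names are constructed, and the server is assumed to enforce its own preference order.

```python
# Added illustration. Suite names are OpenSSL-style names for TLS 1.2 and
# earlier; the server and client lists are constructed, not measured.

FS_PREFIXES = ("ECDHE-", "DHE-")  # ephemeral (EC)DH key exchange


def is_forward_secret(suite):
    """True if the suite's key exchange is ephemeral Diffie-Hellman."""
    return suite.startswith(FS_PREFIXES)


def negotiate(server_pref, client_offer):
    """Pick the first suite in the server's order that the client offers."""
    offered = set(client_offer)
    for suite in server_pref:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake would fail


def reorder_for_fs(server_pref):
    """Move forward-secret suites to the front; sorted() is stable, so the
    relative order inside each group is unchanged."""
    return sorted(server_pref, key=lambda s: not is_forward_secret(s))


def fs_by_client(server_pref, clients):
    """Map each client name to (negotiated suite, forward secret?)."""
    result = {}
    for name, offer in clients.items():
        suite = negotiate(server_pref, offer)
        result[name] = (suite, suite is not None and is_forward_secret(suite))
    return result


# Constructed server order: FS suites are supported but listed last.
SERVER_PREF = ["RC4-SHA", "AES128-SHA", "AES256-SHA",
               "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA"]
# Constructed client offers (hypothetical clients, not real browser lists).
CLIENTS = {
    "client_a": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                 "AES128-SHA", "RC4-SHA"],
    "client_b": ["DHE-RSA-AES128-SHA", "AES256-SHA", "AES128-SHA"],
    "client_c": ["AES128-SHA", "RC4-SHA"],  # offers no FS suite at all
}

if __name__ == "__main__":
    for label, pref in (("before", SERVER_PREF),
                        ("after", reorder_for_fs(SERVER_PREF))):
        print(label, fs_by_client(pref, CLIENTS))
```

A client that offers no ephemeral suite (client_c here) stays without Forward Secrecy whatever the server order is.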