Jump to content

Evernote and POODLE


Recommended Posts

  • Evernote Staff

Yesterday, Google researchers announced a vulnerability in version 3.0 of the SSL protocol. Google’s advanced acronym-generation algorithm dubbed this issue POODLE (for “Padding Oracle On Downgraded Legacy Encryption”).


 


Even though the SSL 3.0 protocol has been superseded by secure alternatives for at least a decade, most existing operating systems and Internet applications are willing to speak this old dialect for backward compatibility. Unfortunately, this willingness could be exploited by attackers to force modern web browsers and servers to communicate insecurely.


 


The researchers found that an attacker with control over your network connections (for example, on a public wifi network) could trick your web browser into leaking your personal “cookies.” These cookies could be used to assume your identity on secure web services like Evernote.


 


Web browser vendors are working to push updates that would mitigate this risk by removing SSL 3.0 support from their software, but it may take months for these changes to trickle out to the majority of Internet users. Until that time, users of any service that still offers SSL 3.0 communications will be vulnerable to attack.


Evernote has determined that the only way to ensure that our users are protected from this vulnerability is to disable SSL 3.0 support on all of our servers so that they will only communicate with secure TLS. This will prevent attackers from tricking your browser into using the insecure protocol and stealing your identity.


 


This Friday morning, we will disable SSL 3.0. The majority of Evernote users should not see anything different after the change. Unfortunately, there are two types of users who may have problems connecting to Evernote after SSL 3.0 is disabled.


 


First, people who access Evernote through extremely old web browsers like Internet Explorer version 7 or earlier may see security errors on www.evernote.com, as well as other sites like Twitter that have made this change. To fix this problem, install a more recent web browser.


 


Second, people who have installed Evernote on Windows XP may see networking errors during synchronization if they never installed Service Pack 3 and Internet Explorer 8 on their computers. These people should be able to fix the problem by installing Service Pack 3 and Internet Explorer 8 via Windows Update (or from Microsoft’s web sites).


 


We apologize in advance for the disruption this will cause to users of those old browsers and operating systems, but we feel that this is the best way to protect all Evernote users from attack.


 


You can find more comments and the original post on the Evernote Tech blog.


Link to comment

Hi,

 

In response to a recent email detailing these measures, I made sure that my windows XP system was updated and Service Pack 3 was installed along with Windows Explorer 8, yet evernote still does not synch.  What to do now?

Link to comment
  • Level 5*

Check out the Evernote Knowledge Base for more information on the POODLE security vulnerability, if you are affected, and what to do if you are: https://evernote.com/contact/support/kb/#!/article/101867943

i don't understand. the user said he took all of the suggested steps and it still isn't syncing. i read the kb page, but i don't see anything relevant to his problem there. maybe i am missing something.

Link to comment
  • Evernote Expert

This will not affect users who use evernote apps for their communication and not Evernote Web? And this bug wont affect users who have 2 fac installed. Am i right? 

Link to comment
  • Level 5*

The tomsguide page suggests that it's a good idea to switch off SSL3 in any browsers you might use to ensure security -and presumably to switch on TLS if it isn't already enabled.  This applies to all browsing at any time,  not just use of Evernote.

Link to comment
  • 1 month later...

I have a bit of a mystery on my hands.

 

For several weeks the EverNote Windows 7 app has not been able to sync for weeks. It fails every time... 

 

- My first thought was my app was out of date so I updated it. Nope, same problem recurs. Cannot sync.

- Then I thought it was a server problem so I checked the server status log. No current issues

- Then I thought it was my internet connection so I tried logging into the Evernote portal. No problem logging into to portal from my laptop

- Then I thought the app may have an old password embedded in inside that was preventing it from syncing with the servers, so logged out of the app. Now I cannot log back into the app.

- The app login error messages say "Cannot reach servers"

 

Any suggestions about what the problem(s) could be??

 

Mal

Link to comment
  • 3 weeks later...

Any solution to your problem MRaddalgoda?  I started having this same issue this about a week ago.  I have Windows 7.  "Can't connect to server.  Please try again later."

 

I've restarted computer.  Unchecked SSL 2.0 and SSL 3.0.  I've updated Evernote for Windows.  I've uninstalled and reinstalled Evernote for Windows.  I can access and sync from Android Phone and Tablet as well as the Web Browser version, but not from the Windows application.  Logged out and tried to log back in and now I can't even log in.

 

Any help appreciated.

Link to comment
  • Level 5*

Any solution to your problem MRaddalgoda?  I started having this same issue this about a week ago.  I have Windows 7.  "Can't connect to server.  Please try again later."

 

I've restarted computer.  Unchecked SSL 2.0 and SSL 3.0.  I've updated Evernote for Windows.  I've uninstalled and reinstalled Evernote for Windows.  I can access and sync from Android Phone and Tablet as well as the Web Browser version, but not from the Windows application.  Logged out and tried to log back in and now I can't even log in.

 

Any help appreciated.

 

Hi - so what happens when you try to log in?  "Wrong user name/ password"?

Link to comment

Yes, i should have mentioned that in my earler post. Sorry for that.

 

I did try the settings as mentioned in #9. I am already waiting on for my support ticket, evernote team is trying to resolve as i guess a lot of users are affected.

Hope to see a fix soon.

Link to comment
  • Level 5*

Yes, i should have mentioned that in my earler post. Sorry for that.

 

I did try the settings as mentioned in #9. I am already waiting on for my support ticket, evernote team is trying to resolve as i guess a lot of users are affected.

Hope to see a fix soon.

 

I'm not sure that the Evernote team is trying to resolve anything at this stage,  and I am sure that not many users are affected - what's actually happening when you try to sync?  And what OS are you using,  with which version of Evernote?

Link to comment
  • 2 weeks later...

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...