Mr.White 0 Posted January 30, 2015 Share Posted January 30, 2015 Hi folks, I'm interested in learning more about encryption in Evernote. I've downloaded the OS X client and figured out how to go about encrypting some text within a note, but I'm concerned about the fact that Evernote uses insecure HTTP to transfer the contents of any given note from my local machine to your servers. First off, that's just plain bad. Bad. Bad. Bad. Bad. Shame on you. You need to get with the program and use SSL/TLS *everywhere*. No exceptions. This makes you look amateur. So my questions are: If my note syncs in-between the time that I type the string that I'd like to encrypt and the time that I complete the encryption, then the string of text would be transmitted to your servers over insecure HTTP? In one of your help docs I read in the comments that you only offer this to your premium clients. Is that correct, or has that changed? The reason that was given for only offering SSL to premium clients is that it's "too expensive" to offer this as a default feature. That's bullshit. And you know it. I'm okay with the idea that you just hold it back for premium clients, but the idea that it's going to burn so much more infrastructure that you couldn't possibly afford it because it would be a huge cost to your bottom-line is both greedy and economically impossible. It also creates the unnecessary intonation that SSL is some sort of luxury, which is detrimental to the on-going process of locking down the internet in general. As a major app, you should have a better policy in this regard. You're in a position to lead and educate your massive user base, instead you're making it out like SSL is unnecessary and expensive. And you know better. I guess that last one isn't much of a question, but it's hugely disappointing to find out that you're so careless with how data is transmitted and that you're using cost as an excuse for a rotten security philosophy. Link to comment
This topic is now archived and is closed to further replies.