Gnikf 1 Posted March 2, 2013 Share Posted March 2, 2013 1. What encryption does evernote use?2. Is it just for the local storage or it's stored encrypted on the cloud as well3. Can the evernote employees access it in any way?4. WHere is the encryption password stored and how? Link to comment
Level 5* Metrodon 2,184 Posted March 2, 2013 Level 5* Share Posted March 2, 2013 http://evernote.com/contact/support/kb/#/article/23480996 Link to comment
BurgersNFries 2,407 Posted March 2, 2013 Share Posted March 2, 2013 1. What encryption does evernote use?2. Is it just for the local storage or it's stored encrypted on the cloud as well3. Can the evernote employees access it in any way?4. WHere is the encryption password stored and how?Regarding #2, when you encrypt text with EN's encryption, it's encrypted across all devices as well as the server.Regarding #3, no because...Regarding #4, Evernote does not keep your encryption password. That would defeat the purpose of encryption. More info here:http://discussion.evernote.com/topic/14989-dropbox-vs-evernote-regarding-security/ Link to comment
Gnikf 1 Posted March 4, 2013 Author Share Posted March 4, 2013 thank you guys, very helpful answers I suppose 64-bit RC2 is easy one to break? Link to comment
Philius 1 Posted April 22, 2013 Share Posted April 22, 2013 A good PC needs only a few seconds to break 64-bit RC2! Link to comment
evernote-fan 34 Posted June 30, 2013 Share Posted June 30, 2013 I think the revealed spy programs (PRISM, tempora) explain why the US doesn't allow the export of stronger encryption methods... http://evernote.com/contact/support/kb/#/article/23480996 Link to comment
Level 5 jbenson2 2,147 Posted June 30, 2013 Level 5 Share Posted June 30, 2013 The Prism Surveillance program has certainly brought security to the forefront, but Evernote could have increased their encryption strength already. Other companies have.Security experts have ridiculed Evernote's weak crypto. For instance, earlier this year:March 2013 - Steve Gibson (GRC.com) was surprised to learn about Evernote's weak crypto. "... everybody's doing 256-bit AES, which blows away [Evernote's ancient] 64-bit RC2."The next week, after doing more research in the Evernote docs, he came on even stronger.Evernote says they don't have enough staff members to get the certificate for strong crypto, so they're sticking with the ancient 64 bit. He said, It's really not the security you want.More information from arstechnica's risk assessment about Evernote's substandard crypto can be found here:http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/ Link to comment
evernote-fan 34 Posted June 30, 2013 Share Posted June 30, 2013 Thank you for the link, jbenson2. I think Evernote should really improve the encryption algorithms.For a company with employees that have worked in the Internet security area, they must act. I hope that that there will be some improvements this year as mentioned in the acticle. Link to comment
cosmos 0 Posted August 9, 2013 Share Posted August 9, 2013 1,2. Evernote doesn't encrypt your notes in local and the cloud.3. I believe that Evernote employees will never access our notes.4. In Mac, Evernote stores everything as plain texts in ~/Library/Application/Evernote folder If you need Evernote encryption, you can try to use MacFort to encrypt Evernote with password,this software is great if you have a MAC version of Evernote. See:http://www.madowsoft.com/how-to-encrypt-evernote-with-password-protection.html Link to comment
Level 5* GrumpyMonkey 4,319 Posted August 9, 2013 Level 5* Share Posted August 9, 2013 1. What encryption does evernote use?2. Is it just for the local storage or it's stored encrypted on the cloud as well3. Can the evernote employees access it in any way?4. WHere is the encryption password stored and how?1. I'd recommend encrypting attachments and then uploading (I use PDFs with 256-bit encryption). The Evernote encryption is not sufficient for anything sensitive, in my opinion.2. The data is encrypted locally and on the cloud by Evernote, but again, it is insufficient for sensitive data.3. Yes, Evernote employees can and do access your account in certain instances (http://evernote.com/legal/privacy.php). This is important to know if you are under any kinds of non-disclosure agreements or agreements to take security precautions.This kind of employee access to data is actually not uncommon on the cloud, so if you want something to be secure, then you need to encrypt it yourself in Evernote.4. I don't know how the encryption password is stored, but again, the encryption Evernote provides is so weak that I think it is a moot point. Link to comment
evernote-fan 34 Posted August 9, 2013 Share Posted August 9, 2013 EN made a really great step with 2-factor-authentification. The next step must be a better encryption algorithm. Link to comment
jacksnack 9 Posted September 5, 2013 Share Posted September 5, 2013 The Prism Surveillance program has certainly brought security to the forefront, but Evernote could have increased their encryption strength already. Other companies have.Security experts have ridiculed Evernote's weak crypto. For instance, earlier this year:March 2013 - Steve Gibson (GRC.com) was surprised to learn about Evernote's weak crypto. "... everybody's doing 256-bit AES, which blows away [Evernote's ancient] 64-bit RC2."The next week, after doing more research in the Evernote docs, he came on even stronger.Evernote says they don't have enough staff members to get the certificate for strong crypto, so they're sticking with the ancient 64 bit. He said, It's really not the security you want.More information from arstechnica's risk assessment about Evernote's substandard crypto can be found here:http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/ The same article also mentions the weak MD5 hash EN uses to store our passwords. Lets hope they upgrade to a more secure algorithm soon... I have decided NOT to renew (this would be my 3rd year in several months) if these issues are not addressed. Link to comment
Chris Epler 0 Posted October 21, 2013 Share Posted October 21, 2013 EN made a really great step with 2-factor-authentification. The next step must be a better encryption algorithm. I have been pondering subscribing to Premium and using Evernote to help us make an attempt at going paperless in the home but I cannot get over how Evernote essentially has no encryption. I cannot in good conscience subscribe and then upload things like bank statements, utility bills and credit card statements to this service knowing it's sitting there ripe for the picking by folks who manage to access their servers or potentially be abused by rogue employees. 2 factor authentication, while nice, does nothing to eliminate the thread of your data that is stored on Evernote's servers. Link to comment
Level 5* GrumpyMonkey 4,319 Posted October 21, 2013 Level 5* Share Posted October 21, 2013 EN made a really great step with 2-factor-authentification. The next step must be a better encryption algorithm. I have been pondering subscribing to Premium and using Evernote to help us make an attempt at going paperless in the home but I cannot get over how Evernote essentially has no encryption. I cannot in good conscience subscribe and then upload things like bank statements, utility bills and credit card statements to this service knowing it's sitting there ripe for the picking by folks who manage to access their servers or potentially be abused by rogue employees. 2 factor authentication, while nice, does nothing to eliminate the thread of your data that is stored on Evernote's servers.Hi. Welcome to the forums. Please see my post above about encrypting PDFs before uploading them. I'd be happy if Evernote gives us the ability to encrypt a notebook with 256-bit zero knowledge (only users have their passwords), but anything short of that might as well not be encrypted at all (in my opinion). I hope we'll get this, but in the meantime, I'd encrypt it yourself. The good thing about Evernote is that you can throw anything into it. Link to comment
Level 5 jbenson2 2,147 Posted October 21, 2013 Level 5 Share Posted October 21, 2013 Keep in mind that encrypted PDF's are not searchable while encrypted.So in Evernote, that means strong well-written descriptive titles, more key words, and more tags. Link to comment
Level 5 cwb 225 Posted January 11, 2014 Level 5 Share Posted January 11, 2014 Now updated to AES128 Link to comment
jacksnack 9 Posted January 11, 2014 Share Posted January 11, 2014 Now updated to AES128 Can you clarify? Link to comment
Level 5* GrumpyMonkey 4,319 Posted January 11, 2014 Level 5* Share Posted January 11, 2014 Now updated to AES128 Can you clarify?Encryption of text blocks in Windows using the most recent beta will be 128 instead of 64 bit. Link to comment
Level 5 cwb 225 Posted January 12, 2014 Level 5 Share Posted January 12, 2014 The bits aren't as significant as the method though Grumpy. RC2 is broken. AES is not. What we don't know is _how_ AES128 is used to be fair. You can use the best and strongest encryption protocols, do it wrong, and be just as useless. So hoping for another tech blog entry. It's fascinating to follow a security researcher rip through a list of products with good sounding buzzwords in their release notes get picked apart into a useless disarray based on _how_ they implemented it. And it's a shame even when they might try hard and then make the mistake of taking the defaults in the likes RSA's BSafe and use the slow broken random number generator that the NSA paid them $10 million set as the default. Link to comment
Yuhong Bao 0 Posted December 5, 2014 Share Posted December 5, 2014 I know it is fixed now, but for the reason why they did this in the first place, you have to remember that before 2010 the process for getting export approval was more difficult. The 64-bit limit was the limit set for "No License Required" (NLR) back in 2000 for mass market encryption, which came from the Wassenaar Arrangement (it still required a notification, but since October 2000 that was as simple as sending an email). You may remember this time as when strong encryption became exportable, and that was true, but there is even now still a process of getting export approval for doing so. In 2010 BXA made the process of getting export approval easier. Link to comment
Level 5* GrumpyMonkey 4,319 Posted December 5, 2014 Level 5* Share Posted December 5, 2014 I know it is fixed now, but for the reason why they did this in the first place, you have to remember that before 2010 the process for getting export approval was more difficult. The 64-bit limit was the limit set for "No License Required" (NLR) back in 2000 for mass market encryption, which came from the Wassenaar Arrangement. You may remember this time as when strong encryption became exportable, and that was true, but there is even now still a process of getting export approval for doing so. In 2010 BXA made the process of getting export approval easier. Thanks! But, I think the issue was more that they did not update the encryption after the process became easier, and it is only this year that it can finally be said to be at the industry-standard. As you said, though, it is fixed now, and that is a good thing. Link to comment
Recommended Posts
Archived
This topic is now archived and is closed to further replies.