Jump to content
evernote-fan

Encryption between Evernote data centers?

Recommended Posts

Snowden's documents revealed that the internal traffic between Google's data centers (and Yahoo and others) has been spied by the NSA. Now Google, Yahoo and Microsoft want to encrypt the traffic between there data centers.

 

As far as I know, Evernote has also two data centers and all the data is mirrored.

 

So my question is: Is the traffic between Evernote's data centers encrypted?

Share this post


Link to post

There's also the point that Google et al apparently aren't allowed to comment on 'official' spying,  so I don't think Evernote is likely to be able to say much,  if anything.  Plus I'd really prefer that they don't discuss anything to do with their security arrangements (or lack of) in a public forum.  I always assume that someone is going to be able to snoop anything I put online no matter what precautions I take - up to and including using encryption software that might already have a convenient backdoor somewhere.  If you have anything you'd prefer to keep secret it's better not to put it online at all...

Share this post


Link to post

Google, Yahoo and others, in fact are commenting, and they are adding encryption between data centers.
It would be reassuring to hear something similar from Evernote on this recent revelation.

 

http://www.informationweek.com/security/risk-management/nsa-fallout-google-speeds-data-encryption-plans/d/d-id/1111483

http://techcrunch.com/2013/11/18/yahoo-will-follow-google-in-encrypting-data-center-traffic-all-traffic-between-company-and-customers-by-q1-14/

 

I believe history will show that Edward Snowden's actions were a major factor in encouraging the private sector to fight back against the US government's spying on citizens.
 

  • Like 1

Share this post


Link to post

Evernote might not need to 'add' encryption - they seem pretty savvy about the security aspects of their activities and have probably already taken any steps they deem economically and technically necessary ..  and yes,  I remember of course that they got burned (at least) once,  but there's a lot of that going around..  but I still don't think it's in anyone's best interests to make anything but the most general of statements - which are then going to be picked apart,  disbelieved and criticised anyway by those who choose to do so.  Sometimes the best response is no response at all.

Share this post


Link to post

Gaz, you don't, by chance, work for the GCHQ?  :)

Share this post


Link to post

Snowden's documents revealed that the internal traffic between Google's data centers (and Yahoo and others) has been spied by the NSA. Now Google, Yahoo and Microsoft want to encrypt the traffic between there data centers.

 

As far as I know, Evernote has also two data centers and all the data is mirrored.

 

So my question is: Is the traffic between Evernote's data centers encrypted?

 

Can you point to a source for that?  It seems to go a little beyond what I've read.

http://evernote.com/business/features/security-and-privacy/

http://blog.evernote.com/tech/2011/05/17/architectural-digest/

 

Backed up to a second data center at least once per day isn't functionally quite the same as mirroring.

In the realm of encrypted datalinks there's a behavioral difference.

 

I don't see that Evernote has quite the functional requirement that a Google, Amazon, Apple, or Yahoo has for regionalized real time synced datacenters.  They seem to just run the one primary one, and archive to a secondary which I'm guessing could be promoted to a primary in some disaster recovery mode.

 

Regardless, without Forward Secrecy (Diffie-Helman) in the client/server SSL key exchange, intra-datacenter encryption would be pointless effort.  If the data between you and them is exposed, it matters not if it's secured between datacenters.

 

See: http://discussion.evernote.com/topic/46973-other-companies-are-using-harder-to-crack-code/?p=244841

Share this post


Link to post

I am confused though Gazumped.  I could swear your Avatar shows your glasses as transparent/clear.  The above replies clearly shows them to be rose colored ;)

  • Like 3

Share this post


Link to post

Actually, I wouldn't be surprised if there is encryption, assuming the data centers are spread far apart, because they might be sending the data regularly over the Internet using SSL. But, cwb is correct that without PFS, it may be a moot point.

I am hoping Evernote will be more forthcoming with security practices (to the extent it is safe to do so) and develop more encryption options to strengthen our security, but I also cut them a little more slack than I would for behemoths like Microsoft and Google. This is complex, expensive, and time-consuming stuff that large companies can address more quickly. There are benefits to being a small company, of course, but not for something like this. I'd recommend patience. After all, it has only been a few months now since the big revelations came out.

  • Like 2

Share this post


Link to post

Plus I'd really prefer that they don't discuss anything to do with their security arrangements (or lack of) in a public forum.

I'd rather see Evernote be more open about their security - and follow in the footsteps of Dropbox, Google, Twitter, and others by encrypting data center links, implementing PFS, etc — and communicating publicly about it. Here's my reasoning on this:

  • Internet companies rely solely on trust - if people don't trust you, they won't give you their data.
  • Trust can only be built through transparency, and therefore, communicating about HOW you intend to protect your users' data.

 

Re: your point that Google and others "aren't allowed to communicate on government spying" - it's quite the contrary. They actually wrote an open letter to President Obama and Congress:

 

"We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change."

 

Evernote might not need to 'add' encryption - they seem pretty savvy about the security aspects of their activities and have probably already taken any steps they deem economically and technically necessary ..

It's the "probably" that doesn't make me comfortable. If Evernote were more open about this, there would be no need to blindly trust their savviness.

 

We know they have used MD5 to hash passwords in the past, and there is no evidence that this isn't still the case. In the meantime, MD5's been considered "cryptographically broken and unsuitable for further use" since 2010. So much for "savvy".

  • Like 1

Share this post


Link to post

And the RC4 encryption especially how it's used in Evernote is in worse shape than the MD5 use. [edit: refills coffee cup and reboots memory] er... RC2

Put together with the non-diffie hellman SSL, and I'm uneasy shooting in the dark but it makes me uncomfortable in this context, the CTO's previous government work in smart card/credential validation.

I'm holding off to see what they announce in this area, but up to now, what they offer, and what they leave unsaid, makes it seem like just enough theater to make the unobservant feel secure, while the barn door is actually just about as wide open as it can be (a little bit better than ROT13 or pig latin I'll grant).

To the point that I assume no encryption security, at rest or in transit. I don't bother with the encryption, it's little better than plaintext, and I assume no transport security.

The authentication improvements on the other hand are really nice, and well needed. I happily use all of the features they offer there.

Share this post


Link to post

Re: your point that Google and others "aren't allowed to communicate on government spying" - it's quite the contrary. They actually wrote an open letter to President Obama and

I suspect that what Gazumped meant here was that, should Evernote be served with a FISA warrant, they would not even be allowed to acknowledge that it had happened.

  • Like 1

Share this post


Link to post

I know from Germany, as the had to make it public, that there are plenty of instances that the police or whoever had a warrent and just sniffed through certain peoples data without a problem.

It came up when cell phone customers got charged by mistake for the data transmission from their cell to the police.

Share this post


Link to post

Back to my main theme I think - 

 

Evernote may not be able to say very much for legal reasons;  they may think it unwise to say anything that would confirm or deny whether encryption is in place or if so at what level,  because any information they release does make it a little easier for someone to work out how and where to target an attack.  Or at least know where not to waste any resources.  (And it might just start a competitor thinking - "So that's how I do it...")

 

Evernote may be preparing a release as we speak.  Or not.  But - end of the day - they own the company.  What they do to 'service' our data within the regulations is pretty much up to them unless there's an issue and a rabid crowd of users start tossing their legal weight around.  There's all sorts of commercial and practical reasons why they'd want to be pretty careful though - a quiet life and their good reputation among them.  

 

I won't waste energy worrying about this when there may or may not be a problem;  we don't - and probably never will have - full information;  and any fix is out of our hands anyway.  

 

On the basis of the information that's available,  use the services they provide,  or don't - your decision.  No amount of discussion is likely to generate enough information to satisfy any reservations - and if it did it would be like Evernote pointing to its own glass jaw and saying "Go on then,  hit me - I dare you..."

Share this post


Link to post

Even though this issue direct affects Evernote, it is much bigger. Our desires as users, and the wishes of the tech giants - Google, Apple, Facebook, Yahoo, Linkedin, Microsoft and Twitter - might just be moot. These huge companies clearly realize people won't use technology that can't be trusted.

These global businesses are trying to serve customers in hundreds of countries around the world. People in countries outside the USA are saying very vigorously "we don't want the U.S. spying on us". And these users are saying "maybe we shouldn't use these products".

example: http://rt.com/news/germany-nsa-merkel-writers-669/

 

So it is critical for these global business to get some clarity so they are not viewed as honeypots by the US government.

Interesting point - None of the big telecom backbone providers  signed the letter - no AT&T, no Verison, no Level3. These companies are actually the low level networks the NSA uses to tap into the data.

So if Google and Evernote decide to harden themselves against the NSA spying, but the NSA can still tap into the network backbone, what can they really do about it? Sophisticated encryption (not easily broken 64-bit RC2) is the only solution that I trust.
 

  • Like 1

Share this post


Link to post

 

So if Google and Evernote decide to harden themselves against the NSA spying, but the NSA can still tap into the network backbone, what can they really do about it? Sophisticated encryption (not easily broken 64-bit RC2) is the only solution that I trust.

 

 

Not sure I follow that quite.  What else would Google and Evernote "hardening" be other than encryption.  They aren't powerless against network backbone tapping.  Perfect Forward Secrecy on the SSL session is the solution to that.  It took a few mouse clicks and rebooting the server on my stuff.  Then they can be compelled to give up their current or expired private keys, and your sniffed packed still can't be decrypted. 

 

Backbone sniffing is a data transport issue.

the "not easily broken 64-bit RC2" (and I think you must mean non-key escrowed here) is a data at rest issue, protecting against a court order or national security letter compelling them to grant access to your data while at rest on the Evernote servers (though I'll grant, it also an extra transport encryption if implemented with that intent).

 

Without PFC in the SSL wrapper though no matter what Evernote gives for note/notebook encryption, you still won't be able to use https://www.evernote.com or your decryption key and the encrypted data will be revealed by a backbone tap.

That still leaves a legitimate court order or national security letter to compel Evernote to cooperate.  And your PC and it's evernote client are trivially willing to reveal your secrects with a spearphishing attack (waiting for you to decrypt something just once.)

 

This should all just work in proper fashion with credible, transparent, effective, intelligence oversight.

Share this post


Link to post

This article (unfortunately only in German) reports that Phil Libin said at LeWeb in Paris that Evernote supports the Global Government Surveillance Reform campaign but not officially because Evernote has not been asked.

 

He said that's good that the NSA spy affair has been revealed at the beginning of the cloud development and not in ten years. Trust in the cloud must be rebuilt.

  • Like 1

Share this post


Link to post

 

 

So if Google and Evernote decide to harden themselves against the NSA spying, but the NSA can still tap into the network backbone, what can they really do about it? Sophisticated encryption (not easily broken 64-bit RC2) is the only solution that I trust.

 

 

Not sure I follow that quite.  What else would Google and Evernote "hardening" be other than encryption. 

 

Sorry, my attempt at diplomacy did not work.

 

Bottom line: I don't believe that Evernote will go down the road of strong encryption across their data centers. Their attempt at hardening might be quite a bit different from what most users would expect. And with the lack of transparency, it is anyone's guess what Evernote eventually does.

 

This brings us back to Gaz's original comment - we can only use Evernote in a multi-platform environment with non-sensitive data.

Share this post


Link to post

This article (unfortunately only in German) reports that Phil Libin said at LeWeb in Paris that Evernote supports the Global Government Surveillance Reform campaign but not officially because Evernote has not been asked.

 

He said that's good that the NSA spy affair has been revealed at the beginning of the cloud development and not in ten years. Trust in the cloud must be rebuilt.

Good link, Heise is always the best place for these information.

The important part is that he wants that we the people ask the goverment to change the law and that it could be done in six month or less.

 

The Global Goverment Surveillance Reform campain has a different reason that you think.

It cost google and Co money when the NSA or others are using there service, so they just don't want to have to pay for being spyed on.

Share this post


Link to post

Tada...

 

Quietly released...

 

Evernote for Windows 5.1.1.2304 RC Release Notes
  • Improvements:
    • Note Encryption uses AES-128
  • Like 2

Share this post


Link to post

 

Tada...

 

Quietly released...

 

Evernote for Windows 5.1.1.2304 RC Release Notes
  • Improvements:
    • Note Encryption uses AES-128

 

 

It isn't sexy, and it isn't between data centers, but it is an improvement!

Share this post


Link to post

 

Tada...

 

Quietly released...

 

Evernote for Windows 5.1.1.2304 RC Release Notes
  • Improvements:
    • Note Encryption uses AES-128

 

 

Good catch! thanks

 

Good bye to the easily broken 64-bit RC2.

 

Evernote security is headed in the right direction. Yay!

Two Factor Authentication and AES-128 are both available.

 

Next step? perhaps a move to a more robust 256-bit AES.

Share this post


Link to post

 

 

Tada...

 

Quietly released...

 

Evernote for Windows 5.1.1.2304 RC Release Notes
  • Improvements:
    • Note Encryption uses AES-128

 

 

It isn't sexy, and it isn't between data centers, but it is an improvement!

 

 

Well...

Not in the way we were thinking, but technically it is right?

Unlike the areas good to address to protect the all of the data, at least the bits you encrypt yourself with AES, is encrypted in situ.  And that means in their internal High-Availability duplication between servers, in their backups, and to any warm/cold standby datacenter(s).

 

(Yes we had that before, it's just that the encryption wasn't really worth using).

Share this post


Link to post

×
×
  • Create New...