Mr.White 0 Posted January 30, 2015 Share Posted January 30, 2015 Hi folks, I'm interested in learning more about encryption in Evernote. I've downloaded the OS X client and figured out how to go about encrypting some text within a note, but I'm concerned about the fact that Evernote uses insecure HTTP to transfer the contents of any given note from my local machine to your servers. First off, that's just plain bad. Bad. Bad. Bad. Bad. Shame on you. You need to get with the program and use SSL/TLS *everywhere*. No exceptions. This makes you look amateur. So my questions are: If my note syncs in-between the time that I type the string that I'd like to encrypt and the time that I complete the encryption, then the string of text would be transmitted to your servers over insecure HTTP? In one of your help docs I read in the comments that you only offer this to your premium clients. Is that correct, or has that changed? The reason that was given for only offering SSL to premium clients is that it's "too expensive" to offer this as a default feature. That's bullshit. And you know it. I'm okay with the idea that you just hold it back for premium clients, but the idea that it's going to burn so much more infrastructure that you couldn't possibly afford it because it would be a huge cost to your bottom-line is both greedy and economically impossible. It also creates the unnecessary intonation that SSL is some sort of luxury, which is detrimental to the on-going process of locking down the internet in general. As a major app, you should have a better policy in this regard. You're in a position to lead and educate your massive user base, instead you're making it out like SSL is unnecessary and expensive. And you know better. I guess that last one isn't much of a question, but it's hugely disappointing to find out that you're so careless with how data is transmitted and that you're using cost as an excuse for a rotten security philosophy. Link to comment
Level 5* jefito 5,589 Posted January 30, 2015 Level 5* Share Posted January 30, 2015 As far as I know, Evernote doesn't use plain HTTP for synchronization:* https://blog.evernote.com/tech/2011/05/17/architectural-digest/* https://blog.evernote.com/tech/2014/10/16/evernote-and-poodle/* https://evernote.com/contact/support/kb/#/article/23480996 (Note: I'm pretty techie, but I'm not a network engineer, so you could probably tell me mostly anything about this stuff and I'd have to believe you). I wasn't aware that this is a premium-only thing, and couldn't find any citations. Do you have one? Link to comment
Mr.White 0 Posted January 30, 2015 Author Share Posted January 30, 2015 Right here: https://blog.evernote.com/blog/2008/04/15/evernote-privacy-and-security/ Link to comment
Level 5* jefito 5,589 Posted January 30, 2015 Level 5* Share Posted January 30, 2015 Uh, the article that you linked to is from 2008. Try: https://evernote.com/contact/support/kb/#/article/23258452. Link to comment
Level 5* GrumpyMonkey 4,319 Posted January 30, 2015 Level 5* Share Posted January 30, 2015 Yeah. Evernote is not using PFS, but otherwise, it appears to be industry standard security. The encryption has also improved in recent years. One of the really nice things, which I hope we'll see expand from text to entire notes and notebooks, is that the encryption is zero knowledge. Link to comment
gbarry 2,658 Posted January 30, 2015 Share Posted January 30, 2015 We have a security overview here as well: https://evernote.com/security/ Link to comment
Recommended Posts
Archived
This topic is now archived and is closed to further replies.