Mr.White

Can I trust Evernote Encryption?

Hi folks,

I'm interested in learning more about encryption in Evernote. I've downloaded the OS X client and figured out how to go about encrypting some text within a note, but I'm concerned about the fact that Evernote uses insecure HTTP to transfer the contents of any given note from my local machine to your servers.

First off, that's just plain bad. Bad. Bad. Bad. Bad. Shame on you. You need to get with the program and use SSL/TLS *everywhere*. No exceptions. This makes you look amateur.

So my questions are:

1. If my note syncs in between the time I type the string I'd like to encrypt and the time I complete the encryption, would the string of text be transmitted to your servers over insecure HTTP?

2. In one of your help docs I read in the comments that you only offer this to your premium clients. Is that correct, or has that changed?

3. The reason that was given for only offering SSL to premium clients is that it's "too expensive" to offer this as a default feature. That's bullshit. And you know it. I'm okay with the idea that you just hold it back for premium clients, but the idea that it's going to burn so much more infrastructure that you couldn't possibly afford it because it would be a huge cost to your bottom line is both greedy and economically impossible. It also creates the unnecessary intonation that SSL is some sort of luxury, which is detrimental to the ongoing process of locking down the internet in general. As a major app, you should have a better policy in this regard. You're in a position to lead and educate your massive user base; instead, you're making it out like SSL is unnecessary and expensive. And you know better.

I guess that last one isn't much of a question, but it's hugely disappointing to find out that you're so careless with how data is transmitted and that you're using cost as an excuse for a rotten security philosophy.

As far as I know, Evernote doesn't use plain HTTP for synchronization:

https://blog.evernote.com/tech/2011/05/17/architectural-digest/

https://blog.evernote.com/tech/2014/10/16/evernote-and-poodle/

https://evernote.com/contact/support/kb/#/article/23480996

(Note: I'm pretty techie, but I'm not a network engineer, so you could probably tell me mostly anything about this stuff and I'd have to believe you.)

I wasn't aware that this is a premium-only thing, and couldn't find any citations. Do you have one?

Yeah. Evernote is not using PFS, but otherwise, it appears to be industry standard security. The encryption has also improved in recent years. One of the really nice things, which I hope we'll see expand from text to entire notes and notebooks, is that the encryption is zero knowledge.
