
Show HN: Turtl – A secure, encrypted Evernote alternative - orthecreedence
https://turtl.it/
======
smcleod
I'm sorry but I don't think you should call this an Evernote alternative.

- No iOS client (although the site does say coming soon)
- No Firefox web clipper
- No web interface
- Large / heavy application
- No drawing / diagram support
- The app is not native; it seems it's a web frame

Its interface doesn't feel very snappy; it feels like it's built with a
JavaScript framework perhaps?

Evernote has been around for a long time and has grown to 110MB uncompressed /
installed, this app is 100MB and it's only in its early stages and has hardly
any features implemented yet - that's worrying to me.

Looking at OSX's power utilisation, Turtl appears to often utilise one CPU
core heavily under load, where Evernote seems to thread processes more
efficiently and ends up using around 60% less power on my 2015 Macbook in the
use I put it through, which was common activities such as adding and removing
notes, copying / pasting text, launching and closing the app etc.

What I do _really_ like is that it uses Markdown, that's something sorely
missed in Evernote.

I'm really sorry to be quite harsh, I really do love when people try to
improve software by creating their own alternative and that's something that's
sorely needed in the land of Evernote like apps, however I don't think this
comes close to a possible alternative.

~~~
orthecreedence
Thanks for the honest feedback! The app IS a web frame, both on desktop and
mobile. TBH it's pretty much the only way I can maintain it on 4 (and soon 5)
different platforms efficiently.

I will say this: Turtl will queue encryption/decryption in background threads
so it does utilize cores while doing heavy processing. As far as how it
utilizes cores in the main UI, that's really up to the underlying javascript
engine, which most likely will be single-threaded unless instructed otherwise.

> I'm really sorry to be quite harsh

Not harsh at all. Turtl is a start, a goal. Evernote has so many features and
so many use-cases for so many people. I agree saying it's a viable alternative
right now isn't entirely true, but for those who value privacy over features,
Turtl is worth a look.

~~~
ultramancool
To your credit, the feature you're adding is far more important to me than any
of the minor Evernote features the parent mentions. So don't sell yourself
short.

I currently find myself stuck syncing text files using SyncThing or ownCloud
or making notes in my KeePass database just to get the level of privacy I want
in this.

I saw Turtl before and this makes Turtl highly appealing to me, I'll
definitely be trying it out more thoroughly as it looks like mobile support
has matured since last I tried it.

One thing I seem to remember having an issue with was DPI scaling support, I
use 4k screens at home and at work, but everything was blurry as the apps
didn't support DPI scaling - any chance this has been addressed?

Another issue I seem to remember was self-hosting, I'd most likely self-host
it (though I'll definitely chip you a donation if it's all working), but I
didn't see any way to configure the server used - did I miss something or has
this been added now or would I need to recompile to do this?

Thanks for all your hard work.

EDIT: Just tried it again - DPI scaling on Windows is now working and there
appears to be a button to change the server. Sweet. I'll be moving in to this
tonight if all goes well. Thank you again. This looks like an excellent
product.

I noticed your page doesn't have a donation link though and since I intend to
self-host I can't send you anything, any chance you can put one up?

EDIT2: Hmm, noticing something strange here - I thought the DPI scaling was
working when I saw the notes in the main screen looked very sharp,
[http://i.imgur.com/BfSDcca.png](http://i.imgur.com/BfSDcca.png) but when I
view notes expanded it seems to lose its sharpness. See
[http://i.imgur.com/gpJ7zsC.png](http://i.imgur.com/gpJ7zsC.png)

I'm not sure what the reason for this is but I've noticed similar problems
with Atom and other browser based solutions so perhaps this is unavoidable for
now, in any case it's much better than it was before.

~~~
nickik
My solution to this problem is to use LastPass. The crypto is about as good as
you can get; the only problem is that it's not open source. LastPass runs
literally everywhere, every browser, every device.

Markdown support in the notes would be quite nice. The UI could be improved
for that usecase as well.

I really like having only one app for those use cases.

I really like that I can use my Yubikey for 2f authentication over NFC.

------
sarciszewski
[https://github.com/turtl/js/blob/2ca59900d71284795e278e75585...](https://github.com/turtl/js/blob/2ca59900d71284795e278e75585787ca767e9766/library/tcrypt.js#L192-L195)

Nothing says secure like PBKDF2-SHA1 with 50 rounds.

[https://github.com/turtl/js/blob/2ca59900d71284795e278e75585...](https://github.com/turtl/js/blob/2ca59900d71284795e278e75585787ca767e9766/library/tcrypt.js#L577)

...or timing attacks on MAC validation. (Yeah, you switched to GCM, but a
downgrade attack could potentially be used to find a valid MAC for a chosen
ciphertext without the attacker knowing the key...)

~~~
mrmondo
"When the standard was written in 2000, the recommended minimum number of
iterations was 1000, but the parameter is intended to be increased over time
as CPU speeds increase. As of 2005 a Kerberos standard recommended 4096
iterations,[2] Apple iOS 3 used 2000, iOS 4 used 10000,[3] while in 2011
LastPass used 5000 iterations for JavaScript clients and 100000 iterations for
server-side hashing"

source:
[https://en.wikipedia.org/wiki/PBKDF2](https://en.wikipedia.org/wiki/PBKDF2)

*Edit: Oh.. it's PBKDF1....

~~~
logicallee
how can anyone take anything seriously that requires 1000 iterations. if
iterations had an exponential function then the difference between 1000
iterations and 10,000 is ridiculous, like the difference between 16 bit
encryption (no such thing, this would be a joke) and 160 bit encryption.

But if it's not exponential, then adding thousands of iterations doesn't do
much. Maybe instead of 1 day to break it, now it takes 1000 days, or instead
of spending $4,000 on CPU time now you need to spend $4M to crack it. Big deal
- it's just as broken.

So can anyone explain the math here? How can they seriously suggest linearly
increasing the number of iterations over time?

~~~
sarciszewski
Attackers can use special hardware (ASICs, for example) to perform a lot of
low-memory but CPU-intensive calculations quickly. Modern KDFs emphasize a
property called memory-hardness: it should be reasonably fast on consumer
devices, require a reasonable amount of memory, and trading off memory usage
should require an absurd CPU slowdown.

PBKDF2 doesn't have this property, so if you're forced to use it, the standard
recommended iteration count is 86000.

50 is a joke.

~~~
logicallee
so it's not really exponential - if ridiculous amounts of memory somehow
became very cheap and available, then it would break it? this is quite
different from the exponential properties most encryption has. I would expect
"ridiculous amounts of memory" to mean "more bytes than the number of atoms on
Earth", that sort of thing. It sounds like rather than these kinds of
theoretical limits, they chose much more practical limits - which seems a lot
more dangerous and less future-proof, but I guess I'm not an expert.

~~~
sarciszewski
As attackers get better, we can just up the ante. More rounds, more memory
usage, etc.

If you're building software in 2016, you want to use one of the following for
turning a password into a crypto key:

- Argon2
- scrypt
- bcrypt

PBKDF2 should be your last resort. Don't fall back to a simple hash function.

~~~
logicallee
that makes zero sense. something encrypted in 2001 isn't supposed to magically
become plaintext in 2016 because "attackers get better." it's fundamentally
not the promise of encryption. (I thought.)

~~~
sarciszewski
Uh, no. AES was originally only slated to survive until 2030. Advances in
cryptanalysis are hard to predict, but attacks always get better.

------
phillc73
I was going to rail against another app I could be interested in which forces
an Android installation through Google's Play Store.

Then I noticed the link to sources on GitHub and the ability to build the APK
oneself.[0] I will certainly try this. Thank you for the option.

[0] [https://github.com/turtl/mobile](https://github.com/turtl/mobile)

------
orthecreedence
Hi everyone, creator of Turtl here. It's getting late here (2:15 am) so if you
ask a question or have feedback, I'll be able to get back to you in a few
hours. Thanks for checking out my project!

~~~
satai
Hi. May I have two recommendations?

- Put more screenshots on the web page to appetize us.
- If you provide a server, provide it as a Docker image too, so it's easy to test.

Looks good anyway, I am going to give it a try.

~~~
orthecreedence
Thanks! Lots of people are requesting docker images, so this sounds like the
way to go. I'll look into it.

------
segphault
It's really neat to see that the backend is built with RethinkDB and Common
Lisp. I am looking forward to setting up my own instance from source and
playing around with it. Great project.

------
V-2
I feel the UI (of the desktop version) is a bit lacking.

Within one minute from installing it, the following happened.

I added a note: a text note, fine. So a side bar opens...

Why is it only ever a side bar? I have a 1920px wide monitor - not really
unusual - but you're forcing me to edit my notes in a fixed 700px sidebar, the
rest of the screen estate just darkened out. Evernote lets me use all my
screen.

But I've typed some stuff in. So, I'm clicking on "Add text note", the first
most obvious call-to-action that catches my eye. A dialog pops up: "The note
has unsaved changes. Really leave?". Well, I just clicked on "Add text note",
what do you mean?

Only after a while I realized that I'm not supposed to click on the most
prominent (white on black) caption bar at the top, but on the greenish "Add"
in bottom right corner. Even though the title does say "Add text note", which
is as explicit as it gets.

Okay, time to edit my note. It opens in preview mode by default, I still have
to click on a floating button to make it editable - another little mental
bump, but okay.

I can click on an eye icon to get a preview of the note. Once I do that, the
eye icon vanishes, and I'm left with an uneditable note. That's quite weird,
normally the "eye" icon would just be replaced with a symbol indicating return
to edit mode, allowing to switch back and forth with no fuss. Makes sense,
especially since it's easy to anticipate that the preview function would often
be used just to quickly catch a glimpse of whether our work (markup, etc.)
looks fine, and further we go, it's not a Rembrandt painting : )

Not here, though - I click on the eye, but in order to resume editing I have
to move the mouse cursor to the left now, and tap on the "<-" back button. Or, as
it turns out, anywhere outside of the magical 700px wide (36% of my screen)
get-things-done area.

I guess I'm sort of a power user (I'm a software dev for starters), so these
confusions don't stop me for more than 5 seconds each. It is frustrating
nevertheless, because being computer-savvy, I'm not used to that. And when my
mum clicks "Add text note" only to be asked if she really wants to cancel all
changes, I can tell you she'll look like a deer in headlights rather than
mumble "what's this bs" as I did ; )

I understand you're an indie dev, but hallway usability testing doesn't
require hiring focus groups etc., all it takes is have a few people sit in
front of the monitor and watch them go at it

------
colordrops
I saw the "pricing" link at the top and was about to shit all over this for a
privacy oriented app being closed source, until I scrolled to the very bottom
and saw the innocuous open source note. May want to emphasize that more.

~~~
orthecreedence
This app has been a balance between advertising the fact that it's open source
and just presenting itself as a "privacy app" without shoving it in people's
faces. Maybe it should be a bit more prominent (and thanks for reading to the
bottom)!

To be clear, the pricing section only applies if you connect Turtl to our
hosted service. If you run your own server, the only pricing that applies is
the price you pay for the server you run it on.

~~~
NoGravitas
I actually love this business model: web/api server and clients are all Free
Software, and the developer or company behind it runs the "canonical" hosted
service. I hope it works out for you.

------
kumarski
Evernote made the mistake of going multiplatform really aggressively and too
much scope creep. I'm glad to see they're scaling back a lot of their scope
creep.

Good on you for trying to do this. Be ambitious and swing for the fences.
Evernote's product crashes frequently.

~~~
julianz
On which platform? I use Evernote a lot on Windows and Android, and a bit on
iOS, and haven't seen a crash in a very long time.

~~~
V-2
Out of my experience it's stable on Windows, although lacking in other
departments (eg. no dark theme)

------
triplesec
I'm glad of an alternative, mostly because Evernote being the last bad option
to date, has terrible UX. And the search is substandard. I use it because I
can use it on mobile and desktop, and back it up frequently to multiple
formats in case Evernote dies, or wipes my data in error.

(Please everybody who uses note apps, back them up now to external files!)

------
magicmu
I've been looking for alternatives to Evernote for a long time now, but
haven't found a viable one. Thanks for making this, I'll definitely check it
out!

------
jaybuff
Apple notes (in iOS 9 and El Capitan) is also a secure, encrypted Evernote
alternative: [https://support.apple.com/en-
us/HT202303](https://support.apple.com/en-us/HT202303)

------
design55
Coming from an academic/artistic background, very very far away from the TECH
industry, I've found turtl really helpful for cataloging research for upcoming
projects. I think it has really great potential for people working in project
based industries who need confidential platform to store large amounts of
research. Although many people do not have a need for privacy in their
bookmarking, it is definitely a major consideration in many other professions
outside of TECH. Although it may not be as smooth running as Evernote right
now, I think that privacy for my research is a trade off worth noting.

------
kusuriya
This is pretty sweet but the UI does leave some to be desired. It would be
awesome to have a UI similarish to onenote or a few others where on the left
side you have a list of your boards, then either on the left or right side
(users pick) you have a list of items in the board, then the rest of the
screen is whatever the item is. It is a really nice start and has a lot of
potential, but without a web version it just won't replace anything I use right
now, since you don't seem to support any of the BSDs and I do a lot of switching
between Windows, Linux and OpenBSD.

------
hirokiky
I tried it. I like this app, especially the tile interface. And it won't
scramble all things into notes like Evernote: bookmarks, files and notes are
separated. Seems nice.

cons:

- You need to get certification for the OSX app; it's scary to install uncertified apps.
- Uploading files and images should be merged. I don't want to care whether it's an image or not; the app should detect it, isn't that cool?
- The note editor is too poor to use, and the default height of the textarea is too thin. Expand it when users want to write something.

------
claudius
[http://i.imgur.com/sDzAMjg.png](http://i.imgur.com/sDzAMjg.png)

That’s a rather large font size.

~~~
orthecreedence
Well yeah, we need a callout or customers won't know where to look.

In all seriousness though, it seems the site has linux/chrome issues. I am
looking into it.

Thanks for the screenshot =]

~~~
Gracana
It has IE11 issues also.
[http://i.imgur.com/flVRw9M.jpg](http://i.imgur.com/flVRw9M.jpg)

------
oadam
On macbookpro 13", Safari, the header background takes 50% of the webpage area. Chrome
and FF look good.

------
oliv__
Just a heads up: I'm being shown the _Windows x64_ button and I'm using a Mac
(OS X 10.10) and Firefox.

There is only one button on the front page but you seem to support multiple
platforms so I'm assuming this is a bug?

~~~
Kadin
Same thing happened to me. If I hadn't dug around a little I would have
assumed it's a Windows-only app and moved on.

------
natch
Does it run on my own server, encrypting data with keys the server never sees?

~~~
orthecreedence
Yes.

------
formichunter
Is it possible, or maybe I should offer, to encapsulate this in docker using
docker-compose? I find it easier and cleaner to try new things out running
docker-compose up.

~~~
orthecreedence
By all means, if you want to take on this project I'd gladly advise and link
to it from the server page. I don't know enough about Docker to be useful for
that portion, but I can certainly help in getting the server set up properly.

~~~
formichunter
I'll work on this tonight, EST, but if someone beats me to it please don't
hesitate to link to them first. Thanks for the reply.

------
s_q_b
Evernote is _so good_ that I just can't see myself transitioning. I wish the
best services would offer strong encryption as a default.

~~~
afro88
This is the game these companies play - they provide a service so slick that
people will use it regardless of the privacy concerns.

And of course I am one of those people... I use Evernote because I can take
notes anywhere very easily (in my browser, my OS, my phone) and then have
access to them always in sync very easily, online and offline. Couple that
with nested tags and saved search queries and I unfortunately see no
competition, regardless of privacy measures. I don't care if my data is
encrypted properly if I don't have easy access to it.

~~~
mrmondo
Like almost all 'cloud' services, I treat all data in Evernote as non-
confidential and thus don't keep private information within it, and I take
regular backups. Do I trust a hobby / standard web-dev project as any more
secure just because they say it is and might have an extra layer of encryption
- no.

~~~
orthecreedence
This is important: there's a _trust_ barrier to entry here. Why trust some
random guy on the internet? You wouldn't. Nor would I expect anyone to
actually pore through the source code to determine if the crypto is sound.

Sometime soon I'm hoping to get enough cash rounded up for a security audit
and get a few thumbs up from the security community so at least you won't be
taking my word for it. Not only that, I'd love to make the product rock-solid.
As much crypto as I've studied in the past few years, nothing beats an expert
looking things over.

------
ipixny1004
[http://www.prweb.com/releases/2016/02/prweb13198898.htm](http://www.prweb.com/releases/2016/02/prweb13198898.htm)
Centrallo 2.0 Global Productivity App Adds Evernote Import Wizard to Its List-
Making Features and Adds Former Evernote Executive Heather Wilde to Its Team

------
polm23
Is something wrong with the CSS on the site? Everything looks kind of overly
large in my browser (Desktop Linux Chrome).

~~~
phlyingpenguin
Just to add in a screenshot, here's what it looks like on my copy of Chrome on
Linux: [http://i.imgur.com/6YPbAg6.png](http://i.imgur.com/6YPbAg6.png)

------
yazriel
Nice app. Please please add any sort of import capability

(You can look at simplenote export/import csv/json format)

------
philodendron
I really like the idea of a secure Evernote alternative. For me, however, the
by far most important feature is decentralization. Until someone builds this
I'm stuck using org-mode and a git repo...

~~~
r3bl
It is decentralized:
[https://turtl.it/docs/server/](https://turtl.it/docs/server/)

You only use their servers if you want to.

------
steaminghacker
See also [http://lexiy.com](http://lexiy.com) secure notes, but not documents.

------
dutchbrit
Are you using truecrypt? Isn't that a dead project with security issues?

~~~
Kadin
It's a forked project with leadership-drama issues, but several ongoing audits
haven't turned up any serious security issues.

The original anonymous maintainers apparently tried to kill it, for reasons
that aren't clear, by saying that it's insecure. It seems to have been a red
herring, and their suggestions of alternatives were comically bad.

Lots of people are still using the last Truecrypt release, or one of the
several forks that have sprung up that have attempted to improve upon it in
various ways (sometimes in incompatible ways, though). Hopefully the situation
will stabilize with one clear winner in the future.

------
ommunist
Why on Earth are people not using git? On iOS there is the Working Copy app. Any good
client for Android?

~~~
orthecreedence
I think the Android client is good, but I am biased. iOS coming soon.

