
Tell HN: All Quip and Evernote documents are stored unencrypted on their servers - arikr
I was surprised when a friend told me this recently, so I figured there may be a few other people on HN who'd like to know.

To HN: What motivation would they have for doing this? Particularly given Evernote's imperfect security record, seems to be an especially bad idea to store all notes in plain text. Can't imagine the chaos that would be caused by an Evernote or Quip hack.
======
tedmiston
Similarly uncommonly known: All Dropbox Paper documents are publicly
accessible by anyone with the URL by default. There's no way to change the
default either. I get the improbability of someone guessing a URL with a long
hash but if they obtain it any other way, such as from the HTTP request or
browser history, other people still have full access to your docs.

------
arikr
I was incorrect: Evernote is encrypted, Quip is not.

> Encryption at Rest

> In late 2016, we began migrating the Evernote service to the Google Cloud
> Platform (“GCP”). Customer data that we store in GCP will be protected using
> Google’s built-in encryption-at-rest features. More technically, we use
> Google's server-side encryption feature with Google-managed encryption keys
> to encrypt all data at rest using AES-256, transparently and automatically.
> You can find additional information on how encryption at rest protects your
> data here.

Good job Evernote! Bad job Quip.

------
wmf
I would bet that 90% of SaaS is storing everything except passwords
unencrypted.

------
amk_
"Search everything" is a big value prop for Evernote. You can't search E2E
encrypted database records without transporting them to the client and
decrypting them there.

~~~
seveneightn9ne
The OP isn't surprised they don't use E2E encryption - that's mostly reserved
for the most security-conscious use cases, because as you say, there's a lot
of usability to gain from having read access from the server. However, at-rest
encryption is a total no-brainer.
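
The trade-off discussed in the two comments above, as an added example that is not part of the thread: with server-side at-rest encryption the service holds the key and can still search, while with E2E the server sees only ciphertext and search moves to the client. Function names are hypothetical and the notes are constructed samples; it uses Node's built-in `crypto` module.

```javascript
// Added illustration; function names are hypothetical, notes are constructed.
const crypto = require('node:crypto');

const NOTES = ['Tax return draft', 'Grocery list: eggs, milk', 'Wifi password for the office'];

// AES-256-GCM with a fresh 96-bit nonce per record.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8'); // throws on wrong key
}

const search = (texts, term) => texts.filter(t => t.toLowerCase().includes(term.toLowerCase()));

// At-rest model: the service holds the key, so it decrypts and searches server-side.
// This protects stolen disks or backups, not a compromised application server.
function serverSearchAtRest(serverKey, stored, term) {
  return search(stored.map(r => open(serverKey, r)), term);
}

// E2E model, server side: no key, so all it can do is scan ciphertext bytes.
function serverSearchE2E(stored, term) {
  return stored.filter(r => r.ct.includes(Buffer.from(term, 'utf8'))).length;
}

// E2E model, client side: every record is downloaded and decrypted before searching.
function clientSearchE2E(userKey, downloaded, term) {
  return search(downloaded.map(r => open(userKey, r)), term);
}

function serverCanRead(serverKey, rec) {
  try { open(serverKey, rec); return true; } catch (e) { return false; }
}

function demo() {
  const serverKey = crypto.randomBytes(32), userKey = crypto.randomBytes(32);
  const atRest = NOTES.map(n => seal(serverKey, n));
  const e2e = NOTES.map(n => seal(userKey, n));
  return { atRest: serverSearchAtRest(serverKey, atRest, 'password'),
           e2eServer: serverSearchE2E(e2e, 'password'),
           e2eServerCanRead: serverCanRead(serverKey, e2e[2]),
           e2eClient: clientSearchE2E(userKey, e2e, 'password') };
}
```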

------
nxsynonym
I switched to Bear Note for this reason, among others.

Bear is built on CloudKit. I'm not versed enough to know if it's the best out
there, but it's better than plain text for sure.

~~~
zack12
Bear is amazing! The only issue I have is how do they make money. Math doesn't
favor them. I hope they acquire enough users to justify that price point.

------
gabrielcossette
Another reason to host your own encrypted
[https://standardnotes.org](https://standardnotes.org)

