Evernote app upgrades are unencrypted over HTTP - phkn1
http://httpshaming.tumblr.com/post/95194653711/evernote-checks-for-update-over-unencrypted-http

======
schrodingersCat
Thank you for bringing this to my attention. As an avid Evernote user, I will
shoot them a feature request email. MITM attacks are a real problem (how do
you think Gamma's FinFisher was deployed?), and there is no excuse for this
not to be implemented on such a popular app.

------
FroshKiller
I'm actually a little relieved after clicking through. The post is only
talking about app updates, not syncing updates to your notebooks.

~~~
phkn1
Right you are. Fixed the title. The app does sync the notes themselves
over SSL.

But this is still a risk, as the link to the app that does the syncing could
be blocked to maintain a vulnerability, downgraded to a vulnerable version, or
potentially compromised...

~~~
hjlklhj
> But this is still a risk, as the link to the app that does the syncing could
> be blocked to maintain a vulnerability

If you can MITM the DNS or IP you can still do this even with HTTPS.

> downgraded to a vulnerable version

Does the app allow "upgrading" to a lower version number automatically?

> or potentially compromised

The app enforces signed updates, no?

That said, they really should get https going for the updates.

~~~
phkn1
> If you can MITM the DNS or IP you can still do this even with HTTPS.

Strictly speaking you'd need a compromised DNS _and_ a compromised CA
(possibly with a wildcard certificate). Certificates provide assurance of
identity as well as encryption (that's why public key encryption works). No
matter where the connection comes from. (EDIT: If I compromise DNS for an SSL
secured site I only get half an attack.)

> does the app allow "upgrading" to a lower version number automatically?

I'm not as familiar with the app update mechanisms with respect to enforcing
monotonic version numbers. I don't have proof it enforces this, however.

> the app enforces signed updates, no?

The author says it best here:

http://httpshaming.tumblr.com/post/95160721901/but-its-signed

~~~
hjlklhj
>>> But this is still a risk, as the link to the app that does the syncing
>>> could be blocked to maintain a vulnerability

>> If you can MITM the DNS or IP you can still do this even with HTTPS.

> Strictly speaking you'd need a compromised DNS and a compromised CA (possibly
> with a wildcard certificate). Certificates provide assurance of identity as
> well as encryption (that's why public key encryption works). No matter where
> the connection comes from. (EDIT: If I compromise DNS for an SSL secured site
> I only get half an attack.)

My comment here was for the "the link to the app that does the syncing could
be blocked to maintain a vulnerability" argument. That you don't need a CA
for. Just throw an NXDOMAIN from the DNS.

edit: please note that I very much agree that update checks should be over
https. It's just that I think that it's not a panacea and should be
accompanied by e.g. code signing, enforcing updating version, etc.
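
As an added example (not code from the original post, the linked blog, or Evernote), here is the layered update check hjlklhj's reply calls for, in Go: an Ed25519-signed manifest verified against a public key pinned inside the app, a monotonic version check that refuses a signed-but-older build, an expiry that bounds replay of an old manifest, and a staleness check for the NXDOMAIN-style "just block the update check" case. The manifest format, product name, URL and timing thresholds are assumptions made up for the example, and HTTPS is assumed to sit underneath as the transport layer rather than being shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the update metadata the publisher signs. The format is a
// constructed example for illustration, not Evernote's real update feed.
type Manifest struct {
	Product   string `json:"product"`
	Version   int    `json:"version"`    // build number; clients only ever move forward
	URL       string `json:"url"`        // where the installer is fetched from
	SHA256    string `json:"sha256"`     // hex digest of the installer, checked after download
	ExpiresAt int64  `json:"expires_at"` // unix seconds; a stale manifest is rejected
}

// SignedManifest is what crosses the (possibly hostile) network.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`  // the exact bytes that were signed
	Signature []byte `json:"signature"` // Ed25519 signature over Manifest
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrExpired      = errors.New("manifest has expired (replayed, or update channel blocked)")
	ErrRollback     = errors.New("manifest offers an older version than the one installed")
)

// Sign runs on the publisher side; the private key never touches the update server.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Verify runs in the client. pinnedPub ships inside the app binary, so an attacker
// who controls DNS, a CA or the plain-HTTP path still cannot mint a passing manifest.
// Returns (m, true, nil) for a newer build, (m, false, nil) when already current.
func Verify(pinnedPub ed25519.PublicKey, sm SignedManifest, product string,
	installed int, now time.Time) (Manifest, bool, error) {
	// 1. Signature first: nothing in the blob is trusted until this passes.
	if !ed25519.Verify(pinnedPub, sm.Manifest, sm.Signature) {
		return Manifest{}, false, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, false, err
	}
	// 2. Product binding: a valid manifest for app A must not update app B.
	if m.Product != product {
		return Manifest{}, false, ErrWrongProduct
	}
	// 3. Expiry bounds replay: a signed manifest for a vulnerable build stops working.
	if now.Unix() > m.ExpiresAt {
		return Manifest{}, false, ErrExpired
	}
	// 4. Monotonic versions: a signed manifest for an older build is never installed.
	if m.Version < installed {
		return Manifest{}, false, ErrRollback
	}
	return m, m.Version > installed, nil
}

// ChannelSilent covers the "block the update check" attack (NXDOMAIN, dropped
// connections): if no valid manifest has been seen for longer than maxSilence,
// the client should warn instead of silently assuming it is up to date.
func ChannelSilent(lastValid, now time.Time, maxSilence time.Duration) bool {
	return now.Sub(lastValid) > maxSilence
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2014, 8, 22, 12, 0, 0, 0, time.UTC)
	installer := sha256.Sum256([]byte("constructed installer bytes")) // stand-in for the real file
	m := Manifest{Product: "demo-app", Version: 101,
		URL:    "https://updates.example.invalid/demo-app-101.exe",
		SHA256: hex.EncodeToString(installer[:]), ExpiresAt: now.Add(7 * 24 * time.Hour).Unix()}
	sm, _ := Sign(priv, m)
	got, newer, err := Verify(pub, sm, "demo-app", 100, now)
	fmt.Println(got.Version, newer, err) // 101 true <nil>
	sm.Manifest[0] ^= 1                 // flip one bit in transit
	_, _, err = Verify(pub, sm, "demo-app", 100, now)
	fmt.Println(err) // manifest signature does not verify
	fmt.Println(ChannelSilent(now.Add(-30*24*time.Hour), now, 14*24*time.Hour)) // true
}
```

The ordering inside Verify matters: the signature is checked before any field is read, so the version, expiry and product checks only ever run on publisher-authored data. Expiry and version monotonicity are independent controls; a valid signed manifest for an old build fails the rollback check even if the attacker replays it inside its validity window, and an expired one fails even if the client has never installed anything newer.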

~~~
phkn1
Agreed. Defense in depth is key.