
Laverna – Store your notes anonymously and encrypted - markbot
https://laverna.cc
======
scorpion032
A good start. But...

The USP of Evernote isn't that you can take notes from anywhere as much as
anything can be a note (An audio clip, your current location, a picture etc)
and that can be very well organised, grouped and saved in the cloud and
offline on demand.

It's basically a "database" for the non techies: Save everything in there and
query by tags, organise by books or search in the content and meta data.

~~~
pknight
And that there is an app for most platforms. I'd actually love to see an open
source version of OneNote (pen based abilities, search performance and OCR
capabilities) more than Evernote.

~~~
spacemanmatt
Yup, mobile was the first thing I looked for. I can barely stand most browser
apps anymore.

------
sdevlin
The web is not a secure medium for this kind of application.*

This is because all the encryption features they tout depend implicitly on
content (HTML and JavaScript) the server sends you every time you use the
application. Because you receive this content anew on every usage, there's no
way to verify what you're getting. Today it might be fine, but tomorrow it
might contain a key logger or subtle cryptographic flaws.

You also can't depend on the community for help verifying this content,
because it can be distributed selectively. The mass of users might get benign
content while interesting targets get backdoored software.

* It might be safe to distribute something like this as an installable sandboxed web application. I'm actually not 100% certain. But the no-install-just-browse-to-this-url model is definitely insecure.
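The point made in the comment above, as an added example that is not part of the original post or of Laverna's code: a delivery can only be checked when there is a pinned, reviewed copy to compare it against, and a clean result for one user says nothing about what another user was served. The file names, contents and function names are constructed for illustration.

```javascript
// Added illustration; all file names and contents are constructed samples.
const crypto = require('crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hash every file of a release that someone has actually reviewed.
function buildManifest(files) {
  const manifest = {};
  for (const [path, body] of Object.entries(files)) manifest[path] = sha256(body);
  return manifest;
}

// Compare one delivery with the pinned manifest and list every difference.
function verifyDelivery(pinned, delivered) {
  const findings = [];
  for (const [path, expected] of Object.entries(pinned)) {
    if (!has(delivered, path)) findings.push({ path, issue: 'missing' });
    else if (sha256(delivered[path]) !== expected) findings.push({ path, issue: 'modified' });
  }
  for (const path of Object.keys(delivered)) {
    if (!has(pinned, path)) findings.push({ path, issue: 'unexpected' });
  }
  return findings;
}

// Constructed sample: the release that was reviewed and pinned.
const REVIEWED = {
  'index.html': '<script src="app.js"></script>',
  'app.js': 'function encryptNote(note, key) { /* reviewed code */ }',
};
const PINNED = buildManifest(REVIEWED);

// Constructed sample: what most users receive versus what one user receives.
const SERVED_TO_MOST = { ...REVIEWED };
const SERVED_TO_ONE_USER = {
  ...REVIEWED,
  'app.js': REVIEWED['app.js'] + '\n/* changed after review */',
  'extra.js': '/* file that was never reviewed */',
};

console.log(verifyDelivery(PINNED, SERVED_TO_MOST));     // no findings
console.log(verifyDelivery(PINNED, SERVED_TO_ONE_USER)); // two findings
```

A page fetched anew on every visit has no `PINNED` to compare against, which is the gap the comment describes.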

~~~
orthecreedence
The best way is a browser extension, but even that has its pitfalls (firefox
especially since there's no real sandboxing).

It's never a good idea to do crypto over a website.

~~~
sdevlin
> The best way is a browser extension, but even that has its pitfalls (firefox
> especially since there's no real sandboxing).

I would be greatly interested if you could expand on some of the pitfalls of
browser extensions and how they differ among browsers. Thanks in advance!

~~~
orthecreedence
I think the general pitfall of a browser extension is that you're essentially
trusting the browser, which is acting almost as an OS in terms of
separating the memory contents of different extensions, to work correctly. The
idea is if you have an extension doing crypto, an extension that is syncing
data with Google has no way of reading the data from the crypto extension. You
also have to make sure the same applies for websites as well...extensions
should be able to grab data from sites, but not vice versa. Without this kind
of perfect separation, your crypto extension is really just a sitting duck and
none of the data in it is safe.

As far as how they differ among browsers, Chrome (and I suppose Opera now, as
well) does a good job sandboxing one extension from another, and stopping
websites from gaining access to running extensions. Is it perfect? I can't really
answer that.

One problem with Chrome extensions is that unless you want your users to have
to download the .crx file, and drag and drop it into their browser, you _have
to use the Chrome webstore_. This is especially retarded because in order to
upload your extension to the Chrome webstore, they either need your private
key you signed the extension with, or they generate a private key for you.
This means that your private key _is not private_ and extension signing is a
complete joke. So if you're releasing an extension for the security-literate,
it makes sense to create a .crx file, sign it yourself with your own PGP key,
and offer it as a separate download that they _have_ to drag+drop into Chrome.
The Chrome webstore is not a secure means of distribution.

Firefox, on the other hand, is more forgiving with installations but has no
real sandboxing. This means it's possible for one extension to read another's
data. Plans to introduce threading (and I think as a consequence of threading,
sandboxing as well) are in the works, but it's still going to be a while until
Firefox gives extensions the same protections Chrome does.

Really, if you can, it's best to do crypto in a native app where the
sandboxing is done for you by the operating system and you don't have to rely
on a browser. Node-webkit is a great way to do this since it merges the two
worlds nicely (at least for desktop).

~~~
sdevlin
Thanks for the great reply!

I didn't realize the Chrome web store requires your private key. That's
insane.

------
noyesno
Why choose such a loaded name? "In Roman mythology, Laverna was a goddess of
thieves, cheats and the underworld."

~~~
nfoz
hah, I _love_ that

------
r721
"Laverna is webapp written on JavaScript which means it requires no
installation and no registration."

"None of us can get access to your personal data because we are using
IndexedDB and localStorage. In fact all your information will be stored only
on client side."

So does this mean that clearing cookies in Chrome will delete all your
information?

~~~
srd
If the Chrome devs in their infinite wisdom lumped cookies and HTML5
localstore together, then yes.

~~~
r721
Yeah, it's one option in Chrome unfortunately:

"Cookies, site, and plug-in data:

Cookies: Files stored on your computer by websites you've visited. These files
contain user information, such as preferences for websites or profile
information.

Site data: HTML5 enabled storage types including application caches, Web
Storage data, Web SQL Database data, and Indexed Database data.

Plug-in data: Any client-side data stored by plug-ins that use the NPAPI
ClearSiteData API"

[https://support.google.com/chrome/answer/95582?p=settings_cl...](https://support.google.com/chrome/answer/95582?p=settings_clear_browsing_data&rd=1&hl=en)

------
adrusi
I've been looking for a self hosted open source version of Evernote. I was
excited when I first saw this but this isn't it. Storing all data locally
defeats half the purpose. You can't even create notes on your phone and view
them on your PC. Add to that, this seems to be only for text notes, which
makes sense, since localStorage has a data limit of about 2MB.

~~~
orthecreedence
Try [https://turtl.it](https://turtl.it)

It offers a hosted option (the default) or an open-source server you can run
internally if you want more control of your data (or don't want to pay).
Disclosure: I'm building it.

Note that Turtl uses IndexedDB to store everything (encrypted) locally, but
also syncs to the server. This means if you wipe your local storage, your
profile will be re-downloaded back to the client (only un-synced changes will
be lost).

Mobile versions are on the way.

~~~
adrusi
Looks interesting, I'll try using it for a week or so and see where it takes
me.

Bit of advice however: The front page of the website doesn't really describe
it very well. There are barely any screenshots (and the ones that exist are
hidden for two thirds of the time), and there's not much of a description of
the actual application. There are descriptions of what features it has over your
competitors, but not really anything about what the core product is. Honestly,
if I saw the website outside of the context of this comment thread, I probably
would have passed it by.

All in all it looks like a good alternative to Google Keep which I can feel
good about using. Best of luck!

~~~
orthecreedence
That's incredibly useful feedback. Thanks for taking the time to mention that.

I think one thing I'm definitely missing is use cases, which would help
people understand that product better. I'll see what I can do about making the
screenshots more obvious as well.

I've been toying with the idea of creating a demo with pre-populated content
and letting people play around with it on the site. Would that be something
you'd try out as a passerby who happened to land on the site?

~~~
adrusi
I tend to treat such demos as nothing more than glorified screenshots. For
example, Mailpile has a demo similar to what you described and I spent maybe
10 seconds in it clicking on a couple buttons. That said, I'm sure it is very
useful to some other people. I'd recommend getting in touch with some of the
Mailpile guys or anyone else who can relay their experiences about how useful
it is.

------
sciencerobot
I've been looking for a replacement for Evernote for a while. So far I've
tried wikis, bluenote, vim + git + markdown.

The most important feature keeping me with Evernote is the ability to drag and
drop images.

~~~
knitatoms
You might like the open source Zim: [http://zim-wiki.org/](http://zim-wiki.org/)

It's completely replaced Evernote for me. You can drag and drop images from a
browser or the file system.

~~~
darklajid
That looks like a Tomboy clone? Interesting..

------
joelthelion
Very cool. One comment: I wish you could edit notes from the main view
directly, similar to simplenote
([http://simplenote.com/](http://simplenote.com/)).

------
sleepyhead
This is not an alternative to Evernote. It is an alternative to nvALT or
Notes.app.

------
frabbit
As regards replacing Evernote, there is already the very capable and stable
Zotero[1], which provides source to roll your own server[2]. It integrates
well with LibreOffice and LaTeX/BibTeX.

It does nothing to address the anonymous or secure aspects however.

[1] [https://www.zotero.org/](https://www.zotero.org/)

[2] [https://www.zotero.org/support/dev/dataserver_setup](https://www.zotero.org/support/dev/dataserver_setup)

------
thatusertwo
The more secure place to store notes is in a notebook you carry around with
you all the time.

------
higherpurpose
Keep an eye on DarkMail encryption, too, that maybe you can add later.

------
LaSombra
Very, very cool. Will check it out in detail later.

------
fiatjaf
BTSync is an option.

~~~
trebor
No, the only cloud storage option is Dropbox. BTSync is a viable alternative,
but it is not currently an option.

