Hacker News new | past | comments | ask | show | jobs | submit login
Twinkle Notes: Cross-platform encrypted notes app (github.com)
98 points by twknotes 13 days ago | hide | past | web | favorite | 51 comments

Just wanted to say I love this business model of providing a free open source app, with convenient secure syncing being the paid option.

The trade-offs for a user who's committed to not paying for the premium features are mainly about convenience and security (having to maintain a fork, and missing out on automatic security updates), which ressembles those they would have to make by pirating a closed-source app.

Right now the license is AGPL, is this temporary (since the website calls the app "Source available" vs "Open-Source")?

PS: The submission title should begin with "Show HN:".

We are definitely using AGPL because, for the paranoid, they should be able to build their own binaries and distribute to their friends.

> end-to-end encrypted


For AES in CBC mode, IVs have two requirements:

1. They must never repeat.

2. They must be unpredictable.

Generating them from a SHA256 hash of some low-entropy data is not a good practice.


Furthermore, not authenticating your ciphertext means padding oracle attacks can be launched against the app.


Thank you for digging into the code. This is why we are going open source. The encryption you are referring to is for encrypting a list of keys for your local notes storage, which is not exactly part of the end-to-end encrypted syncing. Since you have got this far, could you please have a look at:


> They must be unpredictable

I am wondering if that is necessary, because the hacker can't perform those attacks without the user's actively using the app at the same time. From what I learned, the attacking process requires the presence of key somewhere. If the attacker can get on user's device while one is using it, then it's almost a hopeless situation. Please educate me if I am wrong.

> > They must be unpredictable

> I am wondering if that is necessary,

Yes, it is necessary. The IND security of Cipher Block Chaining (CBC) depends entirely on the IV being from a cryptographically secure random generator.

CBC mode requires unique and random IVs. CTR mode requires unique IVs (but can be predictable).

That's why we call the CTR input a nonce (number to be used once) and the CBC input an IV (initialization vector). Since they have different security requirements, we refer to them differently. Unfortunately, some cryptography libraries just name the parameter IV.

Is that distinction between nonce and IV held everywhere in the crypto community? For example, rfc8439 which defines the ChaCha-Poly AEAD does not require an unpredictable input nonce, and indeed calls it a "nonce", but many of the common implementations I've seen use "initialization vector" instead.

Loosely. The majority have given up on the public understanding of nuances and just phone it in with "just don't write crypto".

Because AES-CTR and ChaCha both refer to it as a nonce, and CBC calls it an initialization vector, the IV/nonce distinction does matter. But if you misuse the terms folks will know what you meant to say. Just don't mix it up when it comes time to implement.

Please don't ever stop this behavior. I'm just learning much of this in an applicable way and people like you make this not just easier but possible for those of us learning with little outside help.

The father I go down this rabbit hole the more I learn security should be like a religion of security (only one without dogma).


3. They should be authenticated.

To OP, I would suggest using secretstream from libsodium, which abstracts all these problems away for you.

> 3. They should be authenticated.

I covered that:

> Furthermore, not authenticating your ciphertext means padding oracle attacks can be launched against the app.

The list above was just the requirements for the initialization vector, not the list of problems with the code.

Right, but I was specifically talking about authenticating the IV.

Can you cite some source for why the SHA256 of changing data isn't sufficiently random to be used as the IV?


See the section about "CBC with Counters".

The consequence of the security proof by Rogaway, et al. for CBC mode is that IVs must be unique AND unpredictable for CBC mode to be secure*.

SHA256 is a deterministic pseudorandom function if you know all of the inputs. By studying the source code, we can see what gets fed into the SHA256 inputs. The cost to brute force all possible inputs is definitely much lower than 2^128, therefore it weakens the IND security of the AES-CBC scheme.

CBC security only provides indistinguishability. It isn't secure against adaptive chosen-ciphertext attacks.

>"See the section about "CBC with Counters"."

That section is talking about using an incrementing counter as the IV--it doesn't say anything about a PRNG being a bad choice (in this case, the PRNG being a SHA256).

>"By studying the source code, we can see what gets fed into the SHA256 inputs. The cost to brute force all possible inputs is definitely much lower than 2^128, therefore it weakens the IND security of the AES-CBC scheme."

Are you talking about brute forcing the IV? The IV is not a secret to anyone--it's usually appended to the cipher text.

> That section is talking about using an incrementing counter as the IV--it doesn't say anything about a PRNG being a bad choice (in this case, the PRNG being a SHA256).

Let's try this again.

You have two types of inputs that APIs refer to as "IVs".

Nonces: Must never repeat.

Initialization vectors: Must never repeat AND must be unpredictable.

Counters are acceptable for nonces. When an academic cryptographer says in a security proof that a counter doesn't suffice for the security of a scheme, what they're really saying is that you're in the latter category (must be unpredictable too) rather than the former (where predictable is okay as long as it never repeats).

If it can be predictable, it can be a counter. If it can't be a counter, it must be unpredictable.

The correct way to get an unpredictable IV is to use a CSPRNG.

SHA256(some predictable low-entropy inputs) fails to meet the bar for unpredictability.

> Are you talking about brute forcing the IV? The IV is not a secret to anyone--it's usually appended to the cipher text.

IVs aren't secret, but given the security proof I linked, IVs cannot be predictable. They must be unpredictable.

What do you think about NaCl for a project like this?

> Libsodium (a fork of NaCl) is preferable to NaCl.

Can you elaborate on this? Quickly looking over your libsodium based sodium-plus it doesn't seem like it has been audited. (I know libsodium itself had an audit)

Where as for example tweetnacl-js [0] has been audited.

That's not meant to take a dump on your project, but I just don't understand why it is better, or preferable.

[0]: https://github.com/dchest/tweetnacl-js#audits

NaCl is djb abandonware. Libsodium is actively maintained.

Libsodium offers Argon2 password hashing and key stretching, XChaCha20-Poly1305 AEAD constructions, BLAKE2b generic hashing, SipHash-2-4 for collision-resistant hash tables, etc.

Most people who say "use NaCl" really mean "use NaCl/libsodium".

Regarding my project: sodium-plus will wrap sodium-native (a thin Node wrapper to libsodium proper, which has been audited) if it is installed. To date, libsodium.js has not. Therefore, if you care about public code audits, you can use audited libsodium with sodium-plus just by installing sodium-native alongside it.

A few questions and observations:

* If I choose to use this notes app on multiple devices, and am careful enough to be the only person using it and complete any note taking on one device at a time (closing the app properly), I should be able to store and sync the sqlite database on any cloud storage service and wouldn't need the paid sync option, correct? In other words, the sync option makes multiple clients opening and making updates in the same time period a non-issue?

* The costing seems a bit weird when one digs in, because it defaults to counting in one GB increments even though the unit is stated as GBm and compared to things like KWh in the explanation. Even if you store only a few bytes of notes (or a few KBs), the documentation says that you'd still pay a minimum of 1GBm. So that works out to a $7.176 a year if you don't cross 1GB in storage used.

* Since this is open source with AGPL, anyone could fork it to support a custom sync mechanism that allows to store the database on cloud storage/sync services, but would have to make the source available if they distribute the app to others.

> store and sync the sqlite database on any cloud storage service

It would be quite slow.

> a minimum of 1GBm

Our servers are quite dumb that if you are hosting your space with us, we need to reserve some storage space for you. That's a fixed cost for us even if you are not effectively using that storage.

Why would a notes database, that’s mostly (or all text) even take up a lot of space and make syncing the entire database slow? If someone is using just a few MBs of data, the speed of syncing that is immaterial.

Your servers not being able to account for smaller storage sizes is a technical limitation that you have built. You can take a look at tarsnap for inspiration on how to account for very small amounts of data. I’m not saying you should account for bytes, but even taking it at a fraction of what you’re currently doing would be better and fairer to paying customers. You would also discourage hoarders who thrive on utilizing a lot more and get subsidized by those who barely store much.

I've seen a lot of these kinds of apps lately that have their own one-off sync mechanism. Can I ask what were the design considerations that led to that choice, rather than letting users sync a store via their own back end (Dropbox, iCloud, rsync...)?

I develop an app like this (https://actualbudget.com/) and I'll give you my reasons.

Those kinds of syncing work will files, and treat each individual file as a blob. Apps don't work this way. Apps need databases and fine-grained change tracking. You absolutely don't want to make a change in two places on two separate devices and then have a sync conflict. If you throw the sqlite db file on dropbox, that's exactly what will happen.

You could try to build your app around files, but now you are rebuilding a database (and not a good one).

There are a few services that offer syncing more appropriate for apps, like Apple's CloudKit (I think that's the one?). These could work, but in Apple's case you can only run your your app on macOS/iOS.

There are a few generic syncing layers like PouchDB, and there are tradeoffs with all of those. Some of these tradeoffs are deal breakers. (there aren't a ton of good options yet)

But there are good reasons why you an app can't just eschew syncing onto the user, and assume they'll find a good syncing service. It needs to be tightly integrated with how the database works.

You keep local copy of database and cloud copy of database. When cloud copy changes, you detect difference and apply it to your local copy, resolving conflicts if necessary, then copy your local copy back to cloud. It might be more difficult to implement, but it allows user to use any sync option.

Those are all good reasons but I’d argue that starting from the desire to be able to use existing sync services and building on that may be more user friendly.

Yes you essentially need to rebuild a database, but this is for example what 1Password did.

I disagree. I mean, it depends on the kind of app. The data requirements of some apps might do well in a simpler model that can work OK with existing syncing services.

But the majority of apps need more complex needs and you definitely should not go and build a new database. The user experience will end up being flaky (syncing problems) and/or slow (the database is not good). Not to mention that now in addition to setting up the app, the user now needs to go sign up for one of those services if they haven't already.

With integrated syncing, the user just fires up the app and syncing works and they never have to care about how it works.

There's a reason a whole field of research exists into things like CRDTs. Distributed apps are not trivial, and only ones with simple data needs could get by without a more rigorous approach.

I generally agree with your reasoning, but recently experienced a counter-example myself. I recently picked up Joplin for note-taking, and the fact that it can sync reliably through my NextCloud instance via WebDAV was the deciding factor in me sticking with it. If I had to rely on a company to stick around to sync my notes, or I had to run a custom backend, I would have simply moved on. As is, Joplin is pretty close to an ideal note-taking system for me.

That's awesome, there's definitely room for apps like that. I have nothing against them, but there are tradeoffs. Seems like that could work well for that kind of app.

If you don't mind, what type of database does 'Actualbudget' use?


Internally it just uses sqlite, and there's a syncing layer on top of it. I gave a talk about it here: https://www.dotconferences.com/2019/12/james-long-crdts-for-...

Okay, thanks! :-)

And an actually free (automatic sync with no limit on data capacity) alternative: https://standardnotes.org/

Tried it on mint (LTS). uname -a (base) Linux q 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I get: /opt/app.twinkle.notes/twinkle (base) dist:/opt/app.twinkle.notes var:/home/q/.config/twinkle dist=/opt/app.twinkle.notes var=/home/q/.config/twinkle * Twinkle Lisp 2020 *

DevTools listening on ws:// error: file '/opt/app.twinkle.notes/lisp/lib/sqlite3.l': position 13622: line 386: invalid number #1: /opt/app.twinkle.notes/lisp/init.l:42: (load "lib/sqlite3.l") [2020-02-05 23:23:09,394950 init#0] finished due to run time error

This is the deb file on your website.

This seems strange. Can't reproduce the problem here. Can you please help to check what's on line 386?

I'm assuming this is an app with a GUI. I wish there were screenshots showing what it looks like.

I was in search of a good cross-platform notes app. Like Evernote, but preferably free with the open data format. I concluded that for me, personally, emacs org-mode with notes files stored in the Dropbox folder turns out to be an optimal solution. YMMV.

I agree: plain text is after all, easier to manage.

Personally, I've used Joplin [0] some months ago, and Im using QOwnNotes [1] now. Both are open source, cross platform, and can synchronize with Nextcloud. QOwnNotes may feel a bit faster since its written in Qt/C++ (Joplin is an Electron app).

However, I still find hard to write tables in Markdown manually.

[0]: https://joplinapp.org

[1]: https://www.qownnotes.org

I've been using https://notable.md/ for a while, works well for simple workflows.

I think that my Sciter.Notes (https://notes.sciter.com) will qualify that.

Notes are stored in local db yet notebooks in the db can be mapped on file folders (e.g. folder on DropBox containing html files - each note is a single HTML file).

The note db file can be protected/encrypted by OS means.


Agreed. Sciter notes is a gem. It's fantastically fast. C-smile, congrats on writing this masterpiece. I wish you best of luck. If you found a biz model to support it and add features, it'd be great. So much low hunging fruit in a world of electron apps and a crowd (HN) that mostly hates them.

Same problem here. Resorted to keeping everything plain text after trying so many half-baked and sticky note taking apps that prevent your notes from being ported.

Currently using this Chrome extension: https://chrome.google.com/webstore/detail/marcador/nneoamjib...

Started as just adding bookmarks to your Dropbox, but now it lets you add plain text notes.

And it only has access to its own app directory--not your whole Dropbox!

After spending a lot of time testing out different apps, I ended up doing the same. Also orgzly for android works pretty well with org files stored on dropbox!

Joplin's (https://joplinapp.org/) whole shtick is basically being "open source evernote" in case anyone's wondering (can import from them and all).

Personally I'm having a good time with Tiddlywiki with a markdown plugin and nice context-of-backlinks setup (inspired by roamresearch.com )

I prefer to write notes directly in VSCodium ans sync them to private git repository. Very useful. https://github.com/patleeman/VSNotes.git

I can recommend https://notable.md which I sync to a private git repo.

thanks for sharing this, trying it now :)

Kudos on the courage to go with the AGPL. It immediately raises my interest quite a bit.

On windows/linux, we have no choice but to use chromium embedded framework.

But, there are so many choices. Does it really have to be html-based?

Sometimes you just want to make something work, as soon as possible.

really like the cross-platform nature and the E2E encryption. a powerful application masked by a humble appearance. ideal for creative workers. Would be good see this extended to include password protections, audio conferencing, etc.

Applications are open for YC Summer 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact