Notion for everyone

[scblzn]

I tried it around November 2019, really liked Notion and the UI/UX of the product for some note taking/personal knowledge base, however I had to contact their security team through their support because TLS 1.0 was still enabled at this time.

They say they are audited by NCC ( https://www.notion.so/Security-6c56b4854b624b0d8f36711018647... ) but I don't know how NCC missed this. They disabled TLS 1.0 few days after my message.

My second concern is that their .so domain is the TLD of Somalia (with all the risks it brings in case of malicious takeover), and .so zone doesn't even support DNSSEC, once again this is a big issue for me, especially for an app that hosts "personal data" (I see they also make calls on a .com domain, but the .so main domain issue still stands). Support told me they would change the domain in the future but still didn't happened.

It's only my personal security stance/paranoia, but my 2 cents of what happened with them.

[tptacek]

Virtually no mainstream platforms enable DNSSEC (what's the largest one you can find? It won't be in the Moz 500); it's not as if there's a major competitor to Notion you'll find that is DNSSEC-signed. DNSSEC is moribund.

What's ironic about this comment is that in our present WebPKI, Somalia's ownership of .so only tangentially impacts their security (Somalia could in theory seize the domain and DV-verify a new cert). But in a DNSSEC world, Somalia would have de jure control over both the domain and Notion's TLS certificates, which would chain through DANE from the same root.

[yesion]

Valid points, as a customer I find that very concerning and I would like to hear their thoughts.

[Cthulhu_]

Personally I don't mind a vanity domain, but what they could do is create a boring non-vanity domain for API calls and customer signup that isn't the .so domain.

[fomine3]

I don't care about DNSSEC but it seems that .so TLD looks like potential risk for stability. (like .io case)