Hacker News new | comments | show | ask | jobs | submit login
Evernote doesn't really care about security (markpercival.us)
115 points by mdp 1723 days ago | hide | past | web | 61 comments | favorite

The RC2 thing from the disclosure is really, really weird. It makes Evernote the only app built in the last 10 years that I am aware of to build on RC2. I wonder whether it's a mistake, and they're actually using RC4 with truncated keys or something.

"For Evernote's consumer product, the current encryption algorithms are chosen more for exportability under the Commerce Department rather than strength, since our software permits the encryption of arbitrary user data with no escrow."

I guess Evernote's been around for a while, but wasn't it way back in 2010 that the BIS allowed simple self service registration and annual self classification of almost all "mass market" use of crypto?


Addressing US regs doesn't necessarily mean you are compliant with assorted international regs.

Crypto, export, and service availability can be tricky things.

International regulations are pretty insane. For example, France requires you to submit your software to them for review that's supposed to take up to 2 weeks. This isn't just for product releases, it includes everything, including patches.

Apple, MS and Google can get away with it because they have large legal teams that help them with all the various rules and regulations. For smaller companies, it's simply too massive to bother taking more than an off-the-shelf solution.

So, how come all sorts of small companies, from 1Password to Dropbox use stronger encryption?

I don't buy this. They could easily have high security versions in countries that allow it. Lowest common denominator in this case is not a good idea.

I know the CEO is a security guy and worked with Defense Department stuff. I think it's one of those things where you feel so comfortable with something that you make choices others don't because, come on, you're a startup.

Co-founder of Catch here, we are sometimes compared to Evernote but Catch is a note-sharing and collaboration app.

1. Two-factor

We don't offer two factor but is something we are investigating. This is mitigated somewhat by the fact that a lot of our users use Google login.

2. SSL / TLS

SSL shouldn't be a paid feature. It's been included in our product for free since we launched.

We try and use SSL everywhere. All page from catch.com are only available via SSL. e.g. login, landing page, marketing, blog, etc.

There are a few exceptions like our Knowledge Base which is powered by Assitly / Desk:


3. Encryption

We don't offer note level encryption. We'd love to get some feedback on a straightforward way to do key management.


We've been using HSTS for at least a year now. It was an easy decision for us since all content from catch.com is only available via SSL.

Security is hard and hopefully these breaches will raise the bar for everybody.

> Co-founder of Catch here, we are sometimes compared to Evernote but Catch is a note-sharing and collaboration app.

Would you say Catch has something to offer over Evernote for someone who uses the latter for private & personal notes?

Evaluated them both for quite a while: No desktop client, no note formatting, no embedded images. So no.

> Give it a shot. Send someone a link to the non-SSL sign in and it won’t flip them over to SSL. It will also accept your credentials via non-SSL POST. So fire up SSLStrip and head down to your local coffee shop.

If you are in a position to execute a MITM, it doesn't matter whether they flip people to HTTPS or not. If the site forced HTTPS you could still rewrite the redirect and proxy the HTTPS to HTTP (the secure connection being between your proxy server and Evernote's). Only strict transport security would solve this, if the browser supports it and the user has accessed evernote before.

Yeah, this is an entirely valid criticism. It was more of a nitpicky point that they weren't flipping to HTTPS automatically, but from a practical standpoint it's no more secure if they did since they lack HSTS.

Struck it from the post.

but when you struck it out, the first impression is that it's actually not a problem, but in fact it's even a bigger problem. right?

While I love Evernote as much as anyone on hacker news, Mark does make very good points about the state of security within the application. It seems that with respect to today's security breach that the company has done quite well with their response. One can only hope that this focuses their development on addressing these topics (i.e. encryption of notes is a joke) as much as it has raised concerns about the security features they offer.

The point that the folks over at Evernote are really missing is that Joe Average is using the very same credentials everywhere else, from their Gmail to the Amazon accounts. If Evernote where sensible about security of their users, they would have explained why it is indeed a bad and common practice to use the same password everywhere, as it is a certain way to get your online identity hijacked sooner rathre than later by means of a breakin like this one. It is good to know that passwords have been stored salted, but nevertheless, eventually these credentials are now compromised and if Evernote where sensible about this they would have told their users to reset their password whereever they use the same one, which is probably lousy marketing compared to "hey, we got your password stolen, but don't worry, it was encrypted".

Most consumers want convenience first, security second. Evernote just targets the mass market.

For the data I store in Evernote I'm fine with this.

One would think there'd be proper competition because one of the major motivators is going paperless... it's kind of odd that in 2013 there still aren't a lot of easy to use solutions that can store sensitive documents (bills, tax documents etc) that require a great level of privacy and security.

I use 1Password with dropbox sync for secure notes.

I do too, but it doesn't fit the use case of going paperless. Ability to drop in PDFs and OCR images in Evernote as well as handling large data sets are essential features.

Only half the points are valid. SSL is a selling point, because it takes a lot of work to setup completely. Lots of websites (including high-profile ones like Outlook.com) have mixed content errors at one place or another, or appear to but don't fully support SSL. The fact that they "used to" use it as a selling point says enough too.

SSL signin should not be enforced. HTTP should give a big warning, but SSL is not fully supported in all clients.

Are there clients which support evernote but would not support SSL?

If not fully supporting https counts, then Windows XP is one. That still has a rather big market share.

No. I consider properly setting up SSL to be a duty of care for the website owner. Your argument could apply to storing passwords in plaintext because "hashing is hard," or doctors refusing to wash their hands between patients because "it takes too much time" -- it's just not a corner that professionals should cut anymore.

Uh, if a selling point of theirs was "we hash your password", I would find that a good thing. I'm not saying it's not a duty for the website owner.

Ah, thanks for clarifying. I interpreted "selling point" as "you pay extra for this."

SSL is easy to do if you

1. force it on your servers

2. only include content from your servers

It becomes almost impossible to mix insecure content at this point.

Is it also easy with hundreds or thousands of servers around the world? Perhaps it's not particularly hard, but it's also not something that's thought through and implemented overnight.

If you trust your data center security it should be easy to deploy a single certificate to all production webservers. Much easier than doing the actual site configuration.

There are a lot of hard things to do when scaling, SSL isn't in the hard class.

What wouldn't support SSL? I can't think of a single product.

Windows XP with any Internet Explorer (even 8) and Safari don't support SNI. You need to use more expensive certificates or get an unique IPv4 address in order to support https there.

Is there a way to download your Evernote data? Not to say that I find this an opportunity to bash Evernote, but I am terribly disappointed that a service that advertised you to keep really personal stuff, even your tax info on their servers just got hacked.

I think I'm going back to creating .txt files on my desktop which no one else has access to (physcially and programatically), which despite having no encryption or whatsoever is still secure than having them on a third party server that could get hacked like this, because they advertise one thing and do exactly the opposite.

The desktop client has a "Export Notes" function that will export to HTML or their custom format. I use this to make a local backup occasionally.

Note that for some reason this option is only available in the Windows client. I had to boot into Windows on my macbook to do the export a few weeks ago.

For regular backups I use time machine which includes the user data folder: https://support.evernote.com/link/portal/16051/16058/Article...

And if you're on Linux, Nevernote can sync and then export in a format.

Thank you! Just took a backup with the desktop tool..

Well, don't do that. At least stick it in truecrypt

Thanks, that's a pretty neat idea :)

"If you encrypt text within a note, we derive a 64-bit RC2 key from your passphrase and use this to encrypt the text. This is the longest symmetric key length permitted by US Export restrictions without going through a complex process to gain export approval."

Is this still true? Weren't US cryptography export restrictions relaxed in 2000? (See e.g. http://www.rsa.com/rsalabs/node.asp?id=2327)

No, this is not true. I think Evernote has been misinformed.

If all you are doing is encrypting data with a standard algorithm, it takes less than 30 minutes to fill out the paperwork to get an encryption registration number (ERN). Total turnaround time when I've done it has been about two weeks.

There are some exceptions. If you are trying to export cryptanalytic software or doing something non-standard, you may have delays.


Mark, it would be helpful if you would disclose if you are a paying customer or not, and if not if having additional security options would convert you into a paying customer.

The reasoning is pretty simple, people want security but they don't want to pay for it. And while we can debate the argument as to whether or not security is part of a MVP or not, I would not be offended if there were additional security capabilities to paid users but not free users.

I think this could work for some things but definitely not others. You're riding a razor-thin line between security (essential) and convenience/peace-of-mind (not terribly essential), with potential ethical implications.

"Authenticate with your voice using our voice recognizer app," for example, could be pretty superfluous, since it's about convenience.

"Keep your password safe by not storing it in plaintext" should definitely be part of the core offering, no matter the price point.

"Use our app through a custom VPN" could be offered for pay, since offering that service costs the provider something.

"Use our app through SSL -- paying customers only!" should again be a core product, especially since it does not cost anything extra.

"Pay us 5¢ and we won't share your internal data with advertisors" etc etc -- you can certainly see where this is going

I think you're, rather cynical, reasoning falls flat. This would not be a good policy for a company to adopt. If I was evaluating software and saw such a policy, it would bring a lot of uneasy feelings, even regarding the supposed security of the paid version. This side steps the bad publicity and general ill-feelings the community at large would have about your service. I don't think it is strategically a good choice to make such a compromise on security. At best, I could see giving separate authentication mechanisms such as two-factor for paid users, but that's as far as I'd go.

So can you say more about that? Specifically

"If I was evaluating software and saw such a policy, it would bring a lot of uneasy feelings, even regarding the supposed security of the paid version."

What if it was explicit? What if Evernote said, "Since it would cause us to lose money if we spent time on both more sophisticated security in the free product. Its basically secure against random threats but dedicated people will be able to break into it. If you want a truly secure product you should sign up for the paid product, part of that fee goes to paying the salaries of the security team we have on staff who are keeping it that way."

We also need to be clear what we mean by "security" here, there is "security" as in we make sure if someone breaks in they cannot easily get your password (they seem to have done that with salted passwords), and their is security as in "Even our operations staff can't get you access to your files if you lose your access token." level of security which takes a lot more work.

I'll admit I was pretty put off by Mark's assertion that Evernote doesn't care about security, his basis for that are three claims, that 2 factor authentication is late, that SSL isn't forced on, and that 64 bit RC2 is used in the free product. What is the purpose of the free product anyway? Is it to prove their security? I don't think it is, I think it is to give you a way to test drive what their product does without risking any money.

Anyway, someone broke in and got access to hashed and salted passwords and Evernote reset those. LinkedIn had the same issue, some Facebook apps grabbed similar data, Google has hosted malware in their App Store which tried to install banking trojans on your phone.

I am not persuaded by the assertion that "Evernote doesn't care about security" any more than "Google doesn't care about security" (and I happen to know they care very deeply and still get compromised now and then).

I defended Evernote because I felt Mark was unfairly maligning them and their CEO. I would be more sympathetic if he was a paying customer, and less sympathetic if he only has a free account.

Where does it say that RC2 is only used for the free product?

AFAIK it's all the time which is ABadThing (tm)

FWIW, if one has to rely on security being a differentiator in 2013, that's IMO a bad sign. Compete on other features but not security.

Fuck your logic; Facebook is free, then why the hell do you expect it to be secure? Because any service whether free or not, that has YOUR personal information is supposed to keep it secure. And your (possibly dumbfuck) argument that paying customers should get more security than free users is like saying it's ok to kill people who have no insurance for themselves, but not ok to kill the ones who have taken insurance.

Are you angry about this?

Basic security is dirt cheap, and it is not at all appropriate to risk user data because you want them to pay.

Security should not be a feature.

I thought SSL was enabled on Evernote for all customers now? Maybe its time to consider not using Evernote.

As stated in the post, "they fixed this some time ago, but..." -- As in, it used to be a premium feature, and while that has changed, it may still say a lot about their priorities.

I agree with the article, but holding up two companies (Dropbox/Twitter) who've had their own security problems was some what odd.

I wonder how feasible it would be to add a plugin to the Evernote application to tie in with GnuPG through gpgme.

What're the alternatives to Evernote? e.g. decent document tagging, excellent search and preferably OCR.

I'm pretty happy with org-mode, albeit minus the "OCR" bit. (Most of my org-mode docs tend to be written in org and stay there, there's less of this "pulling documents from outside into it" business than evernote)

That doesn't work for the large amounts of paperwork I scan in and need to catalog.

Google drive

Google Drive mobile applications leave a lot to be desired. The main problem is you can't store all your notes offline -- you have to select each file individually, set "make offline", and even then they don't auto-update.

yes, you are right but that is also an issue with the nonpremium version of evernote.

Google Drive/Docs has surprisingly poor search capabilities compared to the native Evernote client. Almost everything about Docs is sluggish and clunky compared to Evernote's lightweight simplicity.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact