I guess Evernote's been around for a while, but wasn't it way back in 2010 that the BIS allowed simple self service registration and annual self classification of almost all "mass market" use of crypto?
Crypto, export, and service availability can be tricky things.
Apple, MS and Google can get away with it because they have large legal teams that help them with all the various rules and regulations. For smaller companies, it's simply too massive to bother taking more than an off-the-shelf solution.
We don't offer two factor but it is something we are investigating. This is mitigated somewhat by the fact that a lot of our users use Google login.
2. SSL / TLS
SSL shouldn't be a paid feature. It's been included in our product for free since we launched.
We try and use SSL everywhere. All pages from catch.com are only available via SSL. e.g. login, landing page, marketing, blog, etc.
There are a few exceptions like our Knowledge Base which is powered by Assistly / Desk:
We don't offer note level encryption. We'd love to get some feedback on a straightforward way to do key management.
We've been using HSTS for at least a year now. It was an easy decision for us since all content from catch.com is only available via SSL.
Security is hard and hopefully these breaches will raise the bar for everybody.
Would you say Catch has something to offer over Evernote for someone who uses the latter for private & personal notes?
If you are in a position to execute a MITM, it doesn't matter whether they flip people to HTTPS or not. If the site forced HTTPS you could still rewrite the redirect and proxy the HTTPS to HTTP (the secure connection being between your proxy server and Evernote's). Only strict transport security would solve this, if the browser supports it and the user has accessed Evernote before.
Struck it from the post.
SSL signin should not be enforced. HTTP should give a big warning, but SSL is not fully supported in all clients.
1. force it on your servers
2. only include content from your servers
It becomes almost impossible to mix insecure content at this point.
There are a lot of hard things to do when scaling, SSL isn't in the hard class.
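The two rules above (force HTTPS on your own servers, only include content from your own origin) plus the HSTS point made earlier in the thread can be checked mechanically. The following is an added example, not code from Catch, Evernote or any poster; it audits one constructed HTTP response (hostname, headers and HTML are all made up here) for a missing HTTPS redirect, a missing or zeroed Strict-Transport-Security header, plain-HTTP (mixed) content, and third-party references.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: one same-origin, one third-party and one plain-HTTP reference.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.net/lib.js"></script>
<img src="http://img.example.org/logo.png">
</head></html>"""

# Simple attribute scan; assumption: src/href/action cover the references we care about.
_REF_RE = re.compile(r'\b(?:src|href|action)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def audit_response(site_host, scheme, status, headers, body):
    """Return a list of findings for one response. An empty list means the
    response follows both rules: HTTPS is forced (with HSTS) and every
    referenced resource comes from site_host over HTTPS."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    if scheme == "http":
        # A plain-HTTP hit must bounce straight to the HTTPS origin.
        loc = h.get("location", "")
        if not (300 <= status < 400 and loc.startswith("https://" + site_host)):
            findings.append("http: not redirected to https on " + site_host)
        return findings  # browsers ignore HSTS on plain HTTP, so nothing else applies

    # HSTS only helps once the browser has seen it over HTTPS with a non-zero max-age.
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if not m or int(m.group(1)) == 0:
        findings.append("hsts: header missing or max-age=0")

    # Mixed content (http://) breaks the secure page; off-origin content widens the trust set.
    for ref in _REF_RE.findall(body):
        parts = urlsplit(ref)
        if parts.scheme == "http":
            findings.append("mixed-content: " + ref)
        elif parts.netloc and parts.netloc != site_host:
            findings.append("third-party: " + ref)
    return findings


def demo():
    # Constructed hostname; a real run would feed captured responses instead.
    hdrs = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    return audit_response("catch.example", "https", 200, hdrs, SAMPLE_HTML)
```

Protocol-relative references (`//host/...`) inherit the page scheme and so are reported as third-party rather than mixed content.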
I think I'm going back to creating .txt files on my desktop which no one else has access to (physically and programmatically), which despite having no encryption whatsoever is still more secure than having them on a third party server that could get hacked like this, because they advertise one thing and do exactly the opposite.
For regular backups I use time machine which includes the user data folder: https://support.evernote.com/link/portal/16051/16058/Article...
Is this still true? Weren't US cryptography export restrictions relaxed in 2000? (See e.g. http://www.rsa.com/rsalabs/node.asp?id=2327)
If all you are doing is encrypting data with a standard algorithm, it takes less than 30 minutes to fill out the paperwork to get an encryption registration number (ERN). Total turnaround time when I've done it has been about two weeks.
There are some exceptions. If you are trying to export cryptanalytic software or doing something non-standard, you may have delays.
The reasoning is pretty simple, people want security but they don't want to pay for it. And while we can debate the argument as to whether or not security is part of an MVP, I would not be offended if there were additional security capabilities for paid users but not free users.
"Authenticate with your voice using our voice recognizer app," for example, could be pretty superfluous, since it's about convenience.
"Keep your password safe by not storing it in plaintext" should definitely be part of the core offering, no matter the price point.
"Use our app through a custom VPN" could be offered for pay, since offering that service costs the provider something.
"Use our app through SSL -- paying customers only!" should again be a core product, especially since it does not cost anything extra.
"Pay us 5¢ and we won't share your internal data with advertisers" etc etc -- you can certainly see where this is going
"If I was evaluating software and saw such a policy, it would bring a lot of uneasy feelings, even regarding the supposed security of the paid version."
What if it was explicit? What if Evernote said, "Since it would cause us to lose money if we spent time on both more sophisticated security in the free product. It's basically secure against random threats but dedicated people will be able to break into it. If you want a truly secure product you should sign up for the paid product, part of that fee goes to paying the salaries of the security team we have on staff who are keeping it that way."
We also need to be clear what we mean by "security" here, there is "security" as in we make sure if someone breaks in they cannot easily get your password (they seem to have done that with salted passwords), and there is security as in "Even our operations staff can't get you access to your files if you lose your access token." level of security which takes a lot more work.
I'll admit I was pretty put off by Mark's assertion that Evernote doesn't care about security, his basis for that is three claims, that 2 factor authentication is late, that SSL isn't forced on, and that 64 bit RC2 is used in the free product. What is the purpose of the free product anyway? Is it to prove their security? I don't think it is, I think it is to give you a way to test drive what their product does without risking any money.
Anyway, someone broke in and got access to hashed and salted passwords and Evernote reset those. LinkedIn had the same issue, some Facebook apps grabbed similar data, Google has hosted malware in their App Store which tried to install banking trojans on your phone.
I am not persuaded by the assertion that "Evernote doesn't care about security" any more than "Google doesn't care about security" (and I happen to know they care very deeply and still get compromised now and then).
I defended Evernote because I felt Mark was unfairly maligning them and their CEO. I would be more sympathetic if he was a paying customer, and less sympathetic if he only has a free account.
AFAIK it's all the time which is ABadThing (tm)
FWIW, if one has to rely on security being a differentiator in 2013, that's IMO a bad sign. Compete on other features but not security.