Hacker News

The RC2 thing from the disclosure is really, really weird. It makes Evernote the only app built in the last 10 years that I am aware of to build on RC2. I wonder whether it's a mistake, and they're actually using RC4 with truncated keys or something.

"For Evernote's consumer product, the current encryption algorithms are chosen more for exportability under the Commerce Department rather than strength, since our software permits the encryption of arbitrary user data with no escrow."

I guess Evernote's been around for a while, but wasn't it way back in 2010 that the BIS allowed simple self service registration and annual self classification of almost all "mass market" use of crypto?


Addressing US regs doesn't necessarily mean you are compliant with assorted international regs.

Crypto, export, and service availability can be tricky things.

International regulations are pretty insane. For example, France requires you to submit your software to them for review that's supposed to take up to 2 weeks. This isn't just for product releases, it includes everything, including patches.

Apple, MS and Google can get away with it because they have large legal teams that help them with all the various rules and regulations. For smaller companies, it's simply too massive to bother taking more than an off-the-shelf solution.

So, how come all sorts of small companies, from 1Password to Dropbox use stronger encryption?

I don't buy this. They could easily have high security versions in countries that allow it. Lowest common denominator in this case is not a good idea.

I know the CEO is a security guy and worked with Defense Department stuff. I think it's one of those things where you feel so comfortable with something that you make choices others don't because, come on, you're a startup.
