Evernote doesn't really care about security

115 points by mdp, about 12 years ago

14 comments

tptacek, about 12 years ago
The RC2 thing from the disclosure is really, really weird. It makes Evernote the only app built in the last 10 years that I am aware of to build on RC2. I wonder whether it's a mistake, and they're actually using RC4 with truncated keys or something.
aschobel, about 12 years ago

Co-founder of Catch here, we are sometimes compared to Evernote but Catch is a note-sharing and collaboration app.

1. Two-factor

We don't offer two factor but it is something we are investigating. This is mitigated somewhat by the fact that a lot of our users use Google login.

2. SSL / TLS

SSL shouldn't be a paid feature. It's been included in our product for free since we launched.

We try and use SSL everywhere. All pages from catch.com are only available via SSL, e.g. login, landing page, marketing, blog, etc.

There are a few exceptions like our Knowledge Base which is powered by Assistly / Desk:

http://support.catch.com/

3. Encryption

We don't offer note level encryption. We'd love to get some feedback on a straightforward way to do key management.

4. HSTS

We've been using HSTS for at least a year now. It was an easy decision for us since all content from catch.com is only available via SSL.

Security is hard and hopefully these breaches will raise the bar for everybody.
paulgb, about 12 years ago

> Give it a shot. Send someone a link to the non-SSL sign in and it won't flip them over to SSL. It will also accept your credentials via non-SSL POST. So fire up SSLStrip and head down to your local coffee shop.

If you are in a position to execute a MITM, it doesn't matter whether they flip people to HTTPS or not. If the site forced HTTPS you could still rewrite the redirect and proxy the HTTPS to HTTP (the secure connection being between your proxy server and Evernote's). Only strict transport security would solve this, if the browser supports it and the user has accessed evernote before.
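The point paulgb makes above, that a forced HTTPS redirect alone is not enough and only HSTS closes the stripping gap, is easy to turn into an offline check. The following is an added example, not code from the thread or from Evernote or Catch; it audits constructed HTTP/HTTPS responses for the hypothetical host example.test, and the one-year max-age threshold is the value browser HSTS preload lists require.

```python
from dataclasses import dataclass, field
import re

ONE_YEAR = 31_536_000  # HSTS max-age in seconds that browser preload lists require

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def parse_hsts(value):
    # Returns (max_age, include_subdomains) parsed from an HSTS header value.
    max_age, subs = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif name.lower() == "includesubdomains":
            subs = True
    return max_age, subs

def audit_login(http_resp, https_resp):
    # Returns a list of findings; an empty list means the flow passed all checks.
    findings = []
    # 1. A plain-http request for the sign-in page must redirect to https.
    loc = http_resp.headers.get("Location", "")
    if not (300 <= http_resp.status < 400 and loc.startswith("https://")):
        findings.append("http login page does not redirect to https")
    # 2. Without HSTS the redirect can be rewritten in transit, so the https
    #    response must pin the browser to TLS for a long time.
    hsts = https_resp.headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, subs = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if not subs:
            findings.append("HSTS lacks includeSubDomains")
    # 3. The page itself must not post credentials to a plain-http action.
    for action in re.findall(r'<form[^>]*action="([^"]+)"', https_resp.body, re.I):
        if action.startswith("http://"):
            findings.append("form posts credentials over plain http: " + action)
    return findings

# Constructed sample responses for example.test (not captured from any real site).
LOGIN_FORM_HTTP = '<form action="http://example.test/login" method="post">'
WEAK = (Response(200, {}, LOGIN_FORM_HTTP), Response(200, {}, LOGIN_FORM_HTTP))
GOOD = (Response(301, {"Location": "https://example.test/login"}),
        Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                 LOGIN_FORM_HTTP.replace("http://", "https://")))
```

Running `audit_login(*WEAK)` reports all three weaknesses the thread describes, while `audit_login(*GOOD)` returns an empty list; note that even the hardened flow only protects users whose browser has already seen the HSTS header once.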
alex_anglin, about 12 years ago
While I love Evernote as much as anyone on hacker news, Mark does make very good points about the state of security within the application. It seems that with respect to today's security breach that the company has done quite well with their response. One can only hope that this focuses their development on addressing these topics (i.e. encryption of notes is a joke) as much as it has raised concerns about the security features they offer.
fiber, about 12 years ago

The point that the folks over at Evernote are really missing is that Joe Average is using the very same credentials everywhere else, from their Gmail to the Amazon accounts. If Evernote were sensible about security of their users, they would have explained why it is indeed a bad and common practice to use the same password everywhere, as it is a certain way to get your online identity hijacked sooner rather than later by means of a break-in like this one. It is good to know that passwords have been stored salted, but nevertheless, eventually these credentials are now compromised and if Evernote were sensible about this they would have told their users to reset their password wherever they use the same one, which is probably lousy marketing compared to "hey, we got your password stolen, but don't worry, it was encrypted".
trekkin, about 12 years ago
Most consumers want convenience first, security second. Evernote just targets the mass market.
lucb1e, about 12 years ago

Only half the points are valid. SSL is a selling point, because it takes a lot of work to set up completely. Lots of websites (including high-profile ones like Outlook.com) have mixed content errors at one place or another, or appear to but don't fully support SSL. The fact that they "used to" use it as a selling point says enough too.

SSL signin should not be enforced. HTTP should give a big warning, but SSL is not fully supported in all clients.
neya, about 12 years ago

Is there a way to download your Evernote data? Not to say that I find this an opportunity to bash Evernote, but I am terribly disappointed that a service that advertised you to keep really personal stuff, even your tax info on their servers just got hacked.

I think I'm going back to creating .txt files on my desktop which no one else has access to (physically and programmatically), which despite having no encryption whatsoever is still more secure than having them on a third party server that could get hacked like this, because they advertise one thing and do exactly the opposite.
thomas-st, about 12 years ago

"If you encrypt text within a note, we derive a 64-bit RC2 key from your passphrase and use this to encrypt the text. This is the longest symmetric key length permitted by US Export restrictions without going through a complex process to gain export approval."

Is this still true? Weren't US cryptography export restrictions relaxed in 2000? (See e.g. http://www.rsa.com/rsalabs/node.asp?id=2327)
ChuckMcM, about 12 years ago

Mark, it would be helpful if you would disclose if you are a paying customer or not, and if not if having additional security options would convert you into a paying customer.

The reasoning is pretty simple, people want security but they don't want to pay for it. And while we can debate the argument as to whether or not security is part of a MVP or not, I would not be offended if there were additional security capabilities to paid users but not free users.
DiabloD3, about 12 years ago

I thought SSL was enabled on Evernote for all customers now? Maybe it's time to consider not using Evernote.
nicholassmith, about 12 years ago

I agree with the article, but holding up two companies (Dropbox/Twitter) who've had their own security problems was somewhat odd.
rietta, about 12 years ago
I wonder how feasible it would be to add a plugin to the Evernote application to tie in with GnuPG through gpgme.
AdamGibbins, about 12 years ago
What're the alternatives to Evernote? e.g. decent document tagging, excellent search and preferably OCR.