Tell HN: All Quip and Evernote documents are stored unencrypted on their servers

8 points | arikr | 8 years ago | reply

I was surprised when a friend told me this recently, so I figured there may be a few other people on HN who'd like to know.

To HN: What motivation would they have for doing this? Particularly given Evernote's imperfect security record, it seems to be an especially bad idea to store all notes in plain text. Can't imagine the chaos that would be caused by an Evernote or Quip hack.

9 comments

[+] tedmiston|8 years ago|reply
Similarly uncommonly known: All Dropbox Paper documents are publicly accessible by anyone with the URL by default. There's no way to change the default either. I get the improbability of someone guessing a URL with a long hash but if they obtain it any other way, such as from the HTTP request or browser history, other people still have full access to your docs.
[+] arikr|8 years ago|reply
I was incorrect: Evernote is encrypted, Quip is not.

> Encryption at Rest

> In late 2016, we began migrating the Evernote service to the Google Cloud Platform (“GCP”). Customer data that we store in GCP will be protected using Google’s built-in encryption-at-rest features. More technically, we use Google's server-side encryption feature with Google-managed encryption keys to encrypt all data at rest using AES-256, transparently and automatically. You can find additional information on how encryption at rest protects your data here.

Good job Evernote! Bad job Quip.

[+] wmf|8 years ago|reply
I would bet that 90% of SaaS is storing everything except passwords unencrypted.
[+] amk_|8 years ago|reply
"Search everything" is a big value prop for Evernote. You can't search E2E encrypted database records without transporting them to the client and decrypting them there.
[+] seveneightn9ne|8 years ago|reply
The OP isn't surprised they don't use E2E encryption - that's mostly reserved for the most security-conscious use cases, because as you say, there's a lot of usability to gain from having read access from the server. However, at-rest encryption is a total no-brainer.
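To make the tradeoff in the two comments above concrete (encryption at rest under a key the provider holds, versus the server's ability to search a record), here is an added Go example; it is not code from this thread or from Evernote, Quip or Google. It seals a note with AES-256-GCM under a stand-in key, then contrasts a server-side substring search that sees only ciphertext with a client-side search that decrypts first. The key, the note text and all function names are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewAtRestCipher builds an AES-GCM AEAD from a 32-byte key (AES-256).
// In a hosted service this key would be held by the provider, not the user.
func NewAtRestCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest seals one note; the random nonce is stored in front of the ciphertext.
func EncryptAtRest(gcm cipher.AEAD, note []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, note, nil), nil
}

// DecryptAtRest opens a stored record; any modification fails the GCM tag check.
func DecryptAtRest(gcm cipher.AEAD, stored []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("stored record too short")
	}
	return gcm.Open(nil, stored[:ns], stored[ns:], nil)
}

// ServerSearch models a server that holds the record but no key: a substring
// search over ciphertext cannot find the term (hypothetical helper).
func ServerSearch(stored, term []byte) bool {
	return bytes.Contains(stored, term)
}

// ClientSearch models the client fetching the record, decrypting it, and searching locally.
func ClientSearch(gcm cipher.AEAD, stored, term []byte) (bool, error) {
	note, err := DecryptAtRest(gcm, stored)
	if err != nil {
		return false, err
	}
	return bytes.Contains(note, term), nil
}
```

Server-side "search everything" therefore needs either the key on the server (encryption at rest, which still protects against disk and backup exposure) or a client that holds the key and searches locally (end-to-end).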
[+] arikr|8 years ago|reply
Also why wouldn't they be locally loaded on the client?

As another commenter noted, my point of confusion is why they don't have at-rest encryption.

[+] nxsynonym|8 years ago|reply
I switched to Bear Note for this reason, among others.

Bear is built on CloudKit. I'm not versed enough to know if it's the best out there, but it's better than plain text for sure.

[+] zack12|8 years ago|reply
Bear is amazing! The only issue I have is how they make money. Math doesn't favor them. I hope they acquire enough users to justify that price point.