So Evernote got hacked. Surprised? I’m not.
First off, let me quickly note that I actually use Evernote on a daily basis and like the product very much. It’s great for taking notes and stashing the digital cruft I inevitably accumulate; email receipts, travel confirmations, snippets of articles, all go into my Evernote account. I even hacked up a script to send my Github Gists into Evernote so I can search them more easily.
That being said, let me show you how little Evernote cares about security. None of this stuff is groundbreaking or new, but taken together, I think it shows a clear disregard for their customers’ privacy and data security.
We’re still waiting, and it’s been a frequently requested feature. Maybe this public breach will fix it, but should a company like Evernote be so reactive? This is a company that tells you “How to Do Your Taxes With Evernote.” They clearly want you to feel comfortable storing sensitive documents with them, but they don’t want to spend any effort on security.
2. They actually used SSL as a selling point in the past
They fixed this some time ago, but I think it shows their mindset quite clearly. Let me remind you again, this is a company that recommended storing your tax documents on their service… And would then sync them unencrypted unless you paid. That’s downright irresponsible.
Their current CEO, Phil Libin, was in charge when this was used as a selling tactic in the past.
3. Evernote still uses 64-bit RC2 for encrypting notes
“This is the longest symmetric key length permitted by US Export restrictions without going through a complex process to gain export approval”
Ugh, totally, so many forms! Look, I’m no encryption export expert, but Dropbox seems to have figured out the “complex process”. And last time I checked, Apple was shipping laptops globally with the option to encrypt your home directory, and it’s not with a block cipher that was successfully attacked in 1997. Figure it out, guys.
4. SSL Sign in isn’t enforced
Give it a shot. Send someone a link to the non-SSL sign in and it won’t flip them over to SSL. It will also accept your credentials via non-SSL POST. So fire up SSLStrip and head down to your local coffee shop. Update: As Paul Butler pointed out on HN, even if they did redirect you to HTTPS, there’s no real way to stop someone in the middle from keeping you on HTTP. I’ll strike this one, as it’s pretty nitpicky. But I’ll add one in its place :)
4. They don’t use HSTS to enforce SSL
Dropbox does it. Twitter does it. Evernote should too.
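As an added example (not code from the original post, and not anything from Evernote, Dropbox or Twitter), here is a small Python audit for the two transport properties the last two points raise: whether a plain-HTTP request for the sign-in page is redirected to HTTPS, and whether the HTTPS response carries a usable Strict-Transport-Security header with a sensible max-age and includeSubDomains. It runs on constructed response records so it works offline; the hostname `notes.example`, the `/Login.action` path, and the 180-day max-age threshold are assumptions, not values from the post.

```python
"""Audit a sign-in endpoint's transport protection (redirect + HSTS).

Added example: works on constructed response records so it runs offline.
Feeding it real responses from an HTTP client is left to the reader.
"""
import re
from urllib.parse import urlsplit

# Assumed threshold: only treat HSTS as meaningful if max-age covers at
# least 180 days. This is our choice, not a figure from the post.
MIN_HSTS_MAX_AGE = 180 * 24 * 60 * 60

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age, include_subdomains and preload, or None
    when the header is absent or has no valid max-age directive (browsers
    ignore such a header, so it gives no protection).
    """
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_signin(response):
    """Return a list of findings for one sign-in response.

    `response` is a constructed record: {"url": str, "status": int,
    "headers": dict}. An empty list means the transport side looks sound.
    """
    findings = []
    headers = {k.lower(): v for k, v in response["headers"].items()}
    scheme = urlsplit(response["url"]).scheme

    if scheme == "http":
        location = headers.get("location", "")
        redirected = (response["status"] in REDIRECT_STATUSES
                      and location.startswith("https://"))
        if not redirected:
            findings.append("sign-in served over plain HTTP without redirect to HTTPS")
        # A redirect still leaves the very first request strippable; only
        # HSTS closes that gap, and browsers only honour HSTS received over
        # HTTPS, so the header is checked on the HTTPS response instead.
        return findings

    hsts = parse_hsts(headers.get("strict-transport-security"))
    if hsts is None:
        findings.append("no usable Strict-Transport-Security header on HTTPS response")
    else:
        if hsts["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short: %d seconds" % hsts["max_age"])
        if not hsts["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains; subdomains stay strippable")
    return findings


# Constructed sample responses (not captured from any real service).
WEAK_HTTP = {
    "url": "http://notes.example/Login.action",
    "status": 200,
    "headers": {"Content-Type": "text/html"},
}
GOOD_HTTP = {
    "url": "http://notes.example/Login.action",
    "status": 301,
    "headers": {"Location": "https://notes.example/Login.action"},
}
WEAK_HTTPS = {
    "url": "https://notes.example/Login.action",
    "status": 200,
    "headers": {"Content-Type": "text/html"},
}
GOOD_HTTPS = {
    "url": "https://notes.example/Login.action",
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

if __name__ == "__main__":
    for name, resp in [("WEAK_HTTP", WEAK_HTTP), ("GOOD_HTTP", GOOD_HTTP),
                       ("WEAK_HTTPS", WEAK_HTTPS), ("GOOD_HTTPS", GOOD_HTTPS)]:
        print(name, audit_signin(resp) or ["ok"])
```

The audit deliberately looks for the HSTS header only on the HTTPS response: the point Paul Butler raised is that an HTTP-to-HTTPS redirect can be stripped on the wire, and HSTS is what turns that redirect into a browser-side rule after the first clean HTTPS visit (or from the start, if the site is on the browser preload list).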
Correction March 5th, 2013: Someone pointed out I got the date wrong. LeWeb was in December of 2012, not April.