Tell HN: All Quip and Evernote documents are stored unencrypted on their servers

8 points by arikr ↗ HN
I was surprised when a friend told me this recently, so I figured there may be a few other people on HN who'd like to know.

To HN: What motivation would they have for doing this? Particularly given Evernote's imperfect security record, seems to be an especially bad idea to store all notes in plain text. Can't imagine the chaos that would be caused by an Evernote or Quip hack.

9 comments

[ 2.2 ms ] story [ 51.8 ms ] thread
I switched to Bear Note for this reason, among others.

Bear is built on CloudKit. I'm not versed enough to know if it's the best out there, but it's better than plain text for sure.

Bear is amazing! The only issue i have is how do they make money. Math doesn't favor them. I hope they acquire enough users to justify that price point
I would bet that 90% of SaaS is storing everything except passwords unencrypted.
"Search everything" is a big value prop for Evernote. You can't search E2E encrypted database records without transporting them to the client and decrypting them there.
The OP isn't surprised they don't use E2E encryption - that's mostly reserved for the most security-conscious use cases, because as you say, there's a lot of usability to gain from having read access from the server. However, at-rest encryption is a total no-brainer.
Also why wouldn't they be locally loaded on the client?

As other commenter noted my point of confusion is why they don't have at-rest encryption

Similarly uncommonly known: All Dropbox Paper documents are publicly accessible by anyone with the URL by default. There's no way to change the default either. I get the improbability of someone guessing a URL with a long hash but if they obtain it any other way, such as from the HTTP request or browser history, other people still have full access to your docs.
I was incorrect: Evernote is encrypted, Quip is not

> Encryption at Rest

> In late 2016, we began migrating the Evernote service to the Google Cloud Platform (“GCP”). Customer data that we store in GCP will be protected using Google’s built-in encryption-at-rest features. More technically, we use Google's server-side encryption feature with Google-managed encryption keys to encrypt all data at rest using AES-256, transparently and automatically. You can find additional information on how encryption at rest protects your data here.

Good job Evernote! Bad job Quip.