Truly secure online outliners
Posted by dan7000
Dec 10, 2014 at 10:23 PM
Today I experienced one of my occasional bouts of concern about storing my notes in insecure cloud solutions (evernote and workflowy). So I spent some fun crimping time researching whether any solutions out there are truly secure.
As I discussed in a recent post, I think solutions that encrypt data in the browser, before it is ever uploaded, and never store the decryption key anywhere, can be characterized as highly secure. http://www.outlinersoftware.com/messages/viewm/21559 . Two such solutions that I use include boxcryptor and lastpass. So it seemed like maybe a workflowy competitor would also adopt this model.
I found three options. The first two are plaintext only but, if they work as described, are highly secure. They encrypt data on the browser and do not store keys. Both stress that if you forget your password they cannot help you recover your data—a very good sign of a secure system. The third has the same proviso, but has a slightly more complex system that I still think is highly secure if I understand it correctly:
1. protectedtext.com—a plain-text notetaker that doesn’t appear to have even search and has some note size limits. But nice interface and some keyboard shortcut support.
2. walnote.com - very similar to plaintext.com but adds search and subtracts keyboard shortcuts. Also plain text only. Built on Amazon cloud servers which gives me some comfort about scalability, availability and reliability.
3. Stackfield.com - this is more of a cloud-based collaboration / knowledge base solution like basecamp.com. It has tons of features. I haven’t looked into the price although it’s free to try. However, unlike all of its competitors, it appears to be highly secure. The explanation of the security features is at https://www.stackfield.com/security and explains:
On Stackfield, all relevant data and information are protected, in addition to the secure transmission by SSL protocol, by a unique and proprietary combination of symmetric (AES) and asymmetric (RSA) encryption methods on the client side (end-to-end). This process takes place in the user’s browser in real time. In this way it is ensured that no unauthorized persons – even us as platform provider - have insight to the data or can decrypt them. This particular method of encryption makes Stackfield to the currently safest provider of a public cloud solution.
Each stack, i.e. each self-contained work area on Stackfield, is separately, including all of its attachments (eg uploaded files), encrypted with a random password. However, there is no need for the user to learn all the passwords by heart - you can access all Stacks after your usual login.
Indeed some public cloud and social media services use a SSL encrypted data transmission for the protection of user data on the way from the device of the user to the cloud server, but these data are then unencrypted and thus stored unprotected on the servers. This allows a simple unauthorized access to the data.
They go on to explain that the title and header information of a “stack” is not encrypted, to allow for searching online, which I think is an excellent tradeoff: you get fast searching of your titles and secure encryption of your contents. I will try it out and hopefully find time to report back.
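The model described in the post above (encrypt on the client, keep the key away from the provider, leave only titles searchable), as an added example that is not part of the original post and is not code from any of the services named. It assumes a random per-stack key wrapped under a PBKDF2 key derived from the login password and uses AES-GCM only; the page does not say how Stackfield protects stack keys, the RSA part is omitted, and all function names and the record layout are hypothetical. It runs under Node.js.

```javascript
const nodeCrypto = require("node:crypto");

// AES-256-GCM helpers: output is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

// Client side: derive a key from the login password; it is never uploaded.
function passwordKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, 200000, 32, "sha256");
}

// Client side: build the record that gets uploaded. The title stays in the clear.
function createStack(password, title, content) {
  const salt = nodeCrypto.randomBytes(16);
  const stackKey = nodeCrypto.randomBytes(32); // random per-stack key
  return {
    title, // readable and searchable by the server
    salt: salt.toString("base64"),
    wrappedKey: seal(passwordKey(password, salt), stackKey).toString("base64"),
    body: seal(stackKey, Buffer.from(content, "utf8")).toString("base64"),
  };
}

// Client side: unwrap the stack key with the password, then decrypt the body.
function readStack(password, rec) {
  const kek = passwordKey(password, Buffer.from(rec.salt, "base64"));
  const stackKey = unseal(kek, Buffer.from(rec.wrappedKey, "base64"));
  return unseal(stackKey, Buffer.from(rec.body, "base64")).toString("utf8");
}

// Server side: searches everything it stores, yet only titles can ever match.
function serverSearch(records, term) {
  return records.filter((r) => JSON.stringify(r).includes(term)).map((r) => r.title);
}
```

A forgotten password leaves `wrappedKey` undecryptable, which is why such services cannot offer recovery, and the plaintext `title` field is exactly what the provider, or anyone who obtains its database, can read.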
Posted by dan7000
Dec 10, 2014 at 10:24 PM
In my post above, the three paragraphs after “explains:” are a quote from their web page that I tried to put in a block quote. The final paragraph is mine. Sorry for any confusion.
Posted by Daly de Gagne
Dec 11, 2014 at 01:34 AM
Just for fun I signed up for Stackfield.
I start the tour. The third item on the tour is at the bottom of the screen, but neither Firefox nor Stackfield allows for a scroll bar to access - and I realize I am caught up in the incompetent design world of designers trying to combine desktop and mobile design in a Windows 8 world.
To see the whole screen I have to set it for 80% rather than at the normal 100%. Now I see the whole screen.
Can someone please explain this kind of idiocy to me? It’s not the first time I’ve had to do that (with other programs) on my laptops or desktop library computers.
And the designers of some of these programs seem to think everyone has such poor vision that 100% must be made bigger by using larger type, etc. Even my aging eyes often require reducing to 95 or 90% to read comfortably.
From a graphic design perspective the web has become worse under the influence of mobile app style and Windows 8 design.
End of rant.
Daly
Posted by Hugh
Dec 11, 2014 at 09:08 AM
There’s a debate currently being contested in the forums of Literature & Latte on more or less the issue that Daly has highlighted: http://www.literatureandlatte.com/forum/viewtopic.php?f=4&t=29762. The divide appears to be largely generational. Call me old-fashioned, but when I visit an application’s website I wish to be informed of its benefits, rather than simply seduced by its “feel”. I find it slightly depressing that even really good and interesting software such as Ulysses III has opted to some extent to major on the “feel” dimension: http://www.ulyssesapp.com.
Posted by Neville Franks
Dec 11, 2014 at 11:55 AM
Not being able to search the full content makes any product unusable IMO. If the information you want stored is for your eyes only and you want to be able to work with it efficiently and effectively then you most likely need to have either your own private cloud or the data stored securely and encrypted on your local PC.
I personally think most folks’ data privacy requirements are overstated. If you are running a large business with lots of confidential information that’s another matter. However for individuals, bank, medical and other personal data needs to be private.