Evernote app upgrades are unencrypted over HTTP (opens in new tab)

(httpshaming.tumblr.com)

3 pointsphkn111y ago7 comments

7 comments

4 comments · 2 top-level

FroshKiller11y ago· 2 in thread

I'm actually a little relieved after clicking through. The post is only talking about app updates, not syncing updates to your notebooks.

phkn1OP11y ago

Right you are. Fixed the title. The the app does sync the notes themselves over SSL.

But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability, downgraded to a vulnerable version, or potentially compromised...

hjlklhj11y ago

> But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability

If you can mitm the dns or ip you can still do this even with https.

> downgraded to a vulnerable version

does the app allow "upgrading" to a lower version number automatically?

> or potentially compromised

the app enforces signed updates, no?

That said, they really should get https going for the updates.

1 more reply

schrodingersCat11y ago

Thank you for bringing this to my attention. As an avid Evernote user, I will shoot them a feature request email. MITM attacks are a real problem (how do you think Gamma's Fin–Fisher was deployed?), and there is no excuse for this not to be implemented on such a popular app.

j / k navigate · click thread line to collapse