Standard Notes! (and company)
Mar. 1st, 2020 04:54 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
hungryghostsEnough community grousing, I want to talk about a super neat open-source knick-knack we've been using. :D
Introducing: Standard Notes, a note-taking app for the paranoid!
So, this app is multiplatform. It syncs your data to an external server that you can connect to on other devices to get that same data back.
Normally, server data works on trust. Your data may be encrypted in transit from your device to the server and vice versa (via HTTPS/SSL), but when it's stored on the server itself it's unencrypted, readable by anyone. Or, it's encrypted by the server, but because it's the server doing the encrypting, anyone nearby could hypothetically get the keys and decode your data. Point is, you basically have to trust the people operating the server not to peek at your data or unencrypt it to take a peek, to say nothing of security measures and hackers.
Standard Notes operates on a different model. Data is still sent to the server, but it's encrypted on your computer, before it ever leaves, and it ISN'T unencrypted at any point on the Internet. It's only unencrypted when it comes back to you, by and on your computer. At no point can anyone else see your data - not employees, not hackers, not the goddamn government.
The full details are tricky to explain, but the gist is that they use your password as the encryption key, and they do not store your password except via hashing/salting, which renders it almost impossible to decode. (Almost. I'll talk about hashing/salting another time.) You know your password, and can thus decode your data whenever you want, but they do not.
Of course, there's holes in this system. (There always are.) If someone gets your password, you're hosed. (Unless you have 2FA.) If you forget your password, you're ALSO hosed - since the password is key to reading your data, they have no way to reset it for you. (If they do, either your password is separate from the encryption key, or they have a backdoor and are not that secure.) Overall though, it's a VERY neat system. Overkill? Probably, but there's no kill like overkill. And the whole thing is open source, so hypothetically, anyone with the know-how can take a look and verify that's indeed how the app works. (Of course, they can also bank on no one knowing enough or having the time to bother, but as far as we recall a security company did look it over and confirm that yes, this is secure.)
The free level of the app is super generous, with unlimited notes and folders. We've been using the HECK out of it for everything from system records to random thoughts to personal essays to workstuff that references Company Secrets(tm). There are some weird clunky bits and the interface isn't to everyone's liking, but it gives us everything we've ever wanted from a note-taking app and then some. We liked it so much that we dropped money for the paid version (the early adopter 5-year plan, which is like $150 but comes out to about $2.50 a month) and got a lot more neat features, like built-in todo lists, editor themes, and SPREADSHEETS.
IT'S DELIGHTFUL.
Also, it's definitely not the only app using this data model out there! Bitwarden (password manager) and Crypt.ee (file storage, like Google Drive) are also built on this encryption principle. (Crypt.ee also has a neat plausible deniability feature - you can make hidden folders so that even if someone forces you to unlock your account for them, they won't see the things in those folders.) There are likely many many more apps out there.
We will probably write another post on the specifics of how we organize everything, but these are the tools we use! May they serve you well if you also use them!
Introducing: Standard Notes, a note-taking app for the paranoid!
So, this app is multiplatform. It syncs your data to an external server that you can connect to on other devices to get that same data back.
Normally, server data works on trust. Your data may be encrypted in transit from your device to the server and vice versa (via HTTPS/SSL), but when it's stored on the server itself it's unencrypted, readable by anyone. Or, it's encrypted by the server, but because it's the server doing the encrypting, anyone nearby could hypothetically get the keys and decode your data. Point is, you basically have to trust the people operating the server not to peek at your data or unencrypt it to take a peek, to say nothing of security measures and hackers.
Standard Notes operates on a different model. Data is still sent to the server, but it's encrypted on your computer, before it ever leaves, and it ISN'T unencrypted at any point on the Internet. It's only unencrypted when it comes back to you, by and on your computer. At no point can anyone else see your data - not employees, not hackers, not the goddamn government.
The full details are tricky to explain, but the gist is that they use your password as the encryption key, and they do not store your password except via hashing/salting, which renders it almost impossible to decode. (Almost. I'll talk about hashing/salting another time.) You know your password, and can thus decode your data whenever you want, but they do not.
Of course, there's holes in this system. (There always are.) If someone gets your password, you're hosed. (Unless you have 2FA.) If you forget your password, you're ALSO hosed - since the password is key to reading your data, they have no way to reset it for you. (If they do, either your password is separate from the encryption key, or they have a backdoor and are not that secure.) Overall though, it's a VERY neat system. Overkill? Probably, but there's no kill like overkill. And the whole thing is open source, so hypothetically, anyone with the know-how can take a look and verify that's indeed how the app works. (Of course, they can also bank on no one knowing enough or having the time to bother, but as far as we recall a security company did look it over and confirm that yes, this is secure.)
The free level of the app is super generous, with unlimited notes and folders. We've been using the HECK out of it for everything from system records to random thoughts to personal essays to workstuff that references Company Secrets(tm). There are some weird clunky bits and the interface isn't to everyone's liking, but it gives us everything we've ever wanted from a note-taking app and then some. We liked it so much that we dropped money for the paid version (the early adopter 5-year plan, which is like $150 but comes out to about $2.50 a month) and got a lot more neat features, like built-in todo lists, editor themes, and SPREADSHEETS.
IT'S DELIGHTFUL.
Also, it's definitely not the only app using this data model out there! Bitwarden (password manager) and Crypt.ee (file storage, like Google Drive) are also built on this encryption principle. (Crypt.ee also has a neat plausible deniability feature - you can make hidden folders so that even if someone forces you to unlock your account for them, they won't see the things in those folders.) There are likely many many more apps out there.
We will probably write another post on the specifics of how we organize everything, but these are the tools we use! May they serve you well if you also use them!
