Truly secure online outliners

Posted by dan7000
Dec 26, 2014 at 11:44 PM

An update on my search for secure outlining:

First, I should have known this before - the type of security I have been talking about - where everything is encrypted and cannot be decrypted by the cloud service without the passkey that only you know—has a name and it’s called “zero knowledge” security. Google it and you’ll find all kinds of good stuff.

Second, I’ve llooked at a couple more systems - but as you’ll see below the best one so far is one you already know about and it’s not really in the cloud: Fargo.

Here are some of the other systems I’ve played with:
Turtl.it
purportedly zero-k. trying to be an evernote altenative so could be very good, even has a web clipper. No web app - everything is encrypted on client side and then synched but clients only for windows, mac and linux - so far no ios version! And unfortunately it’s just plaintext or markdown :(

Laverna
Also zero-k. a web app for notes. Has tags, tasks, notebooks and favorites and search. But unfortunately just markdown and no file storage. Still very fast and lots of good features. Just a web app - no clients.
Biggest problem - - it has no login so it seems to be tied to your browser on a particular machine??? - yes looks like that’s true but then also you can install on your own machine. So it’s kind of a local notes app basically. Says you can synch with dropbox (encrypted on client) but I don’t see how. Perhaps it will eventually be like Fargo (local app run through a browser) - but for sync they need some kind of password or ID.

Mammothe
Not launched yet but should keep an eye on it. It is a zero-k front end for Evernote. So everything encrypted client size (windows, ios, etc) before being transmitted to Evernote.

Penzu.com
This one has been around forever but appears to be zero-k but, as explained below, it’s really not. The pro version is stored encrypted on their servers. DOES have an ios app (although apparently not available at the moment due to bugs). It is set up as a journaling app but has seearch and tags and rich text and can actually capture stuff from the internet really well. Search only searches tags right now because of the encryption. But I noted a very bad thing about the encryption. It appears that decryption happens server-side, not client side—so if you unlock a notebook on one machine, and then view it on a different machine, the notebook appears unlocked on the second machine! Even worse, if you unlock a notebook on one machine and then kill that browser without re-locking, the notebook will be unencrypted forever untill you re-open it and lock it. Pretty unacceptable.

Zero-k cloud services plus Notebooks
There are a bunch of zero-knowledge cloud services out there. Boxcryptor is an example. SpiderOak is the most famous. I also signed up for Swissdisk.com, which is a zero-k dropbox alternative that supports WebDAV. WebDAV is a protocol that lets you view a cloud service as a drive in windows but, more importantly, is supported by a growing number of ios apps. So you can save to and open from the webdav drive in the ios app.
I used Swissdisk with “Notebooks” (notebooksapp.com), which has been discussed here recently, because the ios app for Notebooks has WebDAV support. So theoretically you could use the windows and ios versions of Notebooks and synch them over Swissdisk and everything would be secure.
Unfortunately Notebooks on my windows machine was unusably slow and unresponsive. Maybe that was because of running it on a network drive but the drive was super fast otherwise.
I couldn’t find any other outlining apps that used WebDAV on ios and had a windows counterpart. But that’s still an option.

Finally, Fargo.
So Fargo (fargo.io) is a nice workflowy clone but is not a cloud app. Although it runs in a browser all the data is always local and never transmitted. It runs on dropbox but has an encryption option to store an outline AES encrypted in dropbox, using a key stored locally in an HTML5 local store. You set the key in your browser before trying to open an encrypted file and you have to set the same one on all your clients or you just get an error.
I’m sure there are some terrible security flaws with this system - particularly the fact that the password is stored in what is basically a cookie. It would be nice if they would prompt for the password when opening a file so it’s not ever stored. FWIW many purportedly zero-k solutions, including stackfield, also store the password in a cookie.
But it seems logically pretty darn secure. If someone gets my dropbox they can’t open the file without the password. If they get hold of my machine, however, and I haven’t cleared my cookies, then they can get the data - so I should probably clear cookies on exit from the browser, at least, if I start to use this mechanism.