Thanks for the video Chris! You mention that UpNote admins can access user data because they "have your password". But if you authenticate to UpNote with your Google account and data is encrypted in transit, how would the devs access user notes?
They don’t have direct access to your account login password, what he means is they have the decryption keys on their end for the notes data they store (UpNote uses Google Firebase for notes storage). Notes are encrypted in transit to the Firebase database and are stored encrypted at rest in Firebase. This is not E2EE (end-to-end encryption) because UpNote has the decryption keys for the Firebase database, meaning they can technically access any of the data from your notes if they wanted to. This is not so much a concern because they have better things to do than trying to read everyone’s notes, but where this becomes a problem is if they get hacked. All user notes including the Firebase decryption keys needed to access them would be stolen and the world will have your notes once the hacker publishes the stolen info. Where this differs with Notesnook is that the decryption key is stored encrypted on YOUR device, so Notesnook could never access your notes nor if they were hacked would anyone else be able to, as the data is end-to-end encrypted and would just be an unreadable jumble of characters.
Thanks for the video Chris! You mention that UpNote admins can access user data because they "have your password". But if you authenticate to UpNote with your Google account and data is encrypted in transit, how would the devs access user notes?
They don’t have direct access to your account login password, what he means is they have the decryption keys on their end for the notes data they store (UpNote uses Google Firebase for notes storage). Notes are encrypted in transit to the Firebase database and are stored encrypted at rest in Firebase. This is not E2EE (end-to-end encryption) because UpNote has the decryption keys for the Firebase database, meaning they can technically access any of the data from your notes if they wanted to. This is not so much a concern because they have better things to do than trying to read everyone’s notes, but where this becomes a problem is if they get hacked. All user notes including the Firebase decryption keys needed to access them would be stolen and the world will have your notes once the hacker publishes the stolen info. Where this differs with Notesnook is that the decryption key is stored encrypted on YOUR device, so Notesnook could never access your notes nor if they were hacked would anyone else be able to, as the data is end-to-end encrypted and would just be an unreadable jumble of characters.
@@syberpunk That makes a lot of sense syberpunk! Thanks so much for explaining.