[RESOLVED] Joplin leaks private info despite end-to-end-encryption enabled

That would not prevent the mistakes I mentioned, of people uploading unencrypted data believing it's encrypted. Upon installation Joplin's first dialog is to choose a remote storage partner, then it syncs automatically. A warning message is needed at that stage to say something a-la "WARNING: Encryption is disabled by default! All your notes will be sync'ed to this remote storage platform unencrypted"

As long as encryption is disabled by default and Joplin touts "encrypted", then one would expect either a warning as above or encryption enabled by default.

I was referring to the messages until mine, which to me read just like I described they did. What they meant to say != how they came across (e.g. your message was also arguing it would cause "mess of support questions"). Don't worry, I didn't cry in a corner because of it, I was just a little surprised at the attitude displayed in the forum towards what is unarguably a distinguishing and advertised feature. Some of the replies that followed clarified what they meant (and I'm happy encryption isn't in fact undesired).

That's not the absolute truth you deem it to be, I'd say it's debatable at best. I can argue it's no less user friendly with it enabled than with it disabled, but it brings tangible privacy advantages when sync'ing with a 3rd party (one could even argue that without encryption there are better note taking apps out there - though I admit I'm starting to like the Joplin search features). For example, you said:

... hmm, everything is stored locally unencrypted (same size with encryption enabled or disabled), and while encryption does add some data for the remote sync'ed copy, it's additive, not multiplicative, so it can't be 5x slower. I just did a test, with and without encryption, and waited to sync everything. Local storage was the same (276MB), and sync'ing everything via Dropbox took almost the same time (timed at 13 minutes +/- ~20 seconds). You also said

... well, it's a one time action: you only input it when you have to initialize Joplin on a new device, and not every time you use Joplin or power on your device. Also, "password to remember" is debatable, because in the vast majority of cases it's usually either inside a password manager, written down somewhere, or reused -- it's rarely a new one to remember.

But anyways, I'm glad it was eventually confirmed that encryption enabled by default is the endgame. You yourself can disable it, and I can (almost!) guarantee that if you do then Putin won't invade because of it

Sigh, yeah, sure. At least you didn't invoke Godwin

Godwin would have a harder time invading. I meant the Putin sentence as a joke, not as a pun nor snark

I know, thats why I said "also" specifically in conjunction with CalebJohn's comment about the UX not being great, the items being so far apart in the menus doesn't really help reinforce the message that the two settings are related (i.e. that its the sync that is encrypted and not the local data).

The reason I tout the support aspect so much is that you are (or at least appear to be) new to the community, there have been so many issues with users not understanding how the keys work and there has been a lot of work and focus put in to improve this aspect (disabling old keys for example is relatively new functionality). As the incremental improvements are made it creeps closer to a goal to enable it by default without impacting the new user experience of the application - I think it is important that the enabling of encryption should not be a regression in that respect and whilst it still is (or at least could be) then it probably shouldn't be done.

Apologies if it didn't come across that way but the intention that it was in response to "why isn't it enabled by default" as opposed to being against the feature itself which is perfectly fine if you understand 1) what it does and 2) how to properly use it.
If those two points aren't clear then it causes issues because people often do not read the documentation (many assume it is both local and sync, some local only) and they don't understand why the application is now behaving in an odd way. If those usability issues are resolved then, as I mentioned before, I don't see any real issues why it can't be opt-out.

I'm pretty sure it is in fact multiplicative with the factor of around 1.5.

Not sure which data encryption scheme you're referring to (and coupled with which data key encryption scheme and/or which padding scheme), but standard schemes such as aes+cbc+pkcs* are additive, output size is o = n + k - (n mod k), so between n+1 and n+k, where n=input size, k=key block size, fixed (e.g. 16 for aes128)

Are you saying Joplin uses something totally different that results in multiplicative output size, i.e. $o = 1.5 * n$? I'd be surprised, the fields in the md output file suggest standard aes+ccm (which is basically aes+cbc with counter mode). I haven't looked at the Joplin source yet, though I don't expect to be bewildered.

Each block grows by a fixed size, but when you have x blocks, then you get x times that increase in size, so in the end it's multiplicative. And indeed in the few places where the ciphertext size is taken into account, we assume a x1.5 or even x2 increase.

Then I'm missing something, because I don't see how you'd get that, since if you regard the input as x blocks of n, then your output would be max around x*(n+k), and for that to be 2xn then you'd need about k=n which looks impossible to me unless your input blocks are tiny, even with the iv included, since k=16 bytes for aes128. What am I missing?

You mean that the encrypted data is larger than you'd expect? Then it's probably because it's base64-encoded for compatibility with the mobile app.

Here are some of changes I propose to improve the E2EE UI:

If anyone has any additional suggestion let me know.

One of the big things that needs to be demonstrated to users is the correct procedure for setting stuff up (as per the "how to enable e2ee" page). In particular how not to set it up, i.e.

Do not manually enable encryption on multiple devices in parallel, but rather wait for the other ones to sync with the first already encrypted device. Otherwise, you may end up with multiple encryption keys (which is supported by Joplin but most probably not what you want).

Indeed base64 adds a multiplicative 4/3=1.33 factor off the bat. But I'd still struggle to get to 2x factor unless I use very tiny input blocks, on the order of about twice the key size plus the iv, though these are only 16 and 24 bytes in your case, so the input length would need to be ~48*1.33/0.66 = 96 bytes which is still tiny (even if you packaged more stuff, salts, etc, which I'd imagine are tinier still). Obviously, I'm only curious at this point, and offtopic.

Good steps forward. I thought it would be enabled by default, though. If you want to leave it disabled by default then I would definitely add a warning when the user presses "Sync" and it's disabled, to warn them that their data will be sent unencrypted to the 3rd party and allow them to enable encryption at that point: "WARNING: Encryption is disabled. All your notes will be sync'ed to this remote storage platform unencrypted. If you want to change this then click here."

I feel this is fearmongering a tad, less tech savvy users are going to think they have done something wrong. Encryption is a bonus, we shouldn't be scaring people into thinking that all of their data is floating on the net for anyone to read.

I agree. Evernote or OneNote don't have big scary warnings about this, so Joplin shouldn't be put at a disadvantage just because encryption is not on by default.

But with the proposed changes, at least the "Encryption" checkbox will be visible in all the places where sync can be enabled, so it's less likely that someone who really wants encryption misses it.

The block size was chosen based on experimentations on mobile. Too large and it was very slow or could freeze the app, too small and indeed it would result in a too large ciphertext and slow decryption. But that was a while ago, so perhaps these settings could be reviewed.

Not sure what the point of having encryption is if not for protecting the users data against prying eyes. It's also (arguably) the only distinguishing feature of Joplin. Evernote/OneNote don't have warnings because they don't have encryption at all. I thought you were saying it would be enabled by default in Joplin (?). If it's disabled by default then users will fall into the trap of uploading data unencrypted like I did. Make it less scary, but a notice window should exist imo. Anyway, I don't think I have anything else to contribute to this thread. I am a little surprised though, but it's not my product ...

p.s. To be honest, in this day and age I think one would question the "disabled/enabled by default" to argue that anything leaving your local machine should be encrypted ... think SSL for secure sites handling private input data, they don't give you a choice between enabling/disabling encryption, certainly not disabling it by default, and thank goodness they don't.

Not quite what I mean, I just mean that the message almost implies that their data is open for literally anyone to see at any point almost like a web page as opposed to having at least one layer of security in that you need access details to that particular dropbox etc. Something informative is fine but giant WARNING text and flashing lights is a bit overboard, thats all I mean by it.

The main difference is that they don't require any concious effort on the part of the user to maintain keys etc. whereas Joplin does have that overhead. The way that Joplin works is a little counter intuitive to how most people use SaaS and other applications (including Evernote) because of the decentralised nature of the sync system (i.e. you don't need to "log in" to a main Joplin account which your clients then read and cache from).

It also isn't like the information is just being beamed entirely insecurely into the ether, many people already trust these hosting providers (rightly or wrongly) with security of their data - people don't tend to encrypt their documents before uploading to onedrive or dropbox so don't see Joplin as any different.

On a different note, one unintended benefit of enabling encryption by default is that people would be far less inclined to go messing with the files in the sync target or thinking that it is where their main Joplin database is being stored.

Ultimately this is the same conversation we have had before when discussing some of the network calls Joplin makes for accessing github mirrors etc. in that it is hard to please everyone. The application is never going to be hardened enough for the ardent security enthusiasts whilst people who (rightly or wrongly) aren't so concerned about it are negatively impacted by more complex UX or first time experience which will put off new users.

There's little difference, really. The password is setup only once, it's all transparent and effortless afterwards. I don't know why we're pretending it's such a major hassle.

People would absolutely use encryption if onedrive and dropbox offered it, that's the whole point. Joplin is absolutely different, precisely because it has encryption, otherwise OneNote or Evernote are a lot richer feature wise, so there's arguably little reason to not use them over Joplin. Having the feature but disabled by default and not alerting users it's unencrypted when they are about to sync for the first time sounds a bit weird.

https://discourse.joplinapp.org/search?q=decrypt

Now imagine if everyone had it on by default from the start. Until it can be made foolproof and immune from simple errors I just don't think it is a good idea to have it as a default.

Most people don't even know what it is and wouldn't really work if you can just log into the web client and read it all anyway.

• FOSS
• Multiple (including self hosted and free) sync options
• Markdown based

Those three are literally the options as to why I (and many others) picked Joplin, encryption is absolutely not the only redeeming feature it has that attracts people.

Also, just because I was curious, more people searched for "calendar" and "kanban" in the last year than they did "encryption". Make of that what you will.

I know enough friends who would make the mistake of enabling sync on all devices at once...I think it is better to make this feature opt-in to prevent newcomers from making mistakes (as long as the feature is not 99 % fool prove), but allow enthusiasts to take full advantage. And I cannot think of anything more deterrent than a big hint before the first sync that everything is sent to the internet unencrypted, so I find the variant that is planned (a hint in the sync wizard) very good as you don't need encryption before getting there anyways.