
Advice needed on the notebook password protection feature

Posted: Thu Mar 19, 2015 5:50 am
by CintaNotes Developer
Hi all,

as you probably know we are currently implementing the long-awaited notebook password protection feature.
Now we are at the point where we have to choose one of the design options, but can't come to an agreement.
Your input in this matter would be very valuable.

So, what would you prefer and why?

1) Very secure, but unrecoverable passwords - if you forget your password, your notes are lost. You can throw away
the .db file.
2) Ability to recover passwords via writing to CN support. The passwords will be encrypted with our private key
and stored in the settings file. This is obviously much less secure than option 1. A determined hacker (and even a layman, since
probably CN password cracking tools might appear) would be able to easily crack the password if he got access to
the .db file, but in case you forget the password, you still can get your notes back.
3) Option to choose from 1 or 2, with 1 being the default
4) Option to choose from 1 or 2, with 2 being the default
5) Your own version - please elaborate.

Thanks in advance!

Re: Advice needed on the notebook password protection featur

Posted: Thu Mar 19, 2015 6:49 am
by usbpoweredfridge
Easy - #1. All the other options throw doubt on the security of CN's encryption I'm afraid, and all the work you will have put into implementing it will have been wasted. The whole point of the encryption feature will be so that no one but the user who encrypted the database can read it - and if CN support has a backdoor into the encryption, the question arises as to who else has that same access, and that is where the trust is lost.

Proper backups are a user responsibility, and if a user loses data because they have encrypted their database and have lost their password, then too bad. Yes, that won't stop them contacting support to ask if you can crack their database, but you just have a simple copy/paste template that says "I'm sorry, but there is no backdoor into the CN encryption, and we therefore cannot help you - you will need to remember your password" (or along those lines).

Chris

Re: Advice needed on the notebook password protection featur

Posted: Thu Mar 19, 2015 8:56 am
by Thomas Lohrum
#1 - nothing else. Chris already pointed out the relevant facts.

Thomas

Re: Advice needed on the notebook password protection featur

Posted: Thu Mar 19, 2015 11:44 am
by CintaNotes Developer
Got it. Thanks. I guess a big warning when setting password should be enough, probably will even cause "wow"-effect ;)

Re: Advice needed on the notebook password protection featur

Posted: Thu Mar 19, 2015 11:49 am
by Thomas Lohrum
CintaNotes Developer wrote:Got it. Thanks. I guess a big warning when setting password should be enough, probably will even cause "wow"-effect ;)

Yes, as Chris already pointed out, make a disclaimer, tell people about the risks and their responsibility about managing their password.

Re: Advice needed on the notebook password protection featur

Posted: Thu Mar 19, 2015 12:41 pm
by usbpoweredfridge
Indeed, yes - I was going to suggest a warning when you set a password. I know not every user reads warnings - but in this case, even if they don't, you are then covered (i.e. you have done everything you can to impress on the user the seriousness of needing to remember their password). It is their responsibility from that point onwards.

Chris

Re: Advice needed on the notebook password protection featur

Posted: Thu Mar 19, 2015 1:20 pm
by Thomas Lohrum
You can strengthen the question by letting the user type some confirmation word, e.g. "Yes". Also double typing the password (entering it twice) should make the user aware of its importance.

Thomas

Re: Advice needed on the notebook password protection featur

Posted: Thu Mar 19, 2015 4:59 pm
by gunars
I agree with Chris and Thomas - #1. That's the only secure option.

How would it affect the SimpleNote and Dropbox syncing?

Here's what I currently do: I use Dropbox for syncing files between my work laptop and a home computer. Having simultaneous updates is not a problem for me - I use one machine or another at one time, not both. For more sensitive data, I have an encrypted (TrueCrypt) volume in the Dropbox folder. That's where I keep the CN .db file. When I start to use one computer, I mount the encrypted volume and run CN. While the file is mounted (i.e. open), Dropbox doesn't try to sync it. When I finish, I unmount the volume. This makes it available again to Dropbox for syncing. In other words, files in the encrypted volume are not synced on a change by change basis, but only when the 'session' ends and the encrypted volume is released.

This works fine for me, so I'm not that interested in the CN encryption. I just bring it up as something to be considered.

BTW, on my work laptop, I have to turn off Dropbox syncing anyway while I run CN. There is a known problem between McAfee Enterprise and Dropbox. When I update a note in CN, Dropbox tries to sync it but McAfee also tries to grab it for on-access scan. As a result, Dropbox keeps trying unsuccessfully to sync it - cpu usage goes up to 30% and the fan starts spinning faster. When I exit CN, it releases the file completely and everything finishes. Normally, the solution would be to add the CN .db files to the exclusion list for virus checking. However, my work laptop is heavily secured and I don't have control over this. So, I just turn off syncing and try to remember to turn it on later. I have one or two other programs that run into this problem, not just CN.

Alex, I know the notebook.disconnect.timeout.seconds setting normally releases the file after 30 seconds. Can it be set (0 or huge number) to never release? I could then leave Dropbox syncing on and just let the .db files sync when I exit CN.

Re: Advice needed on the notebook password protection featur

Posted: Fri Mar 20, 2015 3:05 am
by gustms
I will go with option #1 as well, please.

Thanks!

Re: Advice needed on the notebook password protection featur

Posted: Fri Mar 20, 2015 8:05 pm
by CintaNotes Developer
Thanks for your input! Now it's clear that option 1 is the way to go, with a good warning.

gunars wrote:This works fine for me, so I'm not that interested in the CN encryption. I just bring it up as something to be considered.

Thanks for explaining the details of your setup, Gunars! (Off topic: wasn't TrueCrypt compromised? I thought that it could not be trusted any more. Or are you using an older version?)

gunars wrote:How would it affect the SimpleNote and Dropbox syncing?

With Simplenote, I'm afraid that they store data unencrypted (proof). But still it's https, so at least during transfer the data will be encrypted.

With Dropbox it's much better actually - the notebook file on disk is always encrypted (we chose to use SqlCipher), and that's what Dropbox can see and sync.

gunars wrote:Alex, I know the notebook.disconnect.timeout.seconds setting normally releases the file after 30 seconds. Can it be set (0 or huge number) to never release? I could then leave Dropbox syncing on and just let the .db files sync when I exit CN.

No, setting it to 0 won't do you any good, it will just revert to the min setting of 10s. Instead, simply set notebook.disconnect.enabled to 0.

Re: Advice needed on the notebook password protection featur

Posted: Sat Mar 21, 2015 12:17 am
by gunars
A few responses:

1) The developers of TrueCrypt one day decided to just quit their project. They took down the web site and essentially said "goodbye and stop using TrueCrypt since we no longer support it". But there is nothing wrong with it. Steve Gibson (of Spinrite fame) has been hosting copies of the last official version and has info here: https://www.grc.com/misc/truecrypt/truecrypt.htm. As far as I know, there is nothing wrong with the last version 7.1a. The developers were warning the community since they no longer work with it and don't trust any branch spinoffs.

2) I tried notebook.disconnect.enabled = 0, but McAfee/Dropbox still grabbed the cintanotes.db-journal file and locked on it the same way.

Re: Advice needed on the notebook password protection featur

Posted: Sat Mar 21, 2015 10:50 am
by Noddy330
yes #1 (very well argued)

Nod

Re: Advice needed on the notebook password protection featur

Posted: Mon Mar 23, 2015 5:45 am
by CintaNotes Developer
gunars wrote:1) The developers of TrueCrypt one day decided to just quit their project. They took down the web site and essentially said "goodbye and stop using TrueCrypt since we no longer support it". But there is nothing wrong with it. Steve Gibson (of Spinrite fame) has been hosting copies of the last official version and has info here: https://www.grc.com/misc/truecrypt/truecrypt.htm. As far as I know, there is nothing wrong with the last version 7.1a. The developers were warning the community since they no longer work with it and don't trust any branch spinoffs.

I see, thanks for the info.

gunars wrote:2) I tried notebook.disconnect.enabled = 0, but McAfee/Dropbox still grabbed the cintanotes.db-journal file and locked on it the same way.

Probably the reason is that CintaNotes doesn't use EXCLUSIVE locking mode of SQLite, this means that outside of any running transaction the file is unlocked for reading (when notebook.disconnect is on, the file is unlocked also for writing).
So in case you can't get your sysadmin to add CN to McAfee's exceptions, we could try to add the locking mode option to the settings file.

Re: Advice needed on the notebook password protection featur

Posted: Mon Apr 13, 2015 10:31 pm
by gunars
CintaNotes Developer wrote:
gunars wrote:2) I tried notebook.disconnect.enabled = 0, but McAfee/Dropbox still grabbed the cintanotes.db-journal file and locked on it the same way.

Probably the reason is that CintaNotes doesn't use EXCLUSIVE locking mode of SQLite, this means that outside of any running transaction the file is unlocked for reading (when notebook.disconnect is on, the file is unlocked also for writing).
So in case you can't get your sysadmin to add CN to McAfee's exceptions, we could try to add the locking mode option to the settings file.


Would setting the locking mode to Exclusive also affect the journal file? If so, it might be worth a try since getting an exception change for McAfee may not be so simple.

Re: Advice needed on the notebook password protection featur

Posted: Tue Apr 14, 2015 7:29 am
by CintaNotes Developer
gunars wrote:Would setting the locking mode to Exclusive also affect the journal file? If so, it might be worth a try since getting an exception change for McAfee may not be so simple.


Yes, I suppose so. I've added the "sqlite.pragma.locking_mode" setting to the settings file in 2.9 Beta 1 which will be released today (would be grateful if you tried it out!)
However I discovered that setting this option to "EXCLUSIVE" (instead of default "NORMAL"), and setting "notebook.disconnect.enabled" to 0, miraculously doesn't prevent Dropbox from syncing the file. I wonder how it is possible.

Also I've discovered a nasty problem: export of all notes currently won't work with this locking mode, because to retain current filters CN opens a second connection to the database (this can be fixed in future however). So please use with caution.
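
The locking behaviour discussed in the posts above, as an added example that is not part of the thread and is not CintaNotes code: it compares SQLite's NORMAL and EXCLUSIVE locking modes as seen by a second SQLite connection and by a plain file read. The file name, table and note text are constructed, and it shows only SQLite-level behaviour, not what Dropbox or McAfee do.

```python
import os
import sqlite3
import tempfile


def open_writer(path, locking_mode):
    """Connection A: the application that owns the notebook file."""
    if locking_mode not in ("NORMAL", "EXCLUSIVE"):
        raise ValueError("unsupported locking mode")
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    conn.execute(f"PRAGMA locking_mode={locking_mode}").fetchall()
    conn.execute("CREATE TABLE IF NOT EXISTS notes(body TEXT)")
    conn.execute("INSERT INTO notes VALUES ('constructed sample note')")
    return conn  # no transaction is open at this point


def second_connection_read(path):
    """Connection B: another SQLite client reading between A's transactions."""
    other = sqlite3.connect(path, timeout=0)  # fail at once instead of waiting
    try:
        return other.execute("SELECT count(*) FROM notes").fetchone()[0]
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        other.close()


def raw_header(path):
    """A non-SQLite reader simply opens the file. SQLite's locks are
    byte-range locks placed well beyond the data of a small file (and are
    advisory on POSIX), so they coordinate SQLite connections only."""
    with open(path, "rb") as fh:
        return fh.read(16)


def probe(locking_mode):
    """Return (what connection B saw, first 16 raw bytes of the file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed.db")
        writer = open_writer(path, locking_mode)
        try:
            return second_connection_read(path), raw_header(path)
        finally:
            writer.close()


if __name__ == "__main__":
    for mode in ("NORMAL", "EXCLUSIVE"):
        print(mode, probe(mode))
```

In NORMAL mode the second connection reads the row between transactions; in EXCLUSIVE mode it is refused with "database is locked", while the plain file read succeeds in both modes.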

Re: Advice needed on the notebook password protection featur

Posted: Tue Apr 14, 2015 8:59 am
by CintaNotes Developer
Ok, I finally figured out how to overcome the problem mentioned above.
More than that, the EXCLUSIVE locking mode gives such a nice performance boost, that I decided to try making this locking mode the default
in the Beta. Let's see how it goes ;)

Re: Advice needed on the notebook password protection featur

Posted: Tue Apr 14, 2015 10:28 am
by CintaNotes Developer
The 2.9 beta is now available

Re: Advice needed on the notebook password protection featur

Posted: Tue Apr 14, 2015 3:58 pm
by gunars
CintaNotes Developer wrote:Ok, I finally figured out how to overcome the problem mentioned above.
More than that, the EXCLUSIVE locking mode gives such a nice performance boost, that I decided to try making this locking mode the default
in the Beta. Let's see how it goes ;)


Hi Alex,

I did a quick test with sqlite.pragma.locking_mode = EXCLUSIVE. I still get the sync problem with Dropbox whether notebook.disconnect.enabled is 0 or 1. Oh well, at least you found out about the performance boost. Thanks for trying.

Gunars

Re: Advice needed on the notebook password protection featur

Posted: Wed Apr 15, 2015 12:38 pm
by CintaNotes Developer
gunars wrote:I did a quick test with sqlite.pragma.locking_mode = EXCLUSIVE. I still get the sync problem with Dropbox whether notebook.disconnect.enabled is 0 or 1. Oh well, at least you found out about the performance boost. Thanks for trying.


You're welcome, Gunars. BTW it seems that the problem is well-known at McAfee:
https://community.mcafee.com/thread/50400
https://kc.mcafee.com/corporate/index?p ... id=KB81595

Re: Advice needed on the notebook password protection featur

Posted: Tue Oct 06, 2015 4:06 pm
by gunars
gunars wrote:BTW, on my work laptop, I have to turn off Dropbox syncing anyway while I run CN. There is a known problem between McAfee Enterprise and Dropbox. When I update a note in CN, Dropbox tries to sync it but McAfee also tries to grab it for on-access scan. As a result, Dropbox keeps trying unsuccessfully to sync it - cpu usage goes up to 30% and the fan starts spinning faster. When I exit CN, it releases the file completely and everything finishes. Normally, the solution would be to add the CN .db files to the exclusion list for virus checking. However, my work laptop is heavily secured and I don't have control over this. So, I just turn off syncing and try to remember to turn it on later. I have one or two other programs that run into this problem, not just CN.

I noticed yesterday that I'm no longer getting conflicts between the current version of Dropbox (3.10.7) and McAfee Enterprise when using CN or the other programs. I'm not sure if Dropbox or McAfee fixed the problem, but I can finally run CN on my work laptop without having to pause Dropbox!

On the other hand, the Google Project Zero team has found a vulnerability in TrueCrypt that was missed by previous audits. The current version of open source VeraCrypt addresses this already.

More info: http://www.pcworld.com/article/2987439/ ... omise.html