Evernote Service Not Affected By OpenSSL Bug

Posted by Rich Tener on 10 Apr 2014

On Monday of this week, a group of security researchers discovered and publicly disclosed a vulnerability in OpenSSL, a software package that is widely used to secure online communications. They called the bug Heartbleed.

Evernote does not use, and has not used, OpenSSL, so we were not vulnerable to this bug. As an Evernote user, you don’t need to take any action.

Some of the services that we use, for example, our support ticketing system, do use OpenSSL. These services have all fixed the bug. We do not believe that any sensitive data was accessed. We are actively monitoring the situation and will notify you if we discover anything.

Update, May 29, 2014: When the Heartbleed vulnerability was publicly announced, we confirmed that the Evernote service was not and had never been vulnerable. Evernote’s security team then began reviewing each of our client software applications to determine whether they were impacted. We learned that the Android 4.1.1 operating system itself uses a vulnerable version of OpenSSL, which means that many of the applications, including Evernote, that run on that operating system are vulnerable to an attacker accessing random pieces of information when that device connects to a network.

For Android 4.1.1 Users
Google is working with mobile service providers to push an Android operating system update, but Evernote has no control over this process. If you are running Android 4.1.1 on your device, we recommend you take the following steps to protect yourself:

  1. Avoid using public Wi-Fi networks with your Android 4.1.1 device
  2. Contact your mobile service provider and ask them for an update that fixes the Heartbleed vulnerability
  3. Consider switching to a device that runs a newer version of Android and deactivate your Android 4.1.1 device inside your Evernote account

We have also sent this information in an email to affected users.

Skitch for Windows
We have also found and fixed a vulnerability in our Skitch for Windows application. We released version 2.3.1 on May 7th to address this vulnerability. If you use Skitch for Windows, be sure to update to the latest version.


6 Comments

  • silviu

    I’m curious – as far as I can see communication with Evernote is made over HTTPS – what do you use instead of OpenSSL?

    • Rich Tener

      You are correct. We protect your communications using TLS/SSL (https). We use hardware accelerated load-balancers to establish these connections. These load balancers were not vulnerable to the Heartbleed bug.

  • Scott Smith

    As a proponent of secure and open-source solutions that are well-positioned for growth, this post makes me wonder… what does Evernote use for encryption? Without giving too much away (of course), that might make a good blog post.

    • Rich Tener

      We use a lot of open source in our infrastructure. We opted to use hardware accelerated load balancers for TLS termination for performance reasons. Specifically for transport encryption, we use a 2048-bit RSA key for the SSL certificate. We support a mix of cipher suites and TLS protocols to provide a balance of strong encryption for browsers that support it and backward compatibility for legacy clients that need it. We will continue to improve our TLS posture with the goal of exceeding industry standards. Thanks for the blog topic recommendation!

  • AB

    This is assuring, but Evernote’s SSL gets less than A grade by the SSL Labs analyzer. It gets an A-, which is still pretty good but could be better:
    - There is no support for secure renegotiation.
    - The server does not support Forward Secrecy with the reference browsers. To this end, can Evernote provide ECDHE_RSA?

    • Rich Tener

      We do not support PFS, but consider it important, and are working with our vendors to be able to support it.
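The forward-secrecy point raised in the last two comments (ECDHE_RSA suites versus static RSA key exchange) can be checked on a server's own TLS configuration before deployment. The following is an added example, not code from Evernote or from the commenters; the cipher strings are constructed for the comparison and the check is configuration-only (no certificate is loaded, no connection is made).

```python
import ssl

# Constructed cipher strings for the comparison (not Evernote's real configuration).
# The legacy string mixes an ephemeral-ECDH suite with a static-RSA suite; the
# hardened string allows only ECDHE key exchange, so every session key is ephemeral.
LEGACY_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def make_server_context(cipher_string: str) -> ssl.SSLContext:
    """Build a server-side context with the given OpenSSL cipher string.

    TLS 1.2 is the floor and the server's own suite order wins, so a client
    cannot steer the handshake to a weaker suite that the list still allows.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def provides_forward_secrecy(cipher_name: str) -> bool:
    """True if the suite's key exchange is ephemeral (its session keys cannot be
    recovered later from the server's long-term RSA private key)."""
    if cipher_name.startswith("TLS_"):
        # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral (EC)DH.
        return True
    # TLS 1.2 OpenSSL names carry the key-exchange method as a prefix; a name with
    # no ECDHE-/DHE- prefix (e.g. AES128-GCM-SHA256) is static RSA key transport.
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def forward_secrecy_report(ctx: ssl.SSLContext) -> dict:
    """Classify every suite the context would offer; 'static_key_exchange' is the
    list a reviewer would ask to have removed to reach full forward secrecy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    static = [n for n in names if not provides_forward_secrecy(n)]
    return {
        "pfs": [n for n in names if provides_forward_secrecy(n)],
        "static_key_exchange": static,
        "all_forward_secret": not static,
    }


if __name__ == "__main__":
    for label, ciphers in (("legacy", LEGACY_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(label, forward_secrecy_report(make_server_context(ciphers)))
```

The same `forward_secrecy_report` check can be run against any `SSLContext` an application builds, which is a cheap way to catch a static-RSA suite creeping back into a cipher list after a vendor or library update.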