Evernote and POODLE

Posted by Dave Engberg on 16 Oct 2014

Yesterday, Google researchers announced a vulnerability in version 3.0 of the SSL protocol. Google’s advanced acronym-generation algorithm dubbed this issue POODLE (for “Padding Oracle On Downgraded Legacy Encryption”).

Even though the SSL 3.0 protocol has been superseded by secure alternatives for at least a decade, most existing operating systems and Internet applications are willing to speak this old dialect for backward compatibility. Unfortunately, this willingness could be exploited by attackers to force modern web browsers and servers to communicate insecurely.

The researchers found that an attacker with control over your network connections (for example, on a public wifi network) could trick your web browser into leaking your personal “cookies.” These cookies could be used to assume your identity on secure web services like Evernote.

Web browser vendors are working to push updates that would mitigate this risk by removing SSL 3.0 support from their software, but it may take months for these changes to trickle out to the majority of Internet users. Until that time, users of any service that still offers SSL 3.0 communications will be vulnerable to attack.

Evernote has determined that the only way to ensure that our users are protected from this vulnerability is to disable SSL 3.0 support on all of our servers so that they will only communicate with secure TLS. This will prevent attackers from tricking your browser into using the insecure protocol and stealing your identity.

Tomorrow morning (October 16th), we will disable SSL 3.0. The majority of Evernote users should not see anything different after the change. Unfortunately, there are two types of users who may have problems connecting to Evernote after SSL 3.0 is disabled.

First, people who access Evernote through extremely old web browsers like Internet Explorer version 7 or earlier may see security errors on www.evernote.com, as well as other sites like Twitter that have made this change. To fix this problem, install a more recent web browser.

Second, people who have installed Evernote on Windows XP may see networking errors during synchronization if they never installed Service Pack 3 and Internet Explorer 8 on their computers. These people should be able to fix the problem by installing Service Pack 3 and Internet Explorer 8 via Windows Update (or from Microsoft’s web sites).

We apologize in advance for the disruption this will cause to users of those old browsers and operating systems, but we feel that this is the best way to protect all Evernote users from attack.

Update:

Several people have reported that they can’t connect to Evernote servers from IE or from the Evernote client on computers running Windows 7 or later. Even though Windows 7 ships with “TLS” support enabled by default, it seems that some people have systems where it has been disabled.

If you can’t access secure sites like Evernote and Twitter from IE on your Windows computer, then follow the steps in one of these articles to re-enable “TLS” on your system:

http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html
https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
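The "Use SSL 3.0" and "Use TLS 1.0" checkboxes in Internet Options > Advanced are stored by Windows as a per-user bitmask named `SecureProtocols`. The following added example (not from the original post or from Evernote) decodes that mask to show whether a client can still reach a server that has turned SSL 3.0 off; the registry path and bit values are the documented Windows setting, and the sample masks are constructed.

```python
"""Decode the WinINet SecureProtocols bitmask (IE "Use SSL/TLS" checkboxes)."""
import sys

# Documented bit values of the SecureProtocols DWORD, one per checkbox.
PROTOCOL_BITS = {
    "SSL 2.0": 0x0008, "SSL 3.0": 0x0020,
    "TLS 1.0": 0x0080, "TLS 1.1": 0x0200, "TLS 1.2": 0x0800,
}
LEGACY = ("SSL 2.0", "SSL 3.0")
KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def assess(mask):
    """Report what a client with this mask can negotiate."""
    enabled = [name for name, bit in PROTOCOL_BITS.items() if mask & bit]
    return {
        "enabled": enabled,
        # A server with SSL 3.0 disabled needs at least one TLS version here.
        "can_reach_tls_only_server": any(p.startswith("TLS") for p in enabled),
        # While set, the client still accepts SSL 3.0 from servers that offer it.
        "ssl3_enabled": "SSL 3.0" in enabled,
    }


def hardened(mask):
    """Untick SSL 2.0/3.0 and tick TLS 1.0, leaving all other bits unchanged."""
    for name in LEGACY:
        mask &= ~PROTOCOL_BITS[name]
    return mask | PROTOCOL_BITS["TLS 1.0"]


def read_current_user_mask():
    """Read the per-user value on Windows; None when the value is not set."""
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
            return int(winreg.QueryValueEx(key, "SecureProtocols")[0])
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample masks; on Windows the live per-user value is added.
    masks = {"SSL only": 0x28, "SSL 3.0 + TLS 1.0": 0xA0, "TLS 1.0-1.2": 0xA80}
    if sys.platform == "win32":
        live = read_current_user_mask()
        if live is not None:
            masks["this user"] = live
    for label, mask in masks.items():
        print(f"{label}: 0x{mask:X} {assess(mask)} -> hardened 0x{hardened(mask):X}")
```

A mask of `0x28` (only the SSL boxes ticked) is the state that cannot connect once the server drops SSL 3.0; `hardened()` yields the SSL-unticked, TLS 1.0-ticked state.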

30 Comments

  • Hi, IE8 is apparently not compatible with WinXP 32, so it’s not possible to install IE8 on XP as suggested. Service Pack 3 is installed. Any suggestions?

    • Dave Engberg

      Microsoft’s web site claims that it works with 32-bit XP:
      http://windows.microsoft.com/en-us/internet-explorer/products/ie-8/system-requirements
      But try updating as far as you can and then see if you can view https://evernote.com/ from IE on your computer.
      If you can view our web site from IE, then our client should sync as well.
      If you can’t view our web site (or HTTPS on Twitter, etc.), then you’ll need to find an upgrade path that makes XP work.

  • I normally use the Evernote client on my netbook, which is currently running Win 32 XP SP3. I don’t normally use IE but it works with the web version.

  • I still use Windows XP sp2, and I can not upgrade sp2 to sp3 because of accounting software.
    Accounting software is necessary for me, so I can’t uninstall it. I have to stay on Windows XP sp2.

    Is there any solution for XP SP2 users? Don’t tell me to use the web edition. That is so slow on my computer (my PC is 8 years old).

    • KU, have you found a fix to run the EN desktop program in XP SP2?
      I have of course tried the [Internet Options/Advanced/tick Use TLS 1.0] solution below, but sadly EN desktop still refuses to start (“Could not connect to server”)
      Thanks.

  • Jonny Hulme

    I have both XP (32 bit) service pack 3, and internet explorer 8 installed, and evernote sync fails every time. Useless, irritating, and just typical flaky IT nonsense that’s not worth wasting a minute of your time listening to.

    Thanks for bundling this one on us evernote at about two days notice.

    Ok, now back to uninstalling evernote..!

  • Bob Brooke

    I use the latest versions of both Chrome and Firefox. I can access the Evernote site, but cannot sync even from my laptop which runs Windows 7. It looks to me that in protecting all your paid users, you’re ignoring those of us who use XP with Service Pack 3. I have lots of notes on Evernote which are now useless. I think the best solution is for those of us in this situation to just find another program like One Note.

  • Bob Brooke

    To add a further comment, I’m running IE8 on XP Service Pack 3 and cannot access Evernote’s Web site, so the problem is with Microsoft as usual.

    • Bob
      Try the IE fix on the TomsGuide link given by Dave below; it has worked for me. Make sure SSL2 & SSL3 are unticked & TLS1.0 is ticked.

  • Hi, does this issue have anything to do with the fact that I got a fate Exception error while running Evernote? Also, when I load a new version I get the same error. This is for Windows 8.1 64-bit.

    Thanks

  • I am running XP on service pack 3 and have IE8 installed so based on your statements above it should all work however my Evernote is not syncing & I can not view https://evernote.com/ in IE8…
    Any suggestions?

  • Dave Engberg

    If you are getting sync errors on Windows 7 or later, then that’s probably unrelated to the fixes for the POODLE attack.
    If you’re on Windows XP and you can’t use Internet Explorer to browse https://www.evernote.com/ or https://twitter.com/ , then you could confirm your version of IE and try these tweaks to get the browser to work:
    http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html
    https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

    But if you can’t get IE to browse any secure web sites that have been secured against POODLE, Evernote won’t be able to sync either since we rely on the same part of the Windows networking as IE.

    • Dave,
      With all due respect, please see the thread located here: https://discussion.evernote.com/topic/71001-getting-cant-connect-to-server-error-message-on-windows-app/page-2#entry312918

      It is full of nothing but Windows 7 (and greater) users (of which I am one (W7 Home Premium)) who are – actually, were – experiencing desktop application syncing issues. All I needed to do was to turn on the TLS options and my issues went away. Such a major and potentially very frustrating change should go out as an email from the programmers or someone from Evernote. I spent almost a week with it and I was ready to trash the whole program and move on to something else.

      I am back on board though, and lovin’ Evernote more each day. So, you’re safe for now, but mind your P’s and Q’s.

      See the blog, it can speak for itself.

      Thanks
      Mark

      • Dave Engberg

        Thanks for the details, Mark.
        We did identify the 330,000 accounts that had been accessed from Windows XP in the last two months and sent all of those people an email to give them a warning. We did not include people on Windows 7 or later, because everything we were able to find says that “TLS” was available and enabled on every version of Windows 7 by default. For example:
        http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
        So we didn’t want to risk confusing a few million Windows users for a situation that should have been extremely rare. (I.e. it should only affect a system where the security settings had been intentionally degraded from Microsoft’s shipping defaults).

        But we’ll keep trying to figure out what’s going on … i.e. if there’s any way for us to identify people who have security-disabled Windows 7+ systems.

        Thanks

  • The Windows XP problem apparently applies to the desktop client, regardless of what browser is used. I have Windows XP, SP 3, latest version of Firefox, latest version of Evernote desktop client and I get the message on the desktop “Can’t connect to server. Please try again later.” I can connect to my account fine using the browser, but I’d like to see the desktop client fixed!

    • Dave Engberg

      Firefox isn’t relevant. You need to be able to connect to https://evernote.com/ from Internet Explorer.
      If you can’t connect to our secure web site (or Twitter, etc.) from Internet Explorer, then follow the instructions in
      http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html

    • Hello, I have the same situation as you.
      http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html
      can fix the problem.
      Just change the Microsoft Internet Explorer
      tool->internet->advanced
      unmark SSL 2.0 & SSL3.0
      mark TLS 1.0
      And then, apply it.

      You can sync by desktop client.

  • I’m not able to sync, using the windows desktop client. I’m on win 8.1. None of this makes sense to me!

    • Dave Engberg

      If you’re on Windows 8, then any sync problems you are having are unrelated to SSL3 or POODLE.
      Contact Support to help you look at your Activity Log to determine the source of the failures.

  • Michele

    I’ve installed Xp service pack 3, I always use G. Chrome as web browser, but Evernote doesn’t sync from my pc to my mobile device. Please help me, I don’t want to move my sketches to another app.
    Thank you! Michele

  • A lot of people (me included) suddenly couldn’t sync after SSL 3 was disabled.

    To fix:
    Control Panel
    Internet Options
    Advanced
    Scroll down to Security and tick “Use TLS”

  • Michele

    IT WORKS!!
    As Paul has said! A special thank you, Paul! People at Evernote should reward you. I really appreciate your smart and precious help!
    Michele

  • Paul’s comment above relating to ticking TLS in IE advanced tab just worked for me also. I’m running WinXP32 SP3.

  • Paul W.

    Me too, Paul’s comment above relating to ticking TLS in IE advanced tab just worked for me also. I’m running WinXP32 SP3.
    Also I have unticked SSL3.0
    Yet I spent two days not understanding why nothing worked properly. Evernote could make this information more visible

  • Gonzalo López de Ayala

    More than a week not synching Evernote’s Windows version. I am a very proud user of Win XP SP and Evernote never emailed me anything to warn me.

    After talking to the support service and filtering the answers myself, this is the solution:

    1) Don’t try to upgrade to IE8 or IE9; it won’t work.
    2) In

    Control Panel > Internet Options > Advanced > Tick the TLS 1.0 and….

    You’re done.

    Hope it helps.

  • BartekJ

    Paul’s comment helped me a lot as I couldn’t run IE 8 on my laptop.
    Paul – thank you!

  • Hi everyone

    Does anyone have a fix to run the EN desktop program in XP SP2?
    I have of course tried the [Internet Options/Advanced/tick Use TLS 1.0] solution, with [Use SSL 2.0 or 3.0] either ticked or unticked, but sadly EN desktop still refuses to start (“Could not connect to server”)
    Or do I HAVE to upgrade to SP3?

    Thanks.

  • Hi all,

    I second HN’s question – did anyone find a fix for XP SP2 with IE6? I tried disabling all SSL protocols and enabling TLS 1.0 to no avail. I can’t upgrade IE due to legacy software dependencies. What is the Evernote team’s solution for users like me? Actually it caught me totally by surprise and I had to spend quite some time researching why the Evernote client is the only application on my PC that’s unable to connect to the evernote.com site while Firefox and Chrome do it perfectly. Now I was really surprised IE is the culprit – I never had any idea the Evernote client has such a silly dependency. Why not follow the Android client – it doesn’t depend on IE, I suppose…