Home / GitHub Page

How can we be sure that you've implemented E2E encryption securely?


#1

Hi,

I’ve recently started using Joplin and I’m a huge fan of the project - keep up the great work!

I’m currently only using Joplin on my desktop but my goal is to start synchronizing my data across multiple devices in a way that doesn’t compromise my security or privacy.

The obvious solution is to self-host my data but I unfortunately don’t have time to set that up at the moment. Therefore, the only alternative that would fulfill my goal would be to: (1) enable E2E encryption and (2) sync to Dropbox or one of Nextcloud’s recommended providers.

Before I start doing this I would like some assurance that Joplin’s E2E encryption is secure enough to prevent eavesdropping from a third-party cloud service provider.

I would like to know:

  1. Has Joplin ever received a comprehensive security audit?
  2. Have you written tests for the encryption process?
  3. Are the encryption algorithms strong enough to protect my data from being read by third-party cloud provider threats?

Many thanks,
aoao


#2

Hi,

  1. There hasn’t been any comprehensive security audit yet.
  2. Yes there are test units for the encryption service and integration tests for E2EE.
  3. The crypto is using SJCL at the moment. I followed industry standards as closely as possible and there’s currently no known issues.

#3

Thanks for being up-front about this @laurent.

I won’t feel comfortable relying on Joplin’s E2E encryption to protect me from eavesdropping by a third-party cloud service providers until the relevant code has been through an independent security audit. Unfortunately, it’s trivially easy to get encryption wrong (and even more likely if, like in this project, you’re not coding in a statically-typed language).

Are there any plans to undergo an independent security audit in the near future? I’d definitely be willing to donate to help cover some the cost (and I’m sure others would too).

Without this assurance, I’m tempted to switch to competing software which has completed an independent security audit.

By the way, if you’re not sure who to hire to do the independent security audit, check out Cure53 - they’ve got an excellent track record.


#4

Thanks for the info. I’m also very keen to get the app audited but not sure how to set this up actually.

I guess the first step would be to get a quote from a firm to know how much it would be cost, but then how do open source projects usually get funding for this? Do they setup a kickstarter or something?


#5

@laurent, I’d recommend you scan tickets for this in other OS projects.

For example, this one in Bitwarden’s repository has some very good information that could help you.

I hope that’s helpful.


#6

Yes, it is hard to get this right and even it is OK today a bug could be introduced tomorrow. Historically, most of the errors turns out to be the ways the keys are managed, not the actual encryption.

The weak link, however, is on your local device. The entire notes database is stored in plain text. You would need to encrypt the local disk to make your PC secure.

Another idea is to find a way to use a service like “sync.com” to sync Joplin notes. Sync.com uses end to end encryption. I think I might try syncing my notes to a local folder that is actually synced using E2E.

The best plan would be to set up your own server and use whole disk encryption on that server as well as on the PC.


#7

gofundme I think is one option?

Would only work if you can get people to know about it and contribute. If you can get promo’d on that site or some others somehow, it would also increase your users.


#8

The above post is so not what I was quoting o.0 Including the correct quote in this post