Hacker News new | ask | show | jobs
by swozey 1835 days ago
I use Obsidian and one thing I'm not getting about peoples concerns with e2e encryption - does nobody realize once it's decrypted on the devices you use (work laptops, etc since it's your ubiquitous note taking app) that anyone with access to your laptop (IT) has full access to every single .md file downloaded to your system?

People talk about encrypting their vaults and everything else all the time. I've never seen anyone mention the fact that your entire life of notes (whatever they may be) are now completely plain-text (well, markdown) files accessible to anyone with access to your machine. And IT will be well aware that you just dumped 10000 files into a directory, although hopefully they think you're just pulling git clones and don't go further.

So, what, do I not use markdown when at work? Do I not care? Do I stifle my posts in case anyone at work reads them? It just seems like a terrible system for very personal note taking.

Does throwing the stuff in icloud mitigate this? Gdrive? Dropbox? Even encrypting a folder gives admins access to all of my files as soon as I decrypt it. If I use an online app that I have to auth to and the connection is encrypted unless they're doing DPI they're not going to see any of my notes...

This seems like a huge problem with markdown notes.
1 comments
sunu 1835 days ago
e2e encryption is not trying to solve the problem you describe. If I'm going to open and view private notes on a non-private machine, no amount of encryption will help me.
link
fauigerzigerk 1835 days ago
The whole point of e2e encryption is to make it impossible for anyone other than the intended recipients to access the information. So conceptually, the ends of e2e are people, not devices.

I think the parent has a valid point in that terminating the encrypted channel at the device level leaves a pretty gaping hole in the not so rare event that people are forced to use employer provided devices at least some of the time.

There's a reverse issue as well though. It may well be the intention of employers (or even a legal requirement) to stop employees from syphoning off company data through some encrypted channel that IT has no control over.

So in some cases the assumption you're making that device = user may be an unavoidable compromise.

link
swozey 1834 days ago
Or you store your notes in another method (online, remote ovier ssh/rdp) so they're not plain text files accessible to anyone.

Some local note apps store them in dbs that would require auth, etc.

I just think this is a huge pitfall of using markdown notes.

link