Q: I have a concern about security and backups.
1. I see that backups are created automatically online in the account, which are said to be stored in S3. Are we able to download those at any point? And additionally, are we able to do our own backups that can be restored? I'm hesitant to put full faith in any service that claims their syncing is infallible. Far too often I have seen cases of blank files overwriting files containing data due to poor sync. That's why I like to keep my own backups. But even if I'm able to get a backup (via copying the AppData folder) or downloading the ones you create, I'm not seeing any way to import that data. Am I wrong?
2. There's a lot of talk on the site about security and encryption, but I'm concerned to find that it doesn't seem to apply when you use the desktop application. The desktop app is just an Electron app (a website encased in a Node.js executable, basically). When looking at the stored files in AppData I'm seeing that all my settings are stored in plain text, images are not being encrypted (they are just named something else), and my username, email and a hashed version of my password are plainly visible. Additionally, all my notes are stored in plain text locally, just inside some JSON. Doesn't this kind of fly in the face of the whole security thing when all this data is stored in plain text locally? Are there any plans to secure this?
Alex_FUSEBASE
May 15, 2024
A: Hi Sumo-ling,
Thank you for your questions!
The prize for the most complicated question is yours :) I'll do my best to reply with my limited (in comparison with you) technical knowledge. You can find more details by contacting us at contact@nimbusweb.co. Our Technical Leads love such topics!
In the meantime, please find my comments below:
(1) You can download notes in HTML or PDF and save locally.
(2) Our encryption is mostly focused on preventing server attacks or attacks at the network level. You're referring to the case of protecting your local files. Usually, users apply their own protection of local files like passwords, firewalls, etc.
Thanks for taking the time to reply. My response follows:
1. My concern was about being able to import this exported data. Having a backup I can't put back into Nimbus Note easily isn't really that helpful as a backup. If I've got 700 notes I've got to manually copy back to restore, that's not exactly user friendly.
2. On the website it says "This encryption is always active—both when data is transmitted and when it is in storage." and "Any data that you store in Nimbus Note is encrypted with 256-bit AES encryption." This is quite misleading if the Nimbus application is not actually storing encrypted data. How can I be sure you're storing encrypted data on your servers when you're not even encrypting it locally? For transmission, I can see banking on encryption via SSL; that's a given and basic as long as your website is using SSL. But to say encrypted when stored, that is something completely different. That means the files are being written as encrypted files that can't be read with a simple text editor. When is this encryption happening? On your servers after the upload? When? How long are my files on your server unencrypted while waiting for that process? What do you do with the unencrypted versions afterward? Are they just casually deleted or are they "shredded"?
Honestly, I think these are important enough concerns that they should be answered here rather than secretly in an email. Perhaps you could ask your team to help you post a detailed response here for all to see. I don't think I'm the only one who has these concerns. Until these security questions are answered I'm out.
Thanks again!

Verified purchaser
Therefore, the files are not encrypted locally?
Are the files encrypted on your server? Does anyone except myself have access to them? Could anyone on your team access and read my files?

Verified purchaser
I would like clarification on all of this as well.
Hmm. If you search the comments for "security", you'll notice they've ignored every question related to security. I'm extremely apprehensive about jumping on this deal if they don't respond.

Verified purchaser
To be most secure, can you design it so we can specify in Settings that designated FOLDERS created in the online app remain online and are not synced to appear in the desktop app?