Show HN: We built an end-to-end encrypted alternative to Notion (opens in new tab)

(snote.app)

7 pointsmonicaincog2y ago11 comments

Hello HN, Over the last year we've been building snote.app, a Privacy focused, End-to-End Encrypted alternative to Notion. You can write, plan, collaborate and get organized - it allows you to take notes, store files, add tasks, manage projects & more. Whether you're working solo or in a team.

We are hoping to use this post as an opportunity to collect feedback from fellow hackers.

If there's anything we can do better, please let us know

11 comments

KomoD2y ago

Yes, there is something you can do better, remove the dumb pixelation effect, you're seriously making us sit and wait for 7 seconds to see the videos

quickthrower22y ago

Oh they are videos? I just see pixels

AHOHA2y ago

For the dramatic effect!

monicaincogOP2y ago

true ;) on it

monicaincogOP2y ago

fixed

FreeCodeFreak2y ago

Stuff like this should of course be open source, with the optional possibility of self-hosting. E.g. Nextcloud style.

But, the bigger question is, for something shared here on hacker news where an abundance of developers dwell: why would we not create our own ~500 lines note taking synchronization function with built-in end-to-end encryption?

I mean use your favorite scripting language, even on your laptop, and you could theoretically make something that is very easy to audit and maintain. There is no need for extreme complexity with thousands of lines of code (or untrusted closed source software for that matter). Just something simple to keep your notes encrypted.

Oh wait, we got KeepassXC already (although that is a very complex program and hard to review for us outsiders that do not know the code. Etc. Etc.) I personally do not have time to review such code, and so, it remains a matter of trust for me. I still prefer it because it is open source.

monicaincogOP2y ago

1. we're in the process of open sourcing, agree 2. if you'll try it you'll see it's little more the 500 lines of code... (real time collaboration, data tables, file storage and more...)

thanks for taking the time to comment, I'll update this thread when we open source it

imuli2y ago

I mean, one of the most important things you can do is write up exactly how you use the various pieces of cryptography - so people who know enough can easily evaluate your theoretical ideal.

Then when someone takes a look and notices that you're storing the users' RSA private keys on the server, they can check whether you actually meant to do that.

Also: Don't store (or ever even have) your users' RSA private keys server side!

monicaincogOP2y ago

noted. in the coming weeks we'll be more transparent about the tech stack.

in the meanwhile, sure, we don't store private keys on the server side :)

imuli2y ago

In the login response I see the private key being sent back from the server, it looks like it is encrypted with a key derived from the user's password. 100100 iterations of PBKDF2-SHA512 is certainly better than it could be, but not it's certainly not as secure against brute force attacks as Argon2 or any other modern KDF.

monicaincogOP2y ago

quick update, we posted the source code of our secure enclave

https://github.com/snoteapp/senclave

j / k navigate · click thread line to collapse

11 comments

KomoD2y ago

Yes, there is something you can do better, remove the dumb pixelation effect, you're seriously making us sit and wait for 7 seconds to see the videos

quickthrower22y ago

Oh they are videos? I just see pixels

AHOHA2y ago

For the dramatic effect!

monicaincogOP2y ago

true ;) on it

monicaincogOP2y ago

fixed

FreeCodeFreak2y ago

Stuff like this should of course be open source, with the optional possibility of self-hosting. E.g. Nextcloud style.

monicaincogOP2y ago

1. we're in the process of open sourcing, agree 2. if you'll try it you'll see it's little more the 500 lines of code... (real time collaboration, data tables, file storage and more...)

thanks for taking the time to comment, I'll update this thread when we open source it

imuli2y ago

I mean, one of the most important things you can do is write up exactly how you use the various pieces of cryptography - so people who know enough can easily evaluate your theoretical ideal.

Then when someone takes a look and notices that you're storing the users' RSA private keys on the server, they can check whether you actually meant to do that.

Also: Don't store (or ever even have) your users' RSA private keys server side!

monicaincogOP2y ago

noted. in the coming weeks we'll be more transparent about the tech stack.

in the meanwhile, sure, we don't store private keys on the server side :)

imuli2y ago

monicaincogOP2y ago

quick update, we posted the source code of our secure enclave

https://github.com/snoteapp/senclave

j / k navigate · click thread line to collapse