Sync between multiple computers / browsers

Summary
Being able to sync

  • between multiple browsers on the same computer,
  • or multiple browsers on different computers

I’m really concerned about sync encryption. What’s the point of encryption if you hold the encryption keys?
It appears you are not giving us an option to choose a password/key to encrypt with or to hold onto the encryption keys, and are instead using keys which you alone have control of and could decrypt with at any time.

If I’m using a service to sync which encrypts personal data, I’d expect to have control of the encryption keys. I assume background sync would require always storing the encryption key in the browser, which is a sizable security risk. You could prompt users to enter the encryption key right before the background sync starts and remove it from memory as soon as the sync is completed or interrupted. A bit untraditional, and merely an inconvenient side effect of reliable high security. You could also consider adding a “remember key” checkbox so that people would at least know what the potential tradeoff is, and agree to storing their keys on their device knowingly.
If you want to really keep your customers safe and keep things “private,” you would let your customers hold on to their encryption keys.

To ensure security, please have the code audited and release the audit report before public release.

I think there is a misunderstanding. We will never know those keys. Otherwise, as you pointed out, the end2end encryption would indeed be pointless.

The keys are only stored on your devices.
It would not be suitable to recreate keys on every new sync batch though, because otherwise you would need to do that every few minutes.
Also the purpose of the encryption is not to shield you from every attack vector (like your own computer that is hacked) but that you can safely sync your data with whatever provider you use now and in the future.
If someone would obtain the encryption keys, it’s 1) already too late because they had access to your computer and would not need the keys anymore and 2) they could not hijack the sync because they would still need to register another device to sync, which we/you would notice.

Does that make sense?

We will never know those keys.

Key could be compromised while sending from extension to mobile app.

The keys are only stored on your devices. It would not be suitable to recreate keys on every new sync batch though

As you aren’t using asymmetric encryption and are using symmetric encryption, it’s just a single key, and you’re just randomly generating a string which you’re using as a password to encrypt/decrypt data. What I’m proposing here is to grant us more control over the key.
When doing sync for the first time, allow us to manually choose the key/password to encrypt data, along with your default option. When a user selects the manual option, store a hash of the key on the device instead of storing the plain key.
Like mentioned previously, you prompt users to enter the encryption key (selected in the first step) and check if the hash matches the hash stored on the device right before the background sync starts, and remove it from memory as soon as the sync is completed or interrupted.
As for the mobile app, you transfer the hash value of the user key instead of sending the actual encryption key, and the user enters the password selected during the initial sync stage on mobile to verify.
You could also consider adding a “remember key” checkbox so that people would at least know what the potential tradeoff is, and agree to storing their keys on their device knowingly.
A bit inconvenient, yes, but secure.
This way even if someone managed to gain access to my device they won’t get access to the encryption key.

Can you also try to answer all the questions so I don’t have to repeat? Missed a couple of questions in my previous posts as well.
Will the code be audited? To ensure security, please have the code audited and release the audit report before public release.
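The passphrase flow proposed in the post above, as an added example that is not part of the thread and is not Memex code. It assumes Node.js, hypothetical function names, and a salted scrypt-derived check value in place of a plain hash of the key, since a fast hash of a user-chosen passphrase can be guessed offline from the stored value.

```javascript
// Added example, not Memex code: function names and KDF parameters are assumptions.
const crypto = require('node:crypto');
// Stretch the passphrase with scrypt, then split the result into two keys:
// one encrypts sync data, the other is only a check value stored on the device.
function deriveKeys(passphrase, salt) {
  const master = crypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
  const mac = (label) => crypto.createHmac('sha256', master).update(label).digest();
  const keys = { encKey: mac('sync-encryption'), verifier: mac('passphrase-check') };
  master.fill(0);
  return keys;
}

// First sync: only the salt and the verifier are written to the device.
function enroll(passphrase) {
  const salt = crypto.randomBytes(16);
  const { encKey, verifier } = deriveKeys(passphrase, salt);
  encKey.fill(0);
  return { salt: salt.toString('hex'), verifier: verifier.toString('hex') };
}

// Before a batch: re-derive from the typed passphrase and compare in constant time.
function unlock(passphrase, record) {
  const { encKey, verifier } = deriveKeys(passphrase, Buffer.from(record.salt, 'hex'));
  if (crypto.timingSafeEqual(verifier, Buffer.from(record.verifier, 'hex'))) return encKey;
  encKey.fill(0);
  return null;
}

// Encrypt one batch with AES-256-GCM; the key is zeroed whether this succeeds or throws.
function sealBatch(passphrase, record, plaintext) {
  const key = unlock(passphrase, record);
  if (key === null) return null;
  try {
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
    return { iv, body, tag: cipher.getAuthTag() };
  } finally {
    key.fill(0); // best effort: the passphrase string itself cannot be wiped in JS
  }
}
function openBatch(passphrase, record, batch) {
  const key = unlock(passphrase, record);
  if (key === null) return null;
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, batch.iv).setAuthTag(batch.tag);
    return Buffer.concat([d.update(batch.body), d.final()]).toString('utf8');
  } finally { key.fill(0); }
}
```

The stored record contains neither the passphrase nor the encryption key, so a second device can receive the record and still require the user to type the passphrase before it can decrypt anything.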

The connection runs over SSL, so if SSL is not compromised there is not much we can do - except if we would create a backdoor, which we obviously would not because it could destroy trust and the very foundation to run our company.

What I’m proposing here is to grant us more control over the key.

Your ideas are great but they are more for a later stage / optimisation.
For now we don’t have the capacity to develop a 100% secure system or implement the suggestions you propose.

Will the code be audited?

Sorry if I missed that. No, the code will initially not be audited, for the same capacity reasons. We are focused on getting something usable out of the door asap, that provides enough privacy that we can’t know your data. Our focus initially here is privacy, not 100% security.

Also to note:
Key sending from extension to mobile happens by scanning a QR code and from computer2computer via WebRTC, so they never even land on our servers.

Are there any updates on this? It seems like the recent updates are only for syncing between one desktop browser and one phone.
Adding an additional browser into the syncing is currently not supported, right?

3 Likes

Hi, using between different computers is a critical use case for me. Without it, the hurdle to daily use it is too high.

4 Likes

I also have multiple computers. I guess I can back up and import, but not ideal.

Voted for this one!

Thanks for your work, and I agree with getting something out the door and usable, and that 1 computer + mobile device is a good starting point. I just miss Memex on my other computers 🙂

1 Like

Also Voted for this one!

Great Great Staff!!! Keep up the good work

Your FAQ talks about syncing between multiple browsers by going via local file (and the required extra helper because of extension limitations).

Could you not integrate with the APIs of a few common cloud storage providers - e.g. Dropbox, Google Drive? That would then be a one time setup, and the ongoing experience (including setting up a new PC/Browser) could be very easy.

For me this is an important factor whether I choose to use memex or not. Since I work alternately on several PCs, using memex is only practicable if they sync. As it is now, it is too cumbersome. That’s a pity because I like the ease of use very much. I will continue to watch this app. Should this feature come up one day, I’ll think about using it again.

2 Likes

This is the key feature I need in Memex! Happy to pay for it!

1 Like

How many computers, phones & browsers do you have?

Is there a “Portable” mode, or a workaround towards it?

Welcome here! Can you elaborate what you mean with “a portable mode”?

That the data resides on a portable device instead of the computer drive. So that your work can “travel” with you.

There is a mobile app for Android and iOS. It does not have the full features of the extension but at least you can save stuff on the go, and view your collections and notes.

Mobile annotations and a mobile reader are already in development.

Does that solve it for you?

1 Like

I just found a good use case for this feature.
Chromium based browsers will not allow multi selection of text, while Firefox allows that (⌘+click+drag on macOS, ctrl+click+drag on Linux).
I just moved from Firefox to Brave and this feature is one of the features I am missing right now.
Syncing between multiple browsers can be useful if I want to create a single instance of a highlight that spans between separated sentences.

@ybbond

Yeah that would be a great feature indeed, although a bit out of scope of the original feature request.
Unlikely that it’ll come soon as we have many other priorities.
Just checked with Firefox and also there it’s only suboptimally working, since our data model does not support many targets for a single annotation/note.