How not to build a secure plugins architecture
I was taking a look at Obsidian the other day, having seen someone mention it on my timeline. I’d taken a look before, but was especially curious about their plugin architecture: it seemed particularly powerful, and I was impressed they had found a way to implement extensions securely without needing to render extensions separately in their own sandbox. I installed a few extensions on my local instance, like a calendar plugin, and was bewildered—how on earth are you rendering external code dire...
Problem Solving - Episode 1
I want to experiment with sharing bite-sized tidbits and stories of how we solve problems, from the simple to the more complex. A sort of behind-the-scenes or a “day in the life” of our team. In this episode, Karol and I discuss how to best position the new files server in our infrastructure in a way that is scalable and reliable for us, while also maintaining a user-friendly self-hosting experience for users who self-host the backend infrastructure, but not the frontend applications. The goal...
Why so many editors?
Most people love that we offer them the choice of editor to use to edit or craft their notes. If you want rich text, like highlighting and colors, you’ll need to use a rich text editor, and almost all web-based rich text editors use HTML as the under-the-hood markup language. But forcing all of our users to have their notes converted to HTML is nowhere near our modus operandi. We promised you portability, so we default to plaintext. If you want rich-text, you must opt in. Ok, well, what about M...
Roadmap Update — March 2022
Late last year, we shared an update on our plans and roadmap for 2022. I wanted to share with you some of the great progress we've made on our goals and highlight some of these achievements, as well as share what’s in store for the months to come. Things we've delivered: ✅ Native, built-in tag folders. This replaces the previous folders extension, which felt disconnected from the core app experience. This refactor is part of our overall direction of moving away from using extensions for core b...
2FA as a free feature
Yes, two-factor authentication is a paid feature for Standard Notes now. We've gotten a lot of negativity about this, and it is understandable. I think however if one understood—perhaps viscerally—the difficulty of building a profitable company from scratch, with no outside capital injection, you painfully come to realize the default mode of user operation is a very strong reluctance to part with their credit card. In fact, about 92% of our users use Standard Notes without paying a single doll...
Self-hosting the new extension-less architecture
Some of our users like to self-host their own infrastructure for a fully sovereign, synced, and end-to-end encrypted note-taking architecture, particularly our backend syncing server. This allows you to use our official web, desktop, and mobile applications, but have those applications seamlessly sync with your own server and database. Some users also self-hosted the extensions, particularly the now defunct folders extension. For the reasons mentioned in our blog post on transitioning from an ex...
Folders: From Extension to Native
If you’ve been present in our community Discord, Slack, or forum, you’ve likely already read about our long-standing goal of moving away from extensions for core functionality to native implementations. We've made near complete progress in this area. In previous major versions of our application, behavior like autocomplete tags, folders, and even duplicating a note were all implemented as external extensions that were loaded into the core application via an iframe mechanism. The philosophy behin...
Deprecation Notice: FileSafe
Starting February 9, 2022, FileSafe will be deprecated and no longer offered to new users. For existing users who have the FileSafe extension installed, FileSafe will remain accessible indefinitely. FileSafe was launched in 2018 as our concept file storage solution, and uses a bring-your-own-cloud model to store your files. This means that files are encrypted by us but stored in your Dropbox or Google Drive. This architecture allowed us to focus on building a frontend solution without requiring...
An update on early pricing and roadmap
This is a trimmed down version of an email that was sent out to our users on November 3, 2021. The End of Early Pricing: Early Pricing is our 5-year plan, which was marked down at a steep discount as a sort of "capital raise" program---you give us a single relatively large sum in advance, and we give you prolonged service. But because the program was offered at such a discount, it couldn't be sustainable in the long run. We're glad to announce the time has finally come to graduate out of early...
Why TokenVault is going public source
In investing time and resources into improving TokenVault and other editors, we felt uncertain about the fact that there are already open-source clones offering free (but untrusted) distribution of our paid extensions. This is certainly within their rights, as our custom editors are licensed with AGPLv3. For context, Standard Notes clients and sync server have always been released under an open-source license. Extensions have had a different history, as their primary purpose is precisely a way to...
Standard Notes 3.6 Update
We’re excited to launch version 3.6 of our applications on every platform. This release focuses on simplifying access control measures, as well as giving you the power to review and revoke other devices signed into your account. Session Management: You’ll now have the ability to review which devices are currently signed into your account. You can choose to Revoke an existing session. This will prevent that device from having access to your account. Revoking a session also removes all account data f...
Standard Notes Completes Penetration Test and Cryptography Audit
We are pleased to announce the latest release of our encryption suite. This release uses the latest state-of-the-art, cryptographer-recommended algorithms for modern day encryption and key generation, designed to withstand the latest advances in cryptographic attacks and brute-forcing. For data encryption, our latest cryptography suite uses the XChaCha20-Poly1305 algorithm. This algorithm is presently the preferred algorithm in many modern-day encryption contexts, and ranks above any of the AES-...
What is a pull request?
One of the main ways software developers contribute to free and open-source projects is by creating pull requests to fix bugs, add features, clarify documentation, and to address other issues. A pull request is a proposal to make specific changes to the source code of a project. Projects usually have multiple versions of their source code, and one of them is the main version. The maintainers of the main version often encourage other developers to contribute to their projects by creating pull re...
Encryption is for Everyone
People with wealth and power have many things that normal people do not. When they are sick, they have access to many of the best doctors and the best medical treatments. When they are well, they can afford to attend the most prestigious private universities and pay for their children to do the same. When they are in trouble, they can buy their way out with the help of big law firms. All the while, they leverage their private social networks to influence giant corporations and government officia...
How to block ads and trackers in Safari for iOS
Ads on the web are annoying and most trackers betray our privacy by giving third-parties information about the sites we visit and the topics we are interested in. These third-parties can then track us around the internet to sell us more ads, distort our search results, and give our browsing history to governments. When we block ads and trackers, websites are easier to read and faster to load, so we save time and bandwidth (data). Blocking ads and trackers is easy on desktop browsers thank...
What is Free and Open-Source Software?
Software programs, like other creative works, are released to their users under certain terms and conditions called licenses. When a license gives its users the rights/freedoms to use, study, copy, modify, improve, and redistribute it, then the software is considered free, or libre, and open-source software (FOSS). Background: In software development, companies and developers write software as a collection of many files called the source code or the code base. When the software is ready for use, th...
What are LaTeX, TeX, and KaTeX?
What is LaTeX? LaTeX is the standard document preparation system for producing high-quality publications in academia and technical industries. It is often used for large and important academic works such as theses, dissertations, and peer-reviewed journal articles and books, but it can be used for anything, from resumes to homework and lecture notes. For example, the security white papers for Signal and ProtonMail are written in LaTeX by security professionals. How does LaTeX work? The main idea beh...
Encrypted, Ephemeral Customer Service
The Silver Lining in Facebook's Privacy Nightmare: Privacy advocates and journalists have known for years that the tech behemoth Facebook, Inc. threatens our privacy. The company owns three of the most popular social media platforms – Facebook.com, Instagram, and Whatsapp. Each of them is free to use, but Facebook, Inc. posted $55 billion in advertising revenue in 2018. Their advertising revenue was 98.5% of their total revenue for that year and the percentage is expected to increase to 99% in 20...
What is DNS-over-HTTPS?
In February 2020, the Mozilla Foundation announced that it would enable DNS-over-HTTPS by default for all Firefox users in the United States. In this post, we'll explain what that is and why it matters. Background: You and your computer need to take many steps in order to connect to a website. At some steps, there's a possibility for your privacy or security to be vulnerable. When you use a web browser such as Firefox to connect to a website, you are viewing files on a remote computer. These comp...
What is Electron?
Electron is an open source software framework that software developers can use to create desktop apps that work across Windows, macOS, and Linux operating systems. Background: Each operating system can only run apps written in certain programming languages, called native languages. If a developer wants an app to work on the system’s desktop, then they will need to write it in those languages. If an app is written in a system’s native language, then it is called a native app. For example, nativ...
Being a quiet software company
A user on our Slack, and some on reddit, have asked us why we've been sort of quiet on progress. Why no new blog posts? Why no new major releases? Why the seemingly dismissive attitude towards feature requests? Here was my response, and here's that new blog post you asked for :) I spent the last few years personally responding to every single user inquiry or request. I also handled every single feature, bug fix, release, blog post, etc. At some point recently, this all began to take a toll on me,...
What is End-to-End Encryption?
End-to-end encryption is a system of encryption that allows parties to communicate in a way that severely limits the potential for third-parties to eavesdrop on or tamper with the messages. Third-parties may include government agencies and companies that provide internet, telecommunications, and online services. End-to-end encryption helps people communicate securely by emails, voice calls, instant messages, and video chats. It also secures communication between devices for sharing and syncing ...
What is Encryption?
Encryption is the process of transforming readable text or data, called plaintext, into unreadable code called ciphertext. After the data is transformed, it is said to be encrypted. The reverse transformation process from ciphertext to plaintext is called decryption. Background: There are many methods of encryption. Each method aims to prevent decryption by anyone who doesn’t have a specific secret key, such as a password, fingerprint, or physical device. The big picture: Different forms of encryp...
The 120 Day Update
A little bit of sunshine has graced us this week, and after a few months of heavy bunkering in our winter den, we emerge energized and with news. Here are things we've released or have been working on over the last 120 days: The all-new 3.0 mobile app for iOS and Android. It's fully redesigned, and really fast. We switched from React Native Navigation to React Navigation, and the app feels much more stable and smooth. We still believe React Native is the way to go, and we now share a single core Ja...
Why is X feature paid and not free?
To better answer that question, we'll take a small look back at our history, and alternatives we could have entertained. In terms of achieving sustainability by collecting payment from our users directly (instead of say, advertisers), two popular models come to mind: a. The entire product is behind a paywall (the “Netflix” model); b. Some, but not all, features are behind a paywall (the “freemium” model). Ideally for us, the entirety of the product would have been a straight-forward "pay to use" inter...
The 3.0 Update
Standard Notes 3.0 for desktop and web introduces a more refined experience, combined with quality-of-life improvements that are sure to delight. Here's what's new: Introducing Privileges. Privileges allow you to require your account password or local passcode to perform certain actions in the app. Actions include: Download/Import Backups, View Protected Notes, Delete Notes, Manage Extensions, Manage Passcode. The key privilege is "View Protected Notes". If you protect a note and enable this...
Encrypt your Dropbox and Google Drive with Standard Notes FileSafe
Users depend on Standard Notes for their most important creations, from notes on projects, to credentials and passwords, to thoughts, ideas, and the entire spectrum of output from their life’s work. We start with a very simple core experience, offering encryption and easy sync out of the box at no charge so that users around the world can gain a safe place to store their life’s work, without worrying about all the peeping that cloud-based services usually succumb to. With encryption, and particul...
Bye-Bye Mailchimp
Some time ago, a user, in response to an email we sent out to everyone outlining some new app updates, said that he did not feel comfortable with us using Mailchimp to send out newsletters. Privacy is first and foremost on our list of priorities, and this user had a great point. But, if not Mailchimp, how else could we manage to send emails on a large-scale basis? There aren’t really any privacy-focused email services, nor am I even sure what that would look like. The only solution was building ...
Editors on Mobile and Desktop Highlighting
Some said this day would never come. Others have doubted its overall feasibility. But it's here. And it's great. Editors are now available on mobile. No more unrendered Markdown, HTML, or tasks. Your favorite Extended editors are automatically available in the latest version of the iOS and Android app, including the Plus Editor, the Advanced Markdown Editor, and the user-favorite Simple Task Editor. Here's what's new since last time: 1. Editors on mobile. You can now access your favorite editors fro...
Introducing two-factor authentication and offline extensions
Let's get right to it: we have a new update (v2.1), and it's probably our most important one yet. Here's what's new: 1. Two-factor authentication. 2FA will have you feeling warm and cozy as you sign in with high levels of additional security. It's now available for Extended members. Be sure to upgrade your apps on every platform to the latest version. Learn more about setting up two-factor authentication. 2. A new extensions manager. Now you can browse and install extensions without ever leaving Sta...
Automatic Backups, Simple Task Editor, and a Solarized Theme.
A quick few announcements: 1. We added automatic local backups in Desktop v2.0.3. Backups are an important part of our 100-year plan. They protect you and us from the unexpected and catastrophic. Now in the latest version of the Standard Notes desktop app, encrypted backups are automatically made every day when the app is in the background. You can access these backups via the "Backups" menu item. 2. We introduced a new theme: Solarized Dark. A beautiful theme that feels right any time of the day. I...
Enhanced security with Device Storage Encryption
Note: This article is no longer being maintained. Please read this help post for the latest on how Standard Notes stores data on your device. Last week we introduced a new security feature called Device Storage Encryption (DSE) for iOS, Android, Web, and Desktop. We mentioned briefly how in addition to the already end-to-end encrypted sync Standard Notes provides, DSE can further safeguard your data by making sure unencrypted data never touches a hard drive. This post explains how DSE works, and ...
Introducing our new Android, iOS, and Desktop apps.
A letter to our users: Dear note lovers and encryption lovers, We know you love notes. And the secure feeling a private online life gives you. So, we made something for you. I think you're going to like it. A powerful new notes app for iOS and Android (and Desktop). It's more secure. Device Storage Encryption now encrypts your data before saving it to your local disk. Lock your app with a passcode to require authentication on launch and, on desktop, to encrypt your local key storage. And now for Andro...
The Unexpected Benefits of Encrypted Writing
Let's admit, shall we, that freedom has to have its own space. I've spent about the last decade of my life developing tools for note taking and file management, the most important of which is an encrypted note-taking app. And when I talk to others about how their lives changed once they knew their thoughts and words were private, the response is always the same: "I feel free," is what I hear. They talk about the subtle, but powerful, difference privacy brings you. You become accustomed to the lux...
Announcing Our Security Audit Results
A few months ago, we hired an independent security research firm to conduct an audit on the encryption specification used by Standard Notes. In building out our product, we spent a lot of time making sure our encryption is as strong and fool-proof as possible. While it's easy for one to feel confident of their own work, a security audit is a must for any privacy-focused project to assure the developers and customers alike that data being encrypted and transferred is done safely and securely. We'r...
Introducing Components for Standard Notes
We're excited to announce the launch of four new powerful extensions that take your simple Standard Notes experience to a new level. We decided early on that simplicity is the only way to achieve quality, stability, and longevity in software. Too often we see apps we depend on implode from their own complexity or become completely unusable from endless bloat. We knew that if we wanted to avoid this death trap, we had to design our system differently. Extensions have been the perfect solution for u...
Don't be fooled: Metadata is the real data
In a crime case, investigators don't have access to "the truth"—the data, if you will. All they have are clues which can be put together to make as perfect a guess as possible as to what the nature of the truth is. Metadata. In the U.S., governments have played coy and attempted to talk down efforts of mass surveillance, particularly phone surveillance, by asserting that the actual contents of the call are not collected—only the metadata is: where you were; who you were calling; how long you talked for...
Building Standard Notes to be long-lasting
It's the greatest love story of all: you find an app that you absolutely love. It solves all your problems. And it makes your life better. It's a fairytale and the both of you live happily ever after. Except, it never quite happens like that, does it? The app you depend on to solve your life's problems begins wanting to "scale." The company who makes the app took out an investment to build it, and now those investors want to see bigger returns. How? By attracting more customers. Attracting more cus...
In Silicon Valley, Software Uses You
Microsoft announced recently that it would be shutting down Wunderlist, a popular todo app it acquired just two years ago. Millions of users who have depended on the intricacies of Wunderlist to go about their daily lives will now have to import all their trimmed-down data to the new Microsoft-centric experience. Is this ok? It depends on how you define software. When using software, who’s using who? I am using it of course, you might be inclined to believe. But in Soviet Valley, software uses you...
VPNs Are Absolutely a Solution to a Policy Problem
The internet is simply a series of computers connected through wires. The computers are owned by everyone—you, me, companies, and governments. When I access a website, my computer routes a signal through my Internet Service Provider’s (ISP) tubes to the website’s computer. Naturally, the middleman keeps a log of all the traffic that goes through their property. And naturally, the middleman is always looking for new opportunities to grow richer. In a capitalistic economy, can you fault the middle...
Why simplicity is the only way forward
Engineering Standard Notes to be "un-elaborate" was anything but easy for us. In an era where software degrades by the day and the life expectancy of the apps we use is anything but ideal, getting our software simple took time. We were slow pokes on this idea. It took 3 years to realize simplicity was our only solution. Why? It takes time to realize that fewer lines of code directly translate to a better experience. Simple means fewer bugs. It means fewer moving parts. Fewer things break. Simpler ex...
Encryption Makes a Better World
Changing the nature of governance through encryption. The newest revelations about the extent of CIA hacking tell us one thing: encryption works. The spy agency has had to resort to coming up with creative and complex mechanisms to get around the encryption systems of mainstream applications, including attempting to gain control of the operating system itself. At this point, it’s the likes of Apple engineers operating on their home turf vs. CIA engineers chasing exploits — an easy bet. Through our...
The Privacy Revolution That Never Came
There is a war waging today, and shots are being fired through the wire. You make your move. They make theirs. Who’s winning? The ones trying harder of course. In this game of oversized entities vs. techies, we are significantly out-powered. Information. That’s all anyone ever wanted. For a government, it is its lifeblood. In the past, information was relatively easy to control and stifle. Today, information is out of control. Information travels at the speed of light, the fastest possible speed ...
Privacy is Power
Why the fight for privacy matters. The desk I’m typing this on is a little wobbly. I adjusted the legs yesterday to be a little shorter after noticing the reason my wrists were hurting was because they were bent upward at an uncomfortable angle. My office at home is now clean and empty, after spending several hours the day before throwing away empty boxes of electronics that I for some reason found value in keeping. I also finally fixed our “broken” bathroom door, which for the last three months w...
Moving beyond localStorage
It’s hard to believe that as of 2016, the best method for offline storage in a web app was localStorage, a simple string-only key value store with a 5mb data limit. These kinds of stores are typically meant to store user preferences and basic user information. So if you wanted to build an application that offered end-to-end encryption AND search capability, you couldn’t. For this reason, we have had to make compromises in our privacy, at a cost that is everyday becoming more expensive. But while ...