I have been hacking this weekend and got a prototype for end-to-end encryption via a chrome plugin ready. Disclaimer:
I do not take any responsibility for the security of this extension or any data loss due to bugs or mishandling of passwords.
The extension is NOT production ready and has still to be through-roughly tested.
How it works:
It hijacks the XHR communication between the dynalist client and the dynalist server. All outgoing items are encrypted, all incoming items are decrypted.
What is still missing
Quick Dynalist support
Support for bookmarks / document names
Support for shared documents
Support for dates in google calendar
… something else?
The code is open-source and I would appreciate if a security expert could have a look
Also to be clear: The password is never saved in plain text.
Though it could decrypt the documents on the page using the key of course.
I guess with password change you refer to re-encryption of all data with the new password? This will be tricky to do with the current system – I have to think about how to do this.
What do you mean by password reset?
Same here, sounds great but will need a lot more meddling with the Dynalist code which could turn out to be tricky. Maybe @Shida has ideas how to do this easily.
Yes that’s right and I don’t think I can do anything about this because as you said – the plugin is off. What you can do though if you encounter ‘could not decrypt’ is go into your version history and undo the accidental change.
It’s tricky because in order to make it secure I would have to copy all your documents in order to discard the version history. In principle I could do that using the API - but it will be a bit of work.
The little lock icons are a bit hacky right now though (basically using css rules) and I think it might slow down the client too much.
Maybe I can try to dig into the core Dynalist code to make it more efficient, otherwise I might have to remove them again. EDIT: I think I found a more performant way of doing it.