Client-side encryption

This is a brief description of the data security architecture at ThreeTags. If you have questions or concerns, please feel free to post them below.

User authentication

When a user registers with ThreeTags, he/she creates a username and a password. The password is never transmitted to the server; instead, it is combined with a unique ‘salt’ string and then hashed in the browser using the SHA-1 hashing algorithm. It is this ‘password hash’ that, together with the username, is used to identify the user.

User data encryption

Encryption key

Upon successful user authentication, a 256-bit encryption key is created on the client using the PBKDF2 key derivation technique. Because the ThreeTags server has access only to hashed passwords, and encryption keys are generated from the passwords themselves (with unique salts), it is impossible for us to guess user encryption keys.

Encryption

All user data is then encrypted/decrypted in the browser using the AES-256 encryption algorithm, and is transmitted over the Internet and stored on ThreeTags servers in this encrypted state.

This is what a typical request looks like:

 

[firebug]

Why not just use SSL?

Many web sites use SSL as a mechanism to protect user data. However, SSL is meant to protect only the communication step of the puzzle (and often does not do that job well, given man-in-the-middle TLS/SSL vulnerabilities); user data is still accessible on the server side to read and interpret. ThreeTags is unique in that even with full access to user data on the server, no one can see it unencrypted.

If you really want to use SSL, you can use this URL: https://threetags.appspot.com.

Performance issues

Data encryption is a CPU-heavy operation, and JavaScript, the language used by web browsers, was not designed with performance in mind. In our tests, all major browsers were able to encrypt/decrypt small notes quite promptly, with Mozilla Firefox and Google Chrome being the fastest.

Unfortunately, the most popular web browser, Microsoft Internet Explorer, is also the slowest in the aspects that matter most to us. While Firefox and Chrome encrypt/decrypt a 100KB note in 3-10 seconds, depending on your computer configuration and load, Microsoft Internet Explorer can spend several minutes on the same operation. We therefore recommend Mozilla Firefox or Google Chrome for a better user experience.

Potential vulnerabilities

No information storage/management system is 100% secure. In any online communication, there are four general points of vulnerability: the client computer can be compromised, the server side (web site) can be breached or untrustworthy, and the medium used to transfer data (the Internet) is relatively easy for eavesdroppers to exploit. The fourth point of vulnerability is the user him/herself: using pet names as passwords, and writing passwords on post-it notes for everyone to see, are venerable and sad traditions, for example.

ThreeTags is designed to make the communication step and the server side more secure. We also chose to use Google AppEngine as our infrastructure provider, as no other company has more to lose in case of an online security breach.

Security of the client computer is the responsibility of the user.

12 comments to Client-side encryption

  • David

    If I understand this correctly, data are not encrypted on the iPhone, but are at least somewhat restricted by a passcode. When information is synchronized with the server it is first encrypted on the iPhone and that encrypted file is sent to your servers.

    When viewing the server information through the Notebook interface, the file is sent encrypted then decrypted via Javascript on the browser used, so that it is never transmitted in the clear.

    Or have I misunderstood? I hope to use your product for server passwords at a fairly large institution. I’ll use a very secure password. Should I worry about any other part of the encryption infrastructure?

    David

  • Hi David,

    Your understanding is correct. Neither user data, nor the password, are transmitted unencrypted. The weakest link here is the iPhone and the browser.

    Best regards,
    ThreeTags support

  • Dan Kelly

    Thank you for an excellent application. The ability to access threetags from a mobile browser would be a plus for me. I certainly would be willing to pay for this service.

  • Thank you, Dan!

    We are actively working on the next version of our service that will have a mobile component, though not all platforms will be supported initially. It takes a bit longer than what we planned, but we will definitely have a major feature release this year.

  • Nate

    Exciting product you guys have worked on here.
    The ThreeTags iPhone app is not currently available, correct?
    Thanks
    Nate

  • Hi Nate,

    The iPhone app is not available in the App Store.

  • Tim

    Is there a way to back up your data locally? Like a full dump, encrypted or otherwise, to a local server or machine?

  • Hi Tim, yes, to back up your notes, click “Tools” -> “Export (backup)” in the top right corner.

  • Anonymous

    Hi, is ThreeTags still up to date? This is because I will create an account, store my notes, and one day this website will get decommissioned or not allow me to edit my notes, or cause some other problem. Can this happen?

  • Hi, is ThreeTags still up to date? This is because I will create an account, store my notes, and one day this website will get decommissioned or not allow me to edit my notes, or cause some other problem. Can this happen?

    Please use our new service: https://aes.io

  • Anonymous

    Where is the encryption key stored?

  • Where is the encryption key stored?

    In browser memory during session; nowhere when the window is closed.
