The USP of Evernote isn't that you can take notes from anywhere as much as anything can be a note (An audio clip, your current location, a picture etc) and that can be very well organised, grouped and saved in the cloud and offline on demand.
It's basically a "database" for the non techies: Save everything in there and query by tags, organise by books or search in the content and meta data.
And that there is an app for most platforms. I'd actually love to see an open source version of OneNote (pen based abilities, search performance and OCR capabilities) more than Evernote.
The web is not a secure medium for this kind of application.*
This is because all the encryption features they tout depend implicitly on content (HTML and JavaScript) the server sends you every time you use the application. Because you receive this content anew on every usage, there's no way to verify what you're getting. Today it might be fine, but tomorrow it might contain a key logger or subtle cryptographic flaws.
You also can't depend on the community for help verifying this content, because it can be distributed selectively. The mass of users might get benign content while interesting targets get backdoored software.
* It might be safe to distribute something like this as an installable sandboxed web application. I'm actually not 100% certain. But the no-install-just-browse-to-this-url model is definitely insecure.
I think the general pitfalls of a browser extension is that you're essentially trusting that the browser, which is acting almost as an OS in terms of separating the memory contents of different extensions, to work correctly. The idea is if you have an extension doing crypto, an extension that is syncing data with google has no way of reading the data from the crypto extension. You also have to make sure the same applies for websites as well...extensions should be able to grab data from sites, but not vice versa. Without this kind of perfect separation, your crypto extension is really just a sitting duck and none of the data in it is safe.
As far as how they differ among browsers, Chrome (and I suppose Opera, now as well) does a good job sandboxing one extension from another, and from stopping websites gaining access to running extensions. Is it perfect? I can't really answer that.
One problem with Chrome extensions is that unless you want your users to have to download the .crx file, and drag and drop it into their browser, you have to use the Chrome webstore. This is especially retarded because in order to upload your extension to the Chrome webstore, they either need your private key you signed the extension with, or they generate a private key for you. This means that your private key is not private and extension signing is a complete joke. So if you're releasing an extension for the security-literate, it makes sense to create a .crx file, sign it yourself with your own PGP key, and offer it as a separate download that they have to drag+drop into Chrome. The chrome webstore is not a secure means of distribution.
Firefox, on the other hand, is more forgiving with installations but has no real sandboxing. This means it's possible for one extension to read another's data. Plans to introduce threading (and I think as a consequence of threading, sandboxing as well) are in the works, but it's still going to be a while until Firefox gives extensions the same protections Chrome does.
Really, if you can, it's best to do crypto in a native app where the sandboxing is done for you by the operating system and you don't have to rely on a browser. Node-webkit is a great way to do this since it merges the two worlds nicely (at least for desktop).
Yes, I think those risks can be eliminated with some elbow grease since there's no need to load this app off a live server.
Instead, one would download a specific version as a tarball with a verifiable checksum that indicates the source is equivalent to the version audited by the community on GitHub. The app is then loaded & run locally.
In addition, you could control network access if you wrap it in its own OS-native custom browser app and use a firewall that controls outgoing connections. (Like LittleSnitch on OS X.) That is, create a thin shell around WebKit uniquely for use with this web app, and control its network access.
(I think the two measures are redundant, but hey, if you're going to be paranoid...)
"Laverna is webapp written on JavaScript which means it requires no installation and no registration."
"None of us can get access to your personal data because we are using IndexedDB and localStorage. In fact all your information will be stored only on client side."
So does this mean that clearing cookies in Chrome will delete all your information?
Cookies: Files stored on your computer by websites you've visited. These files contain user information, such as preferences for websites or profile information.
Site data: HTML5 enabled storage types including application caches, Web Storage data, Web SQL Database data, and Indexed Database data.
Plug-in data: Any client-side data stored by plug-ins that use the NPAPI ClearSiteData API"
I believe so although I do see Dropbox support in their settings so I'm guessing you can have your data sent to your own Dropbox for more long-term storage.
I've been looking for a self hosted open source version of Evernote. I was excited when I first saw this but this isn't it. Storing all data locally defeats half the purpose. You can't even create notes on your phone and view them on your PC. Add to that, this seems to be only for text notes, which makes sense, since localStorage has a data limit of about 2MB.
It offers a hosted option (the default) or an open-source server you can run internally if you want more control of your data (or don't want to pay). Disclosure: I'm building it.
Note that Turtl uses IndexedDB to store everything (encrypted) locally, but also syncs to the server. This means if you wipe your local storage, your profile will be re-downloaded back to the client (only un-synced changes will be lost).
Looks interesting, I'll try using it for a week or so and see where it takes me.
Bit of advise however: The front page of the website doesn't really describe it very well. There's barely any screenshots (and the ones that exist are hidden for two thirds of the time), and there's not much of a description of the actual application. There's descriptions of what features it has over your competitors, but not really anything about what the core product is. Honestly, if I saw the website outside of the context of this comment thread, I probably would have passed it by.
All in all it looks like a good alternative to Google Keep which I can feel good about using. Best of luck!
That's incredibly useful feedback. Thanks for taking the time to mention that.
I think one thing I'm definitely missing are use cases, which would help people understand that product better. I'll see what I can do about making the screenshots more obvious as well.
I've been toying with the idea of creating a demo with pre-populated content and letting people play around with it on the site. Would that be something you'd try out as a passerby who happened to land on the site?
I tend to treat such demos as nothing more than glorified screenshots. For example, Mailpile has a demo similar to what you described and I spent maybe 10 seconds in it clicking on a couple buttons. That said, I'm sure it is very useful to some other people. I'd recommend getting in touch with some of the Mailpile guys or anyone else who can relay their experiences about how useful it is.
This, actually using vimwiki, is my setup for both my private knowledge management/kind of diary system and my lab notebook at work for quite some time now. Works flawlessly. See [0] for a pretty nice setup.
Doesn't solve your image issue, but for text-only it's a pretty nice solution if you're comfortably living in vim anyway.
As regards replacing Evernote, there is already the very capable and stable Zotero[1], which provides source to roll your own server[2]. It integrates well with LibreOffice and LaTeX/BibTeX.
It does nothing to address the anonymous or secure aspects however.
The USP of Evernote isn't that you can take notes from anywhere as much as anything can be a note (An audio clip, your current location, a picture etc) and that can be very well organised, grouped and saved in the cloud and offline on demand.
It's basically a "database" for the non techies: Save everything in there and query by tags, organise by books or search in the content and meta data.