https for web server?

I am trying to set up Devonthink as an alternative to Evernote using ownCloud for syncing. So far it’s been working ok, but I ran into a big gotcha. Maybe I am missing something?

I need to make one of the databases accessible to people from my team who are on a PC or don’t own Devonthink. So I thought to set up the web server on one of my always-on, static addressed machines.

However, once I set up the server, to my shock, the resulting URL is insecure:

I searched the forums, someone asked about this back in 2009, and someone else said “this has already been discussed” - but I couldn’t find any relevant discussion except for a few people mentioning using a VPN.

Doing VPN on top of it is getting far too complex for providing simple security of passwords for a database that doesn’t have any mission critical data. However, sending it in the clear is way too lax.

Is there a solution to this?


There are database-level passwords or a master web server password (which overrides the database-level ones). SSL in not implemented yet.

If a password is sent in the clear (no HTTPS) that means that anyone who has a modicum of hacking skills can intercept it and gain full access to the database.

While such lax security could be overlooked back in 2009 when this was last discussed here, in 2016 it is like living in the stone ages.

It is made worse by the fact that there is not a per-user password, but only one master password for the entire database. That means that a single packet interception from anyone using it may yield the password and compromise the database for everyone.

I saw another thread where you were interacting with someone over security issues, and in that thread you seemed to have the same kind of stance… that it’s not a “big deal.”

It IS a big deal, however, to many of your users.

The whole reason I came back to Devonthink from several years of using Evernote is so that I can control my data.

I even purchased two additional DT Pro Office licenses for my team for this purpose.

So it is very disappointing to then discover that, in fact, Devonthink is no more secure - and less so - than Evernote. (While Evernote doesn’t encrypt data on its servers, at least it encrypts data in transit).

But it is more disappointing to see that this was discussed in 2009, and nothing has been done about it.

I understand that as developers you have to prioritize new features, and there’s always an “endless” list of things you could do. (The curse of being a small business owner, which I get).

However, have you ever asked yourselves: “WHO is our primary user and WHY do they choose Devonthink over the alternatives?”

I think if you seriously asked yourselves this question, you’d find it a very clarifying exercise about which of the enhancements or features you might chose to prioritize.

I can’t speak for all of your users, but speaking for myself, my PRIMARY reason for choosing Devonthink is so that I have control over my data, not some cloud-based service with who knows what kind of back-channel agreements with others (such as governments) to share my data.

That means SECURITY is a major priority for me. (I believe it should be a priority for everyone, but I don’t get to dictate what others priorities are). DT is really behind the curve on this.

Second is reliability. I abhor buggy programs, especially when it comes to storing my data. DT does pretty well on this front these days - much better than years ago.

Third is Ease of Use - simplicity and clarity of interface. DT is only so-so on this.

I have several popular blogs and a big newsletter mailing list - and I’d love nothing more than to be able to recommend DT to my clients.

However, I find myself reluctant, because it seems that DT keeps just growing in features endlessly, without a focus on what it’s users want, or how you can create the very best user experience.

BTW - I’d be happy to pay for an update once in a while, as long as it enhances my user experience, rather than just adding more bloat

Thanks for your consideration of my ideas

An alternative might be to set up a VPN server on the database server (such as iVPN), and have the other people access the server using a VPN client such as Viscosity.

Its also quite possible that your router offers a built in VPN server.


I set up a reverse proxy for HTTPS in front of DTPO, and then blocked the insecure port from being accessed outside of my machine. Since macOS includes a built-in Apache server, this is not too hard. Maybe we could document setup for people who want to do this?

(I don’t have it offhand, since I haven’t done it in a few years.)

I would love documentation on this. While I am considering the VPN solution mentioned by others, my main concern is making sure my team can access that reliably. I would rather have a simpler solution if possible.

This sounds perfect, but I have not setup a reverse proxy before. I do have a few websites running on the machine, but as long as this can be done on a different port without clobbering the usual http/https ports, it would be great.