How does the OmniSync server handle sending passwords?

Most authentication systems use TLS to wrap a connection, while passing passwords themselves in cleartext inside of the connection. In other words, the server operator could sniff traffic and extract the plain-text password.

Does the OmniSync server work this way, or does it send a token in lieu of the plaintext password? I’m curious if specifying an alternate encryption passphrase offers any real security improvements over the default settings.

Hey @deviantintegral! Good question. When syncing with the Omni Sync Server, and decrypting your OmniFocus database, there are two steps that use a password.

First, your device authenticates to the sync server. This is a standard negotiation using Digest authentication and TLS, just like you might expect. Your hashed Omni Sync Server account password is transmitted to Omni during this phase.

Second, your device needs to decrypt the data in your OmniFocus database. Unlike the first phase, when you’re authenticating to the Omni servers, your passphrase never leaves your device during decryption. Instead, OmniFocus downloads encrypted data from the server along with a special passphrase-protected encryption file. Once all that data is local, it uses your encryption passphrase to unlock the special file, which contains keys allowing OmniFocus to decrypt the rest of your data. Likewise, when uploading new data, OmniFocus encrypts everything on-device before transmitting it to the server.

Here’s where using a separate passphrase for encryption really shines: since all the encryption and decryption work is done locally on your device, even if someone were to sniff passwords in transit to or from Omni’s servers, they would never see your encryption passphrase. This means that any data encrypted with that separate passphrase is likewise unreadable to an observer — including everyone at Omni. Your data is truly your own.

For a more technical explanation of how the encryption process works, take a look at this Discourse thread, posted at the time we implemented the encryption feature. It dives into the algorithm choices we made and our threat model for this feature. You can also check out our support FAQ about the encryption feature, which details the process of using a separate encryption passphrase.

Hope that helps, and thanks for using OmniFocus!