Closed stypr closed 1 year ago
Leaving notes on this repository as well (Originated from https://github.com/mcndt/obsidian-quickshare/issues/21)
Came from https://mcndt.dev/posts/how-to-e2e-encryption/ 👋🏻
Describe the bug
Currently the code sets the IV to a static value of 0s, and this is considered to be insecure. Consider randomizing your IVs.
https://github.com/mcndt/obsidian-quickshare/blob/73733c0292cb3f0d6775c69c734e80c690932777/src/crypto/crypto.ts#L45-L49
https://github.com/mcndt/noteshare.space/blob/f84ddba528b73c160a16b707ede064b752d3528a/webapp/src/lib/crypto/decrypt.ts#L54-L59
Also, please consider reading https://security.stackexchange.com/a/17046 with regards to secure usage of AES-CBC on your service. I honestly think it's better off to do something with GCM than with CBC mode.
Closing as duplicate of https://github.com/mcndt/obsidian-quickshare/issues/21.
Shipped in plugin version 1.0.2 and live on production.