mcndt / noteshare.space

A service for sharing encrypted Markdown notes from Obsidian. Notes are end-to-end-encrypted and are only stored temporarily.
https://noteshare.space
MIT License
202 stars, 19 forks

[Security] Static IV during encryption/decryption #33

Closed stypr closed 1 year ago

stypr commented 1 year ago

Leaving notes on this repository as well (Originated from https://github.com/mcndt/obsidian-quickshare/issues/21)


Came from https://mcndt.dev/posts/how-to-e2e-encryption/ 👋🏻

Describe the bug

Currently the code sets the IV to a static value of 0s, which is considered insecure. Consider randomizing your IVs.

https://github.com/mcndt/obsidian-quickshare/blob/73733c0292cb3f0d6775c69c734e80c690932777/src/crypto/crypto.ts#L45-L49

https://github.com/mcndt/noteshare.space/blob/f84ddba528b73c160a16b707ede064b752d3528a/webapp/src/lib/crypto/decrypt.ts#L54-L59

Also, please consider reading https://security.stackexchange.com/a/17046 with regard to secure usage of AES-CBC on your service. I honestly think you're better off doing something with GCM than with CBC mode.

mcndt commented 1 year ago

Closing as duplicate of https://github.com/mcndt/obsidian-quickshare/issues/21.

mcndt commented 1 year ago

Shipped in plugin version 1.0.2 and live on production.