Does the encryption key in URL pose a security risk? #64
-
Sure, happy to discuss. In what ways would it be an attack vector? The key is only stored in your Obsidian vault and with whoever you send the link to. The link in your comment is regarding the query portion of the URL, which is sent to the server so that can indeed be an attack vector. This plugin uses the URI hash fragment (the part of the URL after the |
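The fragment-versus-query distinction from the reply above, as an added example that is not part of the original thread or the plugin's code: it splits a link the way an HTTP client does and reports which parts carrying a key would be transmitted. The host, path and key value are constructed placeholders, not the plugin's actual link format.

```javascript
// Added example: which parts of a share link leave the client in an HTTP request.
// The host, path and key below are constructed placeholders (assumptions).

// Split a URL into what the HTTP client transmits and what stays local.
function exposure(link) {
  const u = new URL(link);
  return {
    // Request target (origin-form): path plus query, never the fragment.
    requestTarget: u.pathname + u.search,
    // Browsers strip the fragment before using a URL as a Referer value.
    refererValue: u.origin + u.pathname + u.search,
    // Only the client (address bar, history, page scripts) sees this part.
    fragment: u.hash.slice(1),
  };
}

// Report every place a given secret appears in a link.
function locateSecret(link, secret) {
  const e = exposure(link);
  const found = [];
  if (e.requestTarget.includes(secret)) found.push("request-target");
  if (e.refererValue.includes(secret)) found.push("referer");
  if (e.fragment.includes(secret)) found.push("fragment");
  return found;
}

const KEY = "k3y-PLACEHOLDER"; // constructed sample value
const queryLink = `https://share.example/note/abc123?key=${KEY}`;
const fragmentLink = `https://share.example/note/abc123#${KEY}`;

console.log("query link:   ", locateSecret(queryLink, KEY));
console.log("fragment link:", locateSecret(fragmentLink, KEY));
console.log("server sees:  ", exposure(fragmentLink).requestTarget);
```

The complete link, fragment included, is still present wherever the link text itself is stored or pasted, which this check does not cover.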
-
No VPN means your network admin and ISP have it. If you use Obsidian-Git or other backup or sync solutions, the security is lost. The solution could be a key management tool with an API we could integrate with that allows for sharing keys via a different channel, and ideally support for rotation and revocation, but I have not seen any usable implementations.
-
Not really a security expert here. Would the key in the URL be an attack vector? What are the trade-offs one can make?
https://www.fullcontact.com/blog/2016/04/29/never-put-secrets-urls-query-parameters/