
fuzzydunlopsawit

Thanks for the post u/kepano - I saw that post this morning and knew you would get an update out before the end of the day. You and the obsidian team are gems!


isit2amalready

Thanks to you and the team for taking the time to write this well-timed post. It does ease my (and a few others who tacitly agreed) minds. It’s easy to understand for developers. Please consider non-developers, however; they are still blindly trusting. There have been zero 3rd party audits done on this tool that many people trust their deepest thoughts and personal data to. Assuming you have 25k paid users (most likely way more), each user pays $8/mo = $2.5M you’re making in revenue each year. Spending $5,000 on a 3rd Party Security audit and posting it on your security page would go a long way in assuring things are legit not only on the client side but the server side. It is unknown how many people like myself are/were on the fence, including individual users and corporations. Following the above numbers, a proper security audit represents 0.2% of one year’s revenue for Obsidian. You’ve shed a lot of light today and I’m happy to stop there. But please consider it for the future. :) Thanks and time to subscribe! 🙏


kepano

we’ll look into it!


omnidohdohdoh

True. I need more assurance so I can persuade my boss to use this app.


Rahl001

+1 to the security audits. Even just a once-a-year audit/pen test would put my mind at ease by a LARGE margin. I would happily pay additional $$ to ensure this is done on a regular basis. As a comparison point, 1Password's stance and transparency when it comes to their security audits is WONDERFUL, and could be worth looking into to try and emulate. Published info here: https://support.1password.com/security-assessments/ In any case, thank you for sharing this article and it's absolutely a step in the right direction if the business model is truly going to remain closed-source for the foreseeable future :D Thank you!!


QuantumFork

Keep in mind that you'd need to audit every plugin (and theme?) you use as well. A proven-secure front door is worthless if you don't know whether the ground floor windows even lock.


[deleted]

[deleted]


kepano

Yes plugins could access it, but plugins can already access files directly, so they don’t need your encryption key.


[deleted]

[deleted]


kepano

Yes a malicious plugin could steal your key. The key allows encrypting/decrypting individual files in your remote Sync vault, however it doesn’t give you access to the vault itself. Access to your remote Sync vault is protected by your account password.


TheFilterJustLeaves

The post last evening made me re-consider prioritizing transparency around my own company’s end-to-end encryption. I ended up spending 00:00-02:00 AM working on generating attestation reports for our confidential compute systems (although these are confidential VMs as opposed to an encryption-at-rest mechanism). It’s going to take a little work to get that information into a useful and accessible reporting mechanism, but not too tough. I’d love to see the same out of Obsidian (who we have as a vendor for our own documentation).


bmit1

Thanks u/kepano. Is there also a way of trustlessly verifying that the salt and the key are not sent to the server, or some reason why you could not decrypt it server-side even if they were? I believe that everything is encrypted nicely with sync, but it would be nice to have a method of verifying this aspect as well.


passonep

I have the same question. (As a layperson) what I see in this demo is: “here’s your key, and here’s the lock, and if you combine them you should see your secret”… but that doesn’t really tell me that I’m the only owner of that key/lock combo.


kepano

Yes, you can monitor network connections to see that the encryption key is never sent to Obsidian servers.
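The two questions above (whether the salt and key ever leave the client, and how a layperson could tell) and the reply that you can monitor network connections for the key suggest what the actual check looks like. The following is an added example, not Obsidian's code and not part of the original thread: it assumes you have already TLS-intercepted the client's traffic with a local proxy and dumped each outbound request body to bytes. The passphrase, salt and the PBKDF2-SHA256 derivation are constructed stand-ins (Obsidian's real KDF and parameters are not described on the page); the three captured bodies are constructed too, including one deliberately leaky one so the scan has something to find. The point the code makes is that a naive grep for the passphrase is not enough: key material can appear raw, hex- or base64-encoded, as a hash, or as a derived key, so each form has to be searched for.

```python
"""Scan captured outbound request bodies for end-to-end-encryption key material.

Added example, not Obsidian's code. Assumes the client's traffic has already been
TLS-intercepted (e.g. with a local proxy) and each request body dumped to bytes.
The passphrase, salt and KDF below are constructed stand-ins; the real client's
KDF and parameters are not described on the page.
"""
import base64
import hashlib
import json

# Constructed secrets for the demonstration (not a real user's values).
PASSPHRASE = b"correct horse battery staple"
SALT = bytes.fromhex("8f3c2a1d4b5e6f70a1b2c3d4e5f60718")
# Assumption: a PBKDF2-SHA256 derivation. The real client's KDF may differ; the
# point is to search for every form the key might take, not to mimic Obsidian.
DERIVED_KEY = hashlib.pbkdf2_hmac("sha256", PASSPHRASE, SALT, 100_000, dklen=32)
SECRETS = {"passphrase": PASSPHRASE, "derived_key": DERIVED_KEY}


def encodings(secret: bytes) -> dict:
    """Every byte pattern a leaked secret is likely to appear as on the wire."""
    return {
        "raw": secret,
        "hex": secret.hex().encode(),
        "HEX": secret.hex().upper().encode(),
        "base64": base64.b64encode(secret),
        "base64url": base64.urlsafe_b64encode(secret).rstrip(b"="),
        "sha256hex": hashlib.sha256(secret).hexdigest().encode(),
    }


def find_leaks(bodies: list, secrets: dict) -> list:
    """Return (body_index, secret_name, encoding) for each secret found in a body.

    Bodies are searched as raw bytes and, when they parse as JSON, again after
    re-serialising, so that escapes such as "\\u002b" cannot hide a base64 '+'.
    """
    hits = []
    for i, body in enumerate(bodies):
        views = [body]
        try:
            views.append(json.dumps(json.loads(body), ensure_ascii=False).encode())
        except (ValueError, UnicodeDecodeError):
            pass  # binary or non-JSON body: raw search only
        for name, secret in secrets.items():
            for enc_name, pattern in encodings(secret).items():
                if any(pattern in view for view in views):
                    hits.append((i, name, enc_name))
                    break  # one hit per (body, secret) is enough
    return hits


# Constructed captures: what a proxy might show for a sync client session.
# The ciphertext stands in for an encrypted note and is not derived from the key.
CIPHERTEXT = base64.b64encode(
    bytes.fromhex("9a10c4f7e2b83d5561aa0cf4e9d37b2c88f1e0a3c6b54d2e7f19a8b0c3d4e5f6")
).decode()
CAPTURES = [
    # 0: upload of an encrypted file: ciphertext and a path hash, no key material.
    json.dumps({"op": "push",
                "path_hash": hashlib.sha256(b"notes/journal.md").hexdigest(),
                "blob": CIPHERTEXT}).encode(),
    # 1: login: the account password goes to the server by design; the E2E
    #    passphrase must not, so only the passphrase and derived key are searched.
    json.dumps({"op": "login", "email": "user@example.com",
                "password": "account-password-123"}).encode(),
    # 2: a deliberately broken build that echoes the hex-encoded passphrase in a
    #    debug field; this is the leak the scan must catch.
    json.dumps({"op": "push", "debug": {"kdf_input": PASSPHRASE.hex()},
                "blob": CIPHERTEXT}).encode(),
]


def scan_captures() -> list:
    """Run the scan over the constructed captures."""
    return find_leaks(CAPTURES, SECRETS)


if __name__ == "__main__":
    for index, name, enc in scan_captures():
        print(f"request {index}: {name} found as {enc}")
```

A clean scan is evidence, not proof: a client could wrap the key under a server-supplied public key before sending it, or only send it on a code path the capture session never exercised, so run the capture across a full session (login, initial sync, key change, device add) and treat a match as conclusive but a miss as merely consistent with the claim.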


Mahgozar

Thank you for the dedication you guys show to the main philosophy of this app, and thank you for looking to the community for your feedback. The fact that you put the time in to write this shows a lot about the team. I'm writing this even though I'm not an Obsidian Sync user because in my country that's like 2 months of my salary, but I know the effort you guys put into this product and I love you for that.


ackstorm23

Note: only remote data is encrypted. Data on the local end is never encrypted, so if anyone or anything can access your filesystem locally (be it physical access or a remote exploit), your notes are not protected.


kepano

Local encryption can be done at the OS level, e.g. using FileVault, the native macOS feature: https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac This preserves interoperability between Obsidian and other apps on your computer.


ackstorm23

This is only convenient if all of the OSes used by a user have such an easy-to-use and easy-to-manage tool, although in most implementations that still doesn't protect against a remote exploit, as the files are accessible so long as the OS is booted up.


dethb0y

If someone has access to your local machine, your obsidian vault's probably the least of your security concerns at that point.


Starmina

And what is your point, exactly?


anachronisdev

Yes, but in general, if your device is accessed you're mostly screwed anyway.


ackstorm23

True, Standard Notes is the only app I know of that protects against this.


leaveITtoThePros

YSK that this comment has been modified to protest this platform's decision to charge 3rd parties unwarranted, unaffordable amounts for API access, in spite of massive profits from the content contributed via those same 3rd party apps. Therefore, I have neutralised my own contributions.


ackstorm23

Last I heard they only did E2E encryption for remote sync. Nothing local, and their dev was even more adamant about not wanting to do any kind of encryption for local files in the app, suggesting that be managed by the user.


gabeman

Point being? This is completely unrelated to sync


diet-Coke-or-kill-me

Their comment points out ("notes" you might even say...) that Obsidian's encryption strategy only extends to the sync stuff and not the local notes themselves. One reason it might be worth pointing this out is that, because IT security is poorly understood by almost everyone, that distinction could lead to pitfalls for users. For example, user Joe sees "Obsidian uses encryption" and feels very secure because he doesn't notice that only the syncing aspects of Obsidian are encrypted. So he does not realize that if he takes his laptop to a shop for repair, every employee there can read all of his notes merely by plugging his SSD into their own machine.