[Security] Static IV during encryption/decryption

[stypr]

Leaving notes on this repository as well (Originated from mcndt/obsidian-quickshare#21)

---

Came from https://mcndt.dev/posts/how-to-e2e-encryption/ 👋🏻

Describe the bug

Currently the code sets the IV to static value of 0s, and this is considered to be insecure.. Consider randomizing your IVs.

https://github.com/mcndt/obsidian-quickshare/blob/73733c0292cb3f0d6775c69c734e80c690932777/src/crypto/crypto.ts#L45-L49

noteshare.space/webapp/src/lib/crypto/decrypt.ts

Lines 54 to 59 in f84ddba

	const md = await window.crypto.subtle.decrypt(
	{ name: 'AES-CBC', iv: new Uint8Array(16) },
	await _getAesKey(secret),
	ciphertext_buf
	);
	return new TextDecoder().decode(md);

Also, please consider reading https://security.stackexchange.com/a/17046 with regards to secure usage of AES-CBC on your service. I honestly think it's better off to do something with GCM than with CBC mode.

[mcndt]

Closing as duplicate of mcndt/obsidian-quickshare#21.

[mcndt]

Shipped in plugin version 1.0.2 and live on production.