惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
Y
Y Combinator Blog
美团技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
S
SegmentFault 最新的问题
IT之家
IT之家
Recent Announcements
Recent Announcements
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
T
The Blog of Author Tim Ferriss
Martin Fowler
Martin Fowler
Microsoft Azure Blog
Microsoft Azure Blog
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
U
Unit 42
WordPress大学
WordPress大学
博客园 - Franky
L
LangChain Blog
人人都是产品经理
人人都是产品经理
小众软件
小众软件
博客园 - 叶小钗
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
雷峰网
雷峰网
腾讯CDC
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Help Net Security
Help Net Security
C
Check Point Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
N
News and Events Feed by Topic
V2EX - 技术
V2EX - 技术
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Schneier on Security
Schneier on Security
博客园 - 聂微东
A
Arctic Wolf
H
Heimdal Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
C
Cyber Attacks, Cyber Crime and Cyber Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google DeepMind News
Google DeepMind News

Obsidian Blog

The future of Obsidian plugins Obsidian October 2025 Less is safer: how Obsidian reduces the risk of supply chain attacks Obsidian is now free for work 2024 Gems of the year winners 2024 Gems of the year nominations Second audit of Obsidian apps completed by Cure53 Obsidian Softwear: new Fractal t-shirts and hoodies Save the web Obsidian October 2024 Obsidian Sync now starts at $4 per month with the new Standard plan Announcing JSON Canvas: an open file format for infinite canvas data 2023 Gems of the year winners New security page and independent audit completed by Cure53 2023 Gems of the year nominations New Obsidian Sync plans: bigger, better, faster, smoother Goodbye legacy editor Obsidian Importer now converts Apple Notes to portable, durable files Obsidian October 2023 Free your notes How to verify Obsidian Sync's end-to-end encryption The new Obsidian icon New developer documentation site Obsidian Publish now offers more for less: a lower price, with new features, improved SEO and accessibility 2022 Gems of the year winners I’m joining Obsidian full-time as CEO New Code of Conduct for our community 2022 Gems of the year nominations Obsidian October 2022 winners Obsidian October 2022 1.0 Theme migration guide How to update your plugin to support pop-out windows Plugin developers: CodeMirror 6 migration guide for v6.0 2021 Gems of the year winners Live Preview update 2021 Gems of the year nominations Obsidian October 2021 winners Obsidian October 2021: make plugins and themes together and win awards! Last chance to get early bird discount for Sync and Publish 2020 Gems of the year winners 2020 Gems of the year nominations
Obsidian Sync audits by Cure53 and Trail of Bits
kepano · 2026-05-13 · via Obsidian Blog

Obsidian regularly performs security audits with independent research firms to ensure that our code and procedures meet the highest security standards. Previously we shared audits assessing Obsidian’s desktop and mobile apps in January 2024 and December 2024.

Two new audits are now available on our Security page assessing the Obsidian Sync API, server, and cryptography. These were completed by Cure53 in October 2024, and Trail of Bits in December 2025.

We’re pleased to report that all findings from these reports have been addressed via remediations and disclosures validated by the respective auditors.

Background

Obsidian Sync’s encryption code has been relatively unchanged since the launch of the service in 2020. The most notable change was a minor encryption upgrade released on August 22, 2025 alongside Obsidian 1.9.11. At that time we also published updated instructions for how to verify Obsidian Sync’s end-to-end encryption.

Obsidian Sync audit by Cure53

We asked the Berlin-based security firm Cure53 to perform an audit of the Obsidian Sync service including the API, server, and cryptography.

We invite you to read a summary of the findings and the full report.

The report identified four low priority issues and one medium priority issue. We’re proud to report that the Cure53 team reviewed the resolutions and concluded that their recommendations were properly followed:

It is imperative to acknowledge the swift actions taken by the Obsidian team in working on addressing several of these identified vulnerabilities shortly after the conclusion of the audit. This proactive approach underscores the Obsidian team’s unwavering dedication to safeguarding the user experience.

Encryption upgrade

During this audit Cure53 validated our proposed August 2025 encryption upgrade, stating:

Cure53 was favorably impressed by the enhanced backend security features implemented in the latest version of the Obsidian Sync software. In comparison to its predecessors, Obsidian has made substantial progress in fortifying its cryptographic mechanisms.

Renaming "Managed encryption" to "Standard encryption"

Cure53 identified DYL-04-005 described as "Key mgmt. confusion in managed vault encryption mode". It found that the app and documentation did not clearly describe the risks of not choosing Sync’s default end-to-end encryption option.

Since launch Obsidian Sync has always provided two encryption options: end-to-end encryption (default) and "managed encryption" (optional) which was renamed to "standard encryption".

As a result of this audit the app and Help site were updated to reflect the risks of choosing standard encryption in October 2024, via commit d18640c.

Obsidian Sync audit by Trail of Bits

After completing the August 2025 Sync encryption upgrade, we asked the New York-based firm Trail of Bits to perform a new audit of the Sync API, server, and cryptography.

Our aim was to gain even deeper coverage of potential vulnerabilities in Obsidian Sync. We invite you to read the full report.

The audit identified eleven issues. Remediations were implemented and validated by Trail of Bits. The report mentions three unresolved issues, which we cover below. The latter two were documented on our Sync security page in November 2025, via commit ec32a5c.

Deleting vaults for inactive subscriptions

Trail of Bits identified TOB-OBSYNC-2, "Logged-out clients can look up and trigger deletion of vaults with inactive subscriptions":

Using Obsidian Sync requires a subscription, and 30 days after a vault owner’s subscription expires, the server-side copy of the synchronized vault can be deleted. […] Since this applies only to vaults that are already due for deletion, it does not appear to create any security concern.

For now we have decided to keep this endpoint so that the Sync server can clean up data after the grace period. In the future we will consider how this action can be handled via a scheduled job.

Deterministic file-hash encryption

Trail of Bits identified TOB-OBSYNC-9, Deterministic encryption of file hash endangers file confidentiality.

In response to this report we created a new Limitations section on our Sync security page to help explain trade-offs we make so that we can deliver fast, reliable sync, and efficient storage across devices.

We encrypt file hashes deterministically: the same file content, using the same encryption key and salt, always produces the same encrypted hash on the server. This helps Sync detect duplicates and avoid re-uploading or re-storing identical data, which saves bandwidth and remote storage, especially in version history or when large files repeat.

However, if an attacker compromises a Sync server, and they have a separate way to force a user to upload files of their choosing, then the attacker could force the user to upload specific files and determine if the file matches against a file the user has previously uploaded.

No cryptographic binding between path and content

Trail of Bits identified TOB-OBSYNC-10, General lack of cryptographic binding between file content and metadata. As with the issue above, we added the following details to our Sync security page:

Some metadata is not end-to-end encrypted: which device uploaded or deleted a file, when it was uploaded, and the mapping between encrypted file paths and encrypted content. This data is readable by the server so it can route changes, determine the version history for a file, and keep devices in sync.

If a Sync server were compromised, an attacker could tamper with that mapping, causing the contents of one encrypted file to be delivered under a different file path. This doesn’t reveal your plaintext data, it remains encrypted.

Conclusion

We’d like to thank Cure53 and Trail of Bits for their collaboration with us on these audits. Their depth of expertise reinforced our confidence in the security of Obsidian Sync.

We make Obsidian to capture our own private thoughts and ideas, and we want you to feel confident doing the same. We will continue working with industry-leading security firms on audits that provide comprehensive coverage and transparency towards this commitment.