Added disclaimer for AES-CBC-128 weakness with simplepush:// #1215

Merged: 1 commit, Oct 4, 2024

caronc (Owner) commented Oct 4, 2024

Description:

Related issue (if applicable): n/a

Updated SendPush Wiki as well here with the following content:

🔒 AES-CBC-128 Encryption Weakness

The Apprise team recognizes that the encryption used by this plugin is AES-CBC-128 which has been identified to have weaknesses including being vulnerable to the padding oracle attack (Reference).

If the level of encryption is not satisfactory to you, your options are:

  1. Reach out to SimplePush and ask for them to improve their security (to which Apprise will gladly accommodate) ...or
  2. Choose not to use Simple Push and select one of the many other options available.

What is important to identify is this weak encryption used by Apprise to access SimplePush is in place for compliance only. This will never have any cascading effect or impact any other secure notification service also supported by Apprise.

Below is a screenshot from https://simplepush.io/features explaining the defined encryption setting from the upstream source:
[Image: Screenshot from 2024-10-03 21-52-46]

Checklist

  • The code change is tested and works locally.
  • There is no commented out code in this PR.
  • No lint errors (use flake8)
  • 100% test coverage

Testing

Anyone can help test this source code as follows:

# Create a virtual environment to work in as follows:
python3 -m venv apprise

# Change into our new directory
cd apprise

# Activate our virtual environment
source bin/activate

# Install the branch
pip install git+https://github.com/caronc/apprise.git@simple-push-encryption-weak-id


codecov bot commented Oct 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.36%. Comparing base (f656069) to head (9ee019c).
Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1215   +/-   ##
=======================================
  Coverage   99.36%   99.36%           
=======================================
  Files         148      148           
  Lines       20682    20682           
  Branches     4042     4042           
=======================================
  Hits        20551    20551           
  Misses        121      121           
  Partials       10       10           


@caronc caronc merged commit 130edde into master Oct 4, 2024
14 checks passed