I am not having any confused thoughts about any of that. I do this stuff for living. The only confusion here is the one introduced by yourself.
Thanks for the link - it explains a lot. Here is a perspective to look at - by reading this thread, and not knowing there is two separate methods of end-to-end encryption you’ve implemented - it is very easy to read it as you transmit encryption passphrase or a hash of it to the server, which defeats it all. Just read the following statements of yours and try to read it as someone without the context you just provided:
The knowledge of login credentials DO NOT enable you to download the encrypted version of your vault, you still need your remote vault password for that.
A hash of the salted password is sent for additional verification along with the login token.
Now, after reading Security and privacy - now I understand you were probably talking about managed encryption and not end-to-end encryption. Is that right?
MFA has everything to do with the encryption and I am not confusing MFA with encryption here. You are confusing me with other people who confused it here in previous posts. I simply stated that the lack of MFA gives me a certain impression about your expertise in implementing your backend stuff and raise a lot of red flags, including, but not limited, to your implementation of encryption. This is how the two are related. I provided quotes of you in this thread, where you were discussing encryption, to demonstrate how you add to that lack of confidence, but I was not making any comments on the subject itself or making any direct relation in between MFA and encryption.
And a note about antagonizing. I am not antagonizing anyone. Not being nice is not the same as antagonizing. I don’t have to be nice to you or anyone else. So as you do not have to be nice to me. Here is another perspective to look at - if I were nice to you, I would not be able to give you that perspective. I would not be able to tell you what a typical commercial potential user thinks when they find this thread, because what a typical commercial potential user thinks after reading this thread is not nice. And then you will never learn about that perspective. And then - you would never had opportunity to object to these thoughts and provide a link with explanation of your encryption implementation. Potential user then would leave this thread, this website, and go look for alternatives. So nice, but so pathetic and pointless. Because unfortunately most of the people tend to be nice and not tell you what they truly think, and a-holes like myself are rare and they are usually busy. So as a business owner you may fall into a survivorship bias fallacy. So, I personally find my antagonizing comment 100 times more valuable than a 100 of other nice comments. It so happens that I am interested in your product, and I will greatly benefit if you address my concern and make me able to use it, so I am genuinely trying to help. As an a-hole that doesn’t expect niceness, I do not expect you to thank me, I expect you to implement the damn feature, so I can give you my money.
Meanwhile, I am going to look at the foam plugin for vscode, and who knows, maybe I am never coming back. I have created an account with you yesterday with the intention to subscribe to the Sync, and inability to set up MFA is what stopped me. Here is one more perspective on how a potential Obsidian Sync user leaves literally seconds before giving you money, after they’ve already made a decision to give you money.