[wildduck]

Well on the site it was said

"We encrypt the content with that random key. In this case, we only encrypt the content once with the random key so we don’t need an iv and can leave it filled with 0 (I hope…)."

Anyone think that is a good idea?

[dchest]

It's a good idea if you encrypt with the same key _once_ — you can avoid attaching nonces to your ciphertext (less code and data), and have only 16-byte key in the URL.

In fact, using a random IV with AES-GCM is not exactly safe: 12-byte nonce is too small to avoid collisions with many encryptions. The recommendation is to not encrypt more than 2^32 messages with the same key if you use the random nonce.

[vbezhenar]

What would happen if an attacker gets two different messages with identical IV and key?

[dchest]

They'll get the XOR of the two original messages, and also can break authentication: https://crypto.stackexchange.com/questions/26790/how-bad-it-...

[vbezhenar]

That's scary, thanks!

[SAI_Peregrinus]

If the key is securely random AND only used once, it won't compromise the encryption. But it's a bad idea, since it requires enforcing that the key is a nonce, instead of just a key. It's a bad habit, and can easily lead to compromise (when someone inevitably uses it as example code in a situation where those guarantees don't hold, for instance.)