All the instances where obsidian generates network traffic
When you open one of your notes that embeds online content. For example, an image 
Periodically check for updates (can be disabled in the settings)
When you access your Obsidian account in Settings
When you use Obsidian Sync
When you use Obsidian Publish
When you browse/download third-party themes
When you browse/download third-party plugins
If you have third party plugins enabled, there is a check, done once every 12 hours from the time the app starts up, which fetches a file hosted on GitHub we use to issue “plugin deprecations”. This file is used to remotely disable specific versions of plugins that are known to malfunction, cause data loss, or could potentially be vulnerable or malicious.
The dictionary file for each language is downloaded on first use (from a Google CDN).
The plugins you enable can also generate network traffic
Bonus:
DNS requests if a hostname needs to be resolved before establishing a connection (including DNS over HTTPS).
Not that I’m not trusting you, but I just want to brute force all supporting evidence for that. How do I check these statements, and how do I know if my checking tool is not compromised?
I wanted click-to-load for online content, instead of automatically loading remote resources like images and embeds. So I blocked the Obsidian executable in the firewall.
In the space of 8 minutes it logged 700 firewall events, outbound towards the following IP addresses:
I’m new in here and this will become my first post
I know this is an old thread but it hit the head of the nail.
I just started to use Obsidian today… and i was starting to swear as we all do more or less learning new software. LOL
Then Obsidian tried to connect to *****45c-5gol. googlevideo .com and i just looked at my firewall message and thinking… what now!!! as i haven’t written a single ink in the different notes.
as i Block all google related content as i boycotting Google as a company, no traffic went out.
Do you guys know why this is happening and is it possible to tweak some settings in Obsidian to prevent network connections unless asked for?
I have set updates to manual and i have no account and i will not get one as i dont want to sync or have any cloud solutions what so ever.
I use Debian and installed Obsidian the last version with the Deb package.
Hi, can you please add an option to disable the phone home requests during application startup? Better yet, remove it altogether, please?
On Linux, using OpenSnitch, I see that every time I start Obsidian it tries to make multiple requests to Github domains (githubusercontent, etc) over the course of about 3 minutes (if blocked, it keeps re-trying).
I do have the option for “Automatic updates” turned off in settings, but this does not stop these requests at startup. We should, at the very least, be informed they are occurring. It took OpenSnitch to identify these surreptitious requests.
Please disable these internet requests, whatever they are doing. For a “privacy focused” application, this is unacceptable. Otherwise, Obsidian seems like a pretty great application so far.
However, Obsidian is promoted as a “privacy focused” application. Therefore, as such, it would benefit from, and increase trust for users, by having these above points communicated more clearly after installing the application, upon first run.
Also, please allow us to see when these network requests occur, where exactly they are connecting to, and why. And please grant us the option of allowing or denying these specific network requests in the settings. Ask us, please, and be more transparent. That is being “privacy focused”. And allow us to permanently disable each request if the user so chooses.
By the way, I can’t recall if it has been done already or not, but Obsidian should most certainly disable Electron’s initial phone-home request to Google (redirector dot gvt1 dot com) upon first run after installation (check it with OpenSnitch).
Since I can’t edit my post, I’ll add an update: OpenSnitch just alerted me that another request to this Google-owned domain was being attempted, so it doesn’t only occur on first run after installation. Definitely not “privacy friendly”. Please disable these Electron network requests.
Hi there. Interesting there’s been no response to this and it’s been over two weeks It doesn’t seem like the Obsidian devs really care very much about this. Others clearly do (see the likes).
Can you devs please at least remove the Electron/Google tracking (the domain is redirector dot gvt1 dot com). Easily viewable if you run OpenSnitch or other firewall. This is extremely anti-privacy and not covered in your first post in this thread. Signal fixed it, why can’t you guys? (github dot com/signalapp/Signal-Desktop/issues/5767)
Also, I have “automatic updates” turned off, yet every time I start the application, Obsidian attempts to make multiple requests to Github domains (githubusercontent, etc) over the course of about 3 minutes (if blocked, it keeps re-trying). If I’ve turned off automatic updates, not using push/sync, this shouldn’t happen. Yes, it could be third party plugins, but I don’t know. And I’d rather not download your “plugin deprecations” file every 12hrs (item #8 in your list above). Can you please give us an option to change the time (once a week, etc) or disable this check entirely? I should have the option to actually stop these sorts of things in a “privacy focused” application, shouldn’t I?
Which complete URL exactly did you detect? Because gvt1.com is (also) used for downloading spelling dictionaries on first use, and this is listed in OP.
All I saw in OpenSnitch was what I listed (redirector dot gvt1 dot com), I’m not sure if that was the entire URL or just the domain. Do you have it?
But did you read how Signal fixed it? They moved the dictionary request to their servers to avoid it pinging Google since they are privacy-focused.
Ah okay. What is the best place to do that, on Github or in these forums somewhere? What is the URL?
Also, would an FR be the right way to ask for the privacy invading network requests to redirector dot gvt1 dot com be removed? (this includes dictionary requests; ie. move the dictionary files to Obsidian servers like Signal did since they also take privacy seriously; to stop sending requests to Google - see github dot com/signalapp/Signal-Desktop/issues/5767)
I deleted your feature request because it was too broad (we agreed on a FR for dictionaries), and contained incorrect information. I made a new one.
I want to reiterate here that we are open about the network connections that the app makes (we have this thread and the list is also in the docs). I asked multiple times to report which EXACT URLs that you see outside of dictionaries but you haven’t given me any.
As addressed in the plugin security thread, there is no mechanism available to us to block their access to the network.
If you are unhappy with the current state of the app, You can add firewall rules to block it from accessing the internet. Perhaps, you can run the app in sandboxed environment, or use something else.
You deleted my FR? What the heck? It wasn’t too broad, it was very specific, actually. It was about reducing the number of network requests, one of which just happened to be the dictionary issue. No freedom on these forums, I guess? Wow. Outrageous. I made some good points in that post and it took me awhile to write. It was even polite and friendly.
I don’t have the “exact URLs” because OpenSnitch (the firewall software) doesn’t give them - just the domain, which should be enough because that’s the point. Why don’t you guys do a bit of looking into Electron to find the URLs it is communicating to, since you’re the developers…
But maybe you didn’t want some of what I wrote to be there in that FR, like how all Obsidian users’ IP addresses go to Google. You seem to forget in your rather zealous security thread, that “user data” includes a user’s IP address, and therefore shouldn’t be shared.
And, part of my request regarding the dictionaries was to eliminate the default requests of the dictionaries at first-run (which users cannot disable - thus resulting in the surreptitious “phone home to Google” upon first-run, which is what Signal recognized as a valid security and privacy concern and fixed, but you guys don’t, which I find surprising). Another part of the request was to turn off those dictionary requests entirely after turning off the dictionary. But you rather flippantly wrote up in your FR as “moving from one company’s CDN you don’t like to another company you probably don’t like”. That’s just rude, patronizing, and misrepresenting my concern.
as i haven’t written a single ink in the different notes.